Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details
  • Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details
  • Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details
  • If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    • Hot ideas
    • Top ideas
    • New ideas
    • My feedback
    1. Disable source NAT on incoming sessions on Azure Firewall

      Hi,

      As far as I can tell, source NAT is applied to all incoming sessions crossing a destination nat-rule on the Azure Firewall.

      It would be great if there was an option for this implicit source NAT to be disabled. Doing so would allow internal Azure VMs to see the real public IP address of the system making the incoming connection.

      The Azure Firewall deployment docs state that a default route should be set on the host's subnets pointing to the Azure Firewall - so source NAT should not be necessary for (public) Internet IP addresses to be routed successfully…

      57 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    2. Add Effective Routes blade to Azure Firewall

      We are currently evaluating the use of Azure Firewall as our core firewall between on-prem and an Azure Hub/Spoke architecture via ExpressRoute.

      We need to be able to see what the effective routes are that Azure Firewall is using when we route all of our spoke traffic to it, and our on-prem traffic destined for the spokes to it as well. Currently, Effective Routes are only visible on resources with an associated NIC.

      Given that Azure Firewall is a PaaS network appliance, this is a critical feature for making it useful in our use case.

      50 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  2 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    3. Please add start / stop cmdlets (ex. Stop-AzFirewall / Start-AzFirewall)

      Could you please provide cmdlets like Stop-AzApplicationGateway / Start-AzApplicationGateway.

      Following steps are really complexed. (Why Firewall doesn't keep VNet and Public IP information?)
      We need more simple step for stopping and restarting Firewall because its too expensive for PoC.
      If you can add cmdlets and portal UI, it really helpful for us.

      https://docs.microsoft.com/en-us/azure/firewall/firewall-faq#how-can-i-stop-and-start-azure-firewall

      40 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    4. Azure firewall application rule does not support non-http80/http8080/https443 protocol, for example SMTP. Please add the new feature.

      In order to inspect access to smtp.office365.com through Azure firewall, and leverage target FQDN in application rule, please add SMTP protocol support since currently AFW does not support non-http80/http8080/https443 protocol.

      24 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  2 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    5. Azure Firewall with Just in Time Access

      With the latest just in time access support for Azure Firewall, DNAT rules are added when access is requested to the private IP. We have secure servers without public endpoints secured by JIT. As soon as a request is made to access port 3389, Azure Firewall NATs a port (13389) on its public endpoint mapped to our server. There is no notification of this happening at the time of the JIT request. It would be great to have a feature that would allow the DNAT setting to be disabled when requesting access through JIT.

      24 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    6. Support to retrieve effective route of Azure Firewall

      I believe Azure Firewall doesn't support to retrieve effective route at this moment. While if we advertise a lot of routes from on-premise or if we have hub-spoke setup, it's hard for us to know how Azure Firewall forward the traffic. Can we add this feature? Thanks!

      21 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    7. Azure Firewall - FQDN Based NAT!

      I strongly hope AzureFirewall has "FQDN-based-Nat" function!!!

      20 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    8. Azure Firewall geo based rules

      Support for geo based Rules in azure firewall.
      IE Any traffic from Country A will be blocked

      18 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    9. Azure Firewall - Allow rules for any port on FQDNs

      Currently there is no option to allow connections to FQDNs through the Azure firewall unless the connection is on port 80 or 443.
      This means that we can't secure connections from IaaS VMs to services such as Service Bus which requires ports 9350-9354.
      Currently the only other alternative is a 3rd party NVA.

      13 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    10. Customizing OWASP Rules in Application Gateway

      There should be the possibility to customize the OWASP rules in the Application Gateway WAF v2, not just the ability to turn them on or off. For example, Rule 911100 (method not allowed by policy) doesn't allow PUT or PATCH HTTP methods. It would be good to be able to modify this rule to allow more methods, not just turn the rule off if we want these methods.

      12 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  1 comment  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    11. Add what network rule is matched in logging

      The Network rule log does not include the matching rule name like it does for Application rule log. In the Application rule log it reads "Action: Allow. Rule Collection: collection1000. Rule: rule1002" in the message, but Network rules end at "Action: Allow". It makes it hard to troubleshoot firewalls, and know what rule is causing the issue. It also makes it hard to introduce the firewall into an existing environment where you have to start with an allow all rule because you do not know if what rules are getting matched.

      10 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    12. Disable SNI TLS extension check on Azure Firewall

      We are getting a lot of "Action: Deny. Reason: SNI TLS extension was missing" on Azure Firewall Log, which causes application failure if client application doesn't support SNI at the time of client hello. Can we add a feature to support Disable SNI check on Firewall manually?

      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    13. FQDN like this 'gr-Prod-*.cloudapp.net' can not be set

      Even though this rule is mentioned in the docs here - https://docs.microsoft.com/en-us/azure/app-service/environment/firewall-integration#fqdn-httphttps-dependencies, it's not possible to create because the portal says gr-Prod-*.cloudapp.net invalid FQDN.

      I know that ASE rules should be handled by Service Tags, but not in my case.

      6 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    14. Diagnostic log for Azure Firewall includes rule collection name for each entry

      Right now, if we follow https://docs.microsoft.com/en-us/azure/firewall/tutorial-diagnostics. The Diagnostic log entry for Azure Firewall likes below:
      { "category": "AzureFirewallNetworkRule", "time": "2019-09-03T10:08:17.4381790Z", "resourceId": "/SUBSCRIPTIONS/xxxx/RESOURCEGROUPS//PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/", "operationName": "AzureFirewallNetworkRuleLog", "properties": {"msg":"TCP request from 10.0.1.100:22 to 112.85.42.195:45791. Action: Deny"}}

      Due to security policy and audit purpose on customer side, We want to have the rule collection name can be recorded as well, so that we know the traffic hits which rule.

      "category": "AzureFirewallNetworkRule", "time": "2019-09-03T10:08:17.4381790Z", "resourceId": "/SUBSCRIPTIONS/xxxx/RESOURCEGROUPS//PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/", "operationName": "AzureFirewallNetworkRuleLog", "properties": {"msg":"TCP request from 10.0.1.100:22 to 112.85.42.195:45791. Action: Deny"}, "RuleCollectionName": "***"}

      6 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  1 comment  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    15. Update Subscription Limits Documentation

      Update your subscription limits documentation. Your documentation makes no mention of the single public IP address limitation. https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits#azure-firewall-limits. Thanks.

      6 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    16. User / Group based Firewall Rules

      To move existing Webservices to Azure (Linux Webservers with internal Services) i would like to place them behind an Azure Firewall with Path Through Authentication against Azure AD, so that employees have access to the Ressource and any other access is blocked.I want to create Rules based on users not on IP-Addresses.

      Regards,
      Reiner

      4 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  1 comment  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    17. Consumption based pricing for Azure Firewall

      The fixed hourly cost of azure firewall makes it prohibitively expensive to use in low-volume scenarios. We don't want to be put in a situation where we have to make a financial decision that overrides security patterns/architectures. Please give us some more licensing options so that we can take this product and deploy comprehensively through our networks at any point of scale.
      Thanks,
      Ben

      3 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    18. Add support for Azure Firewall in Cloud App Discovery

      Cloud App Discovery can digest firewall logs from known firewall brands. Manually or by implementing a log parsing container application.

      Please enable seamless integrations between Cloud App Discovery and Azure Firewall

      3 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    19. Azure Firewall - DNAT rule for the target FQDN.

      We can use DNAT rule with source ip address or destination ip address. But I want to use the DNAT rule with the target FQDN. I know application rule can use the target FQDN so I hope we can also use the feature with DNAT rule.

      3 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →
    20. WAF fails to establish success health using the web service SAP cloud connector with custom TLS1.2 and struggled to find the issue from WAF.

      WAF fails to establish success health using the web service SAP cloud connector with custom TLS1.2 and struggled to find the issue from WAF stand point. Means, We modified multiple TLS1.2 algorithm and tested to fix the issue. Why the custom/selected TLS1.2 algo is not working? Can you build the "front end troubleshooting page or packet capture page" to select correct TLS1.2 or elect the correct TLS1.2 automatically?

      Moreover, Could you modify the name from "Listener" to "Backend Listener"? Boz, This name is really confusing with frontend certificate and backend TLS parameters.

      1 vote
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Azure Firewall  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    ← Previous 1
    • Don't see your idea?

    Feedback and Knowledge Base