Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details

  • Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details

  • Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details

  • If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    • Hot ideas
    • Top ideas
    • New ideas
    • My feedback
    1. Make Front Door work correctly for Azure B2C sign into a aspnet core web app

      I have a aspnet core web app which uses Azure B2C for storing registered users data. Registration and sign in for the app works as expected.

      I tried to configure the site to work with Front Door. however, we noticed Correlation Failed exceptions being logged immediately after the user had signed in. They were not then being redirected correctly to the next view.

      Further investigation showed that Front Door was stripping cookies from a key response being returned from Azure B2C. These were the very cookies used to complete the sign in process for B2C. this explained the failure.

      In…

      32 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  Azure Front Door Service  ·  Flag idea as inappropriate…  ·  Admin →
    2. Add option to detach specific files from the Azure Front Door dynamic cache

      When you host a SPA (Single Page Application) on an Azure Blob storage with Azure Front Door (with dynamic caching activated):

      Everytime you release a new version of the app, users have to force-reload the page in order to get the new version.
      Because the links to the new assets (like main.***.js, ...) are located in the index.html, which has been cached.

      I was able to solve it:
      1. Let the Azure CLI set the Cache-Control header to "no-cache" on the index.html after pushing it to the blob storage:
      az storage blob update --account-name $(storageAccount) --container $web --name index.html --content-cache-control…

      31 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Azure Front Door Service  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    3. Azure Front Door WAF should scan POST requests with content-type multipart

      At the moment the Azure Front Door WAF does not scan for XSS threats when the request going through FD is of content-type multipart. This was advised this is the case by the Microsoft Support team. For example, if I send the following request through Azure Front Door with OWASP DefaultRuleSet enabled on its WAF:
      POST:

      content-type: multipart/form-data; boundary=----WebKitFormBoundaryriZKfNGOPKHI8rWO

      Form Data:
      958127ef-8053-4054-811e-49d54be8a09f: <script>alert('hello');</script>

      The WAF does not detect the XSS threat simply because of the content-type.

      This is fundamental to have in a service dedicated to protect backend systems. I am conscious this is currently being worked, however what is…

      25 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Azure Front Door Service  ·  Flag idea as inappropriate…  ·  Admin →
    4. Azure Front Door should automatically configure custom domains on backend app services

      When a custom domain is registered with Azure Front Door it should register that custom domain with backend app services.

      When backend app services do not have the same custom domain as AFD, app service session cookies are not passed back to the browser. Therefore session affinity is broken.

      Although there is a workaround that involves pointing the custom domain at the app services to register the domain, then pointing the custom domain back to AFD, it some cases that's just not feasible.

      We will be halting further rollout of AFD to our customers until this issue is resolved.

      24 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  1 comment  ·  Azure Front Door Service  ·  Flag idea as inappropriate…  ·  Admin →
    5. More Front Door routing options - based on headers and/or IP addresses

      Currently, it looks that Front Door only supports routing based on URL path. It would be nice to be able to route traffic according to headers and/or IP addresses as well.

      E.g.,
      Forward traffic coming from 6.7.8.9 to backend pool X.
      or
      Forward traffic with the header User-Agent containing googlebot to backend pool Y. (not promoting cloaking here at all, but dynamic rendering instead https://developers.google.com/search/docs/guides/dynamic-rendering)

      23 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Azure Front Door Service  ·  Flag idea as inappropriate…  ·  Admin →
    6. 19 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Azure Front Door Service  ·  Flag idea as inappropriate…  ·  Admin →
    7. Provide a lower starting cost for Front Door

      I have a simple static web page with HTML and JavaScript and a simple azure function working with a cosmos db, with very little traffic. Static web and function costs only cents and cosmos for ~23$. Adding a azure Front Door to this setup, will tripple the price (need two rules). I really like a to use Front Door, but adding this to my setup is to costly in relation to the other costs.

      18 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Azure Front Door Service  ·  Flag idea as inappropriate…  ·  Admin →
    8. Expand Azure Front Door Compression Support

      Currently AFD only performs compression when CDN caching is enabled and when the cached files are 8MB or less in size.

      These two limitations create problems in some scenarios - especially when large 3rd party JavaScript libraries are being leveraged and an external CDN can't be used for those libraries.

      Please allow for compression to be enabled independently of caching, and allow for files larger than 8MB to be compressed.

      18 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Azure Front Door Service  ·  Flag idea as inappropriate…  ·  Admin →
    9. Tag Front Door

      Allow tagging an existing Front Door. Currently is possible to tag a front door only during creation.

      16 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  1 comment  ·  Azure Front Door Service  ·  Flag idea as inappropriate…  ·  Admin →
    10. Azure Front Door - Routing based on Query string parameters

      It seems Azure Front Door does not support Pattern matching on the basis of Query string parameters.

      Is there a way i can redirect requests bases on value of url parameter?

      ex: https://www.contoso.com/api/page1?type=EU

      Parameter "type" can have multiple values, if the value is "EU", the AFD should redirect to https://eu.contoso.com.
      if the value is "US", the AFD should redirect to https://us.contoso.com.

      15 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Azure Front Door Service  ·  Flag idea as inappropriate…  ·  Admin →
    11. Set headers detailing TLS handshake

      Additional x-azure-{x} headers which provide details about the TLS handshake between the client and front door, such as the selected cipher, TLS version and key length. This will help provide operational insight about the client base.

      13 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Azure Front Door Service  ·  Flag idea as inappropriate…  ·  Admin →

      Thanks for the valid suggestion. Your feedback is now open for the user community to upvote which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature

    12. give FrontDoor health probes an identifiable user agent to enable traffice to be filtered in Application Insights

      Health Probe requests from Azure FrontDoor should have an identifiable user agent string, which ideally should be included in the default ApplicationInsights.Config filters section.

      Any user of FD whose sites us AI are going to find their telemetry feeds flooded with multiple requests a minute otherwise, and all suggestions given from other users or MS have been workarounds for what should be a standard filter being missing

      12 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Azure Front Door Service  ·  Flag idea as inappropriate…  ·  Admin →
    13. Add X-Azure-Client-IP-Country header to headers set by Front Door

      It would be really nice to have the country of the originating IP adress of the request available in the request headers, similar to Cloudflare's X-CF-IPCountry header.

      While Azure Front Door does provide routing rules depending on country, in my case the route is accessible globally but validation depends on the country of the originating IP address. Having it available in the header saves me an additional call to an IP Geolocation service.

      11 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Azure Front Door Service  ·  Flag idea as inappropriate…  ·  Admin →
    14. Ability to skip specific rules in Font Door WAF without skipping all rules

      There are a number of managed rules that trigger false-positives in Front Door's Web Application Firewall. For example, Google will attach a "gclid" URL parameter onto links for tracking, however, due to the randomness of this value, it can trigger the SQLI 942450 rule.

      The only options to prevent this from affecting customer are either:

      a) Remove the rule altogether, thereby reducing overall security across your backend hosts.

      or, b) Add in a custom rule to skip ALL rules when the "gclid" parameter is set (ie. Allow traffic). This is perhaps even worse than option (b), since you've effectively removed…

      10 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      1 comment  ·  Azure Front Door Service  ·  Flag idea as inappropriate…  ·  Admin →
    15. Guaranteed time to roll out a custom SSL certificate when creating/updating FrontDoor endpoints

      When creating or updating a FrontDoor endpoint with a new URL it would be useful to have a expected time when all locations globally will serve with the correct certificate. I have been advised by Azure Support now that a normal turnaround time for our scenario (certificate provided by us, stored in Keyvault) should be 6-8 hours, but have just had an instance where it has taken over 24.

      Given we will be regularly adding new URLs and will need to advise clients when they should be able to correctly access the addresses a) it would be useful to be…

      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Azure Front Door Service  ·  Flag idea as inappropriate…  ·  Admin →
    16. Allow front door service URL Rewrite to file instead of path

      Reopening https://feedback.azure.com/forums/217313-networking/suggestions/36442486-allow-front-door-service-url-rewrite-to-file-inste as it was marked as closed when it is not supported

      As original idea:
      "Allow URL Rewrite to rewrite a path to a file. This would enable users to host single page applications using front door."

      In a SPA application (Angular, Vue or React), we need requests paths to be rewritten to a single file (i.e. /index.html) as routing is managed by the application itself in JS code.

      The problem occurs when someone tries to access SPA URLs. Azure Front Door forwards to resources which don't exist and 404 response is returned which causes serious issues with many…

      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      2 comments  ·  Azure Front Door Service  ·  Flag idea as inappropriate…  ·  Admin →
    17. Handle passthrough of ARR affinity cookied when routing through FrontDoor

      Given that the ARR affinity at App service level relies on a cookie in the domain of the service's host name binding, FrontDoor renders this effectively dead when serving the URL differently externally. Some form of cookie passthrough/rewriting for this would allow for app-level affinity to still be possible

      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Azure Front Door Service  ·  Flag idea as inappropriate…  ·  Admin →
    18. Make backend host header field behave consistently with portal

      Currently the behavior of a backend's "Backend Host Header" field behaves differently when you use the azure portal compared to when you use automation like ARM or Terraform.

      The documentation here states: https://docs.microsoft.com/en-us/azure/frontdoor/front-door-backend-pool#feedback

      > For example, a request made for www.contoso.com will have the host header www.contoso.com. If you use Azure portal to configure your backend, the default value for this field is the host name of the backend. If your backend is contoso-westus.azurewebsites.net, in the Azure portal, the autopopulated value for the backend host header will be contoso-westus.azurewebsites.net. However, if you use Azure Resource Manager templates or another…

      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Azure Front Door Service  ·  Flag idea as inappropriate…  ·  Admin →
    19. Add a URL Shortener / Short URL service to Front Door

      I have a map of rules that require redirects (301) and more flexible links for future maintenance -- similar to aka.ms or https://redirectiontool.trafficmanager.net tool that Microsoft uses internally.

      It'd be useful to have a service in Azure that provides these redirects backed by the CDN network (just how Azure Front Door works).

      I have thousands of these rules -- the costing per Routing rule would be too expensive to justify. Costing wise, perhaps redirects with no rewrites could be excluded from Routing Rules costs (or at least significantly cheaper)?

      9 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      0 comments  ·  Azure Front Door Service  ·  Flag idea as inappropriate…  ·  Admin →
    20. Provide an identifiable user agent for Front Door health probe requests

      HTTP requests sent by Azure FD for health probes should provide an identifiable User Agent, enabling application insights to filter these as synthetic traffic.

      Given the volume of requests this is going to be a problem for every Front Door user who uses AI telemetry

      8 votes
      Vote
      Sign in
      (thinking…)
      Sign in with: Microsoft
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      triaged  ·  0 comments  ·  Azure Front Door Service  ·  Flag idea as inappropriate…  ·  Admin →
    • Don't see your idea?

    Feedback and Knowledge Base