Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    1. Support Proxy Protocol

      The current Azure Load Balancer implementation does not support the Proxy Protocol as AWS does (https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-proxy-protocol.html).

      This makes implementing OpenShift on Azure troublesome as the real client IP is not available to backends (https://docs.openshift.com/container-platform/3.9/installconfig/router/proxyprotocol.html).

      The proxy protocol allows pass-through of real client IPs to the backend application for TCP load balancer setups. This may be particularly important for OpenShift deployments or the like, where the certificate management should be done in the PaaS platform (on the router) and not on the ELB.

      Right now the OpenShift template from MS (https://github.com/Microsoft/openshift-origin) uses TCP…

      3 votes
      4 comments  ·  Load Balancer

      Thank you for your feedback.

      Azure Load Balancer does not terminate connections, it is not a proxy, and does always preserve the source IP address of the inbound flow.

      We don’t provide logging from the Load Balancer resource itself, but you can use NSG flow logs to retrieve flow information as needed.

    2. PowerShell Command for Associating Backend Pools to InboundNAT rules on a Load Balancer

      Need a PowerShell command to allow association of an existing Backend Pool to an InboundNAT rule, as currently this can only be achieved manually after rule creation and is extremely tedious and time-consuming.

      3 votes
      0 comments  ·  Load Balancer
    3. Test alert for diag log.

      I want to confirm whether the LB can send diagnostic logs to the storage account, but I couldn't manage to put any logs intentionally. So I hope we can use a test alert for the diagnostic log.

      3 votes
      1 comment  ·  Load Balancer
    4. Provide access logging of the load balancer

      It would be great if we could get a log of all connections served by the load balancer, including the date/time, source IP:Port, the backend server it had forwarded to, connection duration, etc.

      3 votes
      declined  ·  1 comment  ·  Load Balancer
    5. Provide wider range of config options similar to HAProxy

      Currently, the available config options of ILB are very limited and thus we have to somehow rely on an HAProxy setup to achieve specific load-balancing needs. It would be nice if you could extend and mimic the options of HAProxy, most notably weights and custom ACLs, along with custom probe settings.

      3 votes
      0 comments  ·  Load Balancer

      Thank you for your suggestion. I’m going to decline this for now as the Azure Load Balancer is a TCP & UDP load balancer and does not have layer 7 functionality. Application Gateway or a 3rd party product may be a solution for the interim. I have noted the ask, but any change to this for Azure Load Balancer would be long term.

      That said, we are looking at weighting, ACLs, and probe enhancements again now.

    6. Test alert for LoadBalancerAlertEvent.

      I can't confirm whether ALB can put diagnostic logs to a storage account. I hope we will be able to put a test alert in the future.

      3 votes
      0 comments  ·  Load Balancer
    7. Load balancer inbound NAT rule to arbitrary IP

      Having an IPSec to on-prem, I would like to leverage an Azure Load Balancer to provide inbound NAT to services hosted on a private network (across the IPSec tunnel).

      Currently LBs can only direct to a VM or Availability Set, not user-specified IPs.

      It might make sense to create a "Private IP Address" resource type that would identify the 1..N addresses that the LB is NAT'ing to... or just let me plug in 1..N addresses.

      3 votes
      0 comments  ·  Load Balancer
    8. Load Balancer should drop all packets for ports not configured

      Load Balancer should drop all packets for ports not configured before they get to my NSGs. See REG: 119012221000062 for additional information. Basically, the Azure LB installed as part of the Azure AD service is configured for port 443. But my NSG flow logs show packets arriving on a port other than 443 and incidentally for the destination as the public IP associated with the LB. My initial complaint was why do I see such a public IP address and I was told this is unavoidable because SNAT is enabled on this LB. I have no control over this LB…

      3 votes
      0 comments  ·  Load Balancer

      Thank you for the feedback. As per the information provided (accurately) in the support case, the packet does not reach your VM but does show up in NSG flow logs as dropped. This is by design and a result of Load Balancer being a pass-through network load balancer, particularly when SNAT ports are open. What you are observing is not packets reaching the virtual machine.
      — Christian

    9. Allow Basic Port Forwarding With Network Load Balancer for all Services

      Azure Network Load Balancer should support basic port forwarding, many customers have firewall rules that block PaaS Services. Today you can create a port forwarder with NLB, but only to its supported endpoints. Ideally you could forward to any Azure hostname or IP address.

      3 votes
      0 comments  ·  Load Balancer
    10. Send FIN after probe confirms healthy

      The current behaviour of the four way handshake of the health probe is to not send the FIN until the next probe is due.

      The FIN should be sent as soon as the health has been confirmed.

      For example:
      We've got an Azure Load Balancer running over a RabbitMQ cluster with a health probe set to check port 5672 every 60 seconds.

      A packet capture shows the following:


      1. Load balancer SYN

      2. RabbitMQ ACK

      3. Load Balancer ACK

      4. 10 seconds later RabbitMQ RST

      5. Another 50 seconds later Load Balancer FIN

      Azure load balancer documentation declares that it does a four way handshake…

      3 votes
      1 comment  ·  Load Balancer

      Thank you for the feedback. We don’t have any near term plans to change probe behavior.

      A possible workaround may be to use an HTTP endpoint and configure an HTTP probe or increase the RabbitMQ timeout.

      Or you can instead substitute Azure Service Bus, which also supports AMQP.
      — Christian

    11. Allow the load balancer to support Azure databases as a backend pool

      It would be great if, in addition to Availability Sets and VMs, the various databases from Azure (MySQL, and PostgreSQL) could be part of a back end pool.

      2 votes
      0 comments  ·  Load Balancer
    12. In ACS Context We Need LBs Doing SSL Offload

      In the context of Azure Container Services (Kubernetes in my case), it is a problem having Azure LBs with zero SSL Offloading. It's fine that SSL Offloading is offered with Application Gateways, but when ACS provisions a Kubernetes cluster with Azure LBs you have no ability out of the box to offload SSL for hosting web applications. It's great that Azure Kubernetes has a plugin to automate exposing pods via the Azure Load Balancer, but we need to have a way to do SSL load balancing that doesn't involve routing through nginx containers.

      1 vote
      declined  ·  1 comment  ·  Load Balancer
    13. Optionally allow virtual servers a direct connection to the Internet, NAT is too limiting

      Forcing NAT for every VM makes it much more difficult to build Highly Available systems using Azure.

      IPSec is the most common way to secure communications across the Internet and is often used in IaaS when setting up highly available services.

      For example, if I want to replicate MongoDB from US EAST to US WEST, using IPSec between the two VMs is the easiest way to accomplish that.

      But Azure forces NAT for every VM making it impossible to use IPSec.

      1 vote
      2 comments  ·  Load Balancer
      declined  ·  Narayan Annamalai responded

      Thanks for the feedback.

      Although we will be working on providing a dedicated NAT IP address for a virtual machine we will not be routing the traffic directly to the VM, it will still go through Azure’s NAT device.

      For high availability, Azure offers free load balancing on a cloud service. You can put 1 or more instances behind a public IP and can take advantage of the load balancing Azure provides to customers as a basic service.

      I will be interested to know if that does not solve a particular scenario.

      Thanks!

    14. 1 vote
      0 comments  ·  Load Balancer
    15. Load balanced set form not displaying

      The Load balanced set creation form or details view doesn't display correctly. Instead, some sort of crying cloud icon is displayed. When clicking on the icon, it "flashes" the correct form but the crying cloud comes back.

      1 vote
      0 comments  ·  Load Balancer
    16. Bug: Incorrect message When deleting VM regarding Internal Load balancer

      When I delete a virtual machine that belongs to an internal load balancer in the new portal, the display says it will delete the load balancer and I can't deselect this even though there are other machines connected to the load balancer. In the end it's not deleted, but it's a false message.

      1 vote
      0 comments  ·  Load Balancer
    17. Auto-start Secondary Website when using Failover

      I would like to be able to have my website stopped and waiting for failover and automatically started when the failover occurs.

      I could do this but I would have to set up my own monitoring service.

      1 vote
      0 comments  ·  Load Balancer
    18. SLBv2 HAPort Preview

      For the HAPort feature just announced in preview at Ignite 2017: after registering the preview feature from the CLI, I tried to create an HA rule but it failed with the error:
      Failed to save load balancer rule 'harule'. Error: Subscription 4507938f-a0ac-4571-978e-7cc741a60af8 is not registered for feature Microsoft.Network/AllowILBAllPortsRule required to carry out the requested operation

      1 vote
      0 comments  ·  Load Balancer
    19. Response substring matcher in load balancer

      Support the common load balancer feature of matching a substring in probe responses as well as checking response codes. For one or both of Azure LB or Application Gateway products.

      This permits simple and dynamic switching of servers between load balancer pools (e.g. live and staging pools, or dedicated and public pools) by updating a health check page without reconfiguration and/or restarts.

      1 vote
      2 comments  ·  Load Balancer
    20. How to configure SSL on Azure LoadBalancer

      Hi,

      We have configured 2 Windows resources and each has an Apache server. Now we have enabled a load balancer for these 2 instances and it's working fine.

      I need to configure SSL for the load balancer. Please share the steps/guide to configure SSL on Azure load balancer.

      1 vote
      0 comments  ·  Load Balancer