Networking
The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.
Virtual Network:
Traffic Manager:
Network Watcher:
If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.
-
Allow creation of NSG rules based on FQDN along with Ports
NSG gives option to configure NSG rules with IPAddress and Ports. Same like that we need option to configure Inbound/Outbound NSG rules based on the FQDN. Because most of our customers wants to block Internet access from their Azure IaaS VMs, If we do so, we lose the ability to configure Azure Disk Encryption, Azure Keyvault, Azure File Storage Services, Azure Websites...etc. Because all these Azure services requires its endpoints (FQDN) to be reachable from inside the VM
375 votesThis remains on our long-term backlog as something we want to offer
For now we recommend trying Azure Firewall as the prefered solution to control outbound to Internet
-Mario [MSFT]
-
Add Custom Tags to NSG Rules
It would be great if we can define our own on-premise network ranges (using 'Named networks' in AAD?) and add these as Custom Tags to our NSG rules. Now we have our on-premise ip-adresses/subnets as a seperate item in every NSG. When these ip-adresses/subnets change for whatever reason, we have to check every NSG and change this item. If we could use these 'centrally managed' ip-adresses/subnets as 'Custom Tags' in our NSG's rules we don't have to check and change every NSG rule with every ip-address change.
335 votesThis remains on our long-term backlog as something we want to offer
-Mario [MSFT]
-
Allow network security groups to be created and renamed
Currently, it seems I can't create security groups without creating an instance, or rename them for that matter. Or can I?
My use case: I created an instance and and 'SSH' security group with it. Then decided I want to test HTTP as well via public IP. Oh well, I can't rename the SSH group to e.g. 'SSH+HTTP', nor can I create a new group to change the NIC to.
303 votesThis remains on our long-term backlog as something we want to offer
-Mario [MSFT]
-
Copy NSG
I want to copy new NSG from the existing NSG's similar policy.
I don't want to keep making the same or similar to the NSG policy.
The NSG copy function is required.92 votesHi Kimsejum
Thank you for sharing your idea, we’ll take this into consideration for future improvements
-
create predefined NSG for Azure Datacenters IP Range
Let's say I have a VM that I want to restrict access from the outside. I want this VM to be accessible from my onprem IPs and from Azure IPs (since a part of my infrastructure is on azure). Since at the moment of discussion ARM VMs do not support static IP address, it will be very useful to create a NSG for allowing traffic only from azure IP ranges. Right now you cannot create such NSG because a NSG only allows a maximum of 100 rules. So, it will be a great idea to have predefined NSG to limit…
88 votesThanks for the feedback, service tag is called AzureCloud and it’s already available in all regions
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#service-tags
-
Support enabling and disabling NSG rules
Support enabling and disabling NSG rules
It would be nice if we could disable rules instead of having to delete them like other firewall products support :)
62 votesThanks for your feedback
We’ll review this feature to include it on our roadmap.
-
NPS Extension for Azure MFA (IP Whitelist)
Can you also add in a feature whereby it allow us to add in a range of subnet instead of a single IP address in the IP Whitelist (NPS Extension for Azure MFA)?
57 votes -
add a source tag for Office 365 IPs to NSG Rules
Consider adding support for multiple address ranges in NSG rules or add a source tag for Office 365 IPs.
Currently it is a nightmare to add all addresses for Exchange Online. We need a NSG policy for each address range :)
54 votesWe’re addressing this need with “Service Tags” which allow network security group rules to refer to Azure services such as “Storage” or “Sql” and the list of IP addresses is maintained transparently by the Azure platform. See here for more information: https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#service-tags
We’ll be adding tags for additional Azure services over time. -
Rename NSG policy
Allow us to rename previously created NSG policy to another name. It would make naming much easier. Now we have to re-create all policy again
46 votesThanks for your feedback, this feature is under review for future improvements
-
Network Security Rules by MAC address also.
Network Security Rules by MAC address also. Right now the portal only allows filtering via IP address or CIDR block. I would like to allow remote laptops to access but their WAN IP keeps changing.
44 votesHi JMartinez
Thanks for the feedback, we’ll consider this feature for future improvements
-
Be able to manage Role/Action at subnet level inside a vnet
In ARM and RBAC model : Possiblity to have the subnet as an independant resource to be able to say using RBAC : "i want my user1 to be able to deploy VM to subnet 1 and 2 but not 3 because subnet 3 is an infrastructure subnet unhautorized to users."
41 votesThank you for your suggestion, we added this to our roadmap.
-
Network and Service object group support for NSG
Network and Service object group support is missing in Network security Group (NSG). This makes NSG more difficult to Manage and control. Please consider this to make NSG more efficient.
34 votesThanks for the feedback! we are looking into exposing system tags for STORAGE and SQL in the near term.
System Tag for is also on our roadmap for future improvements -
Add DNS names to NSG source/ destination options like we currently can with IP addresses and tags
Enable NSGs to use DNS names instead of only IP addresses, Tags and any. A lot of services have very dynamic IP adresses. Using DNS names would help a lot.
32 votes[Sumeet M]: Thanks for your feedback. Currently we are focusing on Tags. We will review the suggestion in subsequent milestones.
-
WAF - Allow access to configure ModSecurity variables such as tx.high_risk_country_codes
The tx.high_risk_country_code and other variables like GeoIP database need to be configured for rules in REQUEST-910-IP-REPUTATION to have any affect. These could be defaulted to a value (and documented) for now, but overriding these ModSecurity variables per instance is needed in the future.
As it stands right now it appears that these are not configured, and are leading to people thinking they are protected by these rules when they are not.
28 votesThank you for your suggestion. We are reviewing it and will get back to you.
-
Replicate NSG to new region when using Azure Site Recovery
This is really needed feature!
The benefit having this is when setup Azure Site Recovery, which replicates VNET and VMs to a different region BUT there is no way to replicate NSGs! Manual work to replicate all security rules from one NSG in source region to another NSG to target region can take up hours if there are 200+ security rules !Please implement this.
Thanks23 votes -
Service Groups (tcp/udp) for Network Secrurity Group (NSG) for complex services.
Some time for services to work we need many tcp/udp ports. For example to limit access from DMZ to AD in another subnet we need to create a lot-lot-lot of rules.
Is it possible to create object with needed tcp/udp ports group and apply this service group to one NSG rule.22 votesThank you! This is a great suggestion – we are currently reviewing this for future updates to NSGs.
-
allow KMS traffic in Azure Firewall
Azure Firewall currently block by default traffic to Azure KMS servers, this should be included in the built-in to not disrupt license validation.
12 votes -
have the ability to use more than one asg in an nsg rule (separated with , for example)
let's say that i have 2 apps that i want to be able to access any endpoint.
APP A containing these servers:10.0.0.1,10.0.0.2
and APP B: 10.0.0.4,10.0.05my nsg rule will use :10.0.0.1,10.0.0.2,10.0.0.4,10.0.05
if i`m moving to work with asg i want the ability to add both app a and app b together in the same nsg rule.will it be supported?
10 votesThanks for the feedback, we have this improvement on the roadmap, today you’ll need to create 2 induvidual rules to achieve the same goal
We’ll incorporate the improvement on a future iteration.
-
Network Security Groups - Windows Server Roles and Features Rules
Can a feature be added to allow easy addition of inbound and outbound rules to an NSG for Windows Server Roles e.g. Active Directory Domain Services to add rules for SMB/LDAP/Kerberos to match the rules created/enable by adding a Feature in Server Manager in Windows Server OSs.
8 votesThanks for the feedback, this is something we are evaluating, having a simplified version for common use cases, looking forward to improve our feature with your feedback.
-
Ability to group Network Security Groups
Consider adding some kind of grouping functionality within Network Security Groups. This would make things a lot more simple
Somekind like this: https://blogs.technet.microsoft.com/isablog/2009/11/25/forefront-tmg-rule-grouping/
8 votesHi Peter
Thanks for the feedback we are looking into NSG improvements like grouping for rules and VM/NICs
- Don't see your idea?