Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details

Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details

Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details

If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    1. Possibility to change default gateway and force traffic via 3rd party gateway deployed as VM in Azure.

      Traffic generated by VMs in Azure is not possible to be filtered or monitored right now. As there are vendors offering this type of functionality, it would be great to redirect machines to a 3rd party gateway running in the cloud. Implementation for the Azure team is trivial: change one DHCP option and disable the default Azure gateway.

      1,154 votes
      10 comments  ·  Network Security Groups
    2. Add a source tag for Azure Datacenter IPs to NSG Rules

      On the following link, we are able to get the list of the Azure datacenter / endpoint IPs that are actually used.

      https://www.microsoft.com/EN-US/DOWNLOAD/DETAILS.ASPX?ID=41653

      Please add a source tag like INTERNET or VIRTUALNETWORK to use Azure IP addresses in NSG rules.

      917 votes
      40 comments  ·  Network Security Groups
    3. Add the ability to set firewall rules at the subnet level

      I would like the ability to set firewall rules at the subnet level in order to create a properly segmented network (i.e. DMZ vs. Internal).

      630 votes
      8 comments  ·  Network Security Groups
    4. Enable ICMP traffic to Azure VMs over the Internet

      There are several scenarios in which ICMP traffic to Azure VMs is necessary, especially for monitoring tools that require this kind of communication. At the time this was written, AWS offers ICMP traffic controlled by endpoints, which is not possible with Azure VM endpoints.

      565 votes
      37 comments  ·  Network Security Groups
    5. Network Security Group logging capabilities to show dropped packets

      Enable Network Security Group logging capabilities to show dropped packets.

      Please provide a way to log the dropped packets that are blocked by Network Security Groups and make the log accessible to us for auditing and security reasons.

      500 votes
      17 comments  ·  Network Security Groups
    6. Add a Network Security Group tag for Azure Service

      Add a Network Security Group tag for Azure Services. Currently, if I create a rule blocking outbound internet traffic for a VNet or Subnet, blob.core.windows.net is blocked, causing all sorts of issues. The only workaround now is to create rules to allow MS datacenter public IPs, and this list can change at any time. Having all these services in one tag would allow us to block outbound internet traffic without blocking access to Azure resources.

      125 votes
      9 comments  ·  Network Security Groups
    7. Allow specification of multiple ports in a single NSG rule

      Allow a comma separated list of port numbers to allow a single rule to provide (for example) access to a domain controller (which would normally require the following ports opened: 53, 88, 135, 139, 389, 445, 464, 636, 1025, 3268-3269, 5722, 9389, 49152-65535).
      This seems to be basic functionality for firewall applications, but the absence of this ability within NSG rules means that the 200 soft limit (400 hard limit) is reached extremely quickly in a corporate environment.

      110 votes
      19 comments  ·  Network Security Groups
    8. ACLs for Outbound Traffic to Limit Exfiltration

      ACLs currently limit only inbound traffic, and not outbound traffic. But to reduce the risk of data exfiltration on a compromised host, you want to limit outbound traffic as well. Many firewalls and security appliances already do this.

      79 votes
      0 comments  ·  Network Security Groups
    9. Provide operation logs for Network Security Rules

      Hi,
      I have spent a large amount of time troubleshooting network security rules (added to a group and attached to a subnet). While they appear rather simple at first, the complexity comes when the source and destination IP is either DIP, PIP, VIP or RIP depending on the connection and the ports are dynamic or randomly allocated. Add to this the fun of trying to work out a load-balanced incoming IP, and I dream of the day I can open the log and resolve my issue.

      60 votes
      completed  ·  0 comments  ·  Network Security Groups
    10. Add tags for NSG on a portal with datacenter ranges

      We have ranges of IPs for each datacenter.

      Instead of current tags (internet, azureloadbalance) we could add AzureWestUS, AzureNorthEurope
      https://www.microsoft.com/en-us/download/details.aspx?id=41653

      51 votes
      5 comments  ·  Network Security Groups
    11. Packet tracert functionality for Network Security Group (NSG).

      As NSG rules become more complex, it would be great to have troubleshooting.
      For example, I want to define a source IP address/port and destination IP/port, and the tool would check whether traffic is allowed and, if not, what rule denies it.

      39 votes
      0 comments  ·  Network Security Groups
    12. Dealing with NSG in Azure portal

      It will be great to have the ability to deal with Network Security Groups in Azure portal. Currently the ability is there only using PS scripts.

      The real value add is when you have RBAC for NSG and enable it in the portal; a lot of project teams can decide and choose the relevant NSG groups to apply based on RBAC, if they can or not.

      31 votes
      2 comments  ·  Network Security Groups
    13. Add NSG Service Tag for OMS Services.

      We have Azure VMs with NSG rules that deny all internet traffic and would like to be able to add a rule to allow communication with OMS services like Log Analytics by a service tag rather than by individually whitelisting every address range in the Azure Datacenter IP space.

      29 votes
      5 comments  ·  Network Security Groups
    14. Network Security Group logging interesting flows (Source/Destination IP ports)

      Currently the NSGs are limited by only logging event and rule counters. These logs are good to have but not useful in doing security correlation or specific flow troubleshooting.

      Requesting Azure Team incorporates specific flow EX:

      (Specific IP A) (source protocol)>>>(Specific IP B) (destination protocol) action

      Rather than what we get today is only the policy that was consumed (broad and not specific):

      }","subnetPrefix":"10.10.10.0/24" matchedConnections":###

      (subnetPrefix) (source protocol)>>>(subnetPrefix) (destination protocol) action

      26 votes
      2 comments  ·  Network Security Groups
    15. Add a "comment" property to Network Security Group rules

      It's possible to tag a whole group, but not an individual inbound or outbound rule. I often find myself adding a bunch of IPs to an NSG, and it would be really great to see this in the console. If it's a property, it could be managed via the ARM templates too.

      22 votes
      2 comments  ·  Network Security Groups
    16. When we add the NSG security rules it would be nice if we can choose an "Azure data center" tag.

      When we add the NSG security rules it would be nice if we can choose an "Azure data center" tag like the "Internet" tag in the destination tag.

      21 votes
      1 comment  ·  Network Security Groups
    17. When Network Security Group applied for Subnet or changes writes this Azure Log.

      We need records in the log when someone applies or removes an NSG for a subnet. Also, it would be great to log changes to NSR rules.

      19 votes
      1 comment  ·  Network Security Groups
    18. Accept a list of allowed ports separated by comma in network security group

      Please allow the ability to specify a list of non-continuous ports for inbound and outbound rules on network security groups. Currently adding several non-continuous ports to allow specific subnets requires one rule for each combination of port and subnet.

      16 votes
      0 comments  ·  Network Security Groups
    19. Allow for Inter-app networking

      Right now if I want a shared service (MongoDB for example) I need to either set up a dedicated MongoDB app and have my other applications talk to its load balancer or I need to create one Mega-App that has all my MongoDB services and MongoDB itself. Both of these approaches have pros and cons but are generally cumbersome.

      The way Amazon does it is everything is assigned to a "security group". Security groups determine which ports are publicly accessible and everything in a security group can directly talk to every other machine in that security group through its internal…

      9 votes
      6 comments  ·  Network Security Groups
    20. Log all requests including source IP for NSG

      I need to generate a report of all source IPs over port 80 for a given day for a specific VM.

      9 votes
      0 comments  ·  Network Security Groups