Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview
  • Technical documentation
  • Pricing details

Traffic Manager:

  • Service overview
  • Technical documentation
  • Pricing details

Network Watcher:

  • Service overview
  • Technical documentation
  • Pricing details

If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    How can we improve Azure Networking?

    1. Allow creation of NSG rules based on FQDN along with Ports

      NSG gives the option to configure NSG rules with IP address and ports. In the same way, we need an option to configure inbound/outbound NSG rules based on the FQDN, because most of our customers want to block Internet access from their Azure IaaS VMs. If we do so, we lose the ability to configure Azure Disk Encryption, Azure Key Vault, Azure File Storage services, Azure Websites, etc., because all these Azure services require their endpoints (FQDNs) to be reachable from inside the VM.

      277 votes
    2. Allow network security groups to be created and renamed

      Currently, it seems I can't create security groups without creating an instance, or rename them for that matter. Or can I?

      My use case: I created an instance and an 'SSH' security group with it. Then decided I want to test HTTP as well via public IP. Oh well, I can't rename the SSH group to e.g. 'SSH+HTTP', nor can I create a new group to change the NIC to.

      258 votes
    3. Add Custom Tags to NSG Rules

      It would be great if we could define our own on-premise network ranges (using 'Named networks' in AAD?) and add these as Custom Tags to our NSG rules. Now we have our on-premise IP addresses/subnets as a separate item in every NSG. When these IP addresses/subnets change for whatever reason, we have to check every NSG and change this item. If we could use these 'centrally managed' IP addresses/subnets as 'Custom Tags' in our NSG rules, we wouldn't have to check and change every NSG rule with every IP address change.

      257 votes
    4. Add a Network Security Group tag for Windows Update

      I'd like to be able to block all outbound traffic on my NSG but still allow Windows Update to work. This is difficult to do as Windows Update depends on quite a few DNS names and the IP addresses of these apparently change often.

      If I could specify an "Allow" rule for a service tag called "WindowsUpdate" or similar with a higher priority than my "DenyAll" rule, this would achieve this.

      176 votes
    5. Ability to create source/destination objects containing multiple IP addresses/ranges

      When creating NSGs it would be nice to be able to define network object groups that contain a list of IP addresses or ranges which can then be applied to the source or destination addresses of the NSG. If I only want to allow services to a specific set of IPs I have to create a rule for each distinct IP address. Even having the ability to add multiple IPs or IP ranges would work for source/destination but objects would be better so they can be used across multiple rules.

      155 votes
    6. Network Security Group

      +Feature Request Discussion - There is a continued need for more intelligent NSGs going forward. This is not only to provide a more dynamic, distributable, scalable network but to replace more traditional models for DMZ designs, focusing on distributed designs that do not rely on Virtual Appliances.

      The following features, I believe, would put Azure ahead of other cloud providers. These could be canned as a premium offering charged per NSG on any number of measures, even number of requests etc.

      1. DNS Based Rules
      2. NSG NameSpaces for MS Public Services especially Azure PaaS Servers by Service
      3. Custom…

      119 votes
    7. Allow specification of multiple ports in a single NSG rule

      Allow a comma separated list of port numbers to allow a single rule to provide (for example) access to a domain controller (which would normally require the following ports opened: 53, 88, 135, 139, 389, 445, 464, 636, 1025, 3268-3269, 5722, 9389, 49152-65535).
      This seems to be basic functionality for firewall applications, but the absence of this ability within NSG rules means that the 200 soft limit (400 hard limit) is reached extremely quickly in a corporate environment.

      110 votes
    8. create predefined NSG for Azure Datacenters IP Range

      Let's say I have a VM that I want to restrict access to from the outside. I want this VM to be accessible from my on-prem IPs and from Azure IPs (since a part of my infrastructure is on Azure). Since at the moment of discussion ARM VMs do not support static IP addresses, it will be very useful to create an NSG for allowing traffic only from Azure IP ranges. Right now you cannot create such an NSG because an NSG only allows a maximum of 100 rules. So, it will be a great idea to have predefined NSG to limit…

      88 votes
    9. multiple network security groups per NIC

      Allow multiple Network Security Groups per NIC. Amazon Web Services allows multiple NSGs to be associated to a NIC. This allows us to define one NSG for "Remote Access", a second for VLAN (it allows itself) and a third for "server role" (DC, SQL, etc.).

      87 votes
    10. Copy NSG

      I want to copy a new NSG from an existing NSG's similar policy.
      I don't want to keep making the same or a similar NSG policy.
      An NSG copy function is required.

      87 votes
    11. Setting NSG immediately

      When NSG is set from PowerShell or the portal, the operation successfully completes soon but it takes a few minutes before the NSG setting will take effect.
      Please set NSG setting immediately.

      68 votes
    12. Enable the application of Network Security Group rules to groups of IPs

      Allow the creation of groups that contain multiple IP addresses. Then allow the application of Network Security Group rules to the group. As an example I could create a group, add the IP addresses of all my Domain Controllers to the group, then apply rules to the group, rather than duplicating rules for each Domain Controller where the only difference is the IP address.

      60 votes
    13. Support enabling and disabling NSG rules

      Support enabling and disabling NSG rules

      It would be nice if we could disable rules instead of having to delete them like other firewall products support :)

      59 votes
    14. Extend Locks to Individual Azure NSG Rules

      Extend Locks to Individual Azure NSG Rules.

      Large corporate environments need the flexibility to offer business units and employees Azure Development and POC environments that can still be secured but still allow flexibility to users.

      Companies need to have the ability to lock down block and allow NSG rules at the 100 level so they cannot be deleted by users but still allow users the ability to add / delete / modify other rules. NSG rule locks would provide the needed flexibility and security to these types of Azure environments. In addition, Azure Policy deployIfNotExists would also be needed to…

      49 votes
    15. NPS Extension for Azure MFA (IP Whitelist)

      Can you also add a feature that allows us to add a subnet range instead of a single IP address in the IP Whitelist (NPS Extension for Azure MFA)?

      47 votes
    16. Rename NSG policy

      Allow us to rename a previously created NSG policy to another name. It would make naming much easier. Now we have to re-create all policies again.

      43 votes
    17. add a source tag for Office 365 IPs to NSG Rules

      Consider adding support for multiple address ranges in NSG rules or add a source tag for Office 365 IPs.

      Currently it is a nightmare to add all addresses for Exchange Online. We need an NSG policy for each address range :)

      https://feedback.azure.com/forums/217313-networking/suggestions/11716131-add-a-source-tag-for-azure-datacenter-ips-to-nsg-r

      39 votes

      We’re addressing this need with “Service Tags” which allow network security group rules to refer to Azure services such as “Storage” or “Sql” and the list of IP addresses is maintained transparently by the Azure platform. See here for more information: https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#service-tags
      We’ll be adding tags for additional Azure services over time.

    18. Be able to manage Role/Action at subnet level inside a vnet

      In the ARM and RBAC model: possibility to have the subnet as an independent resource, to be able to say using RBAC: "I want my user1 to be able to deploy VMs to subnets 1 and 2 but not 3, because subnet 3 is an infrastructure subnet unauthorized to users."

      35 votes
    19. Network and Service object group support for NSG

      Network and Service object group support is missing in Network Security Group (NSG). This makes NSG more difficult to manage and control. Please consider this to make NSG more efficient.

      34 votes
    20. Add additional IP Protocols for NSG Rules

      Add the ability to add additional IP Protocols (i.e. ICMP, EIGRP, so forth) to an NSG rule. The only option today is TCP, UDP, or "*". Currently to allow ICMP you have to allow any protocol "*" and any port "*" in the rule instead of simply adding a rule for ICMP specifically. This inhibits the ability to meet security controls for isolation required in NIST SP800-53.

      30 votes