Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details
  • Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details
  • Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details
  • If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    How can we improve Azure Networking?

    You've used all your votes and won't be able to post a new idea, but you can still search and comment on existing ideas.

    There are two ways to get more votes:

    • When an admin closes an idea you've voted on, you'll get your votes back from that idea.
    • You can remove your votes from an open idea you support.
    • To see ideas you have already voted on, select the "My feedback" filter and select "My open ideas".
    (thinking…)

    Enter your idea and we'll search to see if someone has already suggested it.

    If a similar idea already exists, you can support and comment on it.

    If it doesn't exist, you can post your idea so others can support it.

    Enter your idea and we'll search to see if someone has already suggested it.

    • Hot ideas
    • Top ideas
    • New ideas
    • My feedback
    1. Stop/Start Virtual Network Gateway - to don't pay when it not in use

      There are two charges related to the Azure VPN service: the compute resource charge at $0.05/hour, and the egress data volume charge. Both are based on resource consumption, Unfortunately, even if the VPN tunnels are not connected, the gateway compute resource is still being consumed and will cost ~$38 monthly!
      This is not really "Pay only for what you use".

      Need functionality to “STOP” (and of course "START") a gateway if the customer is certain that the gateway will not be in use.

      970 votes
      Vote
      Sign in
      Check!
      (thinking…)
      Reset
      or sign in with
      • facebook
      • google
        Password icon
        Signed in as (Sign out)
        You have left! (?) (thinking…)

        Folks – thanks for you comments on this feature. We understand that this is an important ask for many customers. It is in our list of features to add and is being discussed. Once we decide on a timeline for supporting this we will make an announcement.

      • VPN Gateway monitoring

        It would be great to have monitoring options in the azure portal which would show the bandwidth usage and throughput charts. It would help in figuring out if the 100mbps limit of the standard gateway sku is being hit at peak loads. If the details can be further provided for each individual site-to-site or point-to-site connection then that would be great thing to have. It would help immensely in finding out which connection is hogging the bandwidth the most.

        367 votes
        Vote
        Sign in
        Check!
        (thinking…)
        Reset
        or sign in with
        • facebook
        • google
          Password icon
          Signed in as (Sign out)
          You have left! (?) (thinking…)
        • Site to Site VPN: allow local network range to include Azure VNET range

          I’ve created a virtual network (10.25.0.0/17) that our instances will live in, and created a local network representing CORPNET (10.0.0.0/8). In effect, we’re trying to have the virtual network be a subnet within our larger internal IP block to emulate an internal datacenter. When trying to create the site to site VPN using the local network, I get an error about an address conflict, which seems to be due to the virtual network and local network be overlapping.
          Per MSFT: The local network range cannot include the Azure VNET range. The local network definition(s) are used to establish routes between…

          362 votes
          Vote
          Sign in
          Check!
          (thinking…)
          Reset
          or sign in with
          • facebook
          • google
            Password icon
            Signed in as (Sign out)
            You have left! (?) (thinking…)
          • Auto-connect for point-to-site VPN.

            When the device is restarted, or internet connectivity is regained, the device automatically connects to the VPN again.

            270 votes
            Vote
            Sign in
            Check!
            (thinking…)
            Reset
            or sign in with
            • facebook
            • google
              Password icon
              Signed in as (Sign out)
              You have left! (?) (thinking…)
            • Provide multi-factor authentication capabilities in VPN client

              The ask is pretty self-explanatory.

              We want to host sensitive data in Azure VMs and enable connectivity only via P2S VPN.

              Today, the VPN client only requires having the cert to gain access the Azure Network. As the cert can easily end up in the hands of someone who shouldn't have access to it...it's not very secure.

              For MFA, integration with PhoneFactor would be cool. At a minimum, the VPN client should require a username/password in addition to requiring the cert.

              205 votes
              Vote
              Sign in
              Check!
              (thinking…)
              Reset
              or sign in with
              • facebook
              • google
                Password icon
                Signed in as (Sign out)
                You have left! (?) (thinking…)
              • 112 votes
                Vote
                Sign in
                Check!
                (thinking…)
                Reset
                or sign in with
                • facebook
                • google
                  Password icon
                  Signed in as (Sign out)
                  You have left! (?) (thinking…)

                  Thank you for your patience. This is still under review. We are working on other features that are moving us closer to being able to provide these capabilities, but cannot yet dedicate resources to this feature.
                  Thanks,
                  Bridget [MSFT]

                • Point-to-site VPN authentication support for Azure AD

                  Instead of only requiring on a certificate for authentication in Azure VPN Point-to-site solutions, it would be nice if the Azure networking team would consider adding support for username (UPN) and password that is authenticated against either Azure AD or ADFS.

                  109 votes
                  Vote
                  Sign in
                  Check!
                  (thinking…)
                  Reset
                  or sign in with
                  • facebook
                  • google
                    Password icon
                    Signed in as (Sign out)
                    You have left! (?) (thinking…)
                  • Improve VPN gateways performances and limits

                    Using VPN to connect sites to Azure is great. But we are rapidly hitting the gateways limits:
                    - One gateway per VNet
                    - A max of 30 Tunnels per gateway (10 and 20 for standard)
                    - A max of 200 Mb/s per gateway (shared by all VPNs)

                    Today, not all regions and customers can afford 'ExpressRoute' to get more bandwidth and scalability. So why this 'very limited' options.

                    74 votes
                    Vote
                    Sign in
                    Check!
                    (thinking…)
                    Reset
                    or sign in with
                    • facebook
                    • google
                      Password icon
                      Signed in as (Sign out)
                      You have left! (?) (thinking…)
                    • Allow native VPN S2S from Azure to AWS

                      Azure coexistence with AWS (and even GCP) is a very common scenario. Currently the only way to connect Azure and AWS is using a combination of Azure Virtual Network Gateway with a VM (Strongswan, OpenVPN, RRAS) deployed in AWS. We have no documentation around it, while Google provides VPN interoperability guidelines (here: https://cloud.google.com/compute/docs/vpn/interop-guides).

                      This is complicated to manage when you add things such as High Availability and all the required configuration. Also, these manual configurations are never the most optmized.

                      I understand we have a few different parameters vs. AWS and that's why Azure can't set up this S2S…

                      61 votes
                      Vote
                      Sign in
                      Check!
                      (thinking…)
                      Reset
                      or sign in with
                      • facebook
                      • google
                        Password icon
                        Signed in as (Sign out)
                        You have left! (?) (thinking…)

                        Thanks for the suggestion – this will require the new Azure VPN gateway SKUs to add IKEv1 support. It’s under review but will be in the longer term roadmap. For the short term, please leverage virtual appliances from Azure Marketplace to facilitate this connectivity.

                        Thanks,
                        Yushun [MSFT]

                      • Migration of VPN Gateway from old to new SKUs

                        Please provide risk mitigation ways to migrate from legacy VPN gateway SKUs to the new gateway SKUs. Currently, the only way is to delete everything and recreate it again.

                        51 votes
                        Vote
                        Sign in
                        Check!
                        (thinking…)
                        Reset
                        or sign in with
                        • facebook
                        • google
                          Password icon
                          Signed in as (Sign out)
                          You have left! (?) (thinking…)

                          Thanks for the suggestion. This is something we are looking into. But no downtime migration will be very challenging due to current platform constraints. We will likely need to take a phased approach with some downtime involved (maintenance windows required) while trying to preserve VPN gateway public IP addresses. Please stay tuned.

                          Thanks,
                          Yushun [MSFT]

                        • Use P2S VPN connection as default gateway (like standard VPN)

                          P2S connection is working fine and I can access VMs on VNET.

                          It would good to have feature if you enable [Use default gateway on remote network] that you can browse internet and it looks like you are coming from Azure network if you visit some site.
                          Something like proxpn, purevpn and similar services.

                          47 votes
                          Vote
                          Sign in
                          Check!
                          (thinking…)
                          Reset
                          or sign in with
                          • facebook
                          • google
                            Password icon
                            Signed in as (Sign out)
                            You have left! (?) (thinking…)

                            Hi,

                            This suggestion has two parts:

                            1. Use default route or forced tunneling on P2S client rather than split tunneling
                            2. Enable Azure VPN gateway as an forward proxy to the Internet

                            At this point, these will be considered as long term roadmap items.

                            Thanks,
                            Yushun [MSFT]

                          • 32 votes
                            Vote
                            Sign in
                            Check!
                            (thinking…)
                            Reset
                            or sign in with
                            • facebook
                            • google
                              Password icon
                              Signed in as (Sign out)
                              You have left! (?) (thinking…)
                            • Add option to connect or disconnect vpn

                              In ASM model, we have an option to connect or disconnect an vpn connection. Now in arm model if we need to disconnect a vpn we need to delete the connection and if we need to connect the vpn we need tonrecreate thw connection

                              31 votes
                              Vote
                              Sign in
                              Check!
                              (thinking…)
                              Reset
                              or sign in with
                              • facebook
                              • google
                                Password icon
                                Signed in as (Sign out)
                                You have left! (?) (thinking…)
                              • Set up a VPN device script Link as present in the Classic Portal

                                I was setting up the Site to Site in New portal and found the link to download the VPN script wasn't present as in Classic portal. It would be good we have that link in new portal so that we can share that Network admins to setup site-site Connection with on-premise and Azure Vnet

                                29 votes
                                Vote
                                Sign in
                                Check!
                                (thinking…)
                                Reset
                                or sign in with
                                • facebook
                                • google
                                  Password icon
                                  Signed in as (Sign out)
                                  You have left! (?) (thinking…)
                                • configurable MTU

                                  I've seen several conflicting recommendations for IPSec tunnel MTU/MSS.

                                  First and foremost, publishing this (preferably inside the tunnel slice/pane) is a good first step, since it'd allow us to know definitively what we can do.

                                  Second, and more significantly, I'd like to be able to CHANGE it... preferably by increasing the size... it seems that every time I turn around, the MTU needs to shrink - I'd rather leverage jumbo frames to allow higher throughput.

                                  19 votes
                                  Vote
                                  Sign in
                                  Check!
                                  (thinking…)
                                  Reset
                                  or sign in with
                                  • facebook
                                  • google
                                    Password icon
                                    Signed in as (Sign out)
                                    You have left! (?) (thinking…)

                                    Hi Scott,

                                    Thanks for the feedback – totally understand the pain points and confusion. There are a couple of constraints on the Azure side and also specifically with VPN. The key issue is this is for packets coming over the Internet which we can only assume total packet size of 1500 bytes max. Azure SDN platform performs additional encapsulation on the packets within our datacenter networks, so it will be subtracted from there.

                                    1. On the Azure VPN gateways, the recommendation is to set TCP MSS clamping to 1350; or if not possible for your device, then set MTU to 1400 bytes on the IPsec tunnel interface. We had updated/clarified the Azure documentation to call that out.

                                    2. Changing MTU currently is not possible from the Azure VPN gateways. We will take it into configuration, but it will not be possible in the short term due to the scale…

                                  • 16 votes
                                    Vote
                                    Sign in
                                    Check!
                                    (thinking…)
                                    Reset
                                    or sign in with
                                    • facebook
                                    • google
                                      Password icon
                                      Signed in as (Sign out)
                                      You have left! (?) (thinking…)
                                    • Make P2S (Point-To-Site) VPN work with Active-Active GW

                                      For running Production workloads in Azure we find that having a HA solution is important, and therefore using an Active-Active VPN GW is a must for us. Though we would also like to still use App Services linked to our custom vNet. At the moment this seems to not be possible as P2S VPN is not supported with a Active-Active GW.

                                      Therefore please make it compatible so we can connect App Services to our custom vNet and be able to communicate with onprem resources.

                                      15 votes
                                      Vote
                                      Sign in
                                      Check!
                                      (thinking…)
                                      Reset
                                      or sign in with
                                      • facebook
                                      • google
                                        Password icon
                                        Signed in as (Sign out)
                                        You have left! (?) (thinking…)
                                      • provide diagnostic ability in Azure Resource Manager VPN tunnels

                                        The PowerShell command that is used in the classic "ASM" VPN troubleshooting is not compatible with the new Azure Resource Manager VPN tunnels. This makes it very difficult to troubleshoot VPN problems.

                                        The newest Azure PowerShell doesn't provide any start-azureRMvirtualnetworkgatewaydiagnostics like the old azure services manager did.

                                        13 votes
                                        Vote
                                        Sign in
                                        Check!
                                        (thinking…)
                                        Reset
                                        or sign in with
                                        • facebook
                                        • google
                                          Password icon
                                          Signed in as (Sign out)
                                          You have left! (?) (thinking…)
                                        • To have the possibility to set radius timeout on the VPN gateway point to site confguration

                                          When using the new radius authentication feature on Azure VPN Gateway it would be nice to be able to control the timeout to the radius server. This would make the usage of Azure MFA for VPN authentication possible. (IT works now if users are very fast at answering the phone)

                                          13 votes
                                          Vote
                                          Sign in
                                          Check!
                                          (thinking…)
                                          Reset
                                          or sign in with
                                          • facebook
                                          • google
                                            Password icon
                                            Signed in as (Sign out)
                                            You have left! (?) (thinking…)
                                          • Allow special chartacters in the pre-shared key for IPSec VPN tunnels

                                            Allow special chartacters in the pre-shared key for IPSec VPN tunnels

                                            10 votes
                                            Vote
                                            Sign in
                                            Check!
                                            (thinking…)
                                            Reset
                                            or sign in with
                                            • facebook
                                            • google
                                              Password icon
                                              Signed in as (Sign out)
                                              You have left! (?) (thinking…)
                                            ← Previous 1
                                            • Don't see your idea?

                                            Feedback and Knowledge Base