When the UDR is associated with the subnet, it is not possible to connect by RDP from the Internet, or to other services exposed on the Internet.
If I could create the NAT rule on the Azure Firewall I could expose any service to the Internet and this issue would be resolved.
Thank you so much.
Best Regards
1 vote
If there are many VNETs connected to the ExpressRoute, the traffic of one VNET can impact the other VNETs' traffic. We need a way to see which source IP and destination IP traffic is responsible for filling up the ExpressRoute. Current NSG flow data does not include the amount of data between endpoints, so we need another way of analysing the top consumers of the ExpressRoute.
1 vote
Connectivity check is being integrated with Network Watcher connection monitoring. Upcoming shortly.
For business purposes, we want to offer an idea: selecting the peering IP from a non-gateway subnet while using Azure VPN BGP. This IP is currently allocated from the gateway subnet, but we want to change it to a specific IP. Let's say our address space range is 10.0.0.0/16 and our gateway subnet is 10.0.0.0/24, with peering IP 10.0.0.254, but one of our subnets is 10.13.100.70/28 and we want to change the peering IP to 10.13.100.70. This is currently impossible; could you make some changes in the future?
1 vote
Thanks for the suggestion – we will look into this request. But this is currently not on the roadmap.
I would like to set up a packet filter for the VPN gateway.
It would be the same as the RRAS packet filter setting:
an inbound IP address and port range filter, and an outbound IP address and port range filter.
Our VNET connects between sites with customers' VNETs via the VNET gateway. Even if there is an attack from outside the customer's VNET, I do not want our VNET to be endangered. I would like to filter traffic arriving at our VNET by source IP and destination port number.
How can this be realized?
Thanks for the feedback. This is currently not planned. To protect your virtual network, one suggestion is to set up a Network Security Group on your subnets or NICs to filter out unwanted traffic.
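As an added example (not code from the thread above or from Azure), the following Python model shows how the NSG suggestion plays out for the scenario in the post: traffic arriving from a customer VNet through the VNet gateway. It assumes the NSG semantics Azure documents (rules evaluated in ascending priority order, first match wins, three default inbound rules at priorities 65000/65001/65500 that cannot be deleted), and that the `VirtualNetwork` service tag covers the VNet's own address space plus any ranges reached through peering or a VPN/ExpressRoute gateway. The address ranges, rule names and the `Rule`/`evaluate` helpers are constructed for the example. The point it makes is that the default `AllowVnetInBound` rule already admits the customer VNet's traffic, so filtering by source IP and destination port requires an explicit deny with a lower priority number than 65000, not just an allow rule.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology (assumption): our VNet address space and the customer
# VNet that is reachable through the VNet gateway.
OUR_VNET = ipaddress.ip_network("10.0.0.0/16")
CONNECTED_RANGES = [ipaddress.ip_network("192.168.0.0/16")]
AZURE_LB_PROBE = ipaddress.ip_address("168.63.129.16")  # Azure load balancer health-probe source


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # lower number is evaluated first
    access: str          # "Allow" or "Deny"
    source: str          # CIDR, "*", or service tag "VirtualNetwork" / "AzureLoadBalancer"
    dest_ports: str      # "*", "443" or a range such as "8000-8010"
    protocol: str = "*"  # "Tcp", "Udp" or "*"


def source_matches(source, ip):
    if source == "*":
        return True
    if source == "VirtualNetwork":
        # The tag covers the VNet itself plus ranges reached via peering or a
        # gateway, which is why the customer VNet's traffic matches the default rule.
        return ip in OUR_VNET or any(ip in r for r in CONNECTED_RANGES)
    if source == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE
    return ip in ipaddress.ip_network(source)


def port_matches(dest_ports, port):
    if dest_ports == "*":
        return True
    if "-" in dest_ports:
        low, high = (int(p) for p in dest_ports.split("-"))
        return low <= port <= high
    return port == int(dest_ports)


def evaluate(rules, src_ip, dst_port, protocol):
    """Return (access, rule name) of the first matching rule, by ascending priority."""
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if source_matches(rule.source, ip) and port_matches(rule.dest_ports, dst_port):
            return rule.access, rule.name
    raise RuntimeError("no rule matched; an NSG always ends with DenyAllInBound")


# The three default inbound rules every NSG carries; they cannot be deleted,
# only overridden by custom rules with a lower priority number.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*"),
]

# Custom rules implementing the filter asked for in the post: only HTTPS from
# the customer VNet is admitted; everything else from that range is dropped.
FILTERED_INBOUND = [
    Rule("AllowCustomerHttps", 100, "Allow", "192.168.0.0/16", "443", "Tcp"),
    Rule("DenyCustomerOther", 200, "Deny", "192.168.0.0/16", "*"),
] + DEFAULT_INBOUND


if __name__ == "__main__":
    # With only the defaults, RDP from the customer VNet is let through.
    print(evaluate(DEFAULT_INBOUND, "192.168.5.10", 3389, "Tcp"))
    # With the explicit rules, only 443 from the customer VNet survives.
    print(evaluate(FILTERED_INBOUND, "192.168.5.10", 443, "Tcp"))
    print(evaluate(FILTERED_INBOUND, "192.168.5.10", 3389, "Tcp"))
    # Traffic inside our own VNet and unsolicited Internet traffic are unaffected.
    print(evaluate(FILTERED_INBOUND, "10.0.1.5", 3389, "Tcp"))
    print(evaluate(FILTERED_INBOUND, "203.0.113.7", 443, "Tcp"))
```

The same ordering applies to a real NSG: put the narrow allow rules first, follow them with a deny for the whole connected range, and check the effective security rules on the NIC afterwards to confirm that `AllowVnetInBound` is no longer the rule that matches the gateway traffic.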
How about enabling viewing of the MS Azure AS number on the portal when configuring Private Peering?
1 vote
Thank you for the feedback. If I understand correctly, you would like us to display the ExpressRoute ASN on the portal so that you do not have to access the documentation when configuring the peer ASN, as an easy reference.
Look forward to your response!
We have a configuration where we want VMs on the same subnet to communicate directly through the virtual network, and VMs on different subnets to communicate through a firewall. We have done this by defining a unique route table for each subnet.
It would be far better to have a "Local Subnet" object so that a single route table could be used for all the subnets in a VNet. For example, create a route with Address Prefix "Local Subnet" and next hop "Virtual Network".
1 vote
VMs in the same subnet already connect directly through the virtual network. Subnets are part of the virtual network. Not sure your ask is clear. Please elaborate on the overall scenario that requires such configuration.
Currently, Application Gateway is the only service on Azure that supports offloading certificates for SSL, but Application Gateway can take a long time to provision and update with changes, and is unable to handle the high stress levels imposed by some apps. Application Gateway should be quick to provision and update after configuration changes, and it should be able to handle large numbers of requests per minute (e.g., 6,000 per minute).
1 vote
We recently introduced changes which make any update to the Gateway complete in less than a minute. We are also working on reducing provisioning time. Regarding SSL offload performance, you should be able to increase the number of instances to scale out and handle increased load. 6000 new SSL connections per minute is not a lot and should be servable by a single Large instance. Please open a support ticket if you are seeing issues with performance at this scale.
Splitting a resource group for each service makes it hard to connect the service to the network.
I propose VNet peering free of charge, or network service globalization.
1 vote
Can the VPN gateway push a new DNS server address to the client when the client connects?
1 vote
Delete a network security group: this description is insufficient. Please make it better.
1 vote
Do you mean in the Azure Portal?
Let us know and we will update.
- Anavi N [MSFT]
I need to get the bandwidth utilized per month, with cost, only for Internet traffic in/out of the datacenter (excluding VM-to-VM traffic in/out). It would be helpful for firewall, WAF and SIEM kinds of implementation analysis (if historic usage is available for the last 1 hr, 24 hrs, 7 days, 30 days matrix).
1 vote
Hi there, you should be able to see this in your Azure bill.
Let us know if you’re looking for something different.
- Anavi N [MSFT]
We should be able to attach multiple public IPs to a single NIC without having multiple private IPs.
It is very difficult to configure 3rd-party firewalls needing a 1:1 mapping between public IPs and private IPs as far as routing rules go.
1 vote
Hi there, what is the scenario for this?
Could you leverage Public IP Prefix with outbound rules?
- Anavi N [MSFT]
When I try to change the IP for more than one inbound rule, there is a validation message saying that the port is duplicated (although it is not).
Expected not to see this message.
1 vote
Currently the SonicWall NSv (Firewall/Security/VPN/Router) BYOL plans start from NSv200 (unlimited nodes). For SMB offices and private companies the optimal starting plan would be NSv25 (up to 25 nodes): optimal for budget and resources used.
1 vote
For now we can only dump network flow logs from NSGs in the same region as our storage account. If we have to export flow logs from all regions we have to create 27 different storage accounts. On top of that, if I want to export my flow logs to an external application I have to create 27 different trigger functions, which is very cumbersome to manage.
1 vote
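As an added example (not code from this thread or from Azure), the following Python script shows what an external application fed from the exported flow logs can do with them, and it also addresses the earlier ExpressRoute post asking which source/destination pairs fill the circuit: it walks the NSG flow log blob layout, sums the byte counters per (src, dst) pair and reports the top talkers, optionally restricted to flows with one end in a given prefix such as the on-premises range carried over ExpressRoute. It assumes the version 2 flow log format (records with `properties.flows[].flows[].flowTuples`, each tuple being `timestamp,src,dst,srcport,dstport,proto,direction,decision,state,packets src->dst,bytes src->dst,packets dst->src,bytes dst->src`, with begin tuples carrying empty counters); version 1 tuples have no counters and are skipped. The sample blob, the resource IDs, the addresses and the `ONPREM` prefix are constructed for the example.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample in the NSG flow log version 2 layout (assumption, see lead-in).
# "B" tuples have empty counters; "C" and "E" tuples carry the counters for their interval.
SAMPLE_LOG = json.dumps({"records": [
    {"time": "2018-11-13T12:00:35.3899262Z",
     "category": "NetworkSecurityGroupFlowEvent",
     "resourceId": "/SUBSCRIPTIONS/EXAMPLE/RESOURCEGROUPS/RG1/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG1",
     "properties": {"Version": 2, "flows": [
         {"rule": "UserRule_AllowHttps", "flows": [{"mac": "000D3AF87856", "flowTuples": [
             "1542110377,10.0.0.5,192.168.1.20,51389,443,T,O,A,B,,,,",
             "1542110437,10.0.0.5,192.168.1.20,51389,443,T,O,A,C,120,9000,80,400000",
             "1542110497,10.0.0.5,192.168.1.20,51389,443,T,O,A,E,10,800,5,120000",
             "1542110440,10.0.0.7,192.168.1.30,51400,445,T,O,A,C,50,4000,30,2000",
             "1542110441,10.0.0.7,10.0.1.9,51401,443,T,O,A,C,10,1000,10,1000"]}]},
         {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
             "1542110402,94.102.49.190,10.5.16.4,28746,443,U,I,D,B,,,,"]}]}]}}]})

# Constructed on-premises prefix reached over ExpressRoute (assumption).
ONPREM = ipaddress.ip_network("192.168.0.0/16")


def iter_flow_tuples(raw_json):
    """Yield one dict per flow tuple across every record, rule and NIC in a flow log blob."""
    for record in json.loads(raw_json)["records"]:
        props = record["properties"]
        if props.get("Version") != 2:
            continue  # version 1 tuples carry no byte/packet counters
        for rule_block in props["flows"]:
            for nic in rule_block["flows"]:
                for line in nic["flowTuples"]:
                    f = line.split(",")
                    yield {
                        "time": int(f[0]), "src": f[1], "dst": f[2],
                        "sport": int(f[3]), "dport": int(f[4]),
                        "proto": f[5], "direction": f[6], "decision": f[7],
                        "state": f[8], "rule": rule_block["rule"], "mac": nic["mac"],
                        # counters are empty strings on "B" tuples
                        "bytes_s2d": int(f[10]) if f[10] else 0,
                        "bytes_d2s": int(f[12]) if f[12] else 0,
                    }


def top_talkers(raw_json, n=5, within=None):
    """Total bytes per (src, dst) pair in both directions, largest first.
    `within` (an ip_network) keeps only flows with at least one end in that
    prefix, e.g. the on-premises range carried over ExpressRoute."""
    totals = defaultdict(int)
    for t in iter_flow_tuples(raw_json):
        if t["state"] == "B":
            continue  # flow just started, no counters yet
        if within is not None:
            src, dst = ipaddress.ip_address(t["src"]), ipaddress.ip_address(t["dst"])
            if src not in within and dst not in within:
                continue
        totals[(t["src"], t["dst"])] += t["bytes_s2d"] + t["bytes_d2s"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    for (src, dst), nbytes in top_talkers(SAMPLE_LOG, within=ONPREM):
        print(f"{src:>15} -> {dst:<15} {nbytes:>10} bytes")
```

Pointing `iter_flow_tuples` at each hourly blob downloaded from the per-region storage accounts gives one aggregation across all regions; the denied inbound flow in the sample never appears in the totals because a dropped flow only ever produces a begin tuple with empty counters.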
We've run into a recent problem where we couldn't dynamically upgrade (from 100Mb to 500Mb) an ExpressRoute circuit quickly when needed. We were told the MS NNI to our carrier (Verizon) was at capacity. The only option was to re-create the ExpressRoute circuit and then re-provision the Verizon SCI side of the link (took about 2 weeks). I would like to see Microsoft working with the carriers on a method of dynamically moving connections to different NNIs with capacity if needed. Maybe there is a grooming operation that runs between MS and the carriers that dynamically moves these links to new NNIs to keep the overall utilization on NNIs at a certain capacity. In talking with the support engineer regarding this topic, this is a very common occurrence and the support teams would also like to see this fixed. It's not convenient for customers to potentially have to re-provision circuits constantly when upgrades are needed. Along with this, it would be a very nice feature to be able to downgrade ExpressRoute circuits.
1 vote
Valid suggestion, subject to upvote.
On the Azure side, on a Basic S2S VPN gateway, the VPN gateway always configures a traffic selector of 0.0.0.0/0, not taking into consideration the configured on-premises address ranges. This is by design and makes the Basic gateway a non-usable product.
If you want split tunneling you are forced to an advanced gateway with policy-based traffic selectors, even if you are only establishing one single tunnel.
More info on case 119020925000183
1 vote
Valid suggestion, subject to upvote.
The WAF fails to establish a successful health probe against the web service SAP Cloud Connector with custom TLS 1.2, and we struggled to find the issue from the WAF side.
The WAF fails to establish a successful health probe against the web service SAP Cloud Connector with custom TLS 1.2, and we struggled to find the issue from the WAF standpoint. That is, we modified multiple TLS 1.2 algorithms and tested to fix the issue. Why is the custom/selected TLS 1.2 algorithm not working? Can you build a "front-end troubleshooting page or packet capture page" to select the correct TLS 1.2 or elect the correct TLS 1.2 automatically?
Moreover, could you rename "Listener" to "Backend Listener"? Because this name is really confusing alongside the frontend certificate and backend TLS parameters.
1 vote
Thanks for the valid suggestion. Your feedback is now open for the user community to upvote, which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature.
My lists of Application Gateway rules, listeners and HTTP settings are growing very fast. I've applied a naming convention but the lists are in random order, so it's hard to find the settings which are for the same customer.
1 vote
Thanks for the valid suggestion. Your feedback is now open for the user community to upvote, which allows us to effectively prioritize your request against our existing feature backlog and also gives us insight into the potential impact of implementing the suggested feature.