We have requirements from customers to restrict access via their company subnets. It would be very nice if the App Gateway supported not only the SSL offload but the ability to apply ACLs to allow or deny access via a defined network range using X-FORWARDED-FOR headers.
54 votes
I want to be alerted when my metered ExpressRoute is reaching a certain limit (at which it is cheaper for me to go with the unlimited model).
Overall, no monitoring is supported to verify whether peering is up or how much inbound and outbound traffic is going through the ExpressRoute/Virtual Network Gateway.
The ExpressRoute is critical, and therefore its state needs to be monitored.
52 votes
We have ranges of IPs for each datacenter.
Instead of the current tags (Internet, AzureLoadBalancer) we could add AzureWestUS, AzureNorthEurope.
https://www.microsoft.com/en-us/download/details.aspx?id=41653
51 votes · 5 comments · Security (ACLs, Firewalls, Intrusion Detection)
Thank you for your suggestion; it is a good idea, and we are considering adding this to our available system tags.
Please provide risk-mitigation ways to migrate from legacy VPN gateway SKUs to the new gateway SKUs. Currently, the only way is to delete everything and recreate it again.
51 votes
Thanks for the suggestion. This is something we are looking into. But a no-downtime migration will be very challenging due to current platform constraints. We will likely need to take a phased approach with some downtime involved (maintenance windows required) while trying to preserve VPN gateway public IP addresses. Please stay tuned.
I'm experimenting with using App Gateway as a frontend server to do URL routing to one Windows App Service and one Linux App Service, via the portal. I'm an hour into this process because each and every step takes many minutes to complete.
50 votes
Thanks for your feedback. We are working on improving the update experience to make it faster. As an alternate suggestion, please note that multiple configuration steps can be combined into a single update via PowerShell or ARM template for faster updates.
Can you provide any guidance on when we could expect to see this awesome tool in Azure Stack? It would be hugely beneficial.
49 votes
We are reviewing plans to add Network Watcher capability into Azure Stack.
The P2S connection is working fine, and I can access VMs on the VNet.
It would be good to have a feature where, if you enable [Use default gateway on remote network], you can browse the internet and it looks like you are coming from the Azure network when you visit a site.
Something like proxpn, purevpn and similar services.
47 votes
This suggestion has two parts:
1. Use default route or forced tunneling on P2S client rather than split tunneling
2. Enable Azure VPN gateway as a forward proxy to the Internet
At this point, these will be considered as long term roadmap items.
It would be nice if we could purchase elastic IPv6 blocks of IPs; then, when setting up an endpoint for a VM, we could select the specific IP from the block for the endpoint.
47 votes
We currently offer the option of reserving single IPv4 public addresses. Reservation of blocks of IPv4 and IPv6 public addresses is, unfortunately, still in the works; we apologize for the delay.
On a related topic, Azure now offers load-balanced, dual-stack (IPv4+IPv6) Internet connectivity for Azure VMs. This native IPv6 connectivity (TCP, UDP, HTTP; inbound- and outbound-initiated) all the way to the VM enables a broad range of service architectures. IPv6 for Azure VMs is available now in most Azure regions. Data transfers over IPv6 are billed at the same rates as IPv4. For more information, please visit this Overview of IPv6 for Azure Load Balancer: https://azure.microsoft.com/en-us/documentation/articles/load-balancer-ipv6-overview/
Please provide Azure Services with an internal endpoint (at least Azure Storage and Azure Backup) to build up machines without an Internet connection.
43 votes
Storage service tags give this capability, and it has been completed. Private IP for storage is under review.
Vote for allowing UDP through the firewall, such as inbound ping, because ping is the minimum required for so many apps.
43 votes
Thank you for suggesting this. This is in feature backlog and we’re looking at this again now for supporting ICMP ping to VIP.
IPv4 addresses are running out and Azure has had a lot of problems with this, resolved by buying IPv4 address pools at a significant cost.
Some users and cloud deployments only require connectivity with on-premises networks (either IPv4 or IPv6, not both).
Make IPv6 available for all services and allow the option of choosing what type of addresses are required (IPv4+IPv6 or IPv6 only).
● Giving each cloud service a /60 (or bigger) instead of a /64;
● Making IPv6 addresses static, since pool depletion is no longer an issue.
43 votes
This is closely related to the suggestion “Support IPv6 Throughout the Azure Platform” but we’re taking this suggestion as ensuring ALL the various Azure services (Storage, etc.) offer IPv6 connectivity.
A step towards this goal is the IPv6 connectivity now available for Azure VMs. Azure now offers load-balanced, dual-stack (IPv4+IPv6) Internet connectivity for Azure VMs. This native IPv6 connectivity (TCP, UDP, HTTP; inbound- and outbound-initiated) all the way to the VM enables a broad range of service architectures. IPv6 for Azure VMs is available now in most Azure regions. Data transfers over IPv6 are billed at the same rates as IPv4. For more information, please visit this Overview of IPv6 for Azure Load Balancer: https://azure.microsoft.com/en-us/documentation/articles/load-balancer-ipv6-overview/
Please add suggestions for the specific scenarios/services you need IPv6 enabled for, to help guide our prioritization and work.
The Azure Networking IPv6 feature team
I am looking for a way to completely block access to Azure resources from outside of Japan. Access from abroad is most likely from a person who is not from our company.
Recently, I have been terribly worried because there is a lot of illegal access from outside the country. It would be very reassuring to have the ability to shut off foreign access in Azure. This scenario is difficult to achieve because the NSG feature has a limit on the number of IP addresses that can be restricted.
41 votes
Thank you for your suggestion. We are planning to offer more in the NSG space as well as DDoS solutions.
Or allow the external IP address to be fixed/allocated to the Hosted Service.
The scenario is that during the lifetime of the application you may need to modify the number of endpoints, and re-deploy the solution BUT KEEP PUBLIC IP.
The best would be if Swap VIP could handle this, to avoid downtime, but I am willing to have some downtime as long as Upgrade is supported. This is to avoid the service being unavailable while DNS CNAME records are updated.
41 votes
Thank you for suggesting this. This is in feature backlog and we’re looking at this again now for ARM IaaS VMs.
Please support EV SSL certificates in Application Gateway. What is the reason they aren't supported already?
40 votes
Thank you for your feedback. This is part of the product roadmap. We will send a notification once this is completed.
Currently, although it is possible to create a peering between VNets within the same region, the same thing can also be carried out with the address space and subnets in a VNet.
When VNet peering can be created to another region in the same geo, I believe that network design and expansion will become easy.
I kindly ask for your consideration.
40 votes
Hi, this has been in preview. More info: https://azure.microsoft.com/en-us/updates/global-vnet-peering-preview/
I would like to see the user agent that Traffic Manager uses in its HTTP requests as part of monitoring/probing become formalized, so that applications can take a dependency on the user agent string name without worrying about it changing in the future and affecting an application whose behavior depends on the user agent.
For an example where the user agent string is needed to comply with URL canonicalization needs along with Traffic Manager being involved, please refer to http://social.msdn.microsoft.com/Forums/azure/en-US/d9f8e779-644d-4263-990c-9de5a7cf403c/is-the-user-agent-for-traffic-manager-guaranteed.
40 votes
We included formalizing the Traffic Manager user agent string in our roadmap.
It would be good, when we create a Route/UDR, to have the possibility to select a service tag or Azure region IP range in "Next Hop Type".
40 votes
Thank you for the feedback. We will consider this for inclusion in our planning.
I'd like to be able to block all outbound traffic on my NSG but still allow Windows Update to work. This is difficult to do, as Windows Update depends on quite a few DNS names, and the IP addresses of these apparently change often.
If I could specify an "Allow" rule for a service tag called "WindowsUpdate" or similar with a higher priority than my "DenyAll" rule, this would achieve this.
40 votes · 2 comments · Security (ACLs, Firewalls, Intrusion Detection)
Thanks for the feedback, we’ll include it as part of our Service Tag program to allow customers to easily define traffic for Windows Updates.
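The rule ordering this idea relies on (a service-tag "Allow" that must outrank a catch-all "Deny") is easy to get backwards, so here is an added example, not from this thread or from Azure, that models NSG outbound evaluation as a pre-deployment check: rules are tried in ascending priority number and the first match wins. The "WindowsUpdate" tag and its prefixes are hypothetical, as in the post; the rule fields mirror the NSG ones but the evaluator is a simplified model, not the platform's implementation.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed service-tag table: tag name -> destination prefixes.
# "WindowsUpdate" is hypothetical (the post asks for such a tag); the
# prefixes are documentation ranges, not real Microsoft endpoints.
SERVICE_TAGS = {
    "WindowsUpdate": ["203.0.113.0/24", "198.51.100.0/24"],
    "Internet": ["0.0.0.0/0"],
}

@dataclass
class Rule:
    name: str
    priority: int              # lower number is evaluated first (custom rules: 100..4096)
    access: str                # "Allow" or "Deny"
    protocol: str              # "Tcp", "Udp" or "*"
    dest: str                  # service tag, CIDR prefix or "*"
    dest_ports: set = field(default_factory=lambda: {"*"})

def _dest_matches(dest, ip):
    """True if the flow's destination IP falls in the rule's tag/prefix."""
    if dest == "*":
        return True
    prefixes = SERVICE_TAGS.get(dest, [dest])   # unknown tag -> treat as CIDR
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)

def evaluate(rules, ip, port, protocol="Tcp"):
    """Return (access, rule name) of the first rule that matches, by priority.
    Falls back to Azure's built-in DenyAllOutBound (priority 65500)."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.protocol not in ("*", protocol):
            continue
        if "*" not in r.dest_ports and port not in r.dest_ports:
            continue
        if _dest_matches(r.dest, ip):
            return r.access, r.name
    return "Deny", "DenyAllOutBound"

# The configuration the post describes: Allow wins because 100 < 4096.
allow_wu = Rule("AllowWindowsUpdate", 100, "Allow", "Tcp", "WindowsUpdate", {80, 443})
deny_all = Rule("DenyAll", 4096, "Deny", "*", "*")

if __name__ == "__main__":
    print(evaluate([allow_wu, deny_all], "203.0.113.10", 443))   # ('Allow', 'AllowWindowsUpdate')
    print(evaluate([allow_wu, deny_all], "93.184.216.34", 443))  # ('Deny', 'DenyAll')
```

Swapping the two priority numbers makes the same flow hit "DenyAll" first, which is the misconfiguration this check is meant to catch before the NSG is applied.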
The 'OWASP 3.0' (3.0.0) WAF rule set generates a lot of false positives, even on random base64 payloads. The only option is to disable many rules.
Two examples which frequently trigger on SAML authentication exchanges are 932140 (https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/671) and 941120 (https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/675).
OWASP CRS 3.0.2 reworked some rules in order to reduce some of these false positives. Please support CRS 3.0.2 (either as an in-place upgrade for 3.0.0, or as a new option).
38 votes
Thanks for your feedback. This is planned as a new supported RuleSet.
We need a new configuration in Azure Traffic Manager.
When the prior region is replying with intermittent healthy responses to Traffic Manager, failover and failback occur repeatedly.
(e.g., if the endpoint returns HTTP 500 intermittently due to some system failure, and TM happens to receive HTTP 200 when it probes, TM sends requests to the troubled endpoint until the next probe.)
We need a configuration option for manual failback.
38 votes
Thanks for the suggestion, we’ll consider how we can best support failover/failback during ‘grey’ failures in future, including a manual failback option.