Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview

  • Technical documentation

  • Pricing details
  • Traffic Manager:

  • Service overview

  • Technical documentation

  • Pricing details
  • Network Watcher:

  • Service overview

  • Technical documentation

  • Pricing details
  • If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    How can we improve Azure Networking?

    You've used all your votes and won't be able to post a new idea, but you can still search and comment on existing ideas.

    There are two ways to get more votes:

    • When an admin closes an idea you've voted on, you'll get your votes back from that idea.
    • You can remove your votes from an open idea you support.
    • To see ideas you have already voted on, select the "My feedback" filter and select "My open ideas".
    (thinking…)

    Enter your idea and we'll search to see if someone has already suggested it.

    If a similar idea already exists, you can support and comment on it.

    If it doesn't exist, you can post your idea so others can support it.

    Enter your idea and we'll search to see if someone has already suggested it.

    • Hot ideas
    • Top ideas
    • New ideas
    • My feedback
    1. Make Traffic manager able to access Web Apps that uses Authentication

      Traffic manager is currently unable to get the status of a Web App that's using the Authentication/Authorization (simple auth) feature. It would be nice if it could use some kind of service account (or similar) to get authenticated and get the Web App status but still have the security features intact.

      10 votes
      Vote
      Sign in
      Check!
      (thinking…)
      Reset
      or sign in with
      • facebook
      • google
        Password icon
        I agree to the terms of service
        Signed in as (Sign out)
        You have left! (?) (thinking…)
      • To know what IP Addresses are used by NAT on Public Peering

        Currently we know that the Microsoft Edge Routers are doing NAT translation for the packets coming from Public Peering.
        Sometimes we need to know what IP addresses are used for that, but there is no way to know that without contacting Microsoft Support.
        We want to know which addresses are used on Portal or PowerShell.

        27 votes
        Vote
        Sign in
        Check!
        (thinking…)
        Reset
        or sign in with
        • facebook
        • google
          Password icon
          I agree to the terms of service
          Signed in as (Sign out)
          You have left! (?) (thinking…)
          under review  ·  0 comments  ·  ExpressRoute  ·  Flag idea as inappropriate…  ·  Admin →
        • Increase backend http setting limit on Application Gatway

          Application gateway has a backend http setting limit of 20.
          We want to use it in front of Service Fabric and legacy cloud applications.
          Each of our service fabric apps runs on its own port and so requires a probe, http setting and url rule.
          We exceeded the 20 fairly rapidly.

          56 votes
          Vote
          Sign in
          Check!
          (thinking…)
          Reset
          or sign in with
          • facebook
          • google
            Password icon
            I agree to the terms of service
            Signed in as (Sign out)
            You have left! (?) (thinking…)
            3 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
          • Traffic Manager should default to port 443 for HTTPS

            First time configuring Traffic Manager and I pointed it at https but forgot to change the port, took a support call to resolve.

            Suggest that the default port be changed to 443 if you toggle to https, or at least warn that you are on a non-default https port

            5 votes
            Vote
            Sign in
            Check!
            (thinking…)
            Reset
            or sign in with
            • facebook
            • google
              Password icon
              I agree to the terms of service
              Signed in as (Sign out)
              You have left! (?) (thinking…)
            • Ability to group Network Security Groups

              Consider adding some kind of grouping functionality within Network Security Groups. This would make things a lot more simple

              Somekind like this: https://blogs.technet.microsoft.com/isablog/2009/11/25/forefront-tmg-rule-grouping/

              7 votes
              Vote
              Sign in
              Check!
              (thinking…)
              Reset
              or sign in with
              • facebook
              • google
                Password icon
                I agree to the terms of service
                Signed in as (Sign out)
                You have left! (?) (thinking…)
              • Faster configuration updates

                I'm experimenting with using App Gateway as a frontend server to do URL routing to one Windows App Service and one Linux App Service, via the portal. I'm an hour in to this process because each and every step takes many minutes to complete.

                38 votes
                Vote
                Sign in
                Check!
                (thinking…)
                Reset
                or sign in with
                • facebook
                • google
                  Password icon
                  I agree to the terms of service
                  Signed in as (Sign out)
                  You have left! (?) (thinking…)
                  0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →

                  Thanks for your feedback. We are working on improving the update experience to make it faster. As an alternate suggestion, please note that multiple configuration steps can be combined into a single update via PowerShell or ARM template for faster updates.

                • Show domain in logs

                  The access logs for the application gateway only show the routes. We use a single gateway to host multiple sites and some have similar folder structures, this makes evaluating access and tracing issues a bit difficult. It would be great if the actual domain (http://www.something.com) was listed in there too.

                  10 votes
                  Vote
                  Sign in
                  Check!
                  (thinking…)
                  Reset
                  or sign in with
                  • facebook
                  • google
                    Password icon
                    I agree to the terms of service
                    Signed in as (Sign out)
                    You have left! (?) (thinking…)
                    under review  ·  0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
                  • Allow customization of Application Gateway WAF rule matching

                    I would like to be able to selectively remove some cookies and some HTTP headers from all rule application scans, on a case by case basis.

                    Problem Statement:
                    The web application firewall functionality of the application gateway scans the entire HTTP message, without the ability to customize where the scan will occur.

                    This leads to false positives where scan pattern matches will detect suspicious characters in URL encoded blobs like security or access tokens, or in other arbitrary places like cookies.

                    The following Microsoft tools have caused this problem on my environment:
                    - Kudu tools for web applications
                    - API…

                    18 votes
                    Vote
                    Sign in
                    Check!
                    (thinking…)
                    Reset
                    or sign in with
                    • facebook
                    • google
                      Password icon
                      I agree to the terms of service
                      Signed in as (Sign out)
                      You have left! (?) (thinking…)
                      0 comments  ·  Application Gateway  ·  Flag idea as inappropriate…  ·  Admin →
                    • Add OMS integration for NSG Flog Logs

                      Currently you can only send flow logs to a storage account. Add support for sending them to OMS.

                      22 votes
                      Vote
                      Sign in
                      Check!
                      (thinking…)
                      Reset
                      or sign in with
                      • facebook
                      • google
                        Password icon
                        I agree to the terms of service
                        Signed in as (Sign out)
                        You have left! (?) (thinking…)
                        0 comments  ·  Network Watcher  ·  Flag idea as inappropriate…  ·  Admin →
                      • Support enabling and disabling NSG rules

                        Support enabling and disabling NSG rules

                        It would be nice if we could disable rules instead of having to delete them like other firewall products support :)

                        17 votes
                        Vote
                        Sign in
                        Check!
                        (thinking…)
                        Reset
                        or sign in with
                        • facebook
                        • google
                          Password icon
                          I agree to the terms of service
                          Signed in as (Sign out)
                          You have left! (?) (thinking…)
                        • Rename NSG policy

                          Allow us to rename previously created NSG policy to another name. It would make naming much easier. Now we have to re-create all policy again

                          17 votes
                          Vote
                          Sign in
                          Check!
                          (thinking…)
                          Reset
                          or sign in with
                          • facebook
                          • google
                            Password icon
                            I agree to the terms of service
                            Signed in as (Sign out)
                            You have left! (?) (thinking…)
                          • time protocol

                            Network Time - Precision Time Protocol (IEEE 1588 std) support

                            Azure should provide a know reference service for a network time protocol such as NTP or preferably for the IEEE 1588 standard Precision Time Protocol, or provide this as an option with the Blockchain service.

                            10 votes
                            Vote
                            Sign in
                            Check!
                            (thinking…)
                            Reset
                            or sign in with
                            • facebook
                            • google
                              Password icon
                              I agree to the terms of service
                              Signed in as (Sign out)
                              You have left! (?) (thinking…)
                              under review  ·  0 comments  ·  Virtual Networks (VNET)  ·  Flag idea as inappropriate…  ·  Admin →
                            • Offer IPv6 nameservers

                              Currently Azure DNS only provides IPv4 nameservers. Please provide IPv6 nameservers as well, preferably 2 or 3 of them along with the IPv4.

                              21 votes
                              Vote
                              Sign in
                              Check!
                              (thinking…)
                              Reset
                              or sign in with
                              • facebook
                              • google
                                Password icon
                                I agree to the terms of service
                                Signed in as (Sign out)
                                You have left! (?) (thinking…)
                              • Network Watcher in Azure Stack?

                                Can you provide any guidance on when we could expect to see this awesome tool in Azure Stack? it would be hugely beneficial

                                7 votes
                                Vote
                                Sign in
                                Check!
                                (thinking…)
                                Reset
                                or sign in with
                                • facebook
                                • google
                                  Password icon
                                  I agree to the terms of service
                                  Signed in as (Sign out)
                                  You have left! (?) (thinking…)
                                  2 comments  ·  Network Watcher  ·  Flag idea as inappropriate…  ·  Admin →
                                • Increase Idle Timeout on Internal Load Balancers to 120 Mins

                                  We use Azure Internal Load Balancers to front services which make use of direct port mappings for backend connections that are longer than the 30 min upper limit on the ILB. That is, our ILBs accept port connections on a nominated set of ports and pass those connections to the backend services running on the same ports.
                                  We are experiencing dropped TCP connections from clients connecting to the backend services via the ILB. After investigating the issue in collaboration with the Azure Networking Team it was verified that altering the default OS TCP keep alive duration to below 30mins would…

                                  117 votes
                                  Vote
                                  Sign in
                                  Check!
                                  (thinking…)
                                  Reset
                                  or sign in with
                                  • facebook
                                  • google
                                    Password icon
                                    I agree to the terms of service
                                    Signed in as (Sign out)
                                    You have left! (?) (thinking…)
                                    under review  ·  0 comments  ·  Load Balancing  ·  Flag idea as inappropriate…  ·  Admin →
                                  • Allow a VM's NIC to use a VNET\Subnet from another Subscription

                                    Given that the syntax of json deployment templates allows referencing resources by a unique resourceid which includes the guid of the subscription, I would like to create a VM in subscription 'A', whose NIC references a subnet that is part of a VNET in subscription 'B'.

                                    The reason for this is two-fold:
                                    1) This would allow a corporate networking function to securely manage all the networking infrastructure in a corporate IT-owned and managed subscription, but allow it to be consumed by line-of-business units, whose subscriptions are restricted (via ARM policies) to not allow the creation of VNETs.
                                    2) This would…

                                    16 votes
                                    Vote
                                    Sign in
                                    Check!
                                    (thinking…)
                                    Reset
                                    or sign in with
                                    • facebook
                                    • google
                                      Password icon
                                      I agree to the terms of service
                                      Signed in as (Sign out)
                                      You have left! (?) (thinking…)
                                      under review  ·  1 comment  ·  Virtual Networks (VNET)  ·  Flag idea as inappropriate…  ·  Admin →
                                    • Allow option to choose the SSL endpoint to target for Azure Web App endpoints in Traffic Manager

                                      There is a limitation with using Traffic Manager with Azure Web Apps/App Services right now.

                                      See this article: https://docs.microsoft.com/en-us/azure/app-service-web/web-sites-configure-ssl-certificate#step-3-change-your-domain-name-mapping-ip-based-ssl-only

                                      When a user combines both IP-based SSL and SNI-based SSL bindings in their app service, SNI-based bindings need to have different DNS configurations in order to work properly. The SNI-based bindings need to target "sni.<appname>.azurewebsites.net" instead of just <appname>.azurewebsites.net.
                                      It's not possible to directly get to the site at "sni.<appname>.azurewebsites.net" as it's only used for SSL routing in the App Service infrastructure, so you cannot use this URL when adding the App Service as an external endpoint (pinging fails and it…

                                      4 votes
                                      Vote
                                      Sign in
                                      Check!
                                      (thinking…)
                                      Reset
                                      or sign in with
                                      • facebook
                                      • google
                                        Password icon
                                        I agree to the terms of service
                                        Signed in as (Sign out)
                                        You have left! (?) (thinking…)

                                        Hi Matt,

                                        Thank you for the feedback. We are always looking to increase the ease in which different Azure services can be consumed together and this falls into that. We will be definitely looking into this specific integration point.

                                        Azure Networking Team

                                      • Cisco CSR 1000v supports upto 5 Gbps of throughput on AWS but it only allows 500 Mbps throughput on Azure. Why this limitation on Azure?

                                        Cisco supports upto 5Gbps of throuput on AWS but only allows 500 Mbps on MS Azure. What is the reason for this limited throughput on Azure? I believe there are some join tests done by Cisco and Microsoft before concluding this limitation? How do we overcome this limitation?

                                        4 votes
                                        Vote
                                        Sign in
                                        Check!
                                        (thinking…)
                                        Reset
                                        or sign in with
                                        • facebook
                                        • google
                                          Password icon
                                          I agree to the terms of service
                                          Signed in as (Sign out)
                                          You have left! (?) (thinking…)
                                          under review  ·  1 comment  ·  Speed/Bandwidth  ·  Flag idea as inappropriate…  ·  Admin →
                                        • Allow transitive network flow between peered VNET's

                                          if we assume Three networks.

                                          VNET1 <> VNET2 <>VNET3

                                          <> denotes vnet peering

                                          A machine on VNET1 cannot directly see a machine in VNET3

                                          We would like this facility to enable us to build a network design without having to use vitual network appliances to make this happen.

                                          7 votes
                                          Vote
                                          Sign in
                                          Check!
                                          (thinking…)
                                          Reset
                                          or sign in with
                                          • facebook
                                          • google
                                            Password icon
                                            I agree to the terms of service
                                            Signed in as (Sign out)
                                            You have left! (?) (thinking…)
                                            under review  ·  0 comments  ·  Virtual Networks (VNET)  ·  Flag idea as inappropriate…  ·  Admin →
                                          • Support VNET re-deployment without destroying subnets

                                            When you deploy a VNET from an ARM template in incremental mode I would expect omitting the subnet property would not change the subnets since they are child resources. Instead they are destroyed. I think this is inconsistent with all other similar resource types e.g. app service plans and web apps, azure SQL servers and databases, etc... Please make VNETs and subnets deployments consistent.

                                            https://github.com/Azure/azure-quickstart-templates/issues/2786

                                            62 votes
                                            Vote
                                            Sign in
                                            Check!
                                            (thinking…)
                                            Reset
                                            or sign in with
                                            • facebook
                                            • google
                                              Password icon
                                              I agree to the terms of service
                                              Signed in as (Sign out)
                                              You have left! (?) (thinking…)
                                              under review  ·  1 comment  ·  Virtual Networks (VNET)  ·  Flag idea as inappropriate…  ·  Admin →
                                            • Don't see your idea?

                                            Feedback and Knowledge Base