Networking

The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.

Virtual Network:

  • Service overview
  • Technical documentation
  • Pricing details

Traffic Manager:

  • Service overview
  • Technical documentation
  • Pricing details

Network Watcher:

  • Service overview
  • Technical documentation
  • Pricing details

If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.

    How can we improve Azure Networking?

    1. Allow ACL on Application Gateway for IP filtering via X-FORWARDED-FOR header

      We have requirements from customers to restrict access via their company subnets. It would be very nice if the App Gateway supported not only the SSL offload but the ability to apply ACLs to allow or deny access via a defined network range using X-FORWARDED-FOR headers.

      54 votes
      started  ·  4 comments  ·  Application Gateway
      • Monitoring of ExpressRoute

        I want to be alerted, when my metered ExpressRoute is reaching a certain limit (that it is cheaper for me to go with unlimited model).
        Overall no monitoring supported to verify if peering is up, how much inbound and outbound traffic is going through the ExpressRoute/Virtual Network Gateway.
        The ExpressRoute is critical and therefore its state needs to be monitored.

        52 votes
        started  ·  4 comments  ·  ExpressRoute
        • Add tags for NSG on the portal with datacenter ranges

          We have ranges of IPs for each datacenter.

          Instead of the current tags (internet, azureloadbalance) we could add AzureWestUS, AzureNorthEurope
          https://www.microsoft.com/en-us/download/details.aspx?id=41653

          51 votes
          • Migration of VPN Gateway from old to new SKUs

            Please provide risk mitigation ways to migrate from legacy VPN gateway SKUs to the new gateway SKUs. Currently, the only way is to delete everything and recreate it again.

            51 votes

              Thanks for the suggestion. This is something we are looking into. But no downtime migration will be very challenging due to current platform constraints. We will likely need to take a phased approach with some downtime involved (maintenance windows required) while trying to preserve VPN gateway public IP addresses. Please stay tuned.

              Thanks,
              Yushun [MSFT]

            • Faster configuration updates

              I'm experimenting with using App Gateway as a frontend server to do URL routing to one Windows App Service and one Linux App Service, via the portal. I'm an hour into this process because each and every step takes many minutes to complete.

              50 votes
                0 comments  ·  Application Gateway

                Thanks for your feedback. We are working on improving the update experience to make it faster. As an alternate suggestion, please note that multiple configuration steps can be combined into a single update via PowerShell or ARM template for faster updates.

              • Network Watcher in Azure Stack?

                Can you provide any guidance on when we could expect to see this awesome tool in Azure Stack? It would be hugely beneficial.

                49 votes
                  4 comments  ·  Network Watcher
                • Use P2S VPN connection as default gateway (like standard VPN)

                  P2S connection is working fine and I can access VMs on VNET.

                  It would be good to have a feature where, if you enable [Use default gateway on remote network], you can browse the internet and it looks like you are coming from the Azure network when you visit a site.
                  Something like proxpn, purevpn and similar services.

                  47 votes

                    Hi,

                    This suggestion has two parts:

                    1. Use default route or forced tunneling on P2S client rather than split tunneling
                    2. Enable Azure VPN gateway as a forward proxy to the Internet

                    At this point, these will be considered as long term roadmap items.

                    Thanks,
                    Yushun [MSFT]

                  • Allow IPv6 VIPs - Charge for *blocks of* IPv6 addresses

                    It would be nice if we could purchase elastic IPv6 blocks of IPs, then when setting up an endpoint for a VM we could select the specific IP from the block for the endpoint.

                    47 votes
                      0 comments  ·  IPv6

                      We currently offer the option of reserving single IPv4 public addresses. Reservation of blocks of IPv4 and IPv6 public addresses is, unfortunately, still in work; we apologize for the delay.

                      On a related topic, Azure now offers load-balanced, dual-stack (IPv4+IPv6) Internet connectivity for Azure VMs. This native IPv6 connectivity (TCP, UDP, HTTP…inbound and outbound initiated) all the way to the VM enables a broad range of service architectures. IPv6 for Azure VMs is available now in most Azure regions. Data transfers over IPv6 are billed at the same rates as IPv4. For more information, please visit this Overview of IPv6 for Azure Load Balancer: https://azure.microsoft.com/en-us/documentation/articles/load-balancer-ipv6-overview/

                    • Azure Internal Endpoints to Vnet

                      Please provide Azure Services with an Internal Endpoint (at least Azure Storage and Azure Backup) to build up machines without an Internet connection.

                      43 votes
                        3 comments  ·  Virtual Networks (VNET)
                      • Allow ICMP ping to VIP (Allow Ping inbound)

                        Vote for allowing UDP through the firewall, such as ping inbound, because ping is the minimum required for so many apps.

                        43 votes
                          1 comment  ·  Load Balancing
                        • Make all services available with IPv6 addresses.

                          IPv4 addresses are running out and Azure has had a lot of problems with this, resolved by buying IPv4 address pools at a significant cost.
                          Some users and cloud deployments only require connectivity with on premises networks (either IPv4 or IPv6, not both).
                          Make IPv6 available for all services and allow the option of choosing what type of addresses are required (IPv4+IPv6 or IPv6 only).
                          Also, consider:
                          ● Giving each cloud service a /60 (or bigger) instead of a /64;
                          ● Making IPv6 addresses static, since pool depletion is no longer an issue.

                          43 votes
                            1 comment  ·  IPv6

                            This is closely related to the suggestion “Support IPv6 Throughout the Azure Platform” but we’re taking this suggestion as ensuring ALL the various Azure services (Storage, etc.) offer IPv6 connectivity.

                            A step towards this goal is the IPv6 connectivity now available for Azure VM’s. Azure now offers load-balanced, dual-stack (IPv4+IPv6) Internet connectivity for Azure VMs. This native IPv6 connectivity (TCP, UDP, HTTP…inbound and outbound initiated) all the way to the VM enables a broad range of service architectures. IPv6 for Azure VMs is available now in most Azure regions. Data transfers over IPv6 are billed at the same rates as IPv4. For more information, please visit this Overview of IPv6 for Azure Load Balancer: https://azure.microsoft.com/en-us/documentation/articles/load-balancer-ipv6-overview/

                            Please add suggestions for the specific scenarios/services where you need IPv6 enabled, to help guide our prioritization and work.

                            Many thanks,
                            The Azure Networking IPv6 feature team

                          • Block out access to azure resources from outside

                            I am looking for a way to completely block access to Azure resources from outside of Japan. Access from abroad is most likely from a person who is not from our company.

                            Recently, I have been terribly worried because there is a lot of illegal access from outside the country. It would be very reassuring to have the ability to shut off foreign access in Azure. This scenario is difficult to achieve because the NSG feature has a limit on the number of IP addresses which can be restricted.

                            41 votes
                              1 comment  ·  IP addresses
                            • Allow Upgrade or Swap VIP also when number of endpoints has been changed

                              Or allow the external IP address to be fixed/allocated to the Hosted Service.

                              The scenario is that during the lifetime of the application you may need to modify the number of endpoints, and re-deploy the solution BUT KEEP PUBLIC IP.

                              The best would be if Swap VIP could handle this - to avoid downtime, but I am willing to have some downtime as long as Upgrade is supported. This is to avoid service unavailable during the time DNS CNAME records are updated.

                              41 votes
                                4 comments  ·  Load Balancing
                              • Support EV SSL certificates in Application Gateway

                                Please support EV SSL certificates in Application Gateway. What is the reason they aren't supported already?

                                40 votes
                                  3 comments  ·  Application Gateway
                                • Want VNet Peering that can be created in another region in the same Geo

                                  Currently, although it is possible to create a Peering between VNet within the same region, the same thing can be carried out also in the address space and subnets in VNet.

                                  When VNet Peering that can be created in another region in the same Geo becomes available, I believe that network design and expansion will become easy.

                                  I kindly ask for your consideration.

                                  40 votes
                                    5 comments  ·  Virtual Networks (VNET)
                                  • Formalize the Traffic Manager user agent string

                                    I would like to see the user agent that Traffic Manager uses in its HTTP requests as part of monitoring/probing become formalized so that applications can take a dependency on the user agent string name and not worry about it changing in the future affecting the application that has behavior that depends on the user agent.

                                    For an example where the user agent string is needed to comply with URL canonicalization needs along with Traffic Manager being involved, please refer to http://social.msdn.microsoft.com/Forums/azure/en-US/d9f8e779-644d-4263-990c-9de5a7cf403c/is-the-user-agent-for-traffic-manager-guaranteed.

                                    40 votes
                                    • implement Service tags for UDR/Route

                                      Can be good when we create a Route/UDR to have the possibility to select in "Next Hop Type" a service Tag, or Azure Region IP range.

                                      40 votes
                                        1 comment
                                      • Add a Network Security Group tag for Windows Update

                                        I'd like to be able to block all outbound traffic on my NSG but still allow windows update to work. This is difficult to do as the windows update depends on quite a few DNS names and the IP address of these apparently changes often.

                                        If I could specify an "Allow" rule for a service tag called "WindowsUpdate" or similar with a higher priority than my "DenyAll" rule, this would achieve this.

                                        40 votes
                                        • Application Gateway WAF: update to OWASP CRS 3.0.2

                                          The 'OWASP 3.0' (3.0.0) WAF rule set generates a lot of false positives, even on random base64 payloads. The only option is to disable many rules.

                                          2 examples which frequently trigger on SAML authentication exchanges are 932140 (https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/671) and 941120 (https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/675).

                                          OWASP CRS 3.0.2 reworked some rules, in order to reduce some of these false positives. Please support CRS 3.0.2 (either as an in-place upgrade for 3.0.0, or as a new option).

                                          38 votes
                                            4 comments  ·  Application Gateway
                                          • We need the new configuration in Azure Traffic Manager.

                                            We need the new configuration in Azure Traffic Manager.

                                            When the prior region replies to Traffic Manager with intermittent healthy responses, failover and failback occur repeatedly.
                                            (e.g. in case the endpoint returns HTTP 500 intermittently due to some system failure, if TM receives HTTP 200 by luck when TM probes it, TM sends requests to the troublous endpoint until the next probe.)

                                            We need a configuration for manual failback.

                                            38 votes