Networking
The Networking forum covers all aspects of Networking in Azure, including endpoints, load-balancing, network security, DNS, Traffic Manager, virtual networks, and external connectivity.
If you have any feedback on any aspect of Azure relating to Networking, we’d love to hear it.
-
Publish the list of Traffic Manager Probe IPs
We have several VMs which provide a service to our web roles. We use Traffic Manager to load-balance between these VMs.
As the only valid traffic to these VMs is from our web roles, our office or the TM probes, we use Windows Firewall on the VMs to restrict all other traffic.
The issue we have is that the Traffic Manager probe IPs change on occasion.
If the list of probe IPs was published, we could ensure that our FW rules are kept up to date, ensuring that TM is doing what it's supposed to be doing!
1,354 votes
We’re working on it!
-
Support IPv6 Throughout the Azure Platform
IPv6 has been a standard for years and ISPs are starting to roll out native IPv6 stacks to consumers. The time is now to support IPv6.
929 votes
As noted by SamirF, Azure now offers load-balanced, dual-stack (IPv4+IPv6) Internet connectivity for Azure VMs. This native IPv6 connectivity (TCP, UDP, HTTP…inbound and outbound initiated) all the way to the VM enables a broad range of service architectures. IPv6 for Azure VMs is available now in most Azure regions. Data transfers over IPv6 are billed at the same rates as IPv4. For more information, please visit this Overview of IPv6 for Azure Load Balancer: https://azure.microsoft.com/en-us/documentation/articles/load-balancer-ipv6-overview/
We realize load-balanced Internet connectivity is just the first step of what is implied by this suggestion & comments and support for more scenarios is under development.
Please add suggestions for specific scenario/service you need IPv6 enabled to help guide our prioritization and work?
Many thanks,
The Azure Networking IPv6 feature team
-
Either add Point-to-Site SSTP VPN clients for Mac/Linux or enable other connectivity options
With Azure trying to attract more than just Windows devs, we need to be able to VPN using non-Windows platforms for point-to-site connections.
866 votes
-
ICMP Support for Azure Websites, Roles, Cloud Services
Need support for ICMP features like Ping in Azure Websites, Azure Mobile Services thru node.js, Web/Worker Roles/Cloud Services.
864 votes
-
Allow multi-site VPNs using static gateways
Being restricted to only one VPN when using a static gateway is extremely limiting. This means that once a static VPN has been created between a VNet and a site (i.e. our office) we have no way of connecting the Azure VNet to another VNet using a different VPN, i.e. no multi-site VPN feature if a static gateway has to be used for ANY VPN. This stops any other connectivity into the VNet apart from endpoints and ACLs, which is both less secure and messy to manage.
850 votes · 45 comments · VPN Connectivity (Point-to-Site, Site-to-Site)
Thanks for the feedback. This feature ask is under review – to help with our investigation, could you share with me the specific VPN brands/makes you have?
Thanks,
Yushun [MSFT]
-
Network Security Group logging capabilities to show dropped packets
Enable Network Security Group logging capabilities to show dropped packets.
Please provide a way to log the dropped packets that are blocked by Network Security Groups and make the log accessible to us for auditing and security reasons.
424 votes
-
Stop/Start Virtual Network Gateway - to avoid paying when it is not in use
There are two charges related to the Azure VPN service: the compute resource charge at $0.05/hour, and the egress data volume charge. Both are based on resource consumption. Unfortunately, even if the VPN tunnels are not connected, the gateway compute resource is still being consumed and will cost ~$38 monthly!
This is not really "Pay only for what you use". Need functionality to “STOP” (and of course "START") a gateway if the customer is certain that the gateway will not be in use.
367 votes · 25 comments · VPN Connectivity (Point-to-Site, Site-to-Site)
Add the item to VPN backlog.
Thanks,
Yushun [MSFT]
-
Change virtual machine virtual network through portal
Today, I needed to change a virtual network to an existing Virtual Machine. I had to delete this VM, create a new one using attached disks from the old one and set the Virtual Network. It would be nice if we had another way to do that, using Portal for example.
329 votes
The request is to support moving an existing VM into a VNet. This will be considered.
-
Site to Site VPN: allow local network range to include Azure VNET range
I’ve created a virtual network (10.25.0.0/17) that our instances will live in, and created a local network representing CORPNET (10.0.0.0/8). In effect, we’re trying to have the virtual network be a subnet within our larger internal IP block to emulate an internal datacenter. When trying to create the site to site VPN using the local network, I get an error about an address conflict, which seems to be due to the virtual network and local network overlapping.
Per MSFT: The local network range cannot include the Azure VNET range. The local network definition(s) are used to establish routes between…
326 votes
Thank you for the feedback.
Unfortunately, this is the current constraint of the Azure VPN and Virtual Network configuration. There is currently no workaround but to punch holes in the on premises definition.
The suggestion on the more traditional route lookup is under consideration. We will share more details once our plan and execution are finalized.
Thanks,
Yushun [MSFT]
-
Azure should be its own domain registrar
Windows Azure should offer domain registrar services so users don't have to maintain our domain names with a separate company. This also has the potential to greatly streamline the process of setting up a website on Azure.
317 votes
This remains on our long-term backlog as something we want to offer as part of the Azure DNS service in due course. Thank you everyone for the feedback so far, and please continue to share your comments.
-
Add a source tag for Azure Datacenter IPs to NSG Rules
On the following link, we are able to get the list of the azure datacenter / endpoint IPs that are actually used.
https://www.microsoft.com/EN-US/DOWNLOAD/DETAILS.ASPX?ID=41653
Please add a source tag like INTERNET or VIRTUALNETWORK to use Azure IP addresses in NSG rules.
302 votes · 15 comments · Security (ACLs, Firewalls, Intrusion Detection)
Per Anitha Adusumilli [MSFT]: Great input – Thanks for the feedback. We’ll certainly consider this feature add for NSGs.
-
Traffic Manager for SQL Database
The traffic manager is a great way to account for failover between web nodes in different data centers. However, an analogous paradigm doesn't exist for databases. In the premium tier, you can enable active geo-replication. However, all applications dependent on the primary either need to have their connection strings changed over when failing over between data centers, or they have to have some sophisticated retry logic built in at the application tier. It would be great if applications could point to a single, consistent endpoint and the geo-failover could be handled at a higher level the way it is with…
207 votes
Thank you for the suggestion, we will take it under consideration.
-
Endpoints can accept a port range instead of entering each open one at a time
If I have a port range it is really a pain to add endpoints if I need to add a port range between 20000 and 20010 for TCP and UDP. In this case I have to create 20 endpoints.
204 votes
Thank you for suggesting this. This is in feature backlog and we’re looking at this again now.
-
Support apex (naked) domains more seamlessly
Some things work, other things don't. I can set up an apex domain, but to get SSL working on an apex domain in hosted cloud service web role requires tweaking. Traffic manager doesn't work with apex domains.
Azure needs a DNS service like Amazon's Route 53. (http://aws.amazon.com/route53/)
174 votes
Update: supporting naked domains requires us to integrate Azure Traffic Manager with Azure DNS. That remains a key roadmap item for us, but at present we can’t give an ETA.
Please see the FAQ section on this page for more information about this scenario: https://azure.microsoft.com/documentation/articles/traffic-manager-how-traffic-manager-works/#faq
-
Extend Azure DNS to support zone transfers so it can be used as secondary DNS
If Azure DNS supported zone transfers, then it could be used both as a reliable secondary DNS service, or as an external proxy service for AD split-brain, or on-premise hosted DNS configurations.
173 votes
Thank you for the suggestion. This remains a key backlog item for us.
We’d be interested in further input via your comments. Please consider the following questions:
– Do you require zone transfers in to Azure DNS, or zone transfers out? Why?
– Do you require AXFR or IXFR?
– How should zone transfers be secured?
-
Azure Load Balancer to support HTTPS probes
Currently it is not possible to utilise an HTTPS (port 443) probe against a backend pool and as a result you must use either port 80 or a TCP probe, which isn't the same as actually making an HTTPS request and testing the HTTP response code.
173 votes
Thank you for suggesting this. This is in feature backlog and we’re looking at this again now.
-
Auto-connect for point-to-site VPN.
When the device is restarted, or internet connectivity is regained, the device automatically connects to the VPN again.
173 votes · 15 comments · VPN Connectivity (Point-to-Site, Site-to-Site)
As explained in the previous response. Add this item to backlog.
Thanks,
Yushun [MSFT]
-
Add the ability to Monitor Site 2 Site VPNs and create alerts when they drop
Add the ability to Monitor Site 2 Site VPNs and create alerts when they drop
165 votes
Thanks for the feedback. The product team has received several feedback. We will evaluate the feature and plan accordingly.
Thanks!
-
Don't strip QOS DSCP markings
Azure VNets with ExpressRoute should support QOS markings. Ideally the ExpressRoute circuit should honour and prioritise packets with DSCP priorities set.
If honouring DSCP is not possible then the values should at least be passed along and not be stripped out.
We have Azure connected to our internal MPLS network via an ExpressRoute Exchange provider. (Our MPLS provider is not set up as a Network provider in Azure). Some of our remote sites have congested links; however, with QOS we ensure all business applications perform well.
We are now moving some business applications into Azure and getting performance problems due to…
149 votes
-
Make VPN gateway more configurable
We should be able to fully customize the VPN gateway parameters for phase 1 & 2 negotiations:
* Specify the pre-shared key
* Lifetime values
* Encryption
* Static IP address that won't change if the gateway is deleted and recreated
* etc.
143 votes
This is currently in the works. We have enabled some configurations on IPsec/IKE parameters or options. Will continue to expand the configuration options.
Thanks,
Yushun [MSFT]
