
Azure Networking updates for Fall 2017

At September’s Ignite 2017, our announcements focused on the fundamental pillars of security, performance, monitoring, connectivity, and availability. At Ignite we learned from thousands of customers building sophisticated virtual networks to support their mission critical applications. We’ve enhanced our services putting a special emphasis on simplifying their management. We continue to expand the regions where the new offerings are available. Here is a short summary with more details below.

  • VNet Service Endpoints preview in all public regions
  • DDoS protection now in US, Europe, and Asia regions
  • Service Tags Preview in all public regions
  • Augmented Rules GA in all public regions
  • Data Plane Developer Kit now in Preview
  • Network Performance Monitor for ExpressRoute Preview
  • Azure Monitor and Resource Health for ExpressRoute GA
  • Traffic View visualizations in Portal
  • Point-to-Site VPN for Macs and AD Authentication GA
  • Azure DNS CAA Records and IPv6 support GA


VNet Service Endpoints preview now available in all public regions

Virtual Network Service Endpoints extend your virtual network private address space and the identity of your VNet to Azure services. This lets you secure Azure services such as Storage and SQL Database, which have Internet-facing IP addresses. Service Endpoints for Azure Storage and Azure SQL Database are now available in preview in all regions in Azure public cloud. We will be adding more Azure services to VNet Service Endpoints in the coming months. For more information see VNet Service Endpoints.


VNet Service Endpoints restricts Azure services to be accessed only from a VNet

DDoS Protection Preview now in US, Europe, and Asia

The new Azure DDoS Protection service helps protect your application from targeted DDoS attacks and provides additional configuration, alerting and telemetry. Continuous and automatic tuning helps protect your publicly accessible resources in a VNet. The service profiles your application’s normal traffic patterns using sophisticated machine learning algorithms to intelligently detect malicious traffic and mitigate targeted DDoS attacks. Azure DDoS Protection is now available for preview in select regions in US, Europe, and Asia. For details see DDoS Protection.

Azure DDoS Protection helps protect publicly accessible resources in a VNet

Simplifying Networking Security Management

Network Security Groups (NSGs) allow you to define network security access policies based on IP addresses controlling access to and from VMs and subnets in your VNet. Managing complex security policies using only IP addresses can be cumbersome and error-prone. We simplified the management of NSGs with Service Tags, Application Security Groups and enhanced NSG rule capabilities.


Simpler Network Security Group management with tags, groups, and enhanced rules

Service Tags Preview now in all public cloud regions

Previously a VNet requiring access to services such as Storage had to allow access to ranges of Azure public IP addresses. Maintaining these IP address ranges was problematic. A service tag simplifies this management task by using a symbolic name to represent all the IP addresses for a given Azure service, either globally or regionally. For example, the service tag named Storage represents all the Azure Storage IP addresses. You can use service tags in NSG rules to allow or deny traffic to a specific Azure service by name. The underlying IP addresses for the tag are automatically updated. Service Tags for Storage, SQL, and Traffic Manager are available in preview in all regions in Azure public cloud with more services coming soon. For more information see Service Tags.

Network Security Group Augmented Rules GA in all regions

Augmented Rules for Network Security Groups simplify security definitions. You can define larger, more complex network security policies with fewer rules that are more easily maintained. Multiple ports, multiple explicit IP addresses, Service Tags and Application Security Groups can all be combined into a single easily understood security rule. This can allow multiple internet clients to access your website using a single NSG rule rather than having an NSG rule per client. Network Security Group Augmented Rules is now generally available in all regions in Azure public cloud. For more details see NSG Augmented Rules.
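To make the Service Tag and Augmented Rule semantics described above concrete, here is an added example (not Azure's own code) that evaluates flows against a small hypothetical rule set in priority order. The rule names, the documentation-range prefixes, and the contents of the Storage tag are all constructed for illustration.

```python
import ipaddress

# Constructed stand-in for the Azure-maintained Storage tag; not real prefixes.
SERVICE_TAGS = {"Storage": ["203.0.113.0/24", "198.51.100.0/25"]}

# Hypothetical policy: "allow-web-clients" is one augmented rule, not one per client.
RULES = [
    {"name": "allow-web-clients", "priority": 100, "direction": "Inbound",
     "sources": ["192.0.2.10/32", "192.0.2.64/26"], "destinations": ["10.0.1.0/24"],
     "ports": ["80", "443", "8000-8010"], "access": "Allow"},
    {"name": "allow-storage", "priority": 110, "direction": "Outbound",
     "sources": ["10.0.1.0/24"], "destinations": ["Storage"],
     "ports": ["443"], "access": "Allow"},
    {"name": "deny-other-outbound", "priority": 200, "direction": "Outbound",
     "sources": ["10.0.1.0/24"], "destinations": ["*"],
     "ports": ["*"], "access": "Deny"},
]


def addr_match(ip, entries):
    """True if ip falls in any entry: '*', a service tag name, or a CIDR prefix."""
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        prefixes = ["0.0.0.0/0"] if entry == "*" else SERVICE_TAGS.get(entry, [entry])
        if any(addr in ipaddress.ip_network(p) for p in prefixes):
            return True
    return False


def port_match(port, ranges):
    """True if port matches any entry: '*', a single port, or a 'low-high' range."""
    for r in ranges:
        low, _, high = r.partition("-")
        if r == "*" or int(low) <= port <= int(high or low):
            return True
    return False


def evaluate(direction, src, dst, port, rules=RULES):
    """Return (access, rule name) of the lowest-priority-number matching rule."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if (rule["direction"] == direction and addr_match(src, rule["sources"])
                and addr_match(dst, rule["destinations"])
                and port_match(port, rule["ports"])):
            return rule["access"], rule["name"]
    # Azure's built-in default rules are not modelled here.
    return "NoMatch", None
```

Because the Storage tag stands for all Azure Storage addresses, a rule like allow-storage permits traffic to any storage account, not only your own.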

Performance – Azure remains the fastest public cloud

Azure Accelerated Networking

In Azure Networking, we are continually pushing to provide the best performance for our customers. At Ignite, we announced the fastest VMs offered for the public cloud with 30 Gbps of VM-to-VM throughput. Customers can now easily enable this feature on several of our VM instance sizes and distros. For more details see Azure Accelerated Networking.

Data Plane Developer Kit preview availability

At Ignite, we announced support for the Data Plane Developer Kit (DPDK). DPDK enables higher performance for network-intensive applications such as network appliances that demand the most efficient and highest-rate packet processing available. We are announcing the public preview of DPDK in all Accelerated Networking VMs in Canada East. This is available now for customers to evaluate. To learn more about DPDK, please contact us at AzureDPDK@microsoft.com.


Customers entrust Azure to run their mission critical workloads. Providing deep operational insights into the real-time behavior of these production applications is essential. We continue to enhance our network monitoring capabilities to address customers’ needs.

Network Performance Monitor for ExpressRoute now preview

Network Performance Monitor (NPM) is an end-to-end monitoring solution for ExpressRoute, from on-premises to Microsoft. Customers can monitor latency, packet loss, and bandwidth between on-premises and their VNets, set threshold-based alerts using these metrics, and visualize their ExpressRoute topology. With Service endpoint monitoring, customers can track reachability of Office 365 and PaaS services such as Azure Storage. Network Performance Monitor for ExpressRoute Preview is now available in East US, South East Asia and West Europe regions. For more details see Network Performance Monitor for ExpressRoute.



ExpressRoute Network Performance Monitoring over multiple paths

Azure Monitor and Resource Health for ExpressRoute Circuits GA

We are announcing the General Availability of Azure Monitor for ExpressRoute. Customers can see ExpressRoute Circuit total throughput in Azure Monitor on the portal.

We are also announcing Resource Health for ExpressRoute Circuits. Customers can check for known issues with their ExpressRoute Circuits and see any relevant troubleshooting steps before submitting a support ticket.


Throughput per ExpressRoute circuit with Azure Monitor

Visualize your traffic patterns using Traffic View

Azure Traffic Manager Traffic View provides customers with actionable intelligence about their users and assists with selecting Azure regions for better performance and reduced latency. We are adding powerful visualizations of the Traffic View data, providing a heatmap of users’ experience and allowing customers to understand traffic patterns at a global level and zoom in on specific geographies. For more information please see Traffic View Overview.


Traffic pattern for an endpoint


Point-to-Site VPN for Macs and AD Authentication now GA

We are announcing the general availability of Point-to-Site (P2S) VPN for macOS as well as Active Directory (AD) Domain authentication for P2S VPN. Customers can connect to Azure Virtual Networks over P2S VPN from their macOS devices using the native IKEv2 VPN client. SSTP continues to be the P2S solution for Windows. Customers can support a mixed client environment consisting of both Windows and macOS by enabling both IKEv2 and SSTP VPN.


P2S VPN connects Windows and macOS machines to Azure VNets

To simplify authentication, customers can use their organization domain credentials for IKEv2 and SSTP VPN authentication by enabling RADIUS authentication. The Azure VPN Gateway integrates with the customer’s RADIUS and AD Domain deployment in Azure or their on-premises datacenter. RADIUS servers integrate with other identity providers, providing multiple authentication options (including multi-factor) for P2S VPN.


AD Domain Authentication for P2S VPN

Azure provides customers the VPN client configuration required for the native VPN clients on Windows and macOS to connect to Azure. Both P2S VPN for Macs and AD Domain Authentication are available on all Gateway SKUs except the Basic SKU. To learn more about Azure P2S VPN visit our Point-to-Site VPN page.

Azure DNS CAA Record Support and IPv6 Nameservers now GA

We are pleased to announce general availability of support for IPv6 DNS queries and for Certification Authority Authorization (CAA) records. The CAA resource record allows domain owners to specify one or more Certification Authorities (CAs) that are authorized to issue certificates for their domains. Checking for CAA records as part of the certificate issuance process is now mandatory for CAs. This defense-in-depth security feature allows CAs to reduce the risk of unintended certificate mis-issuance. To learn more, see this post with more details about Azure DNS support for CAA Records and IPv6.


We will continue working to simplify the overall network management, security, scalability, availability and performance of your mission-critical applications. With Azure Networking, you can fully reap the benefits offered by our cloud and our global backbone network. There will be more updates and announcements in the coming months. This is an exciting time for all of us as the cloud continues to evolve. We welcome your continued feedback on the features we released at Ignite as well as these new features and capabilities to ensure our roadmap meets your requirements.