outbound pings are allowed via policy, can see them leaving via the logs, no returned traffic comes back to complete the ICMP and the client behind the azure firewall shows timed out. what gives? do you have to specifically allow ICMP replies?

@John Wirtz , Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well. I see you are using Azure Firewall for inspecting traffic from VMs. Can you please provide more details on your environment? Are you ICMP pinging a Public IP in Internet Or Pinging another VM in the VNET from a VM in the same VNET via Azure Firewall? Are you sure the destination is capable of responding to a ICMP Ping? If you remove the Firewall from the routing, can you get a PING response back? You can do this by adding a more specific route in the UDR such that the traffic directly goes to the destination. Cheers, Kapil

Azure Firewall and outbound pings lost

Accepted answer

KapilAnanth-MSFT 41,071 Reputation points Microsoft Employee

2024-07-10T09:50:38.5133333+00:00
@John Wirtz ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I see you are using Azure Firewall for inspecting traffic from VMs.

Can you please provide more details on your environment?

Are you ICMP pinging a Public IP in Internet

Or Pinging another VM in the VNET from a VM in the same VNET via Azure Firewall?

Are you sure the destination is capable of responding to a ICMP Ping?

If you remove the Firewall from the routing, can you get a PING response back?

You can do this by adding a more specific route in the UDR such that the traffic directly goes to the destination.

Cheers,

Kapil
Please sign in to rate this answer.

1 person found this answer helpful.
John Wirtz 20 Reputation points

2024-07-10T13:19:36.99+00:00

Thanks for the replies all. Here is more detail. Two VNets. One with a single Linux VM in a 10.0.0.0/24 Subnet and the Bastion in a subnet of 10.0.1.0/26. this is the "test VNet" and it is 10.0.0.0/16 address space. the other VNet is the firewall VNet and it is 10.1.0.0/26 and has the azure firewall in it. the two are peered and the UDR on the test VNet pushes all 0.0.0.0/0 to the 10.1.0.4/26 address that is the firewall. Outbound communication works to the internet from the test Linux VM, I can ping from the test linux VM to the 10.1.0.4 of the Azure firewall. If I remove the UDR and Peer and give the Linux VM its own public address it can ping to the internet fine using multiple hosts as the ping destination, typically use 4.2.2.1 as the go to for testing. Once the peering and UDR is in place you can not ping any host on the public internet via the test VM. I recall this being an issue in the past but I was hoping this was resolved at this point.

From research I have found this article https://learn.microsoft.com/en-us/azure/firewall/firewall-known-issues and information suggesting that the azure firewall still uses the azure load balancer as the front end and the "Load balancer doesn't support ICMP for outbound NAT, the only supported protocols are TCP and UDP."

Just curious if anyone has any other thoughts

KapilAnanth-MSFT 41,071 Reputation points Microsoft Employee

2024-07-11T08:38:31.1066667+00:00

@John Wirtz ,

Thank you for the detailed explanation.

Your observation is correct.

As per the Azure Firewall known issues, Network filtering rules for non-TCP/UDP protocols don't work with SNAT to the public IP address.

The article is updated as issues are resolved.

Is there any specific reason you are looking for a ICMP based test?

I would instead recommend using TCPPing/Telnet to test outbound reachability.

If there is a strict requirement in one or two cases, you can consider

Attaching a NAT Gateway/Public IP to the VM's subnet/VM

In the UDR, add an extra route such that "4.2.2.1" nextHop is Internet.

Please let us know if we can be of any further assistance here.

Thanks,

Kapil

Please Accept an answer if correct.

Original posters help the community find answers faster by identifying the correct answer.

John Wirtz 20 Reputation points

2024-07-11T17:01:46.4966667+00:00

we will call this one done with. There is no real "need" for ICMP, more of just how a lot of people "test" connectivity. I agree using TCP testing is better, just more wanted to make sure I was not missing anything

KapilAnanth-MSFT 41,071 Reputation points Microsoft Employee

2024-07-12T06:11:38.73+00:00

@John Wirtz ,

Sure.

Thanks for your continued contribution on Q&A and appreciate much for taking the time to share your feedback.

Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I would greatly appreciate if you could Accept the answer and close this thread.

Original posters help the community find answers faster by identifying the correct answer.

Thanks,

Kapil

John Wirtz 20 Reputation points

2024-07-12T14:47:09.0966667+00:00

done! thank you again
Sign in to comment

Share via

Azure Firewall and outbound pings lost

0 additional answers