Azure VMs not able to talk to STUN server for WebRTC

Question

Azure VMs not able to talk to STUN server for WebRTC

Naval Rishi 20

I have a VM that I'm trying to use to with a webRTC application but it's not able to talk to any STUN servers to get ICE candidates. I'm using this for testing. This works on my personal machine on my Wifi and even on my phone on mobile data but doesn't work for any VMs.
https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/
The VM has a public IP, no outbound traffic restriction, no extra firewall in the NSG, all default settings, but I can't figure out why the request fails. I tried self troubleshooting from Azure and it gives a green tick for all services but the connectivity check fails.

Anonymous

2025-05-19T01:52:50.0166667+00:00

Hi Naval Rishi,
Based on your query,
You are able to access the website on your local machine but not from the Azure VM. Could you please share a screenshot showing how the website looks when you access it locally?

When I access the website from both my local machine and the Azure VM, I am able to see the interface as shown below.

Can you please confirm if you are seeing the same interface when accessing it locally?

Also, please share a screenshot of the website when you try to access it from the Azure VM, including any error messages you encounter. This will help us understand the issue better and assist you accordingly
Naval Rishi 20 Reputation points

2025-05-19T10:43:08.6+00:00

My issue is not with opening the side but when I click the gather candidates button I get this error as in screenshot attached which means I am not able to access the STUN server from the desktop. I have not configured any restrictions or firewall in the VNET of this VM.
Anonymous

2025-05-20T05:53:49.29+00:00

Hi Naval Rishi,
Thank you for your reply. We are looking into the issue. Could you please send a screenshot of the website's working interface, when you click the button.!
Naval Rishi 20 Reputation points

2025-05-20T06:28:56.18+00:00
this happens in chrome and edge but does not happen in Firefox. it works for all I can tell. but regardless what does not work in either is the ability to connect to another machine using webRTC.

I'm attaching the code you can run in the browser in 2VMs in different networks to reproduce the issue.

Client A

var config = {'iceServers': [{'urls': 'stun:stun.l.google.com:19302'}, {'urls':'stun:stun.12connect.com:3478'}]}

var localConnection = new RTCPeerConnection(config)

localConnection.oniceconnectionstatechange = e => console.log(localConnection.iceConnectionState);

localConnection.dataChannel = localConnection.createDataChannel("messages")

localConnection.dataChannel.onmessage = e => {

console.log("Message on " + localConnection.dataChannel.label); console.log(new Date() + ": " + e.data);

}

localConnection.dataChannel.onopen = e => console.log("Data channel opened - " + localConnection.dataChannel.label)

localConnection.dataChannel.onerror = e => console.log(JSON.stringify(e))

localConnection.onicecandidate = e => console.log(new Date() + ": New Ice Candidate - " + JSON.stringify(localConnection.localDescription))

await localConnection.createOffer()

await localConnection.setLocalDescription()

localConnection.onicecandidateerror = e => { debugger; }

after that run

copy(localConnection.localDescription)

Client B

var config = {'iceServers': [{'urls': 'stun:stun.l.google.com:19302'}, {'urls':'stun:stun.12connect.com:3478'}]}

var localConnection = new RTCPeerConnection(config)

localConnection.ondatachannel = e => {

console.log("New channel opened : " + e.channel.label)

localConnection.dataChannel = e.channel;

localConnection.dataChannel.onmessage = e => {

console.log("Message on " + localConnection.dataChannel.label); console.log(new Date() + ": " + e.data);

}

}

localConnection.onicecandidate = e => console.log(new Date() + ": New Ice Candidate - " + JSON.stringify(localConnection.localDescription))

localConnection.onicecandidateerror = e => { debugger; }

await localConnection.setRemoteDescription(<copied-local-description-from-client-A)

await localConnection.createAnswer()

await localConnection.setLocalDescription()

wait for a few seconds at max and it fails as B is not able to gather ICE candidates.

In edge it fails after setlocaldescription call in client A

Accepted answer

1 additional answer

Your answer

Anonymous

2025-05-19T01:52:50.0166667+00:00

Hi Naval Rishi,
Based on your query,
You are able to access the website on your local machine but not from the Azure VM. Could you please share a screenshot showing how the website looks when you access it locally?

When I access the website from both my local machine and the Azure VM, I am able to see the interface as shown below.

Can you please confirm if you are seeing the same interface when accessing it locally?

Also, please share a screenshot of the website when you try to access it from the Azure VM, including any error messages you encounter. This will help us understand the issue better and assist you accordingly
Naval Rishi 20 Reputation points

2025-05-19T10:43:08.6+00:00

My issue is not with opening the side but when I click the gather candidates button I get this error as in screenshot attached which means I am not able to access the STUN server from the desktop. I have not configured any restrictions or firewall in the VNET of this VM.
Anonymous

2025-05-20T05:53:49.29+00:00

Hi Naval Rishi,
Thank you for your reply. We are looking into the issue. Could you please send a screenshot of the website's working interface, when you click the button.!

Answer 1

Nikhil Duserla 8,100 Microsoft External Staff Moderator

Hello @Naval Rishi,

Navigate to RDP application and mark the settings. Navigate to local resources>>In local resources and resources click more and choose the devices in below. User's image

try test again once marked the devices.

User's image

If you have any further queries, do let us know.

If you found this informative, please consider accepting an answer as a token of appreciation. And don't forget to give it a thumbs up 👍 if it was helpful.

User's image

Naval Rishi 20 Reputation points

2025-05-23T12:40:21.83+00:00

The main website that i linked in the post still breaks. But my use case is actually working fine now. This is the solution. Thanks a lot.

Answer 2

Hi Naval Rishi,

thank you for posting your question on the Q&A portal and providing those details about your issue with Azure Virtual Machines and WebRTC. It’s definitely frustrating when something works locally but not in the cloud, so let’s try to break this down step by step.

First, since your VM has a public IP and no outbound restrictions in the Network Security Group (NSG), the basics seem correct. But there are a few Azure-specific things that could be blocking STUN traffic. WebRTC relies on STUN servers to discover ICE candidates, and if the VM can’t reach them, it’s often a networking or configuration issue.

One common gotcha is that Azure’s default NSG rules allow outbound traffic, but some ISPs or intermediate firewalls might block UDP ports used by STUN (usually 3478 and 5349). Even though your NSG is open, Azure’s underlying infrastructure or your VM’s local firewall could interfere. You can check the local firewall on the VM to ensure it’s not blocking these ports. Here’s Microsoft’s documentation on NSG rules for reference: Network Security Groups in Azure.

Another thing to test is whether your VM can reach the STUN server at all. Try running a simple UDP connectivity test using tools like nc (netcat) or Test-NetConnection in PowerShell. For example, if you’re using stun.l.google.com:19302, you could check if the VM can send/receive UDP packets to that endpoint. If it fails, it might be a routing issue. Azure sometimes applies platform-level filters, so you might need to explicitly allow UDP traffic in the NSG, even if it seems open.

Also, double-check that the VM’s public IP is properly associated and not stuck in a "middle" state. Sometimes, restarting the VM or reassigning the IP can help. Here’s more info on public IPs in Azure: Public IP addresses in Azure.

Lastly, if you’re using a custom DNS or have modified the VM’s network settings, ensure DNS resolution works for the STUN server’s domain. You can test this with nslookup stun.l.google.com from the VM.

If none of this helps, could you share the exact error or behavior you’re seeing? For example, does the request time out, or is there a specific error in the browser console? That might give more clues.

Hope this points you in the right direction! Let me know if you hit any snags, and I’ll try to help further.

Best regards,
Alex
P.S. If my answer help to you, please Accept my answer
PPS That is my Answer and not a Comment
https://ctrlaltdel.blog/

Best regards,
Alex
P.S. If my answer help to you, please Accept my answer
PPS That is my Answer and not a Comment
https://ctrlaltdel.blog/

Share via

Azure VMs not able to talk to STUN server for WebRTC

1 additional answer

Your answer