ICMP outbound on Azure Virtual machines

Mohamed jihad bayali 1,131 Reputation points
2022-12-26T13:57:40.553+00:00

Hello Team,

I have a question: I just noticed that I cannot ping anything from my Azure VM (inbound/outbound), so I cannot use tracert to troubleshoot a network issue ...

I created the NSG rules to allow ICMP.

I turned off the local FW on the VM, but ping is still returning timeouts.

I just want to know whether, by default, we cannot ping IPs from Azure VMs?

Note that I'm not using a dedicated public IP for my VM.

Azure Virtual Network

Accepted answer
  1. KapilAnanth-MSFT 41,071 Reputation points Microsoft Employee
    2022-12-27T07:19:30.927+00:00

    Hi @Mohamed jihad bayali ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
    I understand that you would like to understand why you are not able to perform ICMP pings to Internet from Azure VM.

    • This is an expected behavior for VMs without a dedicated Public IP.
    • In this case, this VM gets assigned a random IP from a pool of available IP addresses. You will not be able to ping any external public IPs using the random IP.
    • You can assign a public IP to the VM and use it for pinging external IPs.
    • However, in either case, tracert would not work - this is by design.
    • While tracert may work for private traffic, tracert would not work for public traffic.
    • If you are troubleshooting an NVA scenario, you should see the tracert hops till the traffic enters Internet routing.

    Please let me know should you have further queries on this.

    Thanks,
    Kapil

    ----------------------------------------------------------------------------------------------------------------

    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.


2 additional answers

  1. Ali AlEnezi 1,061 Reputation points
    2022-12-26T17:12:49.52+00:00

    Hello,

    By default, outbound ICMP traffic is blocked on Azure virtual machines (VMs). This means that you will not be able to use the ping or tracert commands to send ICMP packets to other devices or servers from your Azure VM.

    To allow outbound ICMP traffic on your Azure VM, you will need to create an outbound security rule in the network security group (NSG) associated with your VM's virtual network interface. Here is an example of an outbound rule that allows ICMP traffic:

    • In the Azure portal, navigate to the "Network security groups" page.
    • Select the NSG that is associated with your VM's virtual network interface.
    • Click on the "Outbound security rules" tab.
    • Click on the "Add" button to create a new rule.
    • In the "Add outbound security rule" window, enter the following settings:
        • Name: Give the rule a descriptive name, such as "Allow ICMP outbound".
        • Protocol: Select "ICMP" from the drop-down list.
        • Destination: Enter the destination IP address or range that you want to allow ICMP traffic to. You can use an asterisk (*) to allow all destinations.
        • Destination port range: Leave this field blank.
        • Priority: Assign a priority value to the rule. Rules with lower priority values are processed before rules with higher priority values.
        • Action: Select "Allow" from the drop-down list.
    • Click "OK" to create the rule.

    Once you have created the outbound rule, you should be able to use the ping and tracert commands to send ICMP packets to other devices or servers from your Azure VM.

    While there are no strict rules that prevent you from enabling ICMP traffic on your Azure virtual machines (VMs), there are some considerations that you should take into account when deciding whether to allow ICMP traffic:

    1. Security: Allowing ICMP traffic can potentially expose your VMs to security risks, as it enables attackers to send ping requests and other types of ICMP packets to your VMs. This can potentially be used to scan your VMs for vulnerabilities, or to launch denial of service (DoS) attacks.
    2. Performance: Enabling ICMP traffic may have an impact on the performance of your VMs, as it requires additional processing resources to handle the incoming and outgoing ICMP packets.
    3. Compliance: Depending on your industry and regulatory requirements, you may be required to disable or restrict certain types of traffic, including ICMP, to ensure compliance with security standards.

    Good luck!


  2. msrini-MSFT 9,271 Reputation points Microsoft Employee
    2022-12-27T06:08:08.9+00:00

    Hi,

    When you are not using a PIP assigned to a VM, it gets NAT'd using an IP address that is assigned by the platform and ICMP will not work.

    Try assigning a Public IP to the VM and try using ICMP; it should work.

    Regards,
    Karthik Srinivas
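
Added example, not part of any answer in this thread: a PowerShell check of the two conditions the answers raise, whether the NIC has a dedicated public IP and which NSG rule decides outbound ICMP (default rules included), followed by a scripted form of the portal steps for the outbound rule. It assumes the Az.Network module and a signed-in session (`Connect-AzAccount`); the resource names, the rule name and the priority are placeholders.

```powershell
# Added example; resource names, rule name and priority are placeholders (assumptions).
param(
    [string]$ResourceGroup = 'rg-example',
    [string]$NicName       = 'vm-example-nic',
    [string]$NsgName       = 'vm-example-nsg',
    [int]$NewRulePriority  = 200   # must be unused and lower than any deny rule it should override
)

# 1. Does any IP configuration on the NIC carry a dedicated public IP?
$nic = Get-AzNetworkInterface -Name $NicName -ResourceGroupName $ResourceGroup
$hasPublicIp = [bool]($nic.IpConfigurations | Where-Object { $_.PublicIpAddress })
"Dedicated public IP on NIC: $hasPublicIp"

# 2. Which outbound rule decides ICMP? The lowest priority number is evaluated first.
#    Simplification: matches on protocol only, not on source/destination prefixes.
$nsg = Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroup
$deciding = @($nsg.SecurityRules) + @($nsg.DefaultSecurityRules) |
    Where-Object { $_.Direction -eq 'Outbound' -and $_.Protocol -in 'Icmp', '*' } |
    Sort-Object Priority |
    Select-Object -First 1
"Deciding outbound rule: $($deciding.Name) (priority $($deciding.Priority), $($deciding.Access))"

# 3. Scripted form of the portal steps, applied only if ICMP is not already allowed.
#    The API needs '*' for the port ranges even though ICMP has no ports.
if ($deciding.Access -ne 'Allow') {
    $nsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow-ICMP-Outbound' `
            -Direction Outbound -Access Allow -Protocol Icmp `
            -Priority $NewRulePriority `
            -SourceAddressPrefix '*' -SourcePortRange '*' `
            -DestinationAddressPrefix '*' -DestinationPortRange '*' |
        Set-AzNetworkSecurityGroup | Out-Null
    "Added rule Allow-ICMP-Outbound at priority $NewRulePriority"
}
```

The script reads only the NSG named in `$NsgName`; an NSG attached at the subnet level is evaluated separately by the platform and has to be checked the same way.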