Why am I unable to ping externally on my Azure Linux Machine?

Brian Vargas 0 Reputation points
2023-05-15T20:30:19.8366667+00:00

Hello,

I am currently managing a Linux VM that doesn't have a public IP address. The machine is capable of successfully pinging other devices within the same virtual network. However, I'm facing a problem when attempting to ping any public IP addresses, which fails.

Any ideas on this issue?

Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.

1 answer

  1. GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator
    2023-05-29T11:00:43.65+00:00

    Hello @Brian Vargas ,

    Apologies for the delay in response.

    I understand that you would like to know why you are unable to ping external Public IPs from your Azure Linux Machine that doesn't have a Public IP address.

    In Azure, there are 4 most commonly used methods to enable outbound connectivity:

    • Use the frontend IP address(es) of a load balancer for outbound via outbound rules
    • Associate a NAT gateway to the subnet
    • Assign a public IP to the virtual machine
    • Default outbound access

    Virtual machines created in a Vnet without explicit outbound connectivity defined are assigned a default outbound public IP address or a pseudo-IP. This IP address enables outbound connectivity from the resources to the Internet. This access is referred to as default outbound access.

    Even though default outbound access enables outbound connectivity from the resources to the Internet, it has some restrictions as below:

    • The default outbound IP is a dynamic IP assigned by Azure that you can't control.
    • ICMP pings to or from external IPs from VMs with only a pseudo IP (default outbound access) will not work.
    • In default outbound access, an Azure resource is allocated a minimal number of ports for outbound.
    • Default SNAT isn't recommended for production workloads and can cause connectivity failures.

    ICMP pings are supported under the following conditions assuming there are no NSG rules blocking or guest OS firewall rules preventing the communication:

    • VM-to-VM in a Virtual Network
    • VM-to-on premises via a Virtual Network Gateway
    • VM-to-public IP or public IP-to-VM, if there is an instance level public IP associated with the VM. ICMP pings to or from external IPs from VMs with only a pseudo-IP will not work.

    Workarounds for your issue:

    • If you require ICMP ping to/from external IPs, the only solution is to assign an instance level public IP to the relevant VM.
    • If you only need to establish connectivity, you can use TCP pings without needing to establish an instance level public IP.

    NOTE: TCP ping is simply a test on whether a TCP three-way handshake will be successful. TCP pings are typically done with the tcpping, psping, or nping utilities. Since TCP pings run on top of the TCP protocol, TCP pings are supported in all scenarios.

    Refer: https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-outbound-connections

    https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/default-outbound-access

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
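
The TCP ping described in the answer above, as an added example that is not part of the original question or answer: it times a TCP three-way handshake and separates a completed or refused connection (a reply came back, so the outbound path works) from a timeout (nothing came back). The script name `tcpping.py`, the function names and the default port 443 are assumptions made for this example.

```python
#!/usr/bin/env python3
"""TCP ping: time a TCP three-way handshake instead of sending ICMP echo."""
import socket
import sys
import time


def tcp_ping(host, port, timeout=3.0):
    """Attempt one TCP connect; return (status, elapsed_ms).

    status is "open" (handshake completed), "refused" (a RST came back, so the
    network path works but nothing accepts on that port), "timeout" (no reply:
    filtered, or no outbound path) or "error" (e.g. DNS failure, no route).
    """
    start = time.perf_counter()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            status = "open"
    except ConnectionRefusedError:
        status = "refused"
    except socket.timeout:
        status = "timeout"
    except OSError:
        status = "error"
    return status, (time.perf_counter() - start) * 1000.0


def probe(host, port, count=4, timeout=3.0):
    """Run `count` TCP pings; return (reachable, list of (status, ms))."""
    results = [tcp_ping(host, port, timeout) for _ in range(count)]
    # Both "open" and "refused" prove packets left the VM and a reply returned.
    reachable = any(status in ("open", "refused") for status, _ in results)
    return reachable, results


if __name__ == "__main__":
    # Usage: tcpping.py HOST [PORT]; port 443 is an assumed default.
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    reachable, results = probe(host, port)
    for status, ms in results:
        print(f"{host}:{port} {status} {ms:.1f} ms")
    sys.exit(0 if reachable else 1)
```

A run where every probe reports `timeout` is the case to check against NSG rules, the guest OS firewall and the subnet's outbound configuration.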