Whether ICMP is allowed on VPN GW, Express Route GW, Azure Firewall, App GW

Raviraj Velankar 136 Reputation points
2023-06-29T06:14:27.2433333+00:00

Hello,

I have following query.

Is the ICMP protocol (Echo Request, Echo Reply, trace-route) allowed by default on Azure VPN GW, Express Route GW and Azure Firewall, or not? There is a requirement to trace-route from a VM in Azure to a server/VM on-prem to determine the in-between hops or network devices the packet is routed through.

For example, suppose there is an IPsec VPN tunnel over an Express Route circuit as the primary path and an IPsec VPN tunnel over the Internet as the secondary path, and BGP is configured over both tunnels. On-premises routes are received over both IPsec VPN tunnels and routing is influenced from the on-premises side. If there is a requirement to check the exact path taken by a packet, is it feasible to capture the IP addresses of the network devices (through the tracert or traceroute command) along the path from the source to the destination VMs?

Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.

1 answer

  1. GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator
    2023-06-29T13:49:53.6733333+00:00

    Hello @Raviraj Velankar ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to know if ICMP protocol such as Echo Request, Echo Reply, trace-route is allowed on Azure VPN GW, Express Route GW, Azure firewall by default or not.

    You can use ICMP protocol within Azure VNets.

    Refer: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq#what-protocols-can-i-use-within-vnets

    And as of today, Inbound ICMPv4 pings are supported on Azure Load Balancer.

    Refer: https://azure.microsoft.com/en-us/updates/general-availability-inbound-icmpv4-pings-are-now-supported-on-azure-load-balancer/

    https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-test-frontend-reachability?tabs=windows-outside%2Cping%2Cwindowsvm

    Now coming back to your question, traceroute will work in the following scenarios:

    • VM to VM via Private IP address (this will appear as one hop if the two VMs are in the same VNet).
    • VM to On-Premises via:
    1. VPN Tunnel
    2. Express Route Private Peering
    • On-Premises to Azure via:
    1. VPN Tunnel
    2. Express Route Private Peering
    • Traceroute to/from Internet:
    1. VM-to-public IP or public IP-to-VM will work, if there is an instance level public IP associated with the VM.
    2. ICMP pings to or from external IPs from VMs with only a pseudo-VIP will not work.
    • For ICMP traceroute (via Windows or via Linux with -I specified), you need to ensure that you have an NSG created that allows ICMP and that your Windows Firewall is enabled for ICMP.

    We recommend customers not to use ICMP to test Azure Firewall as it doesn't always log ICMP properly. You can use some other mechanism such as PSPING, TCPPING or RDP. But if you just want to test the exact path taken by a packet, you may be able to use tracert but with the above conditions in mind.

    Refer: https://learn.microsoft.com/en-us/azure/firewall/overview#known-issues

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

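As an added example, not part of the original question or answer: a small set of bash helpers covering the two conditions the answer lists (an NSG rule that allows ICMP, and an ICMP-mode traceroute with -I on Linux), plus a parser that pulls hop IPs out of `traceroute -n` output and checks them against the inside addresses of the two on-prem tunnel endpoints, which is the practical way to confirm whether the ExpressRoute-backed or the Internet-backed tunnel carried the packet. The resource group, NSG name, address ranges, tunnel prefixes and the sample traceroute output are all constructed for this example; the `az` command is printed rather than executed so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example (not from the Q&A thread). Helpers for:
#  1) the NSG rule that must exist before an ICMP traceroute can reach a VM,
#  2) building the traceroute command (ICMP echo with -I, or default UDP),
#  3) parsing `traceroute -n` output to list hop IPs and infer which tunnel
#     carried the probes.
# All names, address ranges and the sample output below are constructed.
set -eu

# Print the az CLI command that adds an inbound ICMP allow rule to an NSG.
# The source is limited to the on-prem range rather than '*' so the rule does
# not also expose the VM to Internet pings if it ever gets a public IP.
nsg_allow_icmp_cmd() {
  rg=$1 nsg=$2 src=$3 prio=${4:-200}
  printf 'az network nsg rule create --resource-group %s --nsg-name %s --name AllowIcmpFromOnPrem --priority %s --direction Inbound --access Allow --protocol Icmp --source-address-prefixes %s --destination-address-prefixes "*" --destination-port-ranges "*"\n' "$rg" "$nsg" "$prio" "$src"
}

# Build the traceroute command. On Linux the default probe is UDP; -I switches
# to ICMP echo, which is what the NSG rule above (and Windows tracert) cover.
# -n avoids reverse-DNS delays on hops that will not resolve anyway.
traceroute_cmd() {
  target=$1 mode=${2:-icmp}
  case $mode in
    icmp) printf 'traceroute -n -I -m 20 %s\n' "$target" ;;
    udp)  printf 'traceroute -n -m 20 %s\n' "$target" ;;
    *)    printf 'unknown mode: %s\n' "$mode" >&2; return 1 ;;
  esac
}

# Read `traceroute -n` output on stdin and print one entry per hop: the
# responding IP, or "*" for a hop that timed out, so hop positions are kept.
hop_ips() {
  awk '$1 ~ /^[0-9]+$/ {
         if ($2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print $2; else print "*"
       }'
}

# Inside addresses of the on-prem tunnel endpoints, used to tell the two
# paths apart. Hypothetical values for this example: replace them with the
# tunnel interface / BGP peer addresses of your own on-prem devices.
ER_TUNNEL_PREFIX="10.250.1."    # tunnel over the ExpressRoute circuit
INET_TUNNEL_PREFIX="10.250.2."  # tunnel over the Internet

# Read hop IPs (one per line) and report which tunnel the trace crossed.
path_taken() {
  result=unknown
  while IFS= read -r ip; do
    case $ip in
      "$ER_TUNNEL_PREFIX"*)   result=expressroute; break ;;
      "$INET_TUNNEL_PREFIX"*) result=internet; break ;;
    esac
  done
  printf '%s\n' "$result"
}

# Convenience wrapper: raw trace text in, path name out.
path_from_trace() {
  printf '%s\n' "$1" | hop_ips | path_taken
}

# Constructed sample of an ICMP trace from an Azure VM to an on-prem host
# when the ExpressRoute-backed tunnel is preferred. Hops that do not answer
# (here hop 2) are kept in position as "*".
SAMPLE_TRACE='traceroute to 192.168.10.5 (192.168.10.5), 20 hops max, 60 byte packets
 1  10.250.1.1  2.101 ms  2.050 ms  2.012 ms
 2  * * *
 3  192.168.10.5  9.310 ms  9.280 ms  9.244 ms'

# Demo with the constructed sample; feed real traceroute output instead.
nsg_allow_icmp_cmd rg-hub nsg-app-subnet 192.168.0.0/16
traceroute_cmd 192.168.10.5 icmp
printf 'hops: %s\n' "$(printf '%s\n' "$SAMPLE_TRACE" | hop_ips | tr '\n' ' ')"
printf 'path: %s\n' "$(path_from_trace "$SAMPLE_TRACE")"
```

With real output, run `traceroute -n -I <host> | hop_ips | path_taken` on the Azure VM. The parser expects Linux `traceroute -n` lines; Windows `tracert` prints the address in the last column, so use `$NF` instead of `$2` there. A `*` hop is not by itself evidence of a block: as the answer above notes, Azure collapses some hops (VM to VM in the same VNet shows as one), so intermediate hops that do not answer are expected, and the useful signal is the first on-prem address that does appear.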
