@Carl ,
Thank you for your query. As for our recommendations , we ask the user to target the machines/apps only which are owned by them . In this case you own the metasploitable instance and hence you can run tests form it from anywhere. you would have to first allow ICMP protocol for ping on the NSG (Network security group) associated with the VM . In order to reduce the attack surface , azure by default denies any incoming traffic from public internet to Azure VMs . You will need to allow ICMP protocol on the NSG associated with the metasploitable VM instance in order to get the ping command to your instance working from from your remote Kali linux outside azure.
Metasploitable comes in windows and linux both flavors . On windows you may need to additionally enable the default rule on Windows firewall called "File and printer sharing (Echo Request - ICMPv4 - In)" for the Public profile at least.
Unless the linux version of metaexploitable have any internal firewall system like firewalld/iptables which has ICMP blocked , you may not face any issue on the linux flavor . Considering that Metasploitable is a highly vulnerable instance created for learning pen testing , its highly unlikely but if you use any modified image you can may have to keep that in mind.
We also have a pen-testing rules of engagement document which I would strongly recommend you to read before you start your learning adventure. We allow the following types of tests and disallow any kind of Denial of Service attack.
- Tests on your endpoints to uncover the Open Web Application Security Project (OWASP) top 10 vulnerabilities
- Fuzz testing of your endpoints
- Port scanning of your endpoints
If this is just for testing in a closed environment and learning pen testing using metasploitable , I would suggest you to check Azure Lab services where we have a detailed guide for setting up a lab for ethical hacking class. If you need to simulate DDoS attack, we have a partner Breakpoint Cloud which can help you test your assumptions of how a denial of service attack on azure protected resource would look like. If the information provided in the post is helpful, please accept as answer which will help improve the relevancy of the answer and in turn help others in the community searching for similar answers. Should you still have any further queries on this or I have missed any details , please feel free to let us know and we will be happy to help you further. I have included multiple links and would strongly recommend you to read through them.
Thank you.