VMs on individual Spoke cannot ping each other

shiji 21 Reputation points
2021-11-13T16:45:36.1+00:00

We have Spoke 1 and Spoke 2 Vnet which are peered with HUBVnet. Traffics on each Spoke are routed to Azure Firewall in HUB Vnet. Meaning the communication between VMs on each Spokes are controlled through the Network Rule on Azure Firewall ( located in HUB Vnet).

I am able to access the Web Page and RDP towards the VM on spoke 2 from source VM located in Spoke 1 through Azure Firewall , as expected. The only issue i have is i am not able to ping towards the above same VM , even though the Network rule in Azure Firewall are created to allow "ANY" service.

Could you please assist me on troubleshooting this issue.

Best Regards,

Azure Firewall
Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
333 questions
No comments
{count} votes

Accepted answer
  1. msrini-MSFT 5,676 Reputation points Microsoft Employee
    2021-11-15T03:54:40.377+00:00

    @shiji ,

    Ping uses ICMP and make sure you allow ICMP in below places:

    1. Azure Firewall should allow ICMP (You mentioned it is allowed )
    2. Destination VM should allow ICMP (By default it does for VNET peering traffic)
    3. Guest OS should allow ICMP. I mean Windows Firewall (Most probable reason for the ICMP failure.)

    Also If you want to test connectivity do not use ICMP in Azure. Its good to use tools like psping where you can do TCP based connectivity tests.

    Regards,
    Karthik Srinivas

    No comments

2 additional answers

Sort by: Most helpful
  1. Ghafghazi, Salar 1 Reputation point
    2022-09-22T23:46:52.787+00:00

    I have exactly facing with same problem when I am trying to ping a machine in another spoke through the azure firewall (premium). All the protocols are selected (Any) but on that specific Network rule ports are open only for SMB and CIFS between the two VMs and ping result shows "Request time out". The interesting part is when using "any port" then ping result would turn to Reply message even though ICMP is not listed in the "protocol" list!!! Using Psping shows same result, though

    No comments

  2. Nader Khalil 1 Reputation point
    2022-10-05T08:17:39.573+00:00

    Hi there,

    If the RDP and http/https are working between the vms and azure firewall is allowing any, you have 2 things to check.

    1- The NSG on the destination vm and its subnet should allow ICMP in inbound direction.
    2- The firewall on the OS itself should allow ICMP-reply , or turned off.

    Br,

    No comments