VMs on individual Spoke cannot ping each other

Question

We have Spoke 1 and Spoke 2 Vnet which are peered with HUBVnet. Traffics on each Spoke are routed to Azure Firewall in HUB Vnet. Meaning the communication between VMs on each Spokes are controlled through the Network Rule on Azure Firewall ( located in HUB Vnet).

I am able to access the Web Page and RDP towards the VM on spoke 2 from source VM located in Spoke 1 through Azure Firewall , as expected. The only issue i have is i am not able to ping towards the above same VM , even though the Network rule in Azure Firewall are created to allow "ANY" service.

Could you please assist me on troubleshooting this issue.

Best Regards,

Answer 1

@shiji ,

Ping uses ICMP and make sure you allow ICMP in below places:

1. Azure Firewall should allow ICMP (You mentioned it is allowed )
2. Destination VM should allow ICMP (By default it does for VNET peering traffic)
3. Guest OS should allow ICMP. I mean Windows Firewall (Most probable reason for the ICMP failure.)

Also If you want to test connectivity do not use ICMP in Azure. Its good to use tools like psping where you can do TCP based connectivity tests.

Regards,
Karthik Srinivas

Answer 2

I have exactly facing with same problem when I am trying to ping a machine in another spoke through the azure firewall (premium). All the protocols are selected (Any) but on that specific Network rule ports are open only for SMB and CIFS between the two VMs and ping result shows "Request time out". The interesting part is when using "any port" then ping result would turn to Reply message even though ICMP is not listed in the "protocol" list!!! Using Psping shows same result, though

Answer 3

Hi there,

If the RDP and http/https are working between the vms and azure firewall is allowing any, you have 2 things to check.

1- The NSG on the destination vm and its subnet should allow ICMP in inbound direction.
2- The firewall on the OS itself should allow ICMP-reply , or turned off.

Br,