7

How can I enable Ping on an Azure Linux VM, CentOS 6.6? I know we can enable this on a Windows VM, but how do I do this for a Linux VM?

Thanks.

leo_cape

6 Answers

8

Azure blocks ICMP traffic by default using Network Security Groups. To enable it, you need to create a special rule allowing it. For security reasons, Azure does not allow ICMP from the internet.

Some examples of how to do it:

http://setspn.blogspot.com.es/2015/08/azure-quick-tip-block-or-allow-icmp.html

http://www.theconsultit.com/blog/2016/11/10/how-to-configure-azure-network-security-group-nsg-rule-for-icmp-traffic/

deconya
7
  • Ping external address from Azure VM - does not work as Azure does not permit outbound ICMP

  • Ping Azure VM from external address - does not work as Azure does not permit inbound ICMP

  • Ping between Azure VMs using internal IP (DIP) - works, but guest OS firewall must be configured to allow it as by default ICMP is blocked by the guest.

  • Ping between Azure VM and on-premises through Azure Connect (point-to-point IPSec VPN tunnel) or Virtual Network Gateway (site-to-site IPSec VPN tunnel) - works, but guest OS firewall must be configured to allow it as by default ICMP is blocked by the guest.

As an alternative to ping with ICMP, you can verify connectivity by trying to reach a specific TCP port with tools such as TCPing, PortQuery, or NMap. Those will work inbound to an Azure VM as long as you have opened an endpoint for the port you are trying to reach, the guest firewall allows it, and something is listening on that port. For Azure Connect and Virtual Network Gateways you don't need the endpoints because you are communicating through a VPN tunnel, but the guest firewall would still need to allow the port you are testing, and something needs to be listening on that port.

David Makogon
HEDMON
0

Nothing is required to enable ping replies, which happen by default.

If there are no ICMP (ping) replies coming from the target host, it actually means that they get blocked somewhere along the way. This could happen at any point in either direction, but mostly happens on your VM's firewall.

You should therefore confirm the VM's firewall is blocking the ping by disabling it. If that works, you just reactivate it and add a rule to allow it.

If disabling the VM's firewall still does not result in ICMP requests being answered, you should use traceroute (or tracert on Windows) to see up until what point you get replies and investigate the two hops prior to your VM's IP. It would likely be blocked by your VM's host firewall at that point.

Julie Pelletier
  • 4
    "ICMP protocol is not permitted through the Azure load balancer, you will notice that you are unable to ping an Azure VM from the internet, and from within the Azure VM, you are unable to ping internet locations." (https://blogs.msdn.microsoft.com/mast/2014/06/22/use-port-pings-instead-of-icmp-to-test-azure-vm-connectivity/) – HEDMON Jun 06 '16 at 06:11
  • Which confirms that the host's firewall is blocking ICMP requests as I mentioned. – Julie Pelletier Jun 06 '16 at 06:13
  • 1
    Yes, I just want to let you know exactly where the problem is ;) Even with the right firewall configuration, Azure won't let you ping (in/out), or at least that is what they said – HEDMON Jun 06 '16 at 06:15
  • Gotcha. Good to know! :) – Julie Pelletier Jun 06 '16 at 06:15
0

You can get ping inbound by allowing port 0 in an NSG rule.

```powershell
# "nsgName" and "GroupName" are placeholders for your own NSG and resource group names.
Get-AzureRmNetworkSecurityGroup -Name "nsgName" -ResourceGroupName "GroupName" |
    Add-AzureRmNetworkSecurityRuleConfig -Name "AllowPing" -Description "Allow Ping" `
        -Access "Allow" -Protocol "*" -Direction "Inbound" -Priority 40002 `
        -SourceAddressPrefix "*" -SourcePortRange "*" `
        -DestinationAddressPrefix "*" -DestinationPortRange "0" |
    Set-AzureRmNetworkSecurityGroup
```
Jeter-work
  • 1
    I reformatted the answer for readability, but expanding the answer would greatly improve the value of the answer. Readers who are new to PowerShell and/or Azure need to know which aspects are named by the user (they may have different names in the user's environment, especially if they inherited the environment) and which ones are allowed parameters in a parameter set (e.g. inbound in `-Direction "Inbound"`). – Jeter-work Aug 13 '18 at 13:03
  • Specifying port "0" acts as a wildcard, allowing ALL traffic, not just ICMP. – dyasta Feb 23 '19 at 15:48
0

I was able to ping out-of-the-box from an Azure VM running Ubuntu 18 LTS, but I cannot ping from an external location to the VM.

I looked around and inbound ICMP ping requests are disabled by Azure. They are considering enabling it, or at least allowing one to enable it from their portal under "Networking".

Dan Anderson
-1

After some research I was able to get this working with the following PS one-liner command.

```powershell
Get-AzureRmNetworkSecurityGroup -Name "nsgName" -ResourceGroupName "GroupName" | Add-AzureRmNetworkSecurityRuleConfig -Name "AllowPing" -Description "Allow Ping" -Access "Allow" -Protocol "*" -Direction "Inbound" -Priority 40002 -SourceAddressPrefix "*" -SourcePortRange "*" -DestinationAddressPrefix "*" -DestinationPortRange "*" | Set-AzureRmNetworkSecurityGroup
```
Marco
Shane
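
dyasta's comment above points out that the port "0" rule is not limited to ICMP, and the last answer's one-liner uses a wildcard for protocol, source and ports. As an added example (not code from any answer on this page), the PowerShell below flags inbound rules of that shape and defines an ICMP-only rule restricted to one source range. It assumes the Az module, whose `-Protocol` parameter accepts `Icmp`; the function names, rule names, sample rules and the 203.0.113.0/24 range are constructed for illustration.

```powershell
# Constructed sample rules, shaped like (Get-AzNetworkSecurityGroup ...).SecurityRules.
$sampleRules = @(
    [pscustomobject]@{ Name = 'AllowPing'; Access = 'Allow'; Direction = 'Inbound'; Protocol = '*'
        Priority = 1000; SourceAddressPrefix = @('*'); DestinationPortRange = @('0') }
    [pscustomobject]@{ Name = 'AllowSsh'; Access = 'Allow'; Direction = 'Inbound'; Protocol = 'Tcp'
        Priority = 1010; SourceAddressPrefix = @('203.0.113.0/24'); DestinationPortRange = @('22') }
    [pscustomobject]@{ Name = 'AllowIcmpMgmt'; Access = 'Allow'; Direction = 'Inbound'; Protocol = 'Icmp'
        Priority = 1020; SourceAddressPrefix = @('203.0.113.0/24'); DestinationPortRange = @('*') }
)

# Flag inbound Allow rules that match any protocol, any source and any port.
function Find-OverbroadInboundRule {
    param([Parameter(Mandatory)][object[]]$Rules)
    $anySources = '*', '0.0.0.0/0', 'Internet'
    $anyPorts   = '*', '0', '0-65535'   # "0" is treated as a wildcard, per the comment on this page
    foreach ($r in $Rules) {
        if ($r.Access -ne 'Allow' -or $r.Direction -ne 'Inbound' -or $r.Protocol -ne '*') { continue }
        $openSource = @($r.SourceAddressPrefix | Where-Object { $_ -in $anySources }).Count -gt 0
        $openPort   = @($r.DestinationPortRange | Where-Object { $_ -in $anyPorts }).Count -gt 0
        if ($openSource -and $openPort) {
            [pscustomobject]@{ Name = $r.Name; Priority = $r.Priority
                Finding = 'any protocol, any source, any port' }
        }
    }
}

# Replacement rule: ICMP only, from a single source range chosen by the caller.
# Requires the Az module and a signed-in session; defined here but not invoked.
# NSG rule priorities must lie between 100 and 4096 and be unique per direction.
function Add-ScopedIcmpRule {
    param([string]$NsgName, [string]$ResourceGroup, [string]$SourcePrefix, [int]$Priority = 1030)
    Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroup |
        Add-AzNetworkSecurityRuleConfig -Name 'AllowIcmpFromMgmt' -Access Allow `
            -Protocol Icmp -Direction Inbound -Priority $Priority `
            -SourceAddressPrefix $SourcePrefix -SourcePortRange '*' `
            -DestinationAddressPrefix '*' -DestinationPortRange '*' |
        Set-AzNetworkSecurityGroup
}

# Runs offline against the constructed rules above.
Find-OverbroadInboundRule -Rules $sampleRules | Format-Table -AutoSize
```

To audit a live NSG, pass `(Get-AzNetworkSecurityGroup -Name <nsg> -ResourceGroupName <group>).SecurityRules` as `-Rules`.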