0

Ping is working fine on an Azure VM which has a public IP address. (ping 8.8.8.8 works fine in this case)

But I am not able to ping on an Azure VM which has only a private IP address. (ping 8.8.8.8 is not coming through in this case)

Is this a limitation from the Azure side? If yes, is there any way to overcome this?

Kate Orlova
  • Private IP means that VM is inaccessible publicly. You can only ping within the virtual network. You will have to allow ICMP traffic on your firewall rules – Imran Arshad Aug 01 '19 at 22:44

2 Answers

1

ICMP works on layer 3. When you don't associate a Public IP address to a VM, when it initiates an outbound connection to the Internet, it does a SNAT with a pseudorandom VIP. Since ICMP doesn't have a port, it gets dropped by the platform.

Hope this helps!

msrini-MSIT
  • Thanks. Makes more sense now!! If we set up a public load balancer by adding the Azure VM in the backend pool as described in [link](https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-outbound-connections#lb), then would it help to make a ping from the Azure VM to the outside world? – penchal kumar Aug 02 '19 at 17:24
  • For Load balancer you need to create rules. But in the rules you need to specify ports. So, ICMP won't work with LB. If you desperately need ICMP to work, then assign a Public IP to the VM. The recommended method of testing connectivity in Azure is using layer 4 connectivity tools like telnet, TCPPing, etc. – msrini-MSIT Aug 03 '19 at 08:23
0

It's an ICMP traffic restriction that you can ping within a VNet but can't ping outside of Azure if you have an Azure VM without a public IP address. To test connectivity, it is instead recommended that you do a port ping. While Ping.exe uses ICMP, other tools such as PsPing, Nmap, or Telnet allow you to test connectivity to a specific TCP port. Read more details here.

I tested it even with the Windows firewall or NSG removed for this Azure VM.

Although you cannot ping outside, you can still browse online, for example www.google.com. From this FAQ: all services deployed within a VNet can connect outbound to the internet. To learn more about outbound internet connections in Azure, see Outbound connections.

Nancy
  • If my reply helped you, you could mark it as accepted; refer to [this](https://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work), thanks. – Nancy Aug 02 '19 at 02:51
  • Thanks Nancy!! I am trying to create an Azure image for an application which has an embedded ping operation. So checking to see if we can make a ping operation from an Azure VM which has only a private IP. If it doesn't work out, then the only way is to find alternatives for ping operations as part of the application. – penchal kumar Aug 02 '19 at 21:05
  • If you just want to test ping, you can deploy another VM2 with a public IP in the same subnet as this VM1, then you can ping from the VM2 with the public IP to the VM1 with only a private IP. Or use other tools such as PsPing, Nmap, or Telnet to test network connectivity. – Nancy Aug 05 '19 at 06:09
  • Alternatively, you could try to create a public basic LB with private instances, refer to [this](https://stackoverflow.com/questions/54705070/azure-load-balancer-standard-sku-how-to-enable-outbound-icmp-traffic-make-p), please let me know if PING outside works on your side in this scenario. – Nancy Aug 05 '19 at 08:45
  • Tried creating a virtual machine scale set as you said in the above post, but ping is still not going through!! Any ideas if a gateway/firewall can help in making ping to the outside world!! – penchal kumar Aug 07 '19 at 17:54
  • As the [doc](https://blogs.msdn.microsoft.com/mast/2014/06/22/use-port-pings-instead-of-icmp-to-test-azure-vm-connectivity/) says: `ICMP is not blocked when connecting through an Azure virtual network gateway or ExpressRoute. Also, ICMP will work between internal IPs of VMs in the same virtual network or in the same cloud service.` So, you could deploy a [VPN gateway](https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways) in the same VNet as the Azure VM, then you should be able to ping outside of Azure in this case. Please let me know if this works. – Nancy Aug 09 '19 at 08:10
  • Do you still have any questions? – Nancy Aug 20 '19 at 05:37
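
Both answers recommend a TCP "port ping" in place of ICMP. The sketch below is an added example, not code from any of the posts; the function names `tcp_ping` and `reachable` are hypothetical, and the demo uses a constructed loopback listener so it runs offline. It shows the detail an application replacing an embedded ping needs: a refused connection still proves the path works, while only a timeout indicates dropped traffic.

```python
import errno
import socket
import time


def tcp_ping(host, port, timeout=2.0):
    """Attempt one TCP handshake; return (status, elapsed_ms).

    open    - SYN/ACK received: path and listener both work
    refused - RST received: the host (or a device in front of it) answered
    timeout - nothing came back: filtered or dropped along the way
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            status = "open"
    except socket.timeout:
        status = "timeout"
    except ConnectionRefusedError:
        status = "refused"
    except OSError as exc:  # DNS failure, no route, unreachable network, ...
        status = "error:" + errno.errorcode.get(exc.errno, str(exc))
    return status, (time.monotonic() - start) * 1000.0


def reachable(host, port, count=3, timeout=2.0):
    """True if any attempt got an answer (open or refused)."""
    for _ in range(count):
        status, _ms = tcp_ping(host, port, timeout)
        if status in ("open", "refused"):
            return True
    return False


if __name__ == "__main__":
    # Constructed offline demo: a throwaway listener on loopback stands in
    # for the remote endpoint the application would normally ping.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    print("listener up  :", tcp_ping("127.0.0.1", port))
    srv.close()
    print("listener down:", tcp_ping("127.0.0.1", port))
```

Unlike ICMP echo, this check needs a TCP port chosen per destination, so the application must know one that the remote side is expected to answer on.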