
Is it still impossible today in 2022 to perform traceroutes from a Linux VM in Azure? I've configured the NSG so that ICMP and UDP traffic is allowed.

thierryn

2 Answers


Ping VM without Public IP

VMs in Azure without a Public IP get to the Internet via a NAT address using an Azure load balancer managed by the fabric. Because the ICMP protocol is not permitted through the Azure load balancer, you will notice that you are unable to ping an Azure VM from the internet, and from within the Azure VM, you are unable to ping internet locations.

To test connectivity, we instead recommend that you do a port ping. While Ping.exe uses ICMP, other tools such as PsPing, Nmap, or Telnet allow you to test connectivity to a specific TCP port.

https://learn.microsoft.com/en-us/archive/blogs/mast/use-port-pings-instead-of-icmp-to-test-azure-vm-connectivity

Ping VM with Public IP

I do want to note that there are some articles out on the Internet saying you CAN ping an Azure VM. There is one thing these articles have in common, but they don't really elaborate on it, and it is this: you can ping a VM if it is assigned an Azure Public IP (PIP). This is because when using a PIP you are bypassing the Azure load balancer for Internet connectivity.

You need to allow ICMP on the NSG and ensure the VM has no Host level firewalls blocking ICMP.

Tracert

Tracert over UDP will not be allowed in Azure, but you can get around this by using a tool like Nmap, which can do the traceroute over TCP.

C:\Users\test>nmap -sS -p 80 -Pn --traceroute www.google.com
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-21 15:26 Coordinated Universal Time
Nmap scan report for www.google.com (172.253.122.147)
Host is up (0.0020s latency).
Other addresses for www.google.com (not scanned): 172.253.122.104 172.253.122.103 172.253.122.99 172.253.122.106 172.253.122.105
rDNS record for 172.253.122.147: bh-in-f147.1e100.net

PORT   STATE SERVICE
80/tcp open  http

TRACEROUTE (using port 80/tcp)
HOP RTT     ADDRESS
1   ... 26
27  2.00 ms bh-in-f147.1e100.net (172.253.122.147)

Nmap done: 1 IP address (1 host up) scanned in 9.65 seconds

Ken W - Zero Networks
In fact, I'm using static public IP addresses with my VM. I can ping that IP from outside and can ping external resources from the VM. What I cannot do is a traceroute from the VM. From an NSG point of view, I allow all UDP and ICMP traffic – thierryn Feb 21 '22 at 13:17
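As an added illustration (not part of either answer), here is a small Python parser for the TRACEROUTE section that nmap --traceroute prints. It expands nmap's "1 ... 26" shorthand for a run of hops that never answered, so you can tell at a glance whether every transit hop was silent and only the destination replied (the result shown in the answer above) or just a few hops dropped the probe. The sample output is constructed from that listing; the regular expressions and the diagnose() summary are my own assumptions about the format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modelled on the nmap --traceroute listing quoted above.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for www.google.com (172.253.122.147)

TRACEROUTE (using port 80/tcp)
HOP RTT     ADDRESS
1   ... 26
27  2.00 ms bh-in-f147.1e100.net (172.253.122.147)

Nmap done: 1 IP address (1 host up) scanned in 9.65 seconds
"""

@dataclass
class Hop:
    ttl: int
    rtt_ms: Optional[float]  # None when no TTL-expired reply came back
    address: Optional[str]   # IP address; None for a silent hop

TARGET_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?([^\s)]+)\)?\s*$")
SILENT_RE = re.compile(r"^(\d+)\s+\.\.\.(?:\s+(\d+))?\s*$")  # "1 ... 26" or "5 ..."
ANSWER_RE = re.compile(r"^(\d+)\s+([\d.]+) ms\s+(?:\S+ \()?([^\s)]+)\)?\s*$")

def parse_nmap_traceroute(text: str) -> Tuple[Optional[str], List[Hop]]:
    """Return (target IP, hops) from nmap's normal output; silent runs are expanded."""
    target, hops, in_trace = None, [], False
    for line in text.splitlines():
        if m := TARGET_RE.match(line):
            target = m.group(1)
        elif line.startswith("TRACEROUTE"):
            in_trace = True
        elif in_trace:
            if not line.strip():
                break  # a blank line closes the TRACEROUTE section
            if m := SILENT_RE.match(line):
                first, last = int(m.group(1)), int(m.group(2) or m.group(1))
                hops += [Hop(ttl, None, None) for ttl in range(first, last + 1)]
            elif m := ANSWER_RE.match(line):
                hops.append(Hop(int(m.group(1)), float(m.group(2)), m.group(3)))
    return target, hops

def diagnose(text: str) -> dict:
    """Count silent hops and flag the Azure-style result: only the destination answers."""
    target, hops = parse_nmap_traceroute(text)
    transit_silent = len(hops) > 1 and all(h.address is None for h in hops[:-1])
    return {"hops": len(hops), "silent": sum(h.address is None for h in hops),
            "only_destination_answered": transit_silent and hops[-1].address == target}
```

Feed it the saved output of `nmap -sS -p 80 -Pn --traceroute <host>` run from the VM; a result where only the destination answers means the fabric is dropping the TTL-expired replies, not that the NSG is misconfigured.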

Please be sure that the PIP you assigned is

  • SKU: Standard
  • Routing preference: Internet

That made all the difference for tracert to work.