Why can’t I ping my #Azure #IaaS VM? – Part 2

Continued from Part 1

2. I can’t ping an Azure Windows Virtual Machine from another Virtual Machine within the same Virtual Network

Consider two Windows machines, VM1 (10.0.0.4) and VM2 (10.0.0.5), within the same subnet of the same virtual network on Azure.

For out-of-the-box Azure Windows VMs, any attempt to ping one of the VMs from the other will fail, even if they’re on the same subnet.

The reason? In the Windows Firewall inbound rules, incoming ICMP Echo Requests are disabled by default.

So turning on this setting should enable pings over ICMP, right? Well … not so fast, my friend:

If you enable file and printer sharing in the Network and Sharing Center, Windows Firewall with Advanced Security automatically enables firewall rules that allow commonly used ICMP packet types. However, this will also enable network features that are not related to ICMP. If you want to enable ICMP only, then create and enable a rule in Windows Firewall to allow inbound ICMP network packets.

Steps to create a rule to allow inbound ICMP requests (remember to start with the most restrictive scope in step 10 and adjust from there):

1. Open the Group Policy Management Console to Windows Firewall with Advanced Security.
2. In the navigation pane, click Inbound Rules.
3. Click Action, and then click New rule.
4. On the Rule Type page of the New Inbound Rule Wizard, click Custom, and then click Next.
5. On the Program page, click All programs, and then click Next.
6. On the Protocol and Ports page, select ICMPv4 or ICMPv6 from the Protocol type list. If you use both IPv4 and IPv6 on your network, you must create a separate ICMP rule for each.
7. Click Customize.
8. In the Customize ICMP Settings dialog box, do one of the following:
– To allow all ICMP network traffic, click All ICMP types, and then click OK.
– To select one of the predefined ICMP types, click Specific ICMP types, and then select each type in the list that you want to allow. Click OK.
– To select an ICMP type that does not appear in the list, click Specific ICMP types, select the Type number from the list, select the Code number from the list, click Add, and then select the newly created entry from the list. Click OK.
9. Click Next.
10. On the Scope page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click Next.
11. On the Action page, select Allow the connection, and then click Next.
12. On the Profile page, select the network location types to which this rule applies, and then click Next.
13. On the Name page, type a name and description for your rule, and then click Finish.
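
The same rule can also be created from PowerShell. This is an added example, not part of the original post: it allows only ICMPv4 Echo Request (type 8) into VM1 from VM2's address, writes to the local firewall store rather than a GPO, and the rule name is made up for illustration.

```powershell
# Run in an elevated PowerShell session on VM1 (10.0.0.4).
# Assumptions: rule name is hypothetical; the rule goes into the local
# firewall store, not a Group Policy Object.
$ruleName = 'Allow ICMPv4 Echo Request from VM2'   # hypothetical name
$peer     = '10.0.0.5'                             # VM2, from the article

# Idempotent: create the rule only if it does not exist yet.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule `
        -DisplayName   $ruleName `
        -Description   'Inbound ping from VM2 only' `
        -Direction     Inbound `
        -Protocol      ICMPv4 `
        -IcmpType      8 `
        -RemoteAddress $peer `
        -Profile       Any `
        -Action        Allow | Out-Null
    # -IcmpType 8     : Echo Request only, not "All ICMP types" (step 8)
    # -RemoteAddress  : the Scope page (step 10), limited to one peer
    # -Profile Any    : narrow to the active network profile if known (step 12)
    # ICMPv6 needs its own rule (-Protocol ICMPv6 -IcmpType 128), per step 6.
}

# Read the rule back with its protocol and scope filters to confirm
# that it is as narrow as intended.
Get-NetFirewallRule -DisplayName $ruleName | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Name          = $_.DisplayName
        Enabled       = $_.Enabled
        Direction     = $_.Direction
        Action        = $_.Action
        Profile       = $_.Profile
        Protocol      = $port.Protocol
        IcmpType      = $port.IcmpType
        RemoteAddress = $addr.RemoteAddress
    }
} | Format-List

# Then, from VM2 (10.0.0.5), check that the ping now succeeds:
#   Test-Connection -ComputerName 10.0.0.4 -Count 2
```

To make ping work in both directions, repeat on VM2 with `$peer` set to 10.0.0.4.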

After enabling inbound ICMP as shown above, test pings between the two machines. They will work now.

TL;DR: enable inbound ICMP requests on Windows Firewall.
