Jaa


Use port pings instead of ICMP to test Azure VM connectivity

Because the ICMP protocol is not permitted through the Azure load balancer, you will notice that you are unable to ping an Azure VM from the internet, and from within the Azure VM, you are unable to ping internet locations.

Note that while this applies to network traffic going through the external IP (VIP) through configured endpoints, ICMP is not blocked when connecting through an Azure virtual network gateway or ExpressRoute. Also, ICMP will work between internal IPs of VMs in the same virtual network or in the same cloud service.

Also note that while an instance-level public IP lets you communicate directly to a specific VM instead of through the cloud service VIP that can be used for multiple VMs, ICMP is not permitted in that scenario either.

To test connectivity, we instead recommend that you do a port ping. While Ping.exe uses ICMP, other tools such as PsPing, Nmap, or Telnet allow you to test connectivity to a specific TCP port.

For example, trying to ping yahoo.com from within an Azure VM fails as expected with request timed out because ICMP is blocked at the Azure load balancer:

C:\>ping yahoo.com

Pinging yahoo.com [206.190.36.45] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 206.190.36.45:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

But using the Sysinternals PsPing tool, which allows you to test connectivity to a specific TCP port, you can successfully test connectivity from within the Azure VM to port 80 on an internet site.

C:\Users\craig\Downloads\PSTools>psping yahoo.com:80

PsPing v2.01 - PsPing - ping, latency, bandwidth measurement utility
Copyright (C) 2012-2014 Mark Russinovich
Sysinternals - www.sysinternals.com

TCP connect to 206.190.36.45:80:
5 iterations (warmup 1) connecting test:
Connecting to 206.190.36.45:80 (warmup): 53.25ms
Connecting to 206.190.36.45:80: 52.26ms
Connecting to 206.190.36.45:80: 52.14ms
Connecting to 206.190.36.45:80: 52.32ms
Connecting to 206.190.36.45:80: 51.48ms

TCP connect statistics for 206.190.36.45:80:
  Sent = 4, Received = 4, Lost = 0 (0% loss),
  Minimum = 51.48ms, Maximum = 52.32ms, Average = 52.05ms

Note that one exception to this is that ICMP pings will work to bing.com because Azure and Bing are both Microsoft properties.

C:\Users\craig\Downloads\PSTools>psping bing.com

PsPing v2.01 - PsPing - ping, latency, bandwidth measurement utility
Copyright (C) 2012-2014 Mark Russinovich
Sysinternals - www.sysinternals.com

Pinging 204.79.197.200 with 32 bytes of data:
5 iterations (warmup 1) ping test:
Reply from 204.79.197.200: 6.85ms
Reply from 204.79.197.200: 2.47ms
Reply from 204.79.197.200: 2.30ms
Reply from 204.79.197.200: 2.95ms
Reply from 204.79.197.200: 2.39ms

Ping statistics for 204.79.197.200:
  Sent = 4, Received = 4, Lost = 0 (0% loss),
  Minimum = 2.30ms, Maximum = 2.95ms, Average = 2.53ms

Testing from on-premises to the Azure VM shows the same behavior. The ICMP traffic is blocked by the Azure load balancer and the ping requests timeout. But if you instead do a port ping, they will succeed (assuming the VM is running, isn't blocking the port in the guest firewall, and the port has a configured endpoint for the VM).

To confirm which ports are opened to the VM with Azure endpoints, in the Azure management portal, go to Virtual Machines, select the VM, then select Endpoints.

C:\>ping CLJun21WS12R2A.cloudapp.net

Pinging CLJun21WS12R2A.cloudapp.net [23.100.76.67] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 23.100.76.67:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\>psping CLJun21WS12R2A.cloudapp.net:56972

PsPing v2.01 - PsPing - ping, latency, bandwidth measurement utility
Copyright (C) 2012-2014 Mark Russinovich
Sysinternals - www.sysinternals.com

TCP connect to 23.100.76.67:56972:
5 iterations (warmup 1) connecting test:
Connecting to 23.100.76.67:56972 (warmup): 60.44ms
Connecting to 23.100.76.67:56972: 61.28ms
Connecting to 23.100.76.67:56972: 63.41ms
Connecting to 23.100.76.67:56972: 63.69ms
Connecting to 23.100.76.67:56972: 60.41ms

TCP connect statistics for 23.100.76.67:56972:
  Sent = 4, Received = 4, Lost = 0 (0% loss),
  Minimum = 60.41ms, Maximum = 63.69ms, Average = 62.20ms

C:\>psping CLJun21WS12R2A.cloudapp.net:5986

PsPing v2.01 - PsPing - ping, latency, bandwidth measurement utility
Copyright (C) 2012-2014 Mark Russinovich
Sysinternals - www.sysinternals.com

TCP connect to 23.100.76.67:5986:
5 iterations (warmup 1) connecting test:
Connecting to 23.100.76.67:5986 (warmup): 61.49ms
Connecting to 23.100.76.67:5986: 65.29ms
Connecting to 23.100.76.67:5986: 67.08ms
Connecting to 23.100.76.67:5986: 62.70ms
Connecting to 23.100.76.67:5986: 60.99ms

TCP connect statistics for 23.100.76.67:5986:
  Sent = 4, Received = 4, Lost = 0 (0% loss),
  Minimum = 60.99ms, Maximum = 67.08ms, Average = 64.02ms