How to Remotely Ping Microsoft Azure VMs

In this post, I’ll explain why you can’t use Ping with Azure virtual machines via the Internet, and how you can use an alternative (PSPing) that is actually more useful.

Pinging an Microsoft Azure VM

Imagine that you’re an IT pro that has just gotten your hands on Azure for the first time. I have a pretty good idea of what you’re going to try to do:

1. Deploy a virtual machine in Azure.
2. Probably run a broadband speed test from the Azure virtual machine for laughs and giggles.
3. Try to ping the Azure virtual machine from a remote location.

The first step should go pretty well, and the second step should make you wonder about how you can use all that bandwidth. And you’ll be left scratching your head on step three because no matter what you do with Azure endpoints or NAT rules, you won’t be able to ping that virtual machine over the Internet.
There’s a reason for this. The following diagram depicts this simple example. Someone has deployed an Azure virtual machine. The only possible connection to that virtual machine is via the Internet. Any traffic entering the virtual network must pass through a load balancer, and this balancer is filtering ICMP traffic.
Note: Ping uses the ICMP protocol to measure the latency of the connection between a local machine and a remote machine. Any connections exceeding a default latency are deemed to be unavailable.
So this means that we cannot use Ping to verify that the virtual machine is actually online on the Internet.

Why PING to Azure VMs fails (Image Credit: Aidan Finn)

• You have a network connection, VPN or ExpressRoute, that bypasses the load balancer, and
• The firewall in the guest OS of the Azure virtual machine allows inbound ICMP traffic.

Free Tool: PsPing

There’s another way to verify that your virtual machine is online, and that is to use PsPing, a tool from Microsoft SysInternals, available in the free PsTools suite.
PsPing is similar to Ping in that it verifies connectivity to a remote machine using a command line interface. Where PsPing differs is that it doesn’t use ICMP; instead, you define which TCP port to target. That’s where the added value comes in — instead of doing an ICMP test to a standardized destination service that has little to do with your business, you will target a service that means something to your business.
The following simple example will use PsPing to target HTTP (TCP 80) on a remote machine via a cloud service endpoint (Service Manager):

psping demopetriaf.cloudapp.net:80

The above command will execute one warmup ping to TCP 80 on the destination address, and then run an additional four tests by default, reporting the latency of each ping, and then summarizing the results, much the same way that Ping would have done. So, we lose nothing, but we gain something by being able to test against a TCP port that we care about.

Using PowerShell’s Test-NetConnection cmdlet

Another alternative is to use a tool you have built into your operating system: PowerShell. Windows 8.1 and Window Server 2012 R2 added the Test-NetConnection cmdlet, which can be used similarly to PsPing.
The following example will verify that the RDP port that NATs to a virtual machine is listening:

Test-NetConnection demopetriaf.cloudapp.net -Port 60058

So all is not lost if you cannot ping your Azure virtual machines over the Internet. Far from it, because you’re going to be forced to use either a more powerful tool, like PsPing, or one that you can wrap clever scripts around, such as Test-NetConnection.