Unable to ping VM to VM with traffic routed through the Firewall.

Yashas Manjunath 186 Reputation points
2025-07-15T07:42:21.6733333+00:00

I have 2 spokes and a hub. The route tables in the spokes are configured to route the traffic through the firewall (0.0.0.0/0). I have VMs in both spokes and I want to ping one from the other. This is not successful. I have allowed all protocols from all sources and destinations in the network rule on the firewall. The spoke networks are peered to the hub VNet. The peering configurations look as below. There are no NSGs associated with the VNets, so there should be no other factors blocking this. In the logs on the firewall I can see that the ICMP is getting allowed by my network rule/firewall policy.

Screenshot 2025-07-14 at 12.19.56

Azure Firewall

Accepted answer
  1. Marcin Policht 53,675 Reputation points MVP Volunteer Moderator
    2025-07-15T08:11:23.0133333+00:00

    Assuming that a UDR is configured in both spokes to route the traffic via Azure Firewall, check the OS-level firewall. Windows OS by default blocks ICMP inbound.


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

    1 person found this answer helpful.

1 additional answer

  1. VIVEK DWIVEDI 185 Reputation points Microsoft Employee
    2025-07-15T08:45:32.9066667+00:00

    Hi @Yashas Manjunath,

    1. I hope both spoke VNets' subnets have a route table associated that points 0.0.0.0/0 to the FW IP. Please re-verify.
    2. If it is Windows OS, please disable the OS-level firewall for testing or create an appropriate rule in the OS firewall to allow the traffic.
    3. You can also try a TCP-based ping tool like psping (https://learn.microsoft.com/en-us/sysinternals/downloads/pstools) to test the TCP connectivity.
    4. For Linux-based OSes, firewalls generally don't stop ICMP; also, there are various tools that can test via TCP.

    I hope this helps.
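
Added example, not part of either answer above: one way to apply the OS-firewall advice on the destination Windows VM without disabling the firewall, by checking for an existing inbound ICMPv4 allow rule and adding one scoped to the other spoke. The address prefix and rule name are placeholders chosen for illustration.

```powershell
# Run in an elevated PowerShell session on the DESTINATION Windows VM.
# ASSUMPTION: 10.1.0.0/24 is a placeholder for the source spoke's subnet; replace it.
$SourceSpokePrefix = '10.1.0.0/24'
$RuleName          = 'Allow ICMPv4 echo from peer spoke'   # hypothetical rule name

# 1. Show which firewall profiles are enabled and what they do with
#    inbound traffic that matches no rule.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction

# 2. Find enabled inbound allow rules that already cover ICMPv4.
#    The protocol lives on the rule's port filter, not on the rule itself.
$existing = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).Protocol -eq 'ICMPv4' }

$existing | Select-Object DisplayName, Profile

# 3. If nothing allows it, add a rule limited to echo request (ICMP type 8)
#    and to the source spoke's address range, instead of turning the
#    firewall off or allowing ICMP from any address.
if (-not $existing) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound `
        -Protocol ICMPv4 `
        -IcmpType 8 `
        -RemoteAddress $SourceSpokePrefix `
        -Action Allow `
        -Profile Any
}

# 4. Confirm the rule and its address scope.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# Then, from the SOURCE VM in the other spoke, repeat the ping:
#   Test-Connection -ComputerName <destination-private-ip> -Count 2
```

If a rule found in step 2 is restricted to a profile or remote address that does not match the traffic arriving through the firewall, the ping is still dropped, so compare its `Profile` and address filter before assuming it applies.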

