How to Enable ICMP/Ping Response on Azure Linux VMs (CentOS 6.6)



By default, Azure Network Security Groups (NSGs) block inbound ICMP (ping) requests as a security measure. This applies to both Windows and Linux VMs. While the Windows firewall can be configured through the GUI, Linux requires command-line configuration.

Here's how to enable ping responses on CentOS 6.6:

# 1. Check current iptables rules
sudo iptables -L

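# 2. Add ICMP accept rule (temporary, until reboot)
#    -I inserts at the top of INPUT so the rule is evaluated before any REJECT rule;
#    a rule appended with -A after a REJECT is never reached.
sudo iptables -I INPUT -p icmp --icmp-type 8 -j ACCEPT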

# 3. Make the change persistent
sudo service iptables save
sudo service iptables restart

Even after configuring the VM, you need to allow ICMP at the NSG level:

# Azure CLI command to add ICMP rule
az network nsg rule create \
  --nsg-name YourNSGName \
  --resource-group YourResourceGroup \
  --name AllowPing \
  --access Allow \
  --protocol Icmp \
  --direction Inbound \
  --priority 1000 \
  --source-address-prefixes '*' \
  --destination-address-prefixes '*'

Test from another machine:

ping your-vm-public-ip

  • If ping fails, check both VM firewall and NSG rules
  • For CentOS 7+, use firewalld instead of iptables
  • Consider security implications before enabling ICMP in production

For temporary testing, you can flush all iptables rules (not recommended for production). This deletes every rule in the filter table, not just the ones that affect ICMP:

sudo iptables -F

By default, Azure's Network Security Groups (NSGs) block ICMP traffic as a security measure. This behavior differs between Windows and Linux VMs since Windows allows ping by default through its firewall rules, while Linux distributions like CentOS require manual configuration at both the OS and Azure infrastructure levels.

First, create an inbound security rule to allow ICMP:

# Azure CLI command to add ICMP rule
az network nsg rule create \
  --resource-group YourResourceGroup \
  --nsg-name YourNSGName \
  --name AllowPing \
  --protocol Icmp \
  --priority 100 \
  --access Allow \
  --direction Inbound \
  --source-address-prefixes "*"

For CentOS 6.6 using iptables:

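# Insert the rule into the running ruleset (lost on reboot unless saved)
iptables -I INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Write the running ruleset to /etc/sysconfig/iptables so it survives a reboot
service iptables save

# Permanent solution by hand - edit /etc/sysconfig/iptables
# Add this line before the REJECT rules: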
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Then restart iptables:
service iptables restart
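
A check for the rule-ordering requirement above, as an added example that is not part of the original page: it reads rules in iptables-save format and reports whether the echo-request ACCEPT is evaluated before the INPUT chain's catch-all REJECT/DROP. The function name and both sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads iptables-save style rules (the format of
# /etc/sysconfig/iptables) on stdin and reports whether an ICMP echo-request
# ACCEPT rule in INPUT is evaluated before the chain's catch-all REJECT/DROP.
# Prints "ok" (exit 0), "shadowed" (exit 1) or "missing" (exit 2).
check_ping_rule_order() {
    awk '
        $1 == "-A" && $2 == "INPUT" {
            n++                                   # position within INPUT
            # ACCEPT for ICMP: either all types, or echo-request (type 8).
            if (/-p icmp/ && /-j ACCEPT/ && !accept &&
                (!/--icmp-type/ || /--icmp-type (8|echo-request)([^0-9]|$)/))
                accept = n
            # Catch-all terminator: "-A INPUT -j REJECT|DROP" with no matches.
            if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP") && !block)
                block = n
        }
        END {
            if (!accept)                 { print "missing";  exit 2 }
            if (block && block < accept) { print "shadowed"; exit 1 }
            print "ok"
        }'
}

# Constructed sample: rule added with -A lands after the REJECT (never matched).
SAMPLE_APPENDED='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
COMMIT'

# Constructed sample: same rule added with -I sits at the top of the chain.
SAMPLE_INSERTED='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

printf '%s\n' "$SAMPLE_APPENDED" | check_ping_rule_order || :
printf '%s\n' "$SAMPLE_INSERTED" | check_ping_rule_order || :
```

On the VM, the same function can be fed the live ruleset with `iptables-save | check_ping_rule_order` or the saved file with `check_ping_rule_order < /etc/sysconfig/iptables`.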

To test your configuration:

# From another machine:
ping your-vm-public-ip

# On the VM itself, check dropped packets
# (only produces output if an iptables LOG rule with a matching log prefix is configured):
grep "ICMP.*DROP" /var/log/messages

If ping still doesn't work:

  • Verify both NSG and OS firewall changes were applied
  • Check that the VM's network interface is associated with the correct NSG
  • Confirm no intermediate network appliances are blocking ICMP

While enabling ping is useful for troubleshooting, consider:

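# Limiting ping access to specific IPs in iptables
# (-I places the rule ahead of any REJECT rule in INPUT):
iptables -I INPUT -p icmp --icmp-type echo-request -s 192.168.1.100 -j ACCEPT

# Azure NSG alternative using source IP restriction
# (use this in place of "*" in the az network nsg rule create command):
--source-address-prefixes "203.0.113.1/32"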