none
Windows Azure Connect - Connected but cannot PING

    Question

  • Hi,

    I have just had a chance to play with the Windows Azure Connect. I followed the steps in this page

    http://msdn.microsoft.com/en-us/library/gg508836.aspx

    I created a web role and installed the endpoint software on one of my local machine and then added a group to let them connected. All well done but when I tried the PING to test my connection I found that I cannot PING the azure instance from my local PC, and from azure instance I cannot ping back to my PC. From the PING message I can see the IPv6 address had been resolved but all message are time-out.

    Below is the PING message in my local machine.

    C:\Users\ziyanxu>ping RD00155D380E3C

     

    Pinging RD00155D380E3C [2a01:111:3f00:1085:4877:53dc:513:edf6] with 32 bytes of

    data:

    Request timed out.

    Request timed out.

    Request timed out.

    Request timed out.

     

    Ping statistics for 2a01:111:3f00:1085:4877:53dc:513:edf6:

        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

    Thursday, December 09, 2010 8:15 AM

Answers

  • Hi Shaun,

    You will need to create a firewall rule to allow ICMP incoming on your Azure roles.

    To do this automatically for all of your Azure role instances, you can create a <Startup> task (http://msdn.microsoft.com/en-us/library/gg456327.aspx).

    1) Create a .cmd file (let's say "EnablePing.cmd") and cut/paste the below lines to the file

    Echo Enable ICMP

    netsh advfirewall firewall add rule name="ICMPv6" dir=in action=allow enable=yes protocol=icmpv6

    exit /b 0

    2) In your ServiceDefinition.csdef file, insert the following lines:

     

    <Startup>

    <Task commandLine="EnablePing.cmd" executionContext="elevated" taskType="simple"/>

    </Startup>


    3) Build and deploy your Azure role



    Jason Chen, Windows Azure PM
    Saturday, December 11, 2010 6:05 AM
    Moderator

All replies

  • Hi Shaun,

    First of all, you lucky ____! ;-) I've been waiting for the invite for quite some time now and I still haven't received my access mail.

    Since I haven't got the chance to play with this I can't be sure, but I can imagine that ICMP traffic is blocked somewhere along the line to prevent DoS attacks. This would explain why PING times out.

    Can you share a folder locally and connect to it from your Role?

     


    With regards,

    Patriek
    If this reply is of help to you, please don't forget to mark it as an answer.
    Thursday, December 09, 2010 8:58 AM
  • Hi,

    I would confirm the imagination of Patriek :) PING is a very common attack vector and I would be surprised to see an internet-facing server which will response to a PING. It is disabled (filtered) for all Azure (Compute) services.

    Thursday, December 09, 2010 9:39 AM
  • From the tutorial cited (my emphasis):

    "As an example, if you have configured the Windows firewall on your local machines and Azure VM’s to allow “ping” (ICMP) traffic you can exercise Connect’s network connectivity very easily. From a local machine, ping your Azure VM’s as shown below. If you have setup TS access to your Azure role, you can login and ping back to a local machine."

    Thursday, December 09, 2010 6:27 PM
  • Could you please let me know how I can identify weather the ICMP had been blocked in my machine and Azure VM? I'm pretty sure I can PING my machine from home.
    Friday, December 10, 2010 2:54 AM
  • Hi Shaun,

    You could peform a TRACERT as you would perfrom a PING (so tracert <ip-address>). You can then see at what point the ICMP package is dropped (somewhere between the node that replied the last and your target machine).

     


    With regards,

    Patriek
    If this reply is of help to you, please don't forget to mark it as an answer.
    Friday, December 10, 2010 5:11 AM
  • Hi Shaun,

    You will need to create a firewall rule to allow ICMP incoming on your Azure roles.

    To do this automatically for all of your Azure role instances, you can create a <Startup> task (http://msdn.microsoft.com/en-us/library/gg456327.aspx).

    1) Create a .cmd file (let's say "EnablePing.cmd") and cut/paste the below lines to the file

    Echo Enable ICMP

    netsh advfirewall firewall add rule name="ICMPv6" dir=in action=allow enable=yes protocol=icmpv6

    exit /b 0

    2) In your ServiceDefinition.csdef file, insert the following lines:

     

    <Startup>

    <Task commandLine="EnablePing.cmd" executionContext="elevated" taskType="simple"/>

    </Startup>


    3) Build and deploy your Azure role



    Jason Chen, Windows Azure PM
    Saturday, December 11, 2010 6:05 AM
    Moderator