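I have an Azure VM running CentOS 7.
I need to be able to ping the VM. Please help.
I have already added rules in the Azure network security group to allow inbound and outbound ICMP traffic.
I tried tcpdump while pinging the VM and got the following. The ping reaches the VM, but there is no echo.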
# tcpdump -n icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
00:03:03.542197 IP xxx.xxx.xxx.xxx > zzz.zzz.zzz.zzz: ICMP echo request, id 1, seq 27, length 40
00:03:08.177717 IP xxx.xxx.xxx.xxx > zzz.zzz.zzz.zzz: ICMP echo request, id 1, seq 28, length 40
00:03:13.176192 IP xxx.xxx.xxx.xxx > zzz.zzz.zzz.zzz: ICMP echo request, id 1, seq 29, length 40
00:03:18.179201 IP xxx.xxx.xxx.xxx > zzz.zzz.zzz.zzz: ICMP echo request, id 1, seq 30, length 40
Ping result
ping zzz.zzz.zzz.zzz
Pinging zzz.zzz.zzz.zzz with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for zzz.zzz.zzz.zzz:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
Found the following ICMP-related entries in iptables:
[0:0] -A INPUT -j REJECT --reject-with icmp-host-prohibited
[0:0] -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
[0:0] -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
[0:0] -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A FORWARD -j REJECT --reject-with icmp-host-prohibited
[0:0] -A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
[0:0] -A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
[0:0] -A FWDI_public -p icmp -j ACCEPT
[70:4830] -A INPUT_direct -p icmp -m icmp --icmp-type 8 -j ACCEPT
[20:4880] -A IN_public -p icmp -j ACCEPT
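By default, Azure denies and blocks all public inbound traffic to an Azure virtual machine, and that includes ICMP traffic. You not only need to allow ICMP in the NSG, but also need to set up the operating system to respond to ping / ICMP echo requests. Please see this.
Alternatively, you can use port pings instead of ICMP to test Azure VM connectivity.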
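The packet counters in the iptables listing above already show where the echo handling stops. The script below is an added example, not part of the original question or answer: it parses `iptables-save -c` style lines (the sample is copied from the question) and compares packets accepted on the input side with packets counted by the OUTPUT echo-reply rules. The function names and verdict strings are made up for this illustration, and the verdict is a heuristic reading of the counters.

```shell
#!/bin/sh
# Added example. Rule lines copied from the iptables listing in the question.
sample_rules() {
    cat <<'EOF'
[0:0] -A INPUT -j REJECT --reject-with icmp-host-prohibited
[0:0] -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
[0:0] -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
[0:0] -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A FORWARD -j REJECT --reject-with icmp-host-prohibited
[0:0] -A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
[0:0] -A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
[0:0] -A FWDI_public -p icmp -j ACCEPT
[70:4830] -A INPUT_direct -p icmp -m icmp --icmp-type 8 -j ACCEPT
[20:4880] -A IN_public -p icmp -j ACCEPT
EOF
}

# Print "<chain> <target> <packets>" for every counted rule mentioning icmp.
icmp_counters() {
    awk '/^\[[0-9]+:[0-9]+\] -A / && /icmp/ {
        split(substr($1, 2), c, ":")          # "[70:4830]" -> c[1] = 70
        target = ""
        for (i = 1; i < NF; i++) if ($i == "-j") target = $(i + 1)
        print $3, target, c[1] + 0
    }'
}

# Heuristic verdict: packets accepted by input-side chains (INPUT, INPUT_direct,
# IN_public) versus packets counted by the OUTPUT rules for echo replies.
echo_verdict() {
    icmp_counters | awk '
        $2 == "ACCEPT" && $1 ~ /^IN/     { in_ok  += $3 }
        $2 == "ACCEPT" && $1 == "OUTPUT" { out_ok += $3 }
        END {
            if (in_ok == 0)       print "no-icmp-accepted"
            else if (out_ok == 0) print "accepted-but-no-reply-counted"
            else                  print "accepted-and-reply-counted"
        }'
}

sample_rules | echo_verdict
```

Accepted requests with a zero count on the OUTPUT echo-reply rules matches the tcpdump capture, which shows requests and no replies. In that situation the kernel setting `net.ipv4.icmp_echo_ignore_all` is one OS-level switch worth checking.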