Share via

Azure VM cannot traceroute to Internet destination?

SWiZ 35 Reputation points
2026-06-15T08:55:17.4266667+00:00

Hi Everyone,

Just wanted to check — has anyone experienced issues with traceroute not working on Azure VMs? We've tried it on Windows, Linux, and FortiGate on Azure, but it doesn't seem to work on any of them.

Does anyone know if there's an official Microsoft documentation explaining why traceroute is disabled on Azure? And is there a way to enable it or any workaround available?

Thanks!

User's imageUser's image

Azure Virtual Machines
Azure Virtual Machines

An Azure service that is used to provision Windows and Linux virtual machines.

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Andrew Taylor - COREZENN 980 Reputation points Volunteer Moderator
    2026-06-16T16:45:54.7533333+00:00

    Hi @SWiZ

    Thank you for reaching out to Microsoft Q&A. I understand you are attempting to use tracert on a Azure VM.

    There is no Azure-wide switch that simply turns on tracert for every VM. In Azure, tracert is typically limited by ICMP behavior on the path in use, and Microsoft documents two important constraints:

    So, if traceroute appears to fail, the first thing to verify is whether your VM is using a path that permits ICMP and whether the relevant NSG rule allows it. If ICMP is not viable in your design, use Azure Network Watcher connection troubleshoot or TCP/UDP-based connectivity tests instead: https://learn.microsoft.com/azure/network-watcher/connection-troubleshoot-overview

    Please Upvote (Thumbs-up) and Accept as answer if the response was helpful. This will be help other community members find relevant help as well.

    Best regards, Andrew S Taylor

    Was this answer helpful?

    0 comments
  2. Sina Salam 29,846 Reputation points Volunteer Moderator
    2026-06-16T14:57:39+00:00

    Hello SWiZ,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that your Azure VM cannot traceroute to Internet destination.

    Regarding your question. YES! Azure VM traceroute is unsupported and unreliable for Internet destination LIKE on-premises.

    Internet traceroute from Azure VMs is not a reliable or supported way to diagnose Internet path hops. There is no Azure switch to enable full Internet traceroute for Windows, Linux, or FortiGate VMs. The behavior you experienced is expected because Azure outbound methods and Internet intermediate devices do not guarantee ICMP/TTL-expired responses, and some Azure outbound mechanisms do not support ICMP at all. NAT Gateway supports TCP/UDP only and does not support ICMP; default outbound access also does not support ICMP pings.

    Therefore, use Network Watcher Connection Troubleshoot, Next Hop, NSG diagnostics/IP Flow Verify, packet capture, and TCP port tests against the real application port. If real TCP/UDP traffic succeeds, traceroute failure alone is not a network outage. So, change the diagnostic method, not by enabling traceroute.

    I hope this is helpful! Do not hesitate to let me know if you have any other questions, steps or clarifications.

    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.

    Was this answer helpful?

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.