TLDR – The default security lists you get when you create a new network thing in Oracle's OCI do not allow ICMP echo requests (pings). To allow pings you must either add ICMP type 8 as a separate line item rule (max level secure) or create a single ICMP rule that allows ALL types.
Disclaimer – I work for Oracle in the cloud support group. This post is my point of view and not Oracle's, but I work there so respect to the company.
Why are pings not working
When you create a new network thing within your Oracle OCI tenant, the default security list does not permit ICMP pings (echo requests). The reasoning is secure-by-default logic: if you answer ping requests your thing is more discoverable, which makes it a target for testing. On the Internet it’s safer to hide until you’ve configured things for max level security.
Pings are a great troubleshooting tool if you want to know whether a network thing is working or not. Over the last month I’ve worked many cases where customers configured a complicated network thing and tested it with a ping, which failed. The ping failed not because their setup was wrong, but because they forgot to allow ping requests.
Enabling Ping requests
If you want to test with ping requests you’ll need to modify the Ingress rules on the security list associated with the VCN, subnet, network device, thing, whatever, to allow ICMP packets. Allowing ICMP traffic is not required; it’s an option. Please only take this option if you understand the possible impact. The following directions cover enabling ICMP requests for a subnet.
1. From the hamburger button (three lines in the top left corner of the web console) select Networking, Virtual Cloud Networks, then select one of your VCNs.
2. From the VCN Details screen select Security Lists from the list on the left.
3. Select the security list you wish to modify. Your Default security list should look like the following image. It allows SSH over port 22, and some ICMP types required for Oracle networking within the instance.
4. Click on Edit All Rules.
5. The most secure method to allow ping requests is to add an ICMP rule scoped to the IP range you’ll be testing from. For this tutorial we’re going to allow pings from all networks (0.0.0.0/0). Click the +Another Ingress Rule button to add an additional rule to the security list. Configure the rule as follows:
   - Source: 0.0.0.0/0
   - IP Protocol: ICMP
   - Type Code: 8 (Type code definitions)
6. After creating the rule in step 5 click Save Security List Rules. You should now be able to ping things.
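If a ping still fails, or you want to know how wide you opened things, you can check the ingress rules offline. The following is an added example, not Oracle's code and not part of the original walkthrough: it assumes the rules are exported as JSON with the OCI API's ingress rule keys (`source`, `protocol`, `icmpOptions`), and the sample rules and function names are constructed for illustration.

```python
import ipaddress

ICMP, ECHO_REQUEST = "1", 8  # OCI encodes protocols as IANA numbers; ICMP is "1"

# Constructed sample modelled on the default list described above:
# SSH on port 22 plus a couple of ICMP type 3 rules, but no type 8.
DEFAULT_INGRESS = [
    {"source": "0.0.0.0/0", "protocol": "6",
     "tcpOptions": {"destinationPortRange": {"min": 22, "max": 22}}},
    {"source": "0.0.0.0/0", "protocol": "1", "icmpOptions": {"type": 3, "code": 4}},
    {"source": "10.0.0.0/16", "protocol": "1", "icmpOptions": {"type": 3}},
]
# Constructed rules: the tutorial's rule and a tighter one scoped to a test range.
TUTORIAL_RULE = {"source": "0.0.0.0/0", "protocol": "1", "icmpOptions": {"type": 8}}
SCOPED_RULE = {"source": "198.51.100.0/24", "protocol": "1", "icmpOptions": {"type": 8}}


def rule_allows_echo(rule, src_ip):
    """True if this ingress rule admits an ICMP echo request from src_ip."""
    if rule.get("protocol") not in (ICMP, "all"):
        return False
    if rule.get("sourceType", "CIDR_BLOCK") != "CIDR_BLOCK":
        return False  # service-label sources are not CIDRs; out of scope here
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule["source"]):
        return False
    opts = rule.get("icmpOptions")
    if opts is None:
        return True  # no type restriction: every ICMP type is allowed
    # Echo request is type 8, code 0; a rule with no code matches any code.
    return opts.get("type") == ECHO_REQUEST and opts.get("code") in (None, 0)


def ping_allowed(rules, src_ip):
    """Security lists are allow-only, so one matching rule is enough."""
    return any(rule_allows_echo(rule, src_ip) for rule in rules)


def broad_rules(rules):
    """Indexes of rules that admit echo requests from every IPv4 address."""
    return [i for i, rule in enumerate(rules) if rule_allows_echo(rule, "192.0.2.1")
            and ipaddress.ip_network(rule["source"]).prefixlen == 0]


if __name__ == "__main__":
    for name, rules in [("default", DEFAULT_INGRESS),
                        ("default + tutorial rule", DEFAULT_INGRESS + [TUTORIAL_RULE]),
                        ("default + scoped rule", DEFAULT_INGRESS + [SCOPED_RULE])]:
        print(name, ping_allowed(rules, "198.51.100.7"), broad_rules(rules))
```

Any rule index returned by `broad_rules` is one to tighten to your test range once troubleshooting is done.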