msolanki
Staff
September 23, 2025

Technical Tip: Azure VM authorization problem in SDN connector

Description

This article provides the troubleshooting steps to follow when a FortiGate VM on Azure is not authorized by the Azure IAM policies that its SDN connector relies on.

Scope

FortiGate.
Solution

On Azure, the SDN connector fails to come up when the Security Fabric connection is established or during an HA failover. Because the connector is what updates the Azure resources (public IPs, routes) for the new primary unit, an HA cluster deployed with the SDN connector cannot complete a failover while the connector is down.


While debugging the SDN connector daemon (diagnose debug application azd -1, or diagnose debug application sdncd -1 on releases that use sdncd, together with diagnose debug enable), logs such as the following can be observed:


2025-01-01 14:12:37 azd api failed, url = https://management.azure.com/subscriptions/123cc3ad4xxxxxx/resourceGroups/NETWORK/providers/Microsoft.Network/publicIPAddresses?api-version=2023-09-01, rc = 403

{"error":{"code":"AuthorizationFailed","message":"The client '0a00f074-xxxxxxx' with object id '0a00f07xxxxxxxxxx' does not have authorization to perform action 'Microsoft.Network/publicIPAddresses/read' over scope '/subscriptions/xxcc3ad4xxxxxxxxx/resourceGroups/NETWORK/providers/Microsoft.Network' or the scope is invalid. If access was recently granted, please refresh your credentials."}}

2025-09-01 14:12:37 azd failed to list all public IP for subscription 123cc3ad4-6xxxxxxxxxx

2025-09-01 14:12:37 azd sdn connector Identity: failed to get ip addr list

2025-09-01 14:12:37 azd sdn connector Identity: exit, pid: 5802

2025-09-01 14:12:38 azd api failed, url = https://management.azure.com/subscriptions/4444xxxxyyy28114-44e9-/resourceGroups/networking/providers/Microsoft.Network/publicIPAddresses?api-version=2023-09-01, rc = 404

{"error":{"code":"ResourceGroupNotFound","message":"Resource group 'networking' could not be found."}}

2025-09-01 14:12:38 azd failed to list all public IP for subscription 4445555-44exxxxxxx


The following steps can resolve the issue:

  1. Check that the VM's identity has been granted a role in Azure IAM (Entra ID). With a managed identity, the VM's system-assigned or user-assigned identity must hold a role that includes the action named in the AuthorizationFailed message (in the log above, Microsoft.Network/publicIPAddresses/read) at the scope shown in the message, and the client ID/object ID in the message must belong to that identity. If the role was granted only moments ago, wait for the assignment to propagate and then retry.
  2. Verify that the subscription ID and resource group configured on the SDN connector match where the VM and network objects actually exist. A ResourceGroupNotFound error (as for 'networking' above) means no group of that name exists in that subscription; resource group names are case-insensitive in Azure, so this is a wrong or missing group, not a capitalization problem.
  3. If the connector authenticates with a service principal rather than a managed identity, check in Entra ID whether the application's client secret has expired, and rotate it if so.
  4. If necessary, disable the use of the managed identity (IAM role) in the SDN connector settings (set use-metadata-iam disable under config system sdn-connector) and configure the Tenant ID, Client ID and client secret of a service principal instead.
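To tie the debug output to the checks above, here is an added triage script (example code written for this article, not part of FortiOS or any Fortinet tool). It parses the "azd api failed" lines and the JSON error body that follows each one, extracts the subscription, resource group, principal object ID, required action and scope, and maps the Azure error code to the step that addresses it. The lines in SAMPLE_LOG are constructed to mirror the ones quoted above, with placeholder IDs; the ExpiredAuthenticationToken entry is an added case to exercise step 3. The mapping in STEP_FOR_CODE is this script's own assumption about which step each error code points to.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample of "diagnose debug application azd -1" output, modelled on
# the lines quoted in the article. All IDs are placeholders, not real Azure values.
SAMPLE_LOG = """\
2025-09-01 14:12:37 azd api failed, url = https://management.azure.com/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/NETWORK/providers/Microsoft.Network/publicIPAddresses?api-version=2023-09-01, rc = 403
{"error":{"code":"AuthorizationFailed","message":"The client '0a00f074-0000-0000-0000-000000000000' with object id '0a00f074-0000-0000-0000-000000000001' does not have authorization to perform action 'Microsoft.Network/publicIPAddresses/read' over scope '/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/NETWORK/providers/Microsoft.Network' or the scope is invalid. If access was recently granted, please refresh your credentials."}}
2025-09-01 14:12:37 azd failed to list all public IP for subscription 11111111-1111-1111-1111-111111111111
2025-09-01 14:12:38 azd api failed, url = https://management.azure.com/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/networking/providers/Microsoft.Network/publicIPAddresses?api-version=2023-09-01, rc = 404
{"error":{"code":"ResourceGroupNotFound","message":"Resource group 'networking' could not be found."}}
2025-09-01 14:12:39 azd api failed, url = https://management.azure.com/subscriptions/22222222-2222-2222-2222-222222222222/providers/Microsoft.Network/publicIPAddresses?api-version=2023-09-01, rc = 401
{"error":{"code":"ExpiredAuthenticationToken","message":"The access token expiry UTC time '9/1/2025 1:10:00 PM' is earlier than current UTC time '9/1/2025 2:12:39 PM'."}}
"""

# "<timestamp> azd api failed, url = <url>, rc = <http status>"
API_FAILED = re.compile(
    r"^(?P<ts>\S+ \S+) azd api failed, url = (?P<url>\S+), rc = (?P<rc>\d+)$"
)
# Details Azure embeds in an AuthorizationFailed message.
ACTION_RE = re.compile(r"perform action '(?P<action>[^']+)' over scope '(?P<scope>[^']+)'")
OBJECT_ID_RE = re.compile(r"with object id '(?P<oid>[^']+)'")

# Azure error code -> numbered check in the article's solution (this script's assumption).
STEP_FOR_CODE = {
    "AuthorizationFailed": 1,          # identity lacks the role/action at that scope
    "ResourceGroupNotFound": 2,        # wrong subscription or resource group configured
    "SubscriptionNotFound": 2,
    "ExpiredAuthenticationToken": 3,   # service-principal secret / token problem
    "InvalidAuthenticationToken": 3,
}


def parse_arm_url(url):
    """Pull subscription and resource group out of an ARM request URL path."""
    parts = urlparse(url).path.strip("/").split("/")
    found = {}
    for segment, key in (("subscriptions", "subscription"), ("resourceGroups", "resource_group")):
        if segment in parts and parts.index(segment) + 1 < len(parts):
            found[key] = parts[parts.index(segment) + 1]
    return found


def parse_azd_log(text):
    """Return one finding per failed ARM call, enriched from the JSON body that follows it."""
    findings = []
    current = None
    for line in text.splitlines():
        m = API_FAILED.match(line)
        if m:
            current = {"timestamp": m["ts"], "rc": int(m["rc"]), "url": m["url"], "step": None}
            current.update(parse_arm_url(m["url"]))
            findings.append(current)
            continue
        if current is not None and line.startswith("{"):
            try:
                err = json.loads(line)["error"]
            except (ValueError, KeyError, TypeError):
                current = None
                continue
            current["code"] = err.get("code")
            current["message"] = err.get("message", "")
            am = ACTION_RE.search(current["message"])
            if am:
                current["action"], current["scope"] = am["action"], am["scope"]
            om = OBJECT_ID_RE.search(current["message"])
            if om:
                current["object_id"] = om["oid"]
            current["step"] = STEP_FOR_CODE.get(current["code"])
            current = None  # body consumed; the next JSON line belongs to the next failure
    return findings


def steps_to_check(findings):
    """Distinct solution steps implicated by the findings, in ascending order."""
    return sorted({f["step"] for f in findings if f["step"]})


def triage_sample():
    return parse_azd_log(SAMPLE_LOG)


if __name__ == "__main__":
    for f in triage_sample():
        print(f["rc"], f.get("code"), "-> step", f["step"],
              {k: f[k] for k in ("subscription", "resource_group", "action", "object_id") if k in f})
    print("steps to check:", steps_to_check(triage_sample()))
```

The object ID, action and scope the script pulls out of an AuthorizationFailed entry are exactly what to verify on the Azure side: az role assignment list --assignee <object id> --all shows whether that identity holds any role at the scope in question, and the role's permitted actions must cover the one named in the message.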