Stephen_Daniel
Staff
December 5, 2025

Technical Tip: Public IP gets disassociated in Azure after configuring and enabling SDN configuration in FortiGate

Description: This article describes why a public IP gets disassociated in Azure because of an incorrect FortiGate SDN connector configuration.
Scope: FortiGate-Azure.
Solution

This issue can occur when the SDN connector configuration is wrong under config nic -> config ip.

For example, if the SDN connector configuration is as below:

 

config system sdn-connector
    edit "Azure-SDN"
        set type azure
        set ha-status enable
        set subscription-id "3bcac138-988a-486a-8da4-e3e87b505e1d"
        set resource-group "co-cnx3-fwl-rg-01"
        set azure-region china
        config nic
            edit "cocnx3vm-FGT-A-Nic1"
                config ip
                    edit "ipconfig1"
                        set public-ip "co-cnx3-fgt-pip-ext01"
                    next
                end
            next
        end
    next
end

 

This SDN config can cause the public IP to be disassociated from the FortiGate instance in the Azure portal because there is a typo in the ipconfig name.

The azd log shows that the daemon found public IP 'co-cnx3-fgt-pip-ext01' on ipconfig 'ipconfig01':

 

2025-10-01 19:37:08 found pub ip co-cnx3-fgt-pip-ext01 in resource group co-cnx3-fwl-rg-01
2025-10-01 19:37:08 ipconfig id: /subscriptions/3bcac138-988a-486a-8da4-e3e87b505e1d/resourceGroups/co-cnx3-fwl-rg-01/providers/Microsoft.Network/networkInterfaces/cocnx3vm-FGT-A-Nic1/ipConfigurations/ipconfig01

 

In the SDN config, however, the ipconfig name is written as 'ipconfig1':

 

config nic
    edit "cocnx3vm-FGT-A-Nic1"
        config ip
            edit "ipconfig1"
                set public-ip "co-cnx3-fgt-pip-ext01"
            next
        end
    next
end

 

From the azd daemon's perspective, it is asked to associate the public IP 'co-cnx3-fgt-pip-ext01' with 'ipconfig1', so it first removes the public IP from 'ipconfig01' and then tries to associate it with 'ipconfig1'. Because 'ipconfig1' does not exist, the association fails and the public IP is left disassociated. This disassociation results in issues such as the VPN tunnel going down and loss of access to the FortiGate over the public IP. To regain access, the public IP has to be associated again in the Azure portal.

 

To fix this issue, change the ipconfig name in the SDN configuration in FortiGate to 'ipconfig01' instead of 'ipconfig1'.
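
The mismatch described above can be caught before it costs the public IP. The following is an added example, not Fortinet's code: it parses the 'config nic' block and the azd 'ipconfig id:' line and reports any configured ipconfig name that azd did not see on the same NIC. The function names are hypothetical and the inputs are constructed from the excerpts quoted in this article.

```python
import re
import shlex
# Constructed inputs: the 'config nic' excerpt and azd log line quoted in the article.
SDN_CONFIG = '''
config nic
    edit "cocnx3vm-FGT-A-Nic1"
        config ip
            edit "ipconfig1"
                set public-ip "co-cnx3-fgt-pip-ext01"
            next
        end
    next
end
'''
AZD_LOG = ("2025-10-01 19:37:08 ipconfig id: /subscriptions/3bcac138-988a-486a-8da4-e3e87b505e1d"
           "/resourceGroups/co-cnx3-fwl-rg-01/providers/Microsoft.Network/networkInterfaces"
           "/cocnx3vm-FGT-A-Nic1/ipConfigurations/ipconfig01\n")

def parse_sdn_ipconfigs(text):
    """Return (nic, ipconfig, public_ip) tuples found under 'config nic' -> 'config ip'."""
    stack, found = [], []  # stack of ("config" | "edit", name) for the current nesting
    for line in text.splitlines():
        tok = shlex.split(line) or [""]
        if tok[0] == "config":
            stack.append(("config", " ".join(tok[1:])))
        elif tok[0] == "edit" and len(tok) > 1:
            stack.append(("edit", tok[1]))
        elif tok[0] in ("next", "end") and stack:
            stack.pop()
        elif tok[:2] == ["set", "public-ip"] and len(tok) > 2:
            sections = [n for k, n in stack if k == "config"]
            edits = [n for k, n in stack if k == "edit"]
            if sections[-2:] == ["nic", "ip"] and len(edits) >= 2:
                found.append((edits[-2], edits[-1], tok[2]))
    return found

def observed_ipconfigs(log):
    """Map NIC name -> set of ipconfig names seen in azd 'ipconfig id:' lines."""
    seen = {}
    for nic, ipc in re.findall(r"networkInterfaces/([^/\s]+)/ipConfigurations/([^/\s]+)", log):
        seen.setdefault(nic, set()).add(ipc)
    return seen

def find_mismatches(config, log):
    """Configured ipconfig names that azd did not report for the same NIC."""
    seen = observed_ipconfigs(log)
    return [(nic, ipc, pip, sorted(seen[nic]))
            for nic, ipc, pip in parse_sdn_ipconfigs(config)
            if nic in seen and ipc not in seen[nic]]
```

Calling find_mismatches(SDN_CONFIG, AZD_LOG) flags 'ipconfig1' against the observed 'ipconfig01'. A NIC that never appears in the log is not reported, because there is nothing to compare it against.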