Unable to create a Service
Problem Statement
The Barracuda Web Application Firewall service creation fails because Microsoft Azure was not able to allocate a private IP address to the instance.
Reason
The Azure service principal configured on the unit does not have adequate privileges on the VNET.
The details of the error are available in the Azure activity logs:
{ "error":{ "code":"LinkedAuthorizationFailed", "message":"The client '94f4c94a-xxxx-xxxx-xxxx-xxxxxx3e3a5c' with object id '94f4c94a-xxxx-xxxx-xxxx-xxxxxxe3a5c' has permission to perform action 'Microsoft.Network/networkInterfaces/write' on scope '/subscriptions/XXf7137e-xxxx-xxxx-xxxx-xxxxxxe46fb8/resourceGroups/RG-WAF-PRD/providers/Microsoft.Network/networkInterfaces/WAF03P_nic00'; however, it does not have permission to perform action 'Microsoft.Network/virtualNetworks/subnets/join/action' on the linked scope(s) '/subscriptions/78f7137e-01a0-4730-898d-98ac9be46fb8/resourceGroups/RG-VNET/providers/Microsoft.Network/virtualNetworks/VN-PRD-WE/subnets/SN-PRD-WE'." } }
In the above error, even though the configured service principal has the IP allocation permissions on the NIC "WAF03P_nic00" attached to the VM, it does not have permission to make changes to the subnet "SN-PRD-WE", which is configured under a different resource group, "RG-VNET".
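The following is an added example, not Barracuda or Microsoft code: a small Python parser that takes a LinkedAuthorizationFailed body copied from the activity log and reports which action is missing, on which linked scope, and whether that scope sits in a different resource group from the one the principal was granted on. The function names are hypothetical and the sample error is constructed with placeholder IDs and resource names.

```python
import json
import re

# Constructed sample in the shape of the activity-log error above.
# All IDs and resource names are placeholders, not values from a real tenant.
SUB = "/subscriptions/00000000-0000-0000-0000-0000000000aa"
SAMPLE = json.dumps({"error": {"code": "LinkedAuthorizationFailed", "message": (
    "The client '00000000-0000-0000-0000-000000000001' with object id "
    "'00000000-0000-0000-0000-000000000001' has permission to perform action "
    "'Microsoft.Network/networkInterfaces/write' on scope '" + SUB +
    "/resourceGroups/RG-WAF/providers/Microsoft.Network/networkInterfaces/nic0'"
    "; however, it does not have permission to perform action "
    "'Microsoft.Network/virtualNetworks/subnets/join/action' on the linked "
    "scope(s) '" + SUB + "/resourceGroups/RG-NET/providers/Microsoft.Network"
    "/virtualNetworks/vnet1/subnets/sn1'.")}})

MESSAGE_RE = re.compile(
    r"The client '(?P<client>[^']+)'.*?perform action '(?P<granted>[^']+)' "
    r"on scope '(?P<scope>[^']+)'.*?not have permission to perform action "
    r"'(?P<missing>[^']+)' on the linked scope\(s\) '(?P<linked>[^']+)'", re.S)
RG_RE = re.compile(r"/resourceGroups/([^/]+)", re.I)


def resource_group(scope):
    """Return the resource group named in an ARM scope path, or None."""
    m = RG_RE.search(scope)
    return m.group(1) if m else None


def diagnose(raw):
    """Extract what is missing, and where, from a LinkedAuthorizationFailed body."""
    err = json.loads(raw).get("error", {})
    if err.get("code") != "LinkedAuthorizationFailed":
        return None  # different failure; this parser does not apply
    m = MESSAGE_RE.search(err.get("message", ""))
    if m is None:
        raise ValueError("unrecognised LinkedAuthorizationFailed message")
    granted_rg, linked_rg = resource_group(m["scope"]), resource_group(m["linked"])
    return {
        "client": m["client"],
        "missing_action": m["missing"],
        "linked_scope": m["linked"],
        "granted_rg": granted_rg,
        "linked_rg": linked_rg,
        # True when the linked scope is outside the resource group the
        # principal was granted on, the situation this article describes.
        "cross_resource_group": (granted_rg or "").lower() != (linked_rg or "").lower(),
    }
```

The `linked_scope` value in the result is the scope on which the service principal still needs a role assignment that includes `missing_action`.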
Solution
- The service principal should have READ and WRITE permissions for the RESOURCE GROUP where the WAF is deployed and for the VNET it is using.
- Configure the new service principal on the units.