Adding Gateway to VM Network As Tenant Administrator

I’ve been exploring VMM PowerShell cmdlets recently especially related to Network Virtualization. I was thinking of blogging about adding Gateway, NAT Connection and VPN connection to VM Network but I was too occupied with work. Today on the TechNet VMM Forum I’ve saw a question on how to add Gateway to a VM Network as Tenant Administrator. Apparently if you go as Tenant Administrator to the properties of the VM Network you will not see an UI for adding Gateway:


My guess the reason behind this is that the usual UI for this option was built for the Administrator role. The Administrator can see all Network Services of type Gateway and has full access to them. On the other hand Tenant Administrator does not have access to those objects. Tenant Administrator has access only to objects in its own scope which what that Tenant Administrator has created. To this problem there are a couple of solutions:

  • Give your tenants the Azure Pack experience. They will be able to access Azure Pack Tenant Portal and add Gateways (NAT Connection and VPN Connections) on their own.
  • Contact administrator and ask him/her to add a Gateway to your VM Network.
  • Add Gateway on your own trough PowerShell

The third option is easy also. You fire up PowerShell. Get the VM Network you want to add Gateway to a variable like this:

$VMnetwork=Get-SCVMNetwork -Name  VMNetwork66

And than you add Gateway to your VM Network like this:

$GatewayName = $VMnetwork.Name + “_Gateway”

Add-SCVMNetworkGateway -VMNetwork $VMnetwork –Name $GatewayName



After this you have your Gateway added to VM Network. As a Tenant Administrator VMM does not allow you to see available Gateways so it will choose automatically the first that has enough resources.

After that you can easily add NAT Connection for example:

$NATConnectionName=$VMnetwork.Name + “_NATConnection”

$Gateway=Get-SCVMNetworkGateway -VMNetwork $VMnetwork –Name $NATConnectionName


After adding the Gateway you can also use Add-SCVPNConnection to add S2S VPN.

Also with Administrator role you have the option to add Gateway, NAT Connection and VPN Connection on behalf of the Tenant Administrator by using –OnBehalfOfUser and  -OnBehalfOfUserRole paramaters. I’ve covered in the past how to execute those.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.