About roles and permissions for Azure Virtual WAN
The Virtual WAN hub utilizes multiple underlying resources during both creation and management operations. Because of this, it's essential to verify permissions on all involved resources during these operations.
Azure built-in roles
You can choose to assign Azure built-in roles to a user, group, service principal, or managed identity such as Network contributor, which support all the required permissions for creating the gateway. For more information, see Steps to assign an Azure role.
Custom roles
If the Azure built-in roles don't meet the specific needs of your organization, you can create your own custom roles. Just like built-in roles, you can assign custom roles to users, groups, and service principals at management group, subscription, and resource group scopes. For more information, see Steps to create a custom role .
To ensure proper functionality, check your custom role permissions to confirm user service principals, and managed identities operating the VPN gateway have the necessary permissions. To add any missing permissions listed here, see Update a custom role.
Permissions
When creating or updating the resources below, add the appropriate permissions from the following list:
Virtual hub resources
| Resource | Required Azure permissions |
|---|---|
| virtualHubs | Microsoft.Network/virtualNetworks/peer/action Microsoft.Network/virtualWans/join/action |
| virtualHubs/hubVirtualNetworkConnections | Microsoft.Network/virtualNetworks/peer/action Microsoft.Network/virtualHubs/routeMaps/read Microsoft.Network/virtualHubs/hubRouteTables/read |
| virtualHubs/bgpConnections | Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/read |
| virtualHubs/hubRouteTables | Microsoft.Network/securityPartnerProviders/read Microsoft.Network/virtualHubs/hubVirtualNetworkConnections/read Microsoft.Network/networkVirtualAppliances/read Microsoft.Network/azurefirewalls/read |
| virtualHubs/routingIntent | Microsoft.Network/securityPartnerProviders/read Microsoft.Network/networkVirtualAppliances/read Microsoft.Network/azurefirewalls/read |
ExpressRoute gateway resources
| Resource | Required Azure permissions |
|---|---|
| expressroutegateways | Microsoft.Network/virtualHubs/read Microsoft.Network/virtualHubs/hubRouteTables/read Microsoft.Network/virtualHubs/routeMaps/read Microsoft.Network/expressRouteGateways/expressRouteConnections/read Microsoft.Network/expressRouteCircuits/join/action |
| expressRouteGateways/expressRouteConnections | Microsoft.Network/virtualHubs/hubRouteTables/read Microsoft.Network/virtualHubs/routeMaps/read Microsoft.Network/expressRouteCircuits/join/action |
VPN resources
| Resource | Required Azure permissions |
|---|---|
| p2svpngateways | Microsoft.Network/virtualHubs/read Microsoft.Network/virtualHubs/hubRouteTables/read Microsoft.Network/virtualHubs/routeMaps/read Microsoft.Network/vpnServerConfigurations/read |
| p2sVpnGateways/p2sConnectionConfigurations | Microsoft.Network/virtualHubs/hubRouteTables/read Microsoft.Network/virtualHubs/routeMaps/read |
| vpngateways | Microsoft.Network/virtualHubs/read Microsoft.Network/virtualHubs/hubRouteTables/read Microsoft.Network/virtualHubs/routeMaps/read Microsoft.Network/vpnGateways/vpnConnections/read |
| vpnsites | Microsoft.Network/virtualWans/read |
NVA resources
NVAs (Network Virtual Appliances) in Virtual WAN are typically deployed through Azure managed applications or directly via NVA orchestration software. For more information on how to properly assign permissions to managed applications or NVA orchestration software, see instructions here.
| Resource | Required Azure permissions |
|---|---|
| networkVirtualAppliances | Microsoft.Network/virtualHubs/read |
| networkVirtualAppliances/networkVirtualApplianceConnections | Microsoft.Network/virtualHubs/routeMaps/read Microsoft.Network/virtualHubs/hubRouteTables/read |
For more information, see Azure permissions for Networking and Virtual network permissions.
Roles scope
In the process of custom role definition, you can specify a role assignment scope at four levels: management group, subscription, resource group, and resources. To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope.
These scopes are structured in a parent-child relationship, with each level of hierarchy making the scope more specific. You can assign roles at any of these levels of scope, and the level you select determines how widely the role is applied.
For example, a role assigned at the subscription level can cascade down to all resources within that subscription, while a role assigned at the resource group level will only apply to resources within that specific group. Learn more about scope level For more information, see Scope levels.
Note
Allow sufficient time for Azure Resource Manager cache to refresh after role assignment changes.
Additional services
To view roles and permissions for other services, see the following links: