I can't create a new connection in a VirtualNetworkGateway

Kevin Robatel 0 Reputation points
2025-02-21T09:56:13.4533333+00:00

I am trying to create a 2nd connection on a Virtual Network Gateway and I get an error:

{"code":"DeploymentFailed","target":"<<...>>","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.","details":[{"code":"LinkedAccessCheckFailed","message":"The client with object id '<<...>>' does not have authorization to perform action 'Microsoft.Network/virtualNetworkGateways/write' over scope '/subscriptions/<<...>>/Microsoft.Network/virtualNetworkGateways/<<...>>' or the scope is invalid. For details on the required permissions, please visit 'https://aka.ms/vngwroles'. If access was recently granted, please refresh your credentials."}]}

I checked my access:

Service Administrator
Has full access to all resources in the subscription

The SKU is Basic.

I already have one connection of type Site-to-site (IPsec).


1 answer

  1. Rohith Vinnakota 2,735 Reputation points Microsoft Vendor
    2025-02-21T20:05:47.14+00:00

    Hi @Kevin Robatel

    Thanks for your reply.

    As you shared, I could see that you have Classic Administrators roles in your subscription. Therefore, a Service Administrator can't update or modify an Azure Virtual Network Gateway (VNG). This is likely because the Classic Administrator role does not have permissions in Azure Resource Manager (ARM).

    Reason: Classic Administrator roles (Service Administrator) are tied to the Azure Service Management (ASM/Classic) model, not the latest Azure Resource Manager (ARM) model. Virtual Network Gateways (VPN/ExpressRoute) are ARM resources, so Classic Administrators do not inherit permissions for ARM operations like Microsoft.Network/virtualNetworkGateways/write.

    Next Steps: If you have a classic administrator role, please refer to the complete document below to convert the RBAC role (Owner, Contributor, or Network Contributor) to resolve the permission issues on VNG operations.

    Refer to the document
    https://learn.microsoft.com/en-us/azure/role-based-access-control/classic-administrators?tabs=azure-portal


    I hope this has been helpful!

    Your feedback is important, so please take a moment to accept answers. If you still have questions, please let us know what is needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!

    2 people found this answer helpful.
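
The permission check the answer describes, as an added example that is not part of the original thread and is not Azure's own implementation: a simplified evaluator that tests whether a set of Azure RBAC role assignments allows the action named in the error at the gateway's scope. The role definitions are abbreviated constructed copies, the scopes are constructed placeholders, and the empty assignment list models the answer's premise that the account holds no Azure RBAC role.

```python
from fnmatch import fnmatchcase

# Constructed, abbreviated role definitions (assumption: only the
# Actions/NotActions needed for this illustration are listed).
ROLES = {
    "Owner": (["*"], []),
    "Contributor": (["*"], ["Microsoft.Authorization/*/Write",
                            "Microsoft.Authorization/*/Delete"]),
    "Network Contributor": (["Microsoft.Network/*"], []),
    "Reader": (["*/read"], []),
}

# Constructed placeholder scopes; the thread redacts the real ones.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-example"
GATEWAY = RG + "/providers/Microsoft.Network/virtualNetworkGateways/vngw-example"
ACTION = "Microsoft.Network/virtualNetworkGateways/write"  # from the error text


def matches(pattern, action):
    """Action strings compare case-insensitively; '*' is a wildcard."""
    return fnmatchcase(action.lower(), pattern.lower())


def scope_covers(assigned, resource):
    """An assignment applies at its own scope and at every child scope."""
    a, r = assigned.rstrip("/").lower(), resource.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


def granting_roles(assignments, action, resource):
    """Return the assigned roles that allow `action` on `resource`.

    `assignments` is a list of (role_name, scope) pairs. Deny assignments
    are not modelled.
    """
    granted = []
    for role_name, scope in assignments:
        actions, not_actions = ROLES[role_name]
        if not scope_covers(scope, resource):
            continue
        allowed = any(matches(p, action) for p in actions)
        excluded = any(matches(p, action) for p in not_actions)
        if allowed and not excluded:
            granted.append(role_name)
    return granted


if __name__ == "__main__":
    for label, held in [("no RBAC assignment", []),
                        ("Reader on subscription", [("Reader", SUB)]),
                        ("Network Contributor on RG", [("Network Contributor", RG)])]:
        print(label, "->", granting_roles(held, ACTION, GATEWAY) or "denied")
```

An empty result corresponds to the authorization failure in the question; a role whose actions cover `Microsoft.Network/virtualNetworkGateways/write`, assigned at or above the gateway's scope, is what clears it.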
