At what scope/s Network Contributor Role is needed to add backend vms to a Load Balancer

Shridhar Srinivasan 215 Reputation points
2023-07-29T05:27:35.38+00:00

I have Resource Group named RG1 with VM1, VM2, VM3

I have Resource Group named RG2 with Load Balancer LB1

Will I need the Network Contributor role on both Resource Groups?

Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
Azure Load Balancer
An Azure service that delivers high availability and network performance to applications.

Accepted answer
  1. GitaraniSharma-MSFT 45,406 Reputation points Microsoft Employee
    2023-07-31T15:48:03.5133333+00:00

    Hello @Shridhar Srinivasan ,

    I understand that you would like to know at what scope/s Network Contributor Role is needed to add backend VMs from one resource group to a Load Balancer in another resource group.

    I set up a lab and below are the roles that were needed to get this done:

    • I have Resource Group named "LBRG" with Load Balancer "mylb-lb".
    • I have Resource Group named "newrg" with a "VM".

    And, I added the below roles:

    Added Network Contributor Role on the load balancer resource group:

    The "Network Contributor" role on the LB resource group will provide the below permissions to manage the Load balancer and its backend:

    Added Network Contributor and Virtual Machine Contributor Roles on the Resource Group "newrg" where VM/VMs are deployed:

    The Network Contributor role on the resource group scope will allow the user to see and manage Microsoft.Network resources such as VNets & NICs.

    At this point, the user will be able to add a backend pool to the load balancer but only with the IP address option. If the user knows the IP address of the VM that needs to be added to the backend pool then yes, it will work.

    But if the user needs to use the NIC option to select the VMs in the backend pool, then it will not work. So, the user will need the Virtual Machine Contributor role as well on the Resource group.

    This is already explained in my other thread: https://learn.microsoft.com/en-us/answers/questions/1288486/network-contributor

    So, to conclude:

    You need the below roles:

    • Resource Group named RG1 with VM1, VM2, VM3 - Both Network Contributor and Virtual Machine Contributor Roles on this RG.
    • Resource Group named RG2 with Load Balancer LB1 - Network Contributor role on this RG.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    4 people found this answer helpful.
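
The three role assignments from the accepted answer's conclusion, scripted with the Azure CLI as an added example (not part of the original answer). The subscription ID and assignee are constructed placeholders, the function names are hypothetical, and both resource groups are assumed to be in the same subscription.

```shell
#!/usr/bin/env bash
# Added example. Subscription ID and assignee below are constructed placeholders.
# Assumption: both resource groups live in the same subscription.

# Build the ARM scope string for a resource group.
rg_scope() {
  printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}

# Print (DRY_RUN=1, the default) or execute one role assignment.
# $1=assignee  $2=built-in role name  $3=scope
assign_role() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf 'az role assignment create --assignee %s --role "%s" --scope %s\n' \
      "$1" "$2" "$3"
  else
    az role assignment create --assignee "$1" --role "$2" --scope "$3"
  fi
}

# $1=subscription ID  $2=assignee  $3=VM resource group  $4=LB resource group
grant_lb_backend_roles() {
  if [ "$#" -ne 4 ]; then
    echo "usage: grant_lb_backend_roles SUB ASSIGNEE VM_RG LB_RG" >&2
    return 2
  fi
  # Refuse a malformed subscription ID before it reaches a scope string.
  if ! printf '%s' "$1" | grep -Eq \
      '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'; then
    echo "subscription ID is not a GUID: $1" >&2
    return 2
  fi
  # A "/" in a group name would change the depth of the scope path.
  case "$3$4" in
    */*) echo "resource group names must not contain '/'" >&2; return 2 ;;
  esac
  # VM resource group: NICs and VNets, plus the VMs for the NIC option.
  assign_role "$2" "Network Contributor" "$(rg_scope "$1" "$3")"
  assign_role "$2" "Virtual Machine Contributor" "$(rg_scope "$1" "$3")"
  # Load balancer resource group: the load balancer and its backend pool.
  assign_role "$2" "Network Contributor" "$(rg_scope "$1" "$4")"
}

# Dry run with the names from the question (RG1 holds the VMs, RG2 holds LB1).
grant_lb_backend_roles 00000000-0000-0000-0000-000000000000 \
  user@example.com RG1 RG2
```

Set `DRY_RUN=0` to execute the commands after reviewing the printed output; the caller needs permission to create role assignments at both resource-group scopes.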
