How to Set Up Windows Server 2016 Gateway Pools
In a Windows Server 2016 SDN deployment, a Gateway Pool is a logical grouping of RAS Gateway virtual machines managed by the Network Controller. Gateway Pools provide high availability and capacity management for tenant VPN and routing connections. When a tenant requires a gateway connection, the Network Controller automatically selects an available gateway from the pool and provisions the connection on it. If a gateway fails, connections can be redistributed to other gateways in the pool, providing resilience without manual intervention.
This tutorial walks through the configuration of Gateway Pools on Windows Server 2016, covering gateway VM preparation, registration with the Network Controller, pool creation, and capacity planning.
Gateway Pool Types
Windows Server 2016 supports three types of gateway pools. An M+N pool provides redundancy by deploying M active gateways and N standby gateways. When an active gateway fails, a standby automatically takes over. A dedicated pool assigns each tenant their own gateway VM for guaranteed resource isolation. A shared pool allows multiple tenants to use the same gateway VM, maximising hardware utilisation at the cost of resource sharing. Most production deployments use the M+N model for the balance of redundancy and efficiency it provides.
Prerequisites
You need Windows Server 2016 Datacenter edition VMs to serve as gateways, each with at least two NICs (management and external/public). The Network Controller must be deployed and operational. Each gateway VM must have the Remote Access role installed:
Install-WindowsFeature RemoteAccess -IncludeAllSubFeature -IncludeManagementTools
Enable multitenant mode on each gateway VM:
Install-RemoteAccess -MultiTenancy
Step 1 — Register Gateway VMs with the Network Controller
Each gateway VM must be registered as a server object in the Network Controller. All calls below go to the Network Controller REST endpoint over HTTPS and authenticate with the caller's Windows identity (-UseDefaultCredentials); the gateway VM's administrator credential is not placed in the request body but referenced through an existing credential resource (/credentials/GatewayAdminCred). Define the server resource for the first gateway VM:
$uri = "https://nc.contoso.com"                       # Network Controller REST endpoint (HTTPS)
$headers = @{ "Content-Type" = "application/json" }
$gw1Body = @{
    properties = @{
        connections = @(@{
            managementAddress = "10.10.55.20"          # management NIC address
            # Reference to a pre-existing credential resource; no password in this body
            credential = @{ resourceRef = "/credentials/GatewayAdminCred" }
            credentialType = "UsernamePassword"
        })
        networkInterfaces = @(
            @{
                resourceId = "GW1-ExternalNIC"         # public-facing VPN endpoint NIC
                properties = @{
                    ipConfigurations = @(@{
                        properties = @{
                            privateIPAddress = "192.0.2.10"
                            privateIPAllocationMethod = "Static"
                            subnet = @{ resourceRef = "/logicalNetworks/PublicVIP/subnets/0" }
                        }
                    })
                }
            },
            @{
                resourceId = "GW1-InternalNIC"         # HNV provider network NIC
                properties = @{
                    ipConfigurations = @(@{
                        properties = @{
                            privateIPAddress = "10.10.56.20"
                            privateIPAllocationMethod = "Static"
                            subnet = @{ resourceRef = "/logicalNetworks/HNVProvider/subnets/0" }
                        }
                    })
                }
            }
        )
    }
} | ConvertTo-Json -Depth 9
Invoke-RestMethod `
    -Uri "$uri/networking/v1/servers/GW1" `
    -Method Put `
    -Body $gw1Body `
    -Headers $headers `
    -UseDefaultCredentials
Repeat for each additional gateway VM (GW2, GW3, etc.).
Step 2 — Create a Gateway Pool
With the gateway VMs registered, create the Gateway Pool resource that groups them together. Specify the redundancy type, capacity, and which servers belong to the pool:
$poolBody = @{
    properties = @{
        type = "All"                                   # pool serves every gateway connection type
        ipConfiguration = @{
            subnet = @{ resourceRef = "/logicalNetworks/HNVProvider/subnets/0" }
        }
        redundantGatewayCount = 1                      # N standby gateways in the M+N model
        gatewayCapacity = 128
        gatewayVMs = @(                                # servers registered in Step 1
            @{ resourceRef = "/servers/GW1" },
            @{ resourceRef = "/servers/GW2" },
            @{ resourceRef = "/servers/GW3" }
        )
        publicIPAddresses = @(                         # public IP resource registered in Step 3
            @{ resourceRef = "/publicIPAddresses/GW-PublicIP1" }
        )
    }
} | ConvertTo-Json -Depth 6
Invoke-RestMethod `
    -Uri "$uri/networking/v1/gatewayPools/DefaultPool" `
    -Method Put `
    -Body $poolBody `
    -Headers $headers `
    -UseDefaultCredentials
The redundantGatewayCount value of 1 means one gateway is kept in standby for failover (M+1 configuration). With the three gateway VMs listed above, that gives two active gateways and one standby.
Step 3 — Create a Public IP Address Resource
Gateway connections need public IP addresses for the external VPN endpoints. Register the public IP referenced by the pool in Step 2 with the Network Controller:
$pipBody = @{
    properties = @{
        publicIPAllocationMethod = "Static"
        ipAddress = "192.0.2.100"
    }
} | ConvertTo-Json -Depth 3
Invoke-RestMethod `
    -Uri "$uri/networking/v1/publicIPAddresses/GW-PublicIP1" `
    -Method Put `
    -Body $pipBody `
    -Headers $headers `
    -UseDefaultCredentials
Step 4 — Verify the Gateway Pool Status
Check that the gateway pool shows the correct number of active and standby gateways:
Invoke-RestMethod `
    -Uri "$uri/networking/v1/gatewayPools/DefaultPool" `
    -Method Get `
    -UseDefaultCredentials | ConvertTo-Json -Depth 5
Verify individual gateway VMs are in the Healthy state by checking server configuration status from the Network Controller.
Step 5 — Associate Tenant Gateways with the Pool
When provisioning a gateway connection for a tenant, reference the pool rather than a specific gateway VM. The Network Controller will select the appropriate gateway automatically:
$tenantGWBody = @{
    properties = @{
        virtualNetwork = @{ resourceRef = "/virtualNetworks/TenantAVNet" }
        pool = @{ resourceRef = "/gatewayPools/DefaultPool" }   # pool, not a specific gateway VM
        type = "S2sIpSec"
        ipConfigurations = @(@{
            properties = @{
                privateIPAddress = "10.10.56.100"
                privateIPAllocationMethod = "Static"
                subnet = @{ resourceRef = "/logicalNetworks/HNVProvider/subnets/0" }
            }
        })
    }
} | ConvertTo-Json -Depth 6
Invoke-RestMethod `
    -Uri "$uri/networking/v1/gateways/TenantA-GW" `
    -Method Put `
    -Body $tenantGWBody `
    -Headers $headers `
    -UseDefaultCredentials
Capacity Planning
The gatewayCapacity value in the pool definition represents the maximum number of connections or tunnels the pool can support. Plan capacity based on the expected tenant count and the capabilities of the gateway VMs. Monitor current utilisation by querying the gateways endpoint (/networking/v1/gateways) and reviewing each gateway's connectionCount property. Scale the pool by registering additional gateway VMs and adding them to gatewayVMs when utilisation approaches the defined capacity.
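The following script, an added example rather than code from the original tutorial, combines the Step 4 verification with the capacity check described above: it confirms the pool has at least one active gateway after standby is subtracted, that every gatewayVMs reference resolves to a registered server, and how close the pool's connectionCount total is to gatewayCapacity. It assumes the REST paths and property names used in this tutorial and that collection GETs return their items in a value array; the 80% threshold is a constructed value.

```powershell
# Added example (not part of the original tutorial). Assumes the property names used
# above (redundantGatewayCount, gatewayCapacity, gatewayVMs, connectionCount) and that
# collection GETs return a 'value' array; $WarnAt is a constructed threshold.
function Test-GatewayPool {
    param(
        [string]$NcUri    = "https://nc.contoso.com",
        [string]$PoolName = "DefaultPool",
        [double]$WarnAt   = 0.8      # warn at 80% of gatewayCapacity
    )
    $base  = "$NcUri/networking/v1"
    # HTTPS plus -UseDefaultCredentials: caller's Windows identity, no secrets in the script.
    $pool  = Invoke-RestMethod -Uri "$base/gatewayPools/$PoolName" -Method Get -UseDefaultCredentials
    $props = $pool.properties

    # M+N sanity check: members minus standby must leave at least one active gateway.
    $members = @($props.gatewayVMs).Count
    $standby = [int]$props.redundantGatewayCount
    $active  = $members - $standby
    if ($active -lt 1) {
        Write-Warning "Pool '$PoolName': $members member(s) but $standby standby; no active gateway."
    } else {
        Write-Host "Pool '$PoolName': $active active + $standby standby gateway(s)."
    }

    # Every gatewayVMs reference must resolve to a server registered in Step 1; a dangling
    # reference is a gateway that cannot take over on failover.
    foreach ($ref in @($props.gatewayVMs.resourceRef)) {
        try   { $null = Invoke-RestMethod -Uri "$base$ref" -Method Get -UseDefaultCredentials }
        catch { Write-Warning "Gateway server $ref is not registered with the Network Controller." }
    }

    # Capacity: sum connectionCount across tenant gateways bound to this pool.
    $all    = Invoke-RestMethod -Uri "$base/gateways" -Method Get -UseDefaultCredentials
    $inPool = @($all.value | Where-Object { $_.properties.pool.resourceRef -eq "/gatewayPools/$PoolName" })
    $used   = [int]($inPool | ForEach-Object { [int]$_.properties.connectionCount } | Measure-Object -Sum).Sum
    $cap    = [int]$props.gatewayCapacity
    $ratio  = if ($cap -gt 0) { $used / $cap } else { 0 }
    Write-Host ("Connections: {0}/{1} ({2:P0})" -f $used, $cap, $ratio)
    if ($ratio -ge $WarnAt) {
        Write-Warning "Utilisation at or above $($WarnAt * 100)%; register more gateway VMs before capacity is exhausted."
    }
    return [pscustomobject]@{ Active = $active; Standby = $standby; Used = $used; Capacity = $cap }
}

Test-GatewayPool
```

Run it from a management host that has Kerberos access to the Network Controller; a non-zero warning count is the signal to act before tenants notice.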
Conclusion
Gateway Pools in Windows Server 2016 SDN provide automatic load distribution, high availability, and simplified capacity management for tenant gateway connections. By deploying gateway VMs in M+N pools managed by the Network Controller, organisations can ensure that tenant VPN and routing services remain available even when individual gateway VMs fail, while keeping the administrative overhead of managing individual gateway assignments to a minimum.