BhargaviAnnadevara
commented
4 years ago @yvesgermain Thanks for reaching out! In order to best address your question, could you provide us with the URL of the MS Doc that you were following, if any?
Closed yvesgermain closed 4 years ago
BhargaviAnnadevara
commented
4 years ago @yvesgermain Thanks for reaching out! In order to best address your question, could you provide us with the URL of the MS Doc that you were following, if any?
yvesgermain
commented
4 years ago Here a Microsoft article "Unable to delete VNet due to serviceAssociationLinks/AppServiceLink" that resembles my situation: https://social.msdn.microsoft.com/Forums/en-US/f3fa0fb2-d930-484c-90a5-6860e360d87f/unable-to-delete-vnet-due-to-serviceassociationlinksappservicelink?forum=WAVirtualMachinesVirtualNetwork
yvesgermain
commented
4 years ago Here's an article that resembles my situation :Unable to delete VNet due to serviceAssociationLinks/AppServiceLink : https://social.msdn.microsoft.com/Forums/en-US/f3fa0fb2-d930-484c-90a5-6860e360d87f/unable-to-delete-vnet-due-to-serviceassociationlinksappservicelink?forum=WAVirtualMachinesVirtualNetwork
yvesgermain
commented
4 years ago Here's a link to an article that resembles my situation:
Unable to delete VNet due to serviceAssociationLinks/AppServiceLink
BhargaviAnnadevara
commented
4 years ago @yvesgermain Thanks for the response. I've routed this to the appropriate Team to investigate and update.
sergevm
commented
4 years ago Seem to have a related issue, i.e., when I try to delete a subnet, I get an error:
Failed to delete subnet 'xxx'. Error: Subnet xxx is in use by my-resource-group/providers/Microsoft.Network/virtualNetworks/my-vnet/subnets/xxx/serviceAssociationLinks/AppServiceLink'>my-vnet/xxx/AppServiceLink and cannot be deleted. In order to delete the subnet, delete all the resources within the subnet. See aka.ms/deletesubnet.
Is this also something that can only be fixed by making a support call?
TravisCragg-MSFT
commented
4 years ago @sergevm If you have deleted the App Service and the link, yet the subnet is not able to be deleted, you will need to create a support request.
If you do not have a support plan, please Email me at azcommunity@microsoft.com with your subscription ID and a link to this post, and I will enable a one-time free support request for you to get the subnet deleted.
blendsdk
commented
4 years ago Any idea when this bug is going to be fixed?
ybutkevych
commented
4 years ago I had the same issue. I had the App Service connected to the subnet. I removed the App Service Plan together with App Service which broke my VNet and did not allow to remove the associated subnet. In order to fix the solution:
@blendsdk this might probably help you
frehnejc
commented
4 years ago @sergevm If you have deleted the App Service and the link, yet the subnet is not able to be deleted, you will need to create a support request.
If you do not have a support plan, please Email me at azcommunity@microsoft.com with your subscription ID and a link to this post, and I will enable a one-time free support request for you to get the subnet deleted.
I sent a message to azcommunity@microsoft.com but no-one seems to respond.
sergevm
commented
4 years ago @frehnejc I created a support request in the Azure portal, and this was fixed by support soon after. Did not have to send a mail.
TravisCragg-MSFT
commented
4 years ago @frehnejc Thanks for following up! I was able to find your email, and have enabled your subscription for a free support request.
frehnejc
commented
4 years ago @frehnejc Thanks for following up! I was able to find your email, and have enabled your subscription for a free support request.
Thanks also have issues with Group IP’s unable to delete when there was an azure firewall can I log a ticket on that too?
TravisCragg-MSFT
commented
4 years ago @frehnejc You can, but it will be easier to ask the engineer to take care of that with the same support request. If the engineer asks you to make a second ticket and you are unable, reply to my Email and I will enable another support request if needed.
dgcaron
commented
4 years ago i ran into this with container instances and here is what i did to get this deleted when my container instance was removed and i couldn't remove the delegation.
using the az cli with a logged in user to obtain a jwt token
az account get-access-token --resource https://management.azure.com/then using postman to issue the following calls:
add to the headers: "Authorization: Bearer |accesstoken from cli|"
DELETE Service Association
https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}/providers/Microsoft.ContainerInstance/serviceAssociationLinks/default?api-version=2018-10-01
DELETE Network Profle
https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkProfiles/{networkProfileName}?api-version=2020-05-01after this i could remove the delegation using the portal, cli or powershell
hassant
commented
4 years ago In case of an app service, you need to clean up the association under App Service Plan > Networking which will list all the links your net has to any of the apps including slots. Once you disconnect the vnet from app service and slot you should be then able to set the delegation back to None and unselect the service endpoint and finally be able to delete the subnet respectively.
imduchy
commented
4 years ago @dgcaron this worked! Thanks a lot.
Marc013
commented
4 years ago @dgcaron, With your help I was able to remove the VNet using PowerShell. Thank you very much!
[string]$ResourceGroupName = 'MyResourceGroupName'
[string]$VirtualNetworkName = 'VNetName'
[string]$SubnetName = 'SubnetName'
$CurrentAzureContext = Get-AzContext
$AzureRmProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile
$ProfileClient = New-Object Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient($AzureRmProfile)
$Token = $ProfileClient.AcquireAccessToken($CurrentAzureContext.Tenant.TenantId)
[string]$AccessToken = $Token.AccessToken
[string]$ManagementEp = $CurrentAzureContext.Environment.ResourceManagerUrl
[string]$NetworkProfileName = (Get-AzNetworkProfile -ResourceGroupName $ResourceGroupName).Name
[string]$Uri1 = "$($ManagementEp)subscriptions/$($CurrentAzureContext.Subscription.Id)/resourceGroups/$ResourceGroupName/providers/Microsoft.Network/virtualNetworks/$VirtualNetworkName/subnets/$SubnetName/providers/Microsoft.ContainerInstance/serviceAssociationLinks/default?api-version=2018-10-01"
[string]$Uri2 = "$($ManagementEp)subscriptions/$($CurrentAzureContext.Subscription.Id)/resourceGroups/$ResourceGroupName/providers/Microsoft.Network/networkProfiles/$($NetworkProfileName)?api-version=2020-05-01"
Invoke-RestMethod -Method Delete -Uri $Uri1 -Headers @{"Authorization" = ("Bearer " + $AccessToken) }
Invoke-RestMethod -Method Delete -Uri $Uri2 -Headers @{"Authorization" = ("Bearer " + $AccessToken) }
terasaka
commented
4 years ago I had the same issue. I had the App Service connected to the subnet. I removed the App Service Plan together with App Service which broke my VNet and did not allow to remove the associated subnet. In order to fix the solution:
- Create App Service Plan with the same name as the deleted one
- Create App Service with the same name as the deleted one
- Link App Service with the VNET subnet
- Disconnect VNet from App Service -> Networking -> VNet integration -> Disconnect
- Delete subnet
@blendsdk this might probably help you
@ybutkevych this worked for me! Thanks a lot.
ClassyCircuit
commented
4 years ago I had the same issue. I had the App Service connected to the subnet. I removed the App Service Plan together with App Service which broke my VNet and did not allow to remove the associated subnet. In order to fix the solution:
- Create App Service Plan with the same name as the deleted one
- Create App Service with the same name as the deleted one
- Link App Service with the VNET subnet
- Disconnect VNet from App Service -> Networking -> VNet integration -> Disconnect
- Delete subnet
@blendsdk this might probably help you
Whoever is experiencing the same issue in the future, follow these steps, I just tried them out and it fixed my problem.
jannekeskitalo
commented
4 years ago @dgcaron, thanks for doing the API docs digging :) Here's a bash-script for the cleanup:
#!/bin/bash
# Requires "httpie" command line tool
# Set variables with your identifiers...
subscriptionId=""
resourceGroupName=""
virtualNetworkName=""
subnetName=""
# To get the profile name, try subnet delete with CLI or portal and check the error message
# Should be something like this:
networkProfileName="aci-network-profile-vnet-foo-01-subnet-bar-01"
token=$(az account get-access-token --resource https://management.azure.com/ --query accessToken -o tsv)
http DELETE https://management.azure.com/subscriptions/${subscriptionId}/resourceGroups/${resourceGroupName}/providers/Microsoft.Network/virtualNetworks/${virtualNetworkName}/subnets/${subnetName}/providers/Microsoft.ContainerInstance/serviceAssociationLinks/default?api-version=2018-10-01 \
"Authorization: Bearer ${token}"
http DELETE https://management.azure.com/subscriptions/${subscriptionId}/resourceGroups/${resourceGroupName}/providers/Microsoft.Network/networkProfiles/${networkProfileName}?api-version=2020-05-01 \
"Authorization: Bearer ${token}"
boonwj
commented
4 years ago @jannekeskitalo's solution worked out well for me. But I didn't have httpie in my environment, so the following is the same implementation with curl instead.
#!/bin/bash
# Set variables with your identifiers...
subscriptionId=""
resourceGroupName=""
virtualNetworkName=""
subnetName=""
# To get the profile name, try subnet delete with CLI or portal and check the error message
# Should be something like this:
networkProfileName="aci-network-profile-vnet-foo-01-subnet-bar-01"
token=$(az account get-access-token --resource https://management.azure.com/ --query accessToken -o tsv)
curl -H "Authorization: Bearer ${token}" -X DELETE https://management.azure.com/subscriptions/${subscriptionId}/resourceGroups/${resourceGroupName}/providers/Microsoft.Network/virtualNetworks/${virtualNetworkName}/subnets/${subnetName}/providers/Microsoft.ContainerInstance/serviceAssociationLinks/default?api-version=2018-10-01
curl -H "Authorization: Bearer ${token}" -X DELETE https://management.azure.com/subscriptions/${subscriptionId}/resourceGroups/${resourceGroupName}/providers/Microsoft.Network/networkProfiles/${networkProfileName}?api-version=2020-05-01
flobeier
commented
4 years ago @dgcaron Thank you very much! Due to your help I was able to remove the subnet delegation.
@jannekeskitalo @boonwj
I think the simplest solution is to just use az rest like so:
az rest --method delete --uri https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}/providers/Microsoft.ContainerInstance/serviceAssociationLinks/default?api-version=2018-10-01
drmanhatin
commented
4 years ago i ran into this with container instances and here is what i did to get this deleted when my container instance was removed and i couldn't remove the delegation.
using the az cli with a logged in user to obtain a jwt token
az account get-access-token --resource https://management.azure.com/then using postman to issue the following calls:
add to the headers: "Authorization: Bearer |accesstoken from cli|"
DELETE Service Association https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}/providers/Microsoft.ContainerInstance/serviceAssociationLinks/default?api-version=2018-10-01 DELETE Network Profle https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkProfiles/{networkProfileName}?api-version=2020-05-01after this i could remove the delegation using the portal, cli or powershell
This worked, thanks!
SemMulder
commented
4 years ago @TravisCragg-MSFT would it be possible to get this fixed properly instead of forcing all these people to contact support?
CYoderDev
commented
3 years ago The az cli command doesn't seem to work for AppServiceLinks. It runs successfully, but the link does not delete.
Can we get an actual fix for this? If you don't provide a way to disconnect the vnet in the case where an app service and the ASP are deleted, then you are likely going to be generating quite a few support tickets for us in non-production environments where deleting entire resource groups and deploying again is more common.
IOrlandoni
commented
3 years ago Why is this closed? This is an existing bug/problem/issue.
Isszul
commented
3 years ago Still broken!
thiagofborn
commented
3 years ago 
That helped me.
AdamRiddick
commented
3 years ago I hit this issue testing an ARM template deployment against my personal subscription. After deleting the resource group I was left only with the VNet, Subnet and AppServiceLinks, which I couldn't see - They really should be exposed better.
Following @ybutkevych 's approach worked, but this needed doing per connected resource, which is pretty droll.
As I'd already deleted the resource group, none of the connected services existed anymore, apart from the AppServiceLinks. To workaround this, I re-deployed the ARM template against the resource, disconnected them from the subnet, and then I was able to delete the subnet and subsequently the vnet.
I did try contacting the support email above, but as yet have had no response - this isn't a good model for resolving this issue.
I had the same issue. I had the App Service connected to the subnet. I removed the App Service Plan together with App Service which broke my VNet and did not allow to remove the associated subnet. In order to fix the solution:
- Create App Service Plan with the same name as the deleted one
- Create App Service with the same name as the deleted one
- Link App Service with the VNET subnet
- Disconnect VNet from App Service -> Networking -> VNet integration -> Disconnect
- Delete subnet
@blendsdk this might probably help you
iSeiryu
commented
3 years ago The recommended solution does not work for me. I cannot attach the existing subnet to a newly created app service/plan with the same name because it is already delegated. I cannot delete nor deploy things to the existing RG because it is in deprovisioning state. Looking for a working solution.
The scripts above don't work either: the first call to serviceAssociationLinks returns Internal Server Error without any logs or additional details.
andycoderapptio
commented
2 years ago i ran into this with container instances and here is what i did to get this deleted when my container instance was removed and i couldn't remove the delegation.
using the az cli with a logged in user to obtain a jwt token
az account get-access-token --resource https://management.azure.com/then using postman to issue the following calls:
add to the headers: "Authorization: Bearer |accesstoken from cli|"
DELETE Service Association https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}/providers/Microsoft.ContainerInstance/serviceAssociationLinks/default?api-version=2018-10-01 DELETE Network Profle https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkProfiles/{networkProfileName}?api-version=2020-05-01after this i could remove the delegation using the portal, cli or powershell
I've tried this but get the error "UnauthorizedClientApplication", seems like they are blocking any clients other than the portal app for this API?
omerf-hmcts
commented
1 year ago default?api-version=2018-10-01
This did not work for me.
omerf-hmcts
commented
1 year ago Is there anyway to delete it without opening a ticket to Microsoft?
iSeiryu
commented
1 year ago The only way I could solve this is by opening a ticket to Microsoft. They had to remove it on their end.
askpatrickw
commented
1 year ago https://github.com/Azure/azure-cli/issues/21637 should be re-opened to fix this in AZ-CLI
mittaus
commented
1 year ago i ran into this with container instances and here is what i did to get this deleted when my container instance was removed and i couldn't remove the delegation. using the az cli with a logged in user to obtain a jwt token
az account get-access-token --resource https://management.azure.com/then using postman to issue the following calls: add to the headers: "Authorization: Bearer |accesstoken from cli|"
DELETE Service Association https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}/providers/Microsoft.ContainerInstance/serviceAssociationLinks/default?api-version=2018-10-01 DELETE Network Profle https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkProfiles/{networkProfileName}?api-version=2020-05-01after this i could remove the delegation using the portal, cli or powershell
I've tried this but get the error "UnauthorizedClientApplication", seems like they are blocking any clients other than the portal app for this API?
when run it:
$token=$(az account get-access-token --resource https://management.azure.com/ --query accessToken -o tsv)
Invoke-RestMethod -Method Delete -Uri https://management.azure.com/subscriptions/${subscriptionId}/resourceGroups/${resourceGroupName}/providers/Microsoft.Network/virtualNetworks/${virtualNetworkName}/subnets/${subnetName}/providers/Microsoft.ContainerInstance/serviceAssociationLinks/default?api-version=2018-10-01 -Headers @{"Authorization" = ("Bearer " + $token) }return the error:
Invoke-RestMethod : {"error":{"code":"InvalidAuthenticationToken","message":"The received access token is not valid: at least one of the claims 'puid' or 'altsecid' or 'oid' should be
present. If you are accessing as application please make sure service principal is properly created in the tenant."}}
At line:1 char:1
+ Invoke-RestMethod -Method Delete -Uri https://management.azure.com/su ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
pappasG
commented
1 year ago please use the last step to delete the service connection.
nige6
commented
1 year ago in the case of App Services make sure that any slots you have also have been disconnected
vjmanda
commented
1 year ago Same issue.
{
"error": {
"code": "InUseSubnetCannotBeDeleted",
"message": "Subnet snet-xxx is in use by /subscriptions/xxx/resourceGroups/rg-xxx/providers/Microsoft.Network/virtualNetworks/vnet-xxx/subnets/snet-xxx/serviceAssociationLinks/AppServiceLink and cannot be deleted. In order to delete the subnet, delete all the resources within the subnet. See aka.ms/deletesubnet.",
"details": []
}
}I cannot delete the subnet / vNet as there I have an orphaned serviceAssociationLink. I checked the rest API documentation and the only operation available is list.
The only way to resolve this seems to be to open a support ticket which I can't do as I have a basic support plan.
Please reopen this as its still happening.
ddaniels-andmore
commented
1 year ago This should not be closed. It is an active problem and needs to be resolved by Azure internally.
durist
commented
1 year ago I ran into exactly this issue as well; this issue is definitely not fixed and took almost a week to get resolved. While Microsoft support was responsive and attempted to be helpful, it took the involvement of three different groups to get the AppServiceLink deleted. I'm in the process of doing devops development for AKS using Pulumi, and so am creating and tearing down infrastructure multiple times per day. It took a while before I triggered this bug (maybe a race condition?) but it makes development and testing with any infrastructure-as-code solution unworkable, so I will probably need to be looking at other platforms for my application. This really needs to get fixed.
CornerstoneII
commented
1 year ago This bug is still present
tigertiburon
commented
1 year ago I'm getting this error as well. I had an Web app + Database and didn't realize that I had to disconnect the subnet from the vnet before deleting the resource group. Not I can't delete the subnet or vnet. I've tried recreating but it either fails because the resource already exists or unable to assign the subnet due to it being assigned already. Any chance of getting a one-time support ticket?
teedeeuk17
commented
1 year ago This is happening for me as well tried the last couple of days using cli powershell and resources.azure com and no joy. I have a basic plan support and looks like more people will have the issue of not able to purge vnet resources in their tenant or subscription. I also agree Any chance of getting a one-time support ticket? this is a bug that needs to be fixed on the backend
JerinJoyMozanta
commented
1 year ago @teedeeuk17 @tigertiburon please try below methods, it worked for me.
Deleting the App Service plan or web app before disconnecting the VNet integration If you deleted the web app or the App Service plan without disconnecting the VNet integration first, you will not be able to do any update/delete operations on the virtual network or subnet that was used for the integration with the deleted resource. A subnet delegation 'Microsoft.Web/serverFarms' will remain assigned to your subnet and will prevent the update/delete operations.
In order to update/delete the subnet or virtual network again you need to re-create the VNet integration and then disconnect it:
Re-create the App Service plan and web app (it is mandatory to use the exact same web app name as before). Navigate to the 'Networking' blade on the web app and configure the VNet integration. After the VNet integration is configured, select the 'Disconnect' button. Delete the App Service plan or web app. Update/Delete the subnet or virtual network.
alpaBuddhabhatti
commented
1 year ago I had the same issue. I had the App Service connected to the subnet. I removed the App Service Plan together with App Service which broke my VNet and did not allow to remove the associated subnet. In order to fix the solution:
- Create App Service Plan with the same name as the deleted one
- Create App Service with the same name as the deleted one
- Link App Service with the VNET subnet
- Disconnect VNet from App Service -> Networking -> VNet integration -> Disconnect
- Delete subnet
@blendsdk this might probably help you
Hi what will happen if i do not know exact name of App Service Plan, App services etc. In this case how can I delete subnet?
Jcparkyn
commented
1 year ago in the case of App Services make sure that any slots you have also have been disconnected
Thanks @nige6, this fixed the problem for me.
ddaniels-andmore
commented
1 year ago This needs to be re-opened until Microsoft can properly fix the process on the backend.
Sulien
commented
1 year ago This bug has been around for how many years now? Agree with above -- should stay open until the issue is resolved.
When trying to delete a subnet in Azure, I get the following message: Failed to save subnet 'devops-subnet'. Error: 'Subnet GumSite-rg-devops/providers/Microsoft.Network/virtualNetworks/Devopsvnet/subnets/devops-subnet'>Devopsvnet/devops-subnet requires any of the following delegation(s) [Microsoft.Web/serverFarms] to reference service association link /subscriptions/**/resourceGroups/GumSite-rg-devops/providers/Microsoft.Network/virtualNetworks/Devopsvnet/subnets/devops-subnet/serviceAssociationLinks/AppServiceLink.'
Document Details
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.