Azure-docs: Error deleting subnet serviceAssociationLinks AppServiceLink

@yvesgermain Thanks for reaching out! In order to best address your question, could you provide us with the URL of the MS Doc that you were following, if any?

Here a Microsoft article "Unable to delete VNet due to serviceAssociationLinks/AppServiceLink" that resembles my situation:
https://social.msdn.microsoft.com/Forums/en-US/f3fa0fb2-d930-484c-90a5-6860e360d87f/unable-to-delete-vnet-due-to-serviceassociationlinksappservicelink?forum=WAVirtualMachinesVirtualNetwork

Here's an article that resembles my situation :Unable to delete VNet due to serviceAssociationLinks/AppServiceLink : https://social.msdn.microsoft.com/Forums/en-US/f3fa0fb2-d930-484c-90a5-6860e360d87f/unable-to-delete-vnet-due-to-serviceassociationlinksappservicelink?forum=WAVirtualMachinesVirtualNetwork

Here's a link to an article that resembles my situation:

https://social.msdn.microsoft.com/Forums/en-US/f3fa0fb2-d930-484c-90a5-6860e360d87f/unable-to-delete-vnet-due-to-serviceassociationlinksappservicelink?forum=WAVirtualMachinesVirtualNetwork

Unable to delete VNet due to serviceAssociationLinks/AppServiceLink

@yvesgermain Thanks for the response. I've routed this to the appropriate Team to investigate and update.

@yvesgermain This is a known issue, and the only way you will be able to get this deleted is to contact Azure Support. If you do not have a support plan, please Email me at [email protected] with your subscription ID and a link to this post, and I will enable a one-time free support request for you to get the subnet deleted.

We will now proceed to close this thread. If there are further questions regarding this matter, please tag me in your reply. We will gladly continue the discussion and we will reopen the issue.

Seem to have a related issue, i.e., when I try to delete a subnet, I get an error:

Failed to delete subnet 'xxx'. Error: Subnet xxx is in use by my-resource-group/providers/Microsoft.Network/virtualNetworks/my-vnet/subnets/xxx/serviceAssociationLinks/AppServiceLink'>my-vnet/xxx/AppServiceLink and cannot be deleted. In order to delete the subnet, delete all the resources within the subnet. See aka.ms/deletesubnet.

Is this also something that can only be fixed by making a support call?

@sergevm If you have deleted the App Service and the link, yet the subnet is not able to be deleted, you will need to create a support request.

If you do not have a support plan, please Email me at [email protected] with your subscription ID and a link to this post, and I will enable a one-time free support request for you to get the subnet deleted.

Any idea when this bug is going to be fixed?

I had the same issue. I had the App Service connected to the subnet. I removed the App Service Plan together with App Service which broke my VNet and did not allow to remove the associated subnet. In order to fix the solution:

1. Create App Service Plan with the same name as the deleted one
2. Create App Service with the same name as the deleted one
3. Link App Service with the VNET subnet
4. Disconnect VNet from App Service -> Networking -> VNet integration -> Disconnect
5. Delete subnet

@blendsdk this might probably help you

@sergevm If you have deleted the App Service and the link, yet the subnet is not able to be deleted, you will need to create a support request.

If you do not have a support plan, please Email me at [email protected] with your subscription ID and a link to this post, and I will enable a one-time free support request for you to get the subnet deleted.

I sent a message to [email protected] but no-one seems to respond.

@frehnejc I created a support request in the Azure portal, and this was fixed by support soon after. Did not have to send a mail.

@frehnejc Thanks for following up! I was able to find your email, and have enabled your subscription for a free support request.

@frehnejc Thanks for following up! I was able to find your email, and have enabled your subscription for a free support request.

Thanks also have issues with Group IP’s unable to delete when there was an azure firewall can I log a ticket on that too?

@frehnejc You can, but it will be easier to ask the engineer to take care of that with the same support request. If the engineer asks you to make a second ticket and you are unable, reply to my Email and I will enable another support request if needed.

i ran into this with container instances and here is what i did to get this deleted when my container instance was removed and i couldn't remove the delegation.

using the az cli with a logged in user to obtain a jwt token

az account get-access-token --resource https://management.azure.com/

then using postman to issue the following calls:

add to the headers: "Authorization: Bearer |accesstoken from cli|"

DELETE  Service Association
 https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}/providers/Microsoft.ContainerInstance/serviceAssociationLinks/default?api-version=2018-10-01

DELETE Network Profle
 https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkProfiles/{networkProfileName}?api-version=2020-05-01

after this i could remove the delegation using the portal, cli or powershell

In case of an app service, you need to clean up the association under App Service Plan > Networking which will list all the links your net has to any of the apps including slots.
Once you disconnect the vnet from app service and slot you should be then able to set the delegation back to None and unselect the service endpoint and finally be able to delete the subnet respectively.

@dgcaron this worked! Thanks a lot.

@dgcaron,
With your help I was able to remove the VNet using PowerShell.
Thank you very much!

[string]$ResourceGroupName = 'MyResourceGroupName'
[string]$VirtualNetworkName = 'VNetName'
[string]$SubnetName = 'SubnetName'

$CurrentAzureContext = Get-AzContext
$AzureRmProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile
$ProfileClient = New-Object Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient($AzureRmProfile)
$Token = $ProfileClient.AcquireAccessToken($CurrentAzureContext.Tenant.TenantId)
[string]$AccessToken = $Token.AccessToken
[string]$ManagementEp = $CurrentAzureContext.Environment.ResourceManagerUrl

[string]$NetworkProfileName = (Get-AzNetworkProfile -ResourceGroupName $ResourceGroupName).Name

[string]$Uri1 = "$($ManagementEp)subscriptions/$($CurrentAzureContext.Subscription.Id)/resourceGroups/$ResourceGroupName/providers/Microsoft.Network/virtualNetworks/$VirtualNetworkName/subnets/$SubnetName/providers/Microsoft.ContainerInstance/serviceAssociationLinks/default?api-version=2018-10-01"
[string]$Uri2 = "$($ManagementEp)subscriptions/$($CurrentAzureContext.Subscription.Id)/resourceGroups/$ResourceGroupName/providers/Microsoft.Network/networkProfiles/$($NetworkProfileName)?api-version=2020-05-01"

Invoke-RestMethod -Method Delete -Uri $Uri1 -Headers @{"Authorization" = ("Bearer " + $AccessToken) }

Invoke-RestMethod -Method Delete -Uri $Uri2 -Headers @{"Authorization" = ("Bearer " + $AccessToken) }

I had the same issue. I had the App Service connected to the subnet. I removed the App Service Plan together with App Service which broke my VNet and did not allow to remove the associated subnet. In order to fix the solution:

1. Create App Service Plan with the same name as the deleted one
2. Create App Service with the same name as the deleted one
3. Link App Service with the VNET subnet
4. Disconnect VNet from App Service -> Networking -> VNet integration -> Disconnect
5. Delete subnet

@blendsdk this might probably help you

@ybutkevych this worked for me! Thanks a lot.

I had the same issue. I had the App Service connected to the subnet. I removed the App Service Plan together with App Service which broke my VNet and did not allow to remove the associated subnet. In order to fix the solution:

1. Create App Service Plan with the same name as the deleted one
2. Create App Service with the same name as the deleted one
3. Link App Service with the VNET subnet
4. Disconnect VNet from App Service -> Networking -> VNet integration -> Disconnect
5. Delete subnet

@blendsdk this might probably help you

Whoever is experiencing the same issue in the future, follow these steps, I just tried them out and it fixed my problem.

@dgcaron, thanks for doing the API docs digging :) Here's a bash-script for the cleanup:

#!/bin/bash
# Requires "httpie" command line tool

# Set variables with your identifiers...
subscriptionId=""
resourceGroupName=""
virtualNetworkName=""
subnetName=""

# To get the profile name, try subnet delete with CLI or portal and check the error message
# Should be something like this:
networkProfileName="aci-network-profile-vnet-foo-01-subnet-bar-01"

token=$(az account get-access-token --resource https://management.azure.com/ --query accessToken -o tsv)
http DELETE https://management.azure.com/subscriptions/${subscriptionId}/resourceGroups/${resourceGroupName}/providers/Microsoft.Network/virtualNetworks/${virtualNetworkName}/subnets/${subnetName}/providers/Microsoft.ContainerInstance/serviceAssociationLinks/default?api-version=2018-10-01 \
"Authorization: Bearer ${token}"

http DELETE https://management.azure.com/subscriptions/${subscriptionId}/resourceGroups/${resourceGroupName}/providers/Microsoft.Network/networkProfiles/${networkProfileName}?api-version=2020-05-01 \
"Authorization: Bearer ${token}"

@jannekeskitalo's solution worked out well for me. But I didn't have httpie in my environment, so the following is the same implementation with curl instead.

#!/bin/bash

# Set variables with your identifiers...
subscriptionId=""
resourceGroupName=""
virtualNetworkName=""
subnetName=""

# To get the profile name, try subnet delete with CLI or portal and check the error message
# Should be something like this:
networkProfileName="aci-network-profile-vnet-foo-01-subnet-bar-01"

token=$(az account get-access-token --resource https://management.azure.com/ --query accessToken -o tsv)

curl -H "Authorization: Bearer ${token}" -X DELETE https://management.azure.com/subscriptions/${subscriptionId}/resourceGroups/${resourceGroupName}/providers/Microsoft.Network/virtualNetworks/${virtualNetworkName}/subnets/${subnetName}/providers/Microsoft.ContainerInstance/serviceAssociationLinks/default?api-version=2018-10-01
curl -H "Authorization: Bearer ${token}" -X DELETE https://management.azure.com/subscriptions/${subscriptionId}/resourceGroups/${resourceGroupName}/providers/Microsoft.Network/networkProfiles/${networkProfileName}?api-version=2020-05-01

@dgcaron Thank you very much! Due to your help I was able to remove the subnet delegation.

@jannekeskitalo @boonwj

I think the simplest solution is to just use az rest like so:

az rest --method delete --uri https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}/providers/Microsoft.ContainerInstance/serviceAssociationLinks/default?api-version=2018-10-01

i ran into this with container instances and here is what i did to get this deleted when my container instance was removed and i couldn't remove the delegation.

using the az cli with a logged in user to obtain a jwt token

az account get-access-token --resource https://management.azure.com/

then using postman to issue the following calls:

add to the headers: "Authorization: Bearer |accesstoken from cli|"

DELETE  Service Association
 https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}/providers/Microsoft.ContainerInstance/serviceAssociationLinks/default?api-version=2018-10-01

DELETE Network Profle
 https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkProfiles/{networkProfileName}?api-version=2020-05-01

after this i could remove the delegation using the portal, cli or powershell

This worked, thanks!

@TravisCragg-MSFT would it be possible to get this fixed properly instead of forcing all these people to contact support?

The az cli command doesn't seem to work for AppServiceLinks. It runs successfully, but the link does not delete.

Can we get an actual fix for this? If you don't provide a way to disconnect the vnet in the case where an app service and the ASP are deleted, then you are likely going to be generating quite a few support tickets for us in non-production environments where deleting entire resource groups and deploying again is more common.

Why is this closed? This is an existing bug/problem/issue.