Cannot Delete Azure Firewall

JMN-2253 596 Reputation points
2022-03-16T02:26:16.75+00:00

Hi Folks,

I am not able to delete the Azure Firewall. Error:
Failed to delete the Azure Firewall 'AZFW01'. Error: Azure Firewall AZFW01 failed to dereference Firewall Policy AZ-VNET-RG/providers/Microsoft.Network/firewallPolicies/FirewallPolicy_AZFW01'>FirewallPoli

When I try to remove the VNet associations, I get the error below:
Failed to update the association for the resource 'AZFW01'. Error: Azure Firewall AZFW01 failed to dereference Firewall Policy AZ-VNET-RG/providers/Microsoft.Network/firewallPolicies/FirewallPolicy_AZFW01'>Firew

I tried deallocating and reallocating the Firewall >> did not work
I tried to force delete using PowerShell >> nothing works
I tried deleting the RG itself that contains FW + Policy + VNET; it failed with the error:
Failed to delete resource group AZ-VNET-RG: Deletion of resource group 'AZ-VNET-RG' did not finish within the allowed time as resources with identifiers 'Microsoft.Network/firewallPolicies/FirewallPolicy_AZFW01,Microsoft.Network/azureFirewalls/AZFW01' could not be deleted. The provisioning state of the resource group will be rolled back. The tracking Id is '5672a485-e976-4fdb-8fa9-f890536f7b1b'. Please check audit logs for more details. (Code: ResourceGroupDeletionTimeout) Firewall Policy '/subscriptions/9ddacc47-095f-476e-8bfb-c05da70720a8/resourcegroups/AZ-VNET-RG/providers/Microsoft.Network/firewallPolicies/FirewallPolicy_AZFW01' can not be deleted since there are Azure Firewalls using this policy. (Code: FirewallPolicyHasAzureFirewallReferences, Target: /subscriptions/9ddacc47-095f-476e-8bfb-c05da70720a8/resourceGroups/AZ-VNET-RG/providers/Microsoft.Network/firewallPolicies/FirewallPolicy_AZFW01) The request to delete the resource 'Microsoft.Network/azureFirewalls/AZFW01' failed. subscription id '9ddacc47-095f-476e-8bfb-c05da70720a8', activity id '034b40e3-7874-4b14-b9ad-c37f636f51ce', request correlation id '5672a485-e976-4fdb-8fa9-f890536f7b1b'. (Code: ResourceDeletionFailed, Target: /subscriptions/9ddacc47-095f-476e-8bfb-c05da70720a8/resourceGroups/AZ-VNET-RG/providers/Microsoft.Network/azureFirewalls/AZFW01)

Totally stuck, and I don't want to spend any more money for using Azure Firewall.

Can anyone help?

Thanks,


Accepted answer
  1. Manu Philip 18,676 Reputation points MVP
    2022-03-16T04:53:50.737+00:00

    I think there are orphaned links associated with the resources you are trying to delete, and because of that the deletion is not working. We have the following options:

    • Update the objects like Network rules collection associated with the firewall

    In order to do that, try the following.
    The name variables are given on the basis of the error messages posted. You still need to find out the NetworkRuleCollectionGroupName and substitute it in the following command. Note that I am just updating the 'Priority' value to 220 to have a simple update in the rule.

    # Names come from the posted error messages; replace "NetworkRuleCollectionGroupName" with the real group name
    $firewallpolicy = Get-AzFirewallPolicy -Name FirewallPolicy_AZFW01 -ResourceGroupName AZ-VNET-RG
    $networkrulecollectiongroup = Get-AzFirewallPolicyRuleCollectionGroup -Name "NetworkRuleCollectionGroupName" -ResourceGroupName AZ-VNET-RG -AzureFirewallPolicyName FirewallPolicy_AZFW01
    
    # Write the group back with Priority 220 and its existing rule collections, as a simple update
    Set-AzFirewallPolicyRuleCollectionGroup -Name "NetworkRuleCollectionGroupName" -Priority 220 -FirewallPolicyObject $firewallpolicy -RuleCollection $networkrulecollectiongroup.Properties.RuleCollection
    

    If the above commands work well, try the deletion again.

    • If for any reason the steps are not helping, we need the Microsoft team's support to fix this by deleting the orphaned objects in the backend. If you have a paid subscription, raise a case. Otherwise, send an email to AzCommunity@microsoft.com with the details, so that someone can support you further.

    --please don't forget to upvote and Accept as answer if the reply is helpful--
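
The steps from the accepted answer as one script, including a way to find the rule collection group names it asks for. This is an added example, not code from the answer's author. It assumes the Az.Network module with a signed-in session, takes the resource names from the error messages in the question, and applies the update to the first group found (an arbitrary choice).

```powershell
# Added example. Resource names are copied from the error messages in the question.
$rg         = 'AZ-VNET-RG'
$policyName = 'FirewallPolicy_AZFW01'
$fwName     = 'AZFW01'

$policy = Get-AzFirewallPolicy -Name $policyName -ResourceGroupName $rg
$fw     = Get-AzFirewall -Name $fwName -ResourceGroupName $rg

# 1. Provisioning state of both resources before anything is changed.
$fw, $policy | Format-Table Name, ProvisioningState

# 2. Firewalls in the resource group that still reference the policy.
Get-AzFirewall -ResourceGroupName $rg |
    Where-Object { $_.FirewallPolicy.Id -eq $policy.Id } |
    Format-Table Name, ProvisioningState

# 3. Rule collection groups of the policy. The group name is the last
#    segment of each child resource ID listed on the policy object.
$groups = foreach ($ref in $policy.RuleCollectionGroups) {
    $name = ($ref.Id -split '/')[-1]
    [pscustomobject]@{
        Name  = $name
        Group = Get-AzFirewallPolicyRuleCollectionGroup -Name $name `
                    -ResourceGroupName $rg -AzureFirewallPolicyName $policyName
    }
}
# The listing also shows which priorities are already in use.
$groups | ForEach-Object {
    [pscustomobject]@{
        Name            = $_.Name
        Priority        = $_.Group.Properties.Priority
        RuleCollections = @($_.Group.Properties.RuleCollection).Count
    }
} | Format-Table

# 4. The answer's update: write one group back with Priority 220 and its
#    existing rule collections (assumption: the first group is used).
$target = $groups | Select-Object -First 1
if ($target) {
    Set-AzFirewallPolicyRuleCollectionGroup -Name $target.Name -Priority 220 `
        -FirewallPolicyObject $policy `
        -RuleCollection $target.Group.Properties.RuleCollection
}

# 5. Retry the deletion: the firewall first, then the policy it referenced.
Remove-AzFirewall -Name $fwName -ResourceGroupName $rg -Force
Remove-AzFirewallPolicy -Name $policyName -ResourceGroupName $rg -Force
```

If step 3 lists no groups, step 4 is skipped and only the deletion retry runs.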
