Unable to delete VNet due to serviceAssociationLinks/AppServiceLink

Kien_NDM 116 Reputation points
2020-10-27T01:28:29.92+00:00

Hi,

I have deployed an Azure system including virtual networks and app services. Then, when doing virtual network deletion, I had some problems. I got the message and the subnet uses the above vnet. Then I delete the subnet and get the message that there are app services using the above subnet. In fact, there are no app services at all. When using the command below:

az network vnet subnet list --resource-group [...] --vnet-name [...]

As a result, I discovered that 1 [Microsoft.Network/virtualNetworks/subnets/serviceAssociationLinks] cannot be deleted.

Remove-AzureRmVirtualNetwork : Subnet snet-bo is in use by /subscriptions/[..id...]/resource
Groups/Disabled/providers/Microsoft.Network/virtualNetworks/vnet-drug/subnets/snet-bo/serviceAssociationLinks/AppServic
eLink and cannot be deleted. In order to delete the subnet, delete all the resources within the subnet. See
aka.ms/deletesubnet.
StatusCode: 400
ReasonPhrase: Bad Request
OperationID : 'bbc8987b-ffd1-420e-80c7-5913ef43b069'
At line:1 char:1

  • Remove-AzureRmVirtualNetwork -Name vnet-drug -ResourceGroupName disab ...
  • ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  • CategoryInfo : CloseError: (:) [Remove-AzureRmVirtualNetwork], NetworkCloudException
  • FullyQualifiedErrorId : Microsoft.Azure.Commands.Network.RemoveAzureVirtualNetworkCommand

Please support, thank you.

Not Monitored
Not Monitored
Tag not monitored by Microsoft.
36,204 questions
Accepted answer
  1. suvasara-MSFT 10,011 Reputation points
    2020-10-28T10:31:48.677+00:00

    @Kien_NDM , Apologies for the delay in response. This is a known issue, and the only way you will be able to get this deleted is to contact Azure Support. If you do not have a support plan, please Email me at with your subscription ID and a link to this post, and I will enable a one-time free support request for you to get the subnet deleted.

    Workaround:

    1. Create App Service Plan with the same name as the deleted one
    2. Create App Service with the same name as the deleted one
    3. Link App Service with the VNET subnet
    4. Disconnect VNet from App Service -> Networking -> VNet integration -> Disconnect
    5. Delete subnet

    Reason for this Error:
    The new VNET integration feature (Regional Vnet Integration) must set locks on subnets in the Network Resource Provider, we set these locks by putting a structure called a Service Association Link onto the Subnet, which is a privileged operation that only Microsoft.Web and some other internal Azure services have access to, this ends up being odd cases where these locks don't get cleaned up. The result is that the customer will have a subnet that cannot be deleted or used because a Service Association Link still exists on the subnet.
    Azure App Service and Azure Networking Product Group keep working on to fix the issue completely.

    ----------

    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

    11 people found this answer helpful.

8 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Marcel Dutt 0 Reputation points
    2023-08-08T12:22:57.3266667+00:00

    If you experience this behavior with Function Apps and possibly Terraform: if you have deployment slots and delete the slot before the connection to the VNET has been severed, it will be impossible to disconnect. This may happen with Terraform if you have set the app setting "WEBSITE_VNET_ROUTE_ALL" = 1. Workaround: Recreate the slot with the same name. Set "WEBSITE_VNET_ROUTE_ALL" = 0 and then disconnect from the VNET in the Network blade of the function app in the portal. Then proceed with whatever you wanted to do (in portal or via Terraform).

    0 comments
  2. Giovani Decusati 0 Reputation points
    2023-12-27T06:00:08.9033333+00:00

    Hi team,

    I'm having the same problem. The solution above doesn't works as per as I'm not able to select the subnet for enabling VNET integration.

    Remove-AzVirtualNetwork -ResourceGroupName MyRG-Name xxxx

    Remove-AzVirtualNetwork: Subnet xxx-web is in use by /subscriptions/xxxx-c0e3-4b89-be00-0524b96b7b0f/resourceGroups/xxxxx/providers/Microsoft.Network/virtualNetworksxxxx/subnets/xxx-web/serviceAssociationLinks/AppServiceLink and cannot be deleted. In order to delete the subnet, delete all the resources within the subnet. See aka.ms/deletesubnet.

    StatusCode: 400

    ReasonPhrase: Bad Request

    ErrorCode: InUseSubnetCannotBeDeleted

    ErrorMessage: Subnet xxxxx-web is in use by /subscriptions/xxxxxx-c0e3-4b89-be00-0524b96b7b0f/resourceGroups/xxxxx/providers/Microsoft.Network/virtualNetworks/xxxx/subnets/xxxx-web/serviceAssociationLinks/AppServiceLink and cannot be deleted. In order to delete the subnet, delete all the resources within the subnet. See aka.ms/deletesubnet.

    OperationID : 9223cb66-265d-4e7e-885e-33de6d52d5e2

    0 comments
  3. Michel Hernandez 0 Reputation points
    2024-01-05T11:57:04.4333333+00:00

    Hello Team,

    For those that the workaround didn't work make sure you are using the 'Gateway-based integration' to link the subnet with the App Service again. This will allow you to set up the Virtual Network Integration again. Once is done, you can 'Disconnect' and perform the delete operation.

    Hope this helps.

    0 comments
  4. David Zheng 0 Reputation points
    2024-01-10T00:15:20.63+00:00

    Therefore, the current problem is that the administrative privileges of serviceAssociationLinks cannot be changed by the delete command.

    We can only overwrite the original link by reconnecting the same serviceAssociationLinks type and then delete it.

    0 comments