Unable to remove vnet with serviceAssociationLinks

Question

Unable to remove vnet with serviceAssociationLinks

Patrick Nick 0

I've deployed a VNET with multiple subnets through Terraform alongside a GitHub.Network/networkSettings resource. One of the subnets is delegated to this resource. (I followed https://docs.github.com/en/organizations/managing-organization-settings/configuring-private-networking-for-github-hosted-runners-in-your-organization for all this.)

However, upon destroying these resources, Azure blocks the deletion of the VNET because the delegated subnet is still assigned with the serviceAssociationLink (error InUseSubnetCannotBeDeleted). The GitHub.Network/networkSettings resource was successfully removed, leaving the subnet in a bad state. I tried a few things already (unsuccessfully):

deleting the resource group
removing the subnet delegation via CLI -> (error: SubnetMissingRequiredDelegation)
removing the subnet SAL via CLI -> no effect, as expected
re-adding the GH resource -> (error: SubnetInUse)

I found this question, but there is no helpful answer. I don't have a support subscription at the moment.

Is there a way to get out of this situation? Also, how can I avoid it in future?

Patrick Nick 0 Reputation points

2025-05-21T15:07:00.5933333+00:00

Hi @KapilAnanth-MSFT

Thank you for your clarifications. I opened a ticket with GitHub support and am awaiting their answer. I will keep you posted.
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2025-05-21T15:19:55.07+00:00

Sure @Patrick Nick ,

Let us know if you need any help from Azure side.

Cheers,

Kapil
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2025-05-23T05:54:46.34+00:00

@Patrick Nick ,

Greetings.

May I ask if there were any developments on this?

If any help is required from Azure side, please do let us know.

Should the issue be resolved, I'd appreciate if you could "Accept the answer" as original posters help the community find answers faster by identifying the correct answer.

Cheers,

Kapil
Patrick Nick 0 Reputation points

2025-05-27T06:35:48.7366667+00:00

Hi @KapilAnanth-MSFT

Unfortunately, GitHub support has not even managed to respond to my support ticket. I pinged them again in the hope for some information.
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2025-05-29T08:50:31.19+00:00

@Patrick Nick , Oh, thanks for keeping us posted.

Once again, let us know if anything is required from Azure side.

1 answer

Your answer

Patrick Nick 0 Reputation points

2025-05-21T15:07:00.5933333+00:00

Hi @KapilAnanth-MSFT

Thank you for your clarifications. I opened a ticket with GitHub support and am awaiting their answer. I will keep you posted.
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2025-05-21T15:19:55.07+00:00

Sure @Patrick Nick ,

Let us know if you need any help from Azure side.

Cheers,

Kapil
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2025-05-23T05:54:46.34+00:00

@Patrick Nick ,

Greetings.

May I ask if there were any developments on this?

If any help is required from Azure side, please do let us know.

Should the issue be resolved, I'd appreciate if you could "Accept the answer" as original posters help the community find answers faster by identifying the correct answer.

Cheers,

Kapil
Patrick Nick 0 Reputation points

2025-05-27T06:35:48.7366667+00:00

Hi @KapilAnanth-MSFT

Unfortunately, GitHub support has not even managed to respond to my support ticket. I pinged them again in the hope for some information.
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2025-05-29T08:50:31.19+00:00

@Patrick Nick , Oh, thanks for keeping us posted.

Once again, let us know if anything is required from Azure side.

Answer 1

Hi Patrick Nick

Thank you for sharing the details of the issue you're facing with the VNET deletion and the lingering Service Association Link (SAL).

It seems you've already tried several approaches without success. Based on similar cases, here are a few additional workarounds that may help resolve the issue:

1.Recreate the GitHub Resource in a New Subnet:

Create a new subnet in the same VNET.
Recreate the GitHub.Network/networkSettings resource and delegate it to the new subnet.
Once it's active, try to reassign the original subnet to it, then disconnect it properly.

2. To delete this SAL from your end,

Create App Service Plan with the same name as the deleted one
Create App Service with the same name as the deleted one
Link App Service with the VNET subnet
Disconnect VNet from App Service -> Networking -> VNet integration -> Disconnect
Delete subnet
Then delete the App Service.

Delete network profiles: if there are any lingering network profiles tied to your subnet, you need to delete them. Use the Azure CLI with the command:
```
   az network profile delete --resource-group <resource-group-name> --name <network-profile-name>
```
Replace <resource-group-name> and <network-profile-name> with your actual resource group and network profile names.
Delete the Service Association Link: If the previous steps don’t work, you can attempt to delete the Service Association Link using the Azure CLI. Here's the command:

az resource delete --ids /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/virtualNetworks/<vnet-name>/subnets/<subnet-name>/providers/Microsoft.ContainerInstance/serviceAssociationLinks/default --api-version 2018-10-01

Make sure to replace the placeholders with your actual subscription ID, resource group, VNET name, and subnet name.

Reason for this Error: The VNET integration feature must set locks on subnets in the Network Resource Provider, we set these locks by putting a structure called a Service Association Link(SAL) onto the Subnet,

Is there a way to get out of this situation? Also, how can I avoid it in future?

In your Terraform configuration, ensure the subnet delegation is removed before destroying the subnet.- Always disconnect the subnet from the service before deleting the service.

I hope the above steps help, if you need any suggestions from GitHub try to contact the GitHub support team for the assistance.

Patrick Nick 0 Reputation points

2025-05-19T09:35:35.3066667+00:00

Hi @G Sree Vidya

Thank you for your assistance. Unfortunately, these steps didn't work for me:

I was able to create a separate subnet and a new GitHub.Network/networkSettings resource. However, it doesn't seem to be possible to reassign it. The resource property SubNetId is immutable.

I found these articles as well. However, my subnet was never associated with an Azure App Service. Thus, I cannot recreate it this way.

There are not network profiles in my account.

This tip seems to be for links with ContainerInstances. I tried adapting it to my use case but I had no success.

In your Terraform configuration, ensure the subnet delegation is removed before destroying the subnet.- Always disconnect the subnet from the service before deleting the service.

I'm pretty sure I followed the process outlined here: https://docs.github.com/en/organizations/managing-organization-settings/configuring-private-networking-for-github-hosted-runners-in-your-organization#deleting-a-subnet

This suggest to delete the network settings, which should automatically remove the SAL (lock), which didn't happen in this case. Only then can the delegation be removed.

I saw in other support requests that it is possible to receive a one-time free support ticket from Microsoft. I'm quite sure that GitHub support cannot help me with this issue. Would this case eligible for it?
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2025-05-20T05:16:33.6233333+00:00

@Patrick Nick ,

Greetings.

May I ask if you have an open ticket with Github Support?

Did they confirm that this SAL can only be deleted by Azure support?

Please note that how a VNet Integration works is as follows:

The PaaS Service creates a "lock" on the VNet's subnet.

i.e., in case of an App Service - the Resource Provider(RP) would be "Microsoft.Web", and Azure Database for MySQL Flexible Server should be "Microsoft.DBforMySQL"

See : Resource providers for Azure services

This RP is the one responsible for creating and managing the "lock", which we call as Service Association Link or SAL.

And only this RP can delete the SAL - Azure VNET's RP (Microsoft.Network has no control over it)

If you were using an Azure PaaS, we could internally check with the appropriate PaaS team and work on deleting the SAL.

Since in your case, as the resource is outside Azure (GitHub.Network) - I am afraid we will not be able to assist with the deletion of this SAL.

I suggest you check with Github support team or forums dedicated to Github to get this addressed.

Once the SAL is deleted, you should be able to delete the VNET (subnet) without any issue.

Wrt, "how can I avoid it in future?"

Generally, with Azure PaaS Services, deleting the VNET Integration from the PaaS configuration page before deleting the PaaS Service makes sure the SAL is removed.

I believe it's same for Github. However, please verify this in dedicated forums.

NOTE : Currently, Github is not supported in Q&A.

Hope this clarifies.

Cheers,

Kapil

Share via

Unable to remove vnet with serviceAssociationLinks

1 answer

Your answer