Share via

Cannot disassociate subnets from NAT gateway

Pawel Lewandowski 0 Reputation points Microsoft Employee
2025-12-16T11:07:51.57+00:00

I am trying to delete my NAT gateway, but first I need to disassociate it from its subnets. Whenever I try to do it, I get the error message below. As far as I can tell, I have a Contributor role assigned on Subscription, Resource Group, Databricks & NAT Gateway levels.

Failed to update the NAT Gateway 'nat-gateway'. Error: The client 'live.com#{my email}' with object id '311e05xxxx-acaf-24d95bc5e88c' has permission to perform action 'Microsoft.Network/virtualNetworks/write' on scope 'databricks-rg-pawel25-3lpu5ejyc6lz2/providers/Microsoft.Network/virtualNetworks/workers-vnet'>workers-vnet'; however, it does not have permission to perform action 'Microsoft.Network/networkSecurityGroups/join/action' on the '0' linked scope(s) '' or the linked scope(s) are invalid and is blocked by deny assignments on the '1' linked scope(s) '/subscriptions/6ec844af-cxxxxx-2dc95a74af36/resourceGroups/databricks-rg-pawel25-3lpu5ejyc6lz2/providers/Microsoft.Network/networkSecurityGroups/workers-sg'.

Azure NAT Gateway
Azure NAT Gateway

NAT Gateway is a fully managed service that securely routes internet traffic from a private virtual network with enterprise-grade performance and low latency.

0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Vallepu Venkateswarlu 10,000 Reputation points Microsoft External Staff Moderator
    2025-12-16T14:14:58.2133333+00:00

    Hi @ Pawel Lewandowski •,

    Welcome to Microsoft Q&A Platform

    This behavior is expected and by design when working with Azure Databricks–managed resources.

    When an Azure Databricks workspace is created, Azure automatically provisions a Databricks-managed resource group (MRG). This managed resource group and its associated resources (VNets, subnets, NSGs, disks, NAT Gateway, etc.) are protected by system-generated deny assignments.

    That is why the operation fails with:

    Microsoft.Network/networkSecurityGroups/join/action
    • Even though you have sufficient RBAC permissions, the deny assignment blocks changes such as disassociating a NAT Gateway from a subnet.
    • The deny assignment is not created by an Azure Deployment Stack
    • It cannot be removed or modified manually
    • Assigning higher roles (Contributor/Owner) will not resolve the issue
    • Direct deletion of the Databricks-managed resource group is not supported

    To resolve the issue :

    • Delete the Azure Databricks workspace that created the managed resource group
      • This is the only supported way to remove the deny assignment and the managed RG.
    • If you require full control over networking resources: Recreate the Databricks workspace using a custom VNet configuration.

    Refer the links which are related to same issue:

    Fixing issue of Deny assignment with azure databricks
    Deny assignment modification to allow attach/detach of disks in azure databricks
    Deny Assignments in Azure

    I hope this information helps resolve your issue. Please feel free to ask if the provided solution does not help or if you have any additional questions.

    Please Accept the answer if the information helped you. This will help us and others in the community as well.

    Was this answer helpful?

  2. Andrius Karpas 0 Reputation points
    2025-12-16T11:44:30.82+00:00

    You’re hitting an Azure RBAC + deny assignment conflict when trying to remove the NAT Gateway. Let’s break down what the error is really saying and how you can resolve it:

    🔎 What the error means

    • You have permission:

    Your account (live.com#{email}) can perform Microsoft.Network/virtualNetworks/write on the VNet (workers-vnet).

    • You do not have permission:

    You’re missing Microsoft.Network/networkSecurityGroups/join/action on the NSG (workers-sg). This action is required when Azure tries to detach or reconfigure resources linked to the NSG during NAT Gateway removal.

    • Blocked by deny assignment:

    Even if you had RBAC permissions, there’s a deny assignment on the NSG scope. Deny assignments override RBAC and prevent certain actions — often created by Azure-managed services (like Databricks or policy enforcement).

    ⚙️ Why this happens

    • Databricks-managed resource groups (databricks-rg-*) often have locked-down NSGs with deny assignments to prevent accidental modification.
    • When you try to remove the NAT Gateway, Azure attempts to update the NSG association, but the deny assignment blocks it.you’re hitting an Azure RBAC + deny assignment conflict when trying to remove the NAT Gateway. Let’s break down what the error is really saying and how you can resolve it:

    🔎 What the error means

     - You have permission:  

    Your account (live.com#{email}) can perform Microsoft.Network/virtualNetworks/write on the VNet (workers-vnet).

     - You do not have permission:  

    You’re missing Microsoft.Network/networkSecurityGroups/join/action on the NSG (workers-sg). This action is required when Azure tries to detach or reconfigure resources linked to the NSG during NAT Gateway removal.

     - Blocked by deny assignment:  

    Even if you had RBAC permissions, there’s a deny assignment on the NSG scope. Deny assignments override RBAC and prevent certain actions — often created by Azure-managed services (like Databricks or policy enforcement).

    ⚙️ Why this happens

    • Databricks-managed resource groups (databricks-rg-*) often have locked-down NSGs with deny assignments to prevent accidental modification.
    • When you try to remove the NAT Gateway, Azure attempts to update the NSG association, but the deny assignment blocks it.

    Was this answer helpful?

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.