Azure Firewall Policy cannot be deleted, because it is in Provisioning state Updating

Question

Hi,

I already deleted all dependent resources (firewall, ipgroups, etc.) so the firewall policy is the only resource in my resource group.
It is in Provisioning state "updating" for 3 days and noting happens.
Is there a way to force the delete, even if the resource is in updating mode?
Remove-AzFirewallPolicy with the -force parameter does not work.

Accepted Answer

Hello @Marius ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

As long as the resource is in "updating" state, you won't be able to force delete it. It either needs to fail or succeed.
I would request you to perform a GET-PUT operation on the Firewall policy via the below Azure CLI commands:

To perform a GET operation:
az network firewall policy show --name policyname --resource-group resourcegroupname

To perform a PUT operation:
az network firewall policy update --name policyname --resource-group resourcegroupname

Refer : https://video2.skills-academy.com/en-us/cli/azure/network/firewall/policy?view=azure-cli-latest#az-network-firewall-policy-show

NOTE : Azure PowerShell commands will not help in performing a PUT operation, so please use Azure CLI from the Azure portal CloudShell to perform these operations.

Once the PUT operation is done, check if the Firewall policy gets updated to either "failed" or "succeeded" state. Once it reaches either of the states, you can try deleting the Azure firewall policy.

If the state of your Firewall policy still remains at "updating" or you are unable to delete the policy post the GET-PUT operation, then it would need to be fixed from the backend. So, if you have a support plan, I request you file a support ticket, else please do let us know, we will try and help you get a one-time free technical support.

Hope this helps!

----------------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Answer

So (and thanks @GitaraniSharma-MSFT for your support in this thread!), I wound up opening a very long running and very frustrating support ticket.

I tried the GET/PUT multiple times, no effect. I asked my support engineer if deallocating/reallocating the firewall to the hub would help AND if I would retain my public IP addresses (because firewall in VWAN doesn't allow BYOIP) which I reference externally already. He said no problem, go for it. It didn't work. Went back and forth on this for about 10 days. Ultimately, in my case, the problem was that the Terraform provider allowed me to add a rule with a duplicate name, without an error message. Once I resolved that, it STILL didn't work. The support engineer then came back and said, "yeah, you deallocated the firewall, so you lost your IP", and I wound up tearing it all down and rebuilding.

So, check the little things. If you use Terraform, you may find, as I did, that there are some situations in which the azurerm provider will let you do something the portal won't. Maybe it's ultimately an ARM problem, who knows.