Failed to delete a virtual network or subnet used by Azure Container Instances

This article discusses errors that occur when you delete a virtual network (VNet) or subnet used by Azure Container Instances (ACI) and provides workarounds.

Symptoms

• When you delete a subnet used by ACI, you receive errors that resemble the following ones:

  Failed to delete subnet '<subnet-name>'.
  Error: 'Subnet /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/virtualNetworks/<vnet-name>/subnets/<subnet-name> requires any of the following delegations
  [Microsoft.ContainerInstance/containerGroups] to reference service association link /
  subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/virtualNetworks/<vnet-name>/subnets/<subnet-name>/serviceAssociationLinks/acisal.'
  

  Subnet <subnet-name> is in use by /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/networkProfiles/aci-network-profile-<network-profile-name>/containerNetworkInterfaceConfigurations/eth0/ipConfigurations/ipconfigprofile and cannot be deleted. 
  In order to delete the subnet, delete all the resources within the subnet. See aka.ms/deletesubnet.
  

  Failed to delete subnet '<subnet-name>'. 
  Error: Subnet <subnet-name> is in use by /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/networkProfiles/aci-network-profile-<network-profile-name>/containerNetworkInterfaceConfigurations/eth0/ipConfigurations/ipconfigprofile/aci-network-profile-<network-profile-name>/eth0/ipconfigprofile and cannot be deleted. 
  In order to delete the subnet, delete all the resources within the subnet. See aka.ms/deletesubnet.
  

• When you delete a VNet used by ACI, you receive the following error:

  Failed to delete virtual network '<vnet-name>'. 
  Error: 'Subnet /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/virtualNetworks/<vnet-name>/subnets/<subnet-name> requires any of the following delegations [Microsoft.ContainerInstance/containerGroups] to reference service association link 
  /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/virtualNetworks/<vnet-name>/subnets/<subnet-name>/serviceAssociationLinks/acisal.'
  

Cause 1: A Service Association Link blocks the deletion of the VNET/subnet

The subnet delegation required by ACI must reference a residual Service Association Link, which prevents the deletion of the VNet or subnet used by ACI.

Workaround: Delete the Service Association Link

1. Navigate to the subnet in the Azure portal.

2. Change the subnet delegation to None.

3. Delete network profiles using the az network profile delete command to make sure that no network profiles are linked to the subnet.

4. If the command in step 3 fails, there might be a lingering network profile. To delete a lingering network profile, use the following command:

   az network profile delete --id resourceIdOfNetworkProfile
   

5. If network profiles still block the subnet update, try to set the subnet delegation to None again.

6. If the previous steps don't help, try to delete the Service Association Link via the Azure CLI using a specified API version, such as version 2018-10-01:

   az resource delete --ids /subscriptions/<subscription-id>/resourceGroups/<resourcegroup-name>/providers/Microsoft.Network/virtualNetworks/<vnet-name>/subnets/<subnet-name>/providers/Microsoft.ContainerInstance/serviceAssociationLinks/default --api-version 2018-10-01
   

Cause 2: Network profiles block the deletion of the VNet/subnet

When you remove the container group, the network profile created by ACI during the container group creation might not be properly deleted. This results in something remaining within the VNet or subnet, which blocks certain delete operations.

Workaround 1: Delete the network profile of the container group from the Azure portal

After deleting all ACI container groups, follow these steps:

1. Go to the resource group.
2. Select Show hidden types. By default, network profiles are hidden in the Azure portal.
3. Select the network profile related to the container group.
4. Select Delete.
5. Delete the VNet or subnet.

Workaround 2: Delete the network profile of the container group via Azure CLI

After deleting all ACI container groups, follow these steps:

1. Get the network profile ID:

   NetworkProfile=$(az network vnet subnet show -g $RES_GROUP --vnet-name $VNET_NAME --name $SUBNET_NAME -o tsv --query ipConfigurationProfiles[].id)
   

2. Delete the network profile:

   az network profile delete --ids $NetworkProfile --yes
   

3. Delete the subnet:

   az network vnet subnet delete --resource-group $RES_GROUP --vnet-name $VNET_NAME --name $SUBNET_NAME
   

4. Delete the VNet:

   az network vnet delete --resource-group $RES_GROUP --name $SUBNET_NAME
   

Workaround 3: Update the containerNetworkInterfaceConfigurations property via Azure CLI

If deleting the network profile through the Azure portal and Azure CLI fails, update the network profile property containerNetworkInterfaceConfigurations to an empty list:

1. Get the network profile ID:

   NETWORK_PROFILE_ID=$(az network profile list --resource-group <resource-group-name> --query [0].id --output tsv)
   

2. Update the network profile:

   az resource update --ids $NETWORK_PROFILE_ID --set properties.containerNetworkInterfaceConfigurations=[]
   

3. Delete the network profile and the subnet.

Contact us for help

If you have questions or need help, create a support request, or ask Azure community support. You can also submit product feedback to Azure feedback community.