Azure CLI command 'az network vnet subnet delete' says a resource is being used when its not. RRS feed

  • Question

  • Hey there,

    I was deleting some vnets from azure and everything was going alright til I hit this point. 

    Subnet container-subnet is in use by  and cannot be deleted. In order to delete the subnet, delete all the resources within the subnet. See

    Now you might think I put two spaces between 'by' and 'and' but I did not. Azure CLI is telling me a subnet is being used by a resource but it's not telling me which. It got me curious so I went to the subnet in specific to see what was going on. 

    To my surprise this was the result:

      "addressPrefix": "IP",
      "addressPrefixes": null,
      "delegations": [
          "actions": [
          "etag": "W/\"572906ae-378d-4d82-8e01-f18f63d3a50a\"",
          "id": "/subscriptions/**ID**/resourceGroups/**RG**/providers/Microsoft.Network/virtualNetworks/*VNETNAME*/subnets/**SUBNETNAME*/delegations/Microsoft.ContainerInstance.containerGroups",
          "name": "Microsoft.ContainerInstance.containerGroups",
          "provisioningState": "Succeeded",
          "resourceGroup": "**RG**",
          "serviceName": "Microsoft.ContainerInstance/containerGroups",
          "type": "Microsoft.Network/virtualNetworks/subnets/delegations"
      "etag": "W/\"572906ae-378d-4d82-8e01-f18f63d3a50a\"",
      "id": "/subscriptions/**ID**/resourceGroups/**RG**/providers/Microsoft.Network/virtualNetworks/**VNETNAME**/subnets/**SUBNETNAME*",
      "ipConfigurationProfiles": null,
      "ipConfigurations": null,
      "name": "container-subnet",
      "natGateway": null,
      "networkSecurityGroup": null,
      "privateEndpoints": null,
      "provisioningState": "Succeeded",
      "purpose": null,
      "resourceGroup": "**RG**",
      "resourceNavigationLinks": null,
      "routeTable": null,
      "serviceAssociationLinks": [
          "allowDelete": false,
          "etag": "W/\"572906ae-378d-4d82-8e01-f18f63d3a50a\"",
          "id": "/subscriptions/**ID**/**RG**/providers/Microsoft.Network/virtualNetworks/**VNETNAME**/subnets/**SUBNATENAME**/serviceAssociationLinks/acisal",
          "link": null,
          "linkedResourceType": "Microsoft.ContainerInstance/containerGroups",
          "locations": [],
          "name": "acisal",
          "provisioningState": "Succeeded",
          "resourceGroup": "**RG**",
          "type": "Microsoft.Network/virtualNetworks/subnets/serviceAssociationLinks"
      "serviceEndpointPolicies": null,
      "serviceEndpoints": null,
      "type": "Microsoft.Network/virtualNetworks/subnets"

    Now I am not an expert in network and I have to point out that this vnet and subnet were set up by another person so I do not really understand why did he set up this. In my understanding this "Microsoft.ContainerInstance.containerGroups" delegation is in all subnets created in azure, aside from this no delegations are being used. 

    The question then -> Why does CLI not let me delete the subnet?

    Any help is appreciated,

    Thank you.

    • Edited by David Bros Monday, August 12, 2019 12:27 PM
    Monday, August 12, 2019 11:02 AM


All replies

  • Use the command az network vnet subnet show -g {rg} -n {subnetname} --vnet-name {vnet}  to get the detailed information. If any service is using this subnet, it would be listed as service information under the ipConfigurations.

    For Reference:

     az network vnet subnet show --help

        az network vnet subnet show : Show details of a subnet.

        --expand            : Expands referenced resources.

    Resource Id Arguments
        --ids               : One or more resource IDs (space-delimited). If provided, no other
                              'Resource Id' arguments should be specified.
        --name -n           : The subnet name.
        --resource-group -g : Name of resource group. You can configure the default group using `az
                              configure --defaults group=<name>`.
        --subscription      : Name or ID of subscription. You can configure the default subscription
                              using `az account set -s NAME_OR_ID`.
        --vnet-name         : The virtual network (VNet) name.

    Global Arguments
        --debug             : Increase logging verbosity to show all debug logs.
        --help -h           : Show this help message and exit.
        --output -o         : Output format.  Allowed values: json, jsonc, table, tsv, yaml.  Default:
        --query             : JMESPath query string. See for more information and
        --verbose           : Increase logging verbosity. Use --debug for full debug logs.

        Show the details of a subnet associated with a virtual network.
            az network vnet subnet show -g MyResourceGroup -n MySubnet --vnet-name MyVNet

    • Proposed as answer by Ben.Paul Monday, August 12, 2019 12:29 PM
    • Edited by Ben.Paul Tuesday, August 13, 2019 7:59 AM syntax corrrections
    Monday, August 12, 2019 12:29 PM
  • Hey there TheBZone, thanks for the quick answer, but I get 

    az: error: unrecognized arguments: --vnet-name container-vnet --subnet container-subnet 

    Do you know if there is another workaround?


    Monday, August 12, 2019 1:54 PM
  • The correct syntax is 

    az network vnet subnet show -g MyResourceGroup -n MySubnet --vnet-name MyVNet

    This won't necessarily tell you exactly how to delete the subnet. In the case of a VM connected to a subnet, this command will show the network interface, but that interface can't be deleted until the VM is.

    If you have Network Watcher running, it creates a map of the network that makes it easier to see what is connected to a subnet even if it is several layers deep. The caveat here is that all the resources must be in the same Azure region. 

    az network watcher show-topology [--location]

    Monday, August 12, 2019 5:37 PM
  • Sorry for the syntax errors. Corrected :)
    Tuesday, August 13, 2019 7:59 AM
  • Hey there! Thanks for the fast answer.

    While this is super useful I run into another problem...

    This is the output of my subnet watcher 


    az network watcher show-topology -g rg-container --vnet container-vnet --subnet container-subnet -l westeurope


      "createdDateTime": "2019-08-13T08:16:12.902935+00:00",
      "id": "id",
      "lastModified": "2019-02-12T08:32:49.629893+00:00",
      "resources": [
          "associations": [],
          "id": "/subscriptions/id/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/container-vnet/subnets/container-subnet",
          "location": "westeurope",
          "name": "container-subnet",
          "properties": {},
          "resourceGroup": "rg-container"

    As you see the subnet is not using anything, and still it will tell me it is and won't let me delete it :P 

    Any idea why it keeps telling me that?

    Thanks for the answer! The watcher is really cool to use!

    Tuesday, August 13, 2019 8:19 AM
  • Refer to similar thread:

    MS personnel states there that :

    "There are some rare situations where a subnet is unable to be deleted with normal means, and it must be done by support.

    If you are not able to see any resources in that subnet, your best bet is to open a support request."

    Hope this helps.

    • Edited by Ben.Paul Tuesday, August 13, 2019 8:49 AM
    • Proposed as answer by Ben.Paul Tuesday, August 13, 2019 8:49 AM
    • Marked as answer by David Bros Tuesday, August 13, 2019 9:59 AM
    Tuesday, August 13, 2019 8:48 AM
  • Thanks, I think this might be one of this rare cases. I will contact Microsoft Support then. Thanks for the help!

    Tuesday, August 13, 2019 9:59 AM