
Deleted AWS instances cannot be deleted from ARC machine inventory

Tracy Mosley 0 Reputation points
2026-03-11T16:36:07.41+00:00

I have two AWS instances that were previously successfully connected to ARC. We have FULLY removed these EC2 instances on the AWS side (not suspended, not terminated, fully removed). I have deleted them from the ARC inventory several times, and every time the cloud connector rescans, they get added back. Some aspect of the resources must remain on the Azure Defender for the Cloud side. What do I need to do to fully remove any references that may be allowing these bogus references to be re-added?

Azure Arc

A Microsoft cloud service that enables deployment of Azure services across hybrid and multicloud environments.


2 answers

Sort by: Most helpful
  1. Alex Burlachenko 19,695 Reputation points Volunteer Moderator
    2026-03-12T12:59:08.9833333+00:00

    Tracy Mosley hey hey,

    what is happening is that Azure Arc itself is not recreating them randomly, the AWS cloud connector is rediscovering them from whatever it still sees on the AWS side. Even if the EC2 instances are terminated, if they still appear in AWS APIs or if there is stale metadata in the connected account scope, Arc will pull them back in during the next scan.

    Check in AWS that those instances are truly gone and not just terminated but still listed in the EC2 console with a terminated state. Also check if there are any leftover hybrid activation resources, IAM roles, or SSM registrations tied to those instance IDs.

    Then in Azure go to Azure Arc > AWS connector and review the connected account configuration. Sometimes the connector scope includes resources that still exist in AWS Config or inventory services so Arc keeps reimporting them. You may need to disconnect and reconnect the AWS account or remove and recreate the AWS connector to force a clean inventory sync.

    Check the Defender for Cloud environment settings for that AWS account and make sure there are no lingering resources tracked there. If after confirming they are completely gone in AWS they still reappear, open a support ticket because that usually means the backend connector cache needs to be cleared.

    rgds,

    Alex


  2. Suchitra Suregaunkar 11,150 Reputation points Microsoft External Staff Moderator
    2026-03-11T21:40:44.46+00:00

    Hello Tracy Mosley

    What you are seeing is expected behavior when AWS is connected through the Azure Arc Multicloud Connector (Inventory and/or Arc onboarding solution).

    1. Azure Arc Multicloud Connector performs periodic inventory scans
      • The connector regularly queries AWS APIs and re‑projects discovered resources into Azure.
      • Any resource that still appears discoverable from AWS APIs will be recreated in Azure on the next sync.
    2. Deleting the Arc machine in Azure does not block rediscovery
      • Deleting Microsoft.HybridCompute/machines only removes the Azure representation.
      • On the next scan, if the connector still detects the resource, it is re‑created automatically.
    3. Connector‑based resources are not “owned” by Defender for Cloud
      • Defender for Cloud consumes data from the connector but does not control lifecycle deletion of inventory objects.
      • There is no Defender‑side “cache” or manual purge option for individual machines.

    The most common root cause is that even when an EC2 instance is terminated, one or more AWS artifacts can still exist, causing the connector to rediscover it:

    • Instance metadata still visible via AWS APIs for a short or extended period
    • Orphaned Auto Scaling Group, Launch Template, or Spot Fleet references
    • AWS Config / CloudTrail historical records still being returned
    • Organization‑level inventory scan returning stale entries

    Because the Arc Multicloud Connector is source‑of‑truth driven by AWS, Azure will keep recreating the objects until the source is clean.

    Please try the workarounds provided below and let us know if they are helpful or not:

    1. Remove or disable the AWS connector solution

    If these AWS instances should never be managed again:

    1. Go to Azure Arc → Multicloud connectors
    2. Select the AWS connector
    3. Disable the Inventory solution and/or Arc onboarding solution
    4. After disabling, manually delete the Azure resources

    Once the solution is disabled, periodic sync stops, and deleted resources will not be recreated.

    2. Fully remove the AWS connector (cleanest reset)

    If you want a full reset:

    1. Delete the AWS security connector / multicloud connector in Azure
    2. Remove the CloudFormation stack in AWS
    3. Confirm no AWS IAM roles created for Azure Arc remain
    4. Re‑create the connector only if needed

    This clears all discovery paths.

    3. Confirm AWS truly no longer returns the instance:

    Before expecting Azure to stop rediscovering:

    • Verify the instance does not appear in AWS EC2 APIs
    • Check for:
      • Auto Scaling Groups
      • Launch Templates
      • Spot requests
      • AWS Config historical visibility

    If AWS returns it, Azure Arc must re‑add it by design.

    Please have a look at the reference links below for more details:

    So, Azure Arc Multicloud Connector treats AWS as the source of truth. Deleting Arc machines in Azure does not prevent rediscovery during periodic scans. To permanently remove these instances, you must either fully remove the AWS connector (or disable the Inventory/Arc onboarding solutions) or ensure the instances and all related artifacts no longer appear in AWS APIs. There is no Defender‑side or Arc‑side manual purge mechanism for individual machines while the connector remains active.

    If the provided information is helpful, then please click "upvote".

    If you have any other queries, then please share the above requested details with us.

    Thanks,
    Suchitra.

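One way to carry out the "confirm AWS truly no longer returns the instance" step from the answer above as a repeatable check. This is an added example, not code from the thread or from Microsoft; the boto3 client calls are real AWS SDK methods, while the instance IDs, group names and sample responses are constructed for illustration.

```python
"""Report which AWS APIs still return supposedly deleted EC2 instance IDs.
Sources checked: EC2 describe-instances (terminated instances linger there),
Auto Scaling Group membership, Spot requests and AWS Config discovered resources."""
from collections import defaultdict


def stale_references(instance_ids, ec2_instances, asgs, spot_requests, config_ids):
    """Pure check over already-fetched responses: instance id -> sources that still list it."""
    wanted = set(instance_ids)
    found = defaultdict(list)
    for inst in ec2_instances:  # flattened Reservations[].Instances[]
        if inst["InstanceId"] in wanted:
            found[inst["InstanceId"]].append(f"ec2:{inst['State']['Name']}")
    for group in asgs:
        for member in group.get("Instances", []):
            if member["InstanceId"] in wanted:
                found[member["InstanceId"]].append(f"asg:{group['AutoScalingGroupName']}")
    for req in spot_requests:
        if req.get("InstanceId") in wanted:
            found[req["InstanceId"]].append(f"spot:{req['SpotInstanceRequestId']}")
    for rid in config_ids:
        if rid in wanted:
            found[rid].append("config:history")
    return {iid: sorted(srcs) for iid, srcs in found.items()}


def fetch_from_aws(instance_ids, region):
    """Query the live account (needs boto3 and read-only credentials for the region)."""
    import boto3  # imported lazily so the pure check above runs without it
    ec2 = boto3.client("ec2", region_name=region)
    asg = boto3.client("autoscaling", region_name=region)
    cfg = boto3.client("config", region_name=region)
    # a filter, not InstanceIds=, so IDs AWS has forgotten do not raise NotFound
    pages = ec2.get_paginator("describe_instances").paginate(
        Filters=[{"Name": "instance-id", "Values": list(instance_ids)}])
    instances = [i for p in pages for r in p["Reservations"] for i in r["Instances"]]
    groups = [g for p in asg.get_paginator("describe_auto_scaling_groups").paginate()
              for g in p["AutoScalingGroups"]]
    spot = ec2.describe_spot_instance_requests()["SpotInstanceRequests"]
    # includeDeletedResources=True surfaces records AWS Config keeps for deleted instances
    cfg_ids = [r["resourceId"] for r in cfg.list_discovered_resources(
        resourceType="AWS::EC2::Instance", resourceIds=list(instance_ids),
        includeDeletedResources=True)["resourceIdentifiers"]]
    return stale_references(instance_ids, instances, groups, spot, cfg_ids)


if __name__ == "__main__":
    # constructed sample: i-0aaa111 is still in EC2 (terminated), an ASG and AWS Config;
    # i-0bbb222 is gone everywhere, so only the first ID is reported
    print(stale_references(
        ["i-0aaa111", "i-0bbb222"],
        [{"InstanceId": "i-0aaa111", "State": {"Name": "terminated"}}],
        [{"AutoScalingGroupName": "web-asg", "Instances": [{"InstanceId": "i-0aaa111"}]}],
        [], ["i-0aaa111"]))  # {'i-0aaa111': ['asg:web-asg', 'config:history', 'ec2:terminated']}
```

Any ID that comes back non-empty is one the connector can legitimately rediscover; only IDs absent from every source should be expected to stay deleted in Azure.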
