Share via

Cannot delete Azure Virtual Network (VNet), support keeps telling me to remove a resource outside of my subscription

Eric Kimminau 0 Reputation points
2026-06-22T17:47:34.9733333+00:00

This guidance is not applicable. The blocking resource is NOT in our subscription and cannot be accessed or deleted. Evidence: - Subnet shows serviceAssociationLink "legionservicelink" - linkedResourceType = Microsoft.App/environments - allowDelete = false Blocking resource: - /subscriptions/fca8eXXX-60XX-46XX-8eXX-d09bd34a1XXX/resourceGroups/hoboXX_8020f3XX-95b4-4dXX-9fXX-2134e0875XXX/providers/Microsoft.App/managedEnvironments/i020f33095b44d859f582134e0875XXX Observed behavior: - No Microsoft.App/managedEnvironments exist in our subscription - Cannot enumerate or access the above subscription - az containerapp env create fails with ManagedEnvironmentSubnetInUse Conclusion: This is a cross-subscription dependency created by the Microsoft.App resource provider. Request: Please escalate to backend engineering to: - Detach the managedEnvironment from the subnet, OR - Remove the serviceAssociationLink (legionservicelink) This cannot be resolved from the tenant side.- HOW do I delete this resource???

Azure Virtual Network
Azure Virtual Network

An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.

5 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Eric Kimminau 0 Reputation points
    2026-06-23T13:17:38.4433333+00:00

    As an MSDN subscription holder Im now allowed to open a support ticket and escalate. How do I proceed?

    Was this answer helpful?

    0 comments
  2. Eric Kimminau 0 Reputation points
    2026-06-22T18:09:49.5333333+00:00

    az network vnet subnet show --resource-group rg-dev-EntAIAXXX-euXX-XX --vnet-name vnet-dXX-euXX-XX --name snet-dev-pXX-svc-euXX-XX --query "serviceAssociationLinks[].{name:name, link:link, type:linkedResourceType, allowDelete:allowDelete}" --output table

    Name Link AllowDelete

    legionservicelink /subscriptions/4b9403e5-43ae-4551-b028-8c21441b4XXX/resourcegroups/rg-dXX-entaiapXX-euXX-XX/virtualnetworks/vnet-dev-eus2-01/subnets/snXX-dev-pvt-sXX-eus2-XX False

    Was this answer helpful?

    0 comments
  3. Eric Kimminau 0 Reputation points
    2026-06-22T18:07:37.1166667+00:00

    C:\Users\ekimminau\OneDrive\Apex-Code\GitHub> az network vnet subnet show --resource-group rg-dev-EntAIApXX-euXX-XX --vnet-name vnet-dev-eus2-01 --name snet-dev-pvt-svc-eus2-02 --query "serviceAssociationLinks[].{link:link, linkedResourceType:linkedResourceType}" --output table

    Link LinkedResourceType

    /subscriptions/4b940XXX-4XXX-45XX-b0XX-8c21441b4XXX/resourcegroups/rg-dev-entaiaXXX-eXXX-01/virtualnetworks/vnet-dXX-eus2-XX/subnets/snet-dXX-pvt-sXX-eus2-XX Microsoft.App/environments

    Was this answer helpful?

    0 comments
  4. Eric Kimminau 0 Reputation points
    2026-06-22T18:04:23.0533333+00:00

    We have confirmed this is not a normal subnet dependency.

    Evidence:

    • Subnet delegation: Microsoft.App/environments
    • ServiceAssociationLink: legionservicelink
    • allowDelete = false
    • az containerapp env create fails with ManagedEnvironmentSubnetInUse
    • Azure reports the subnet is owned by:

      /subscriptions/fca8eXXX-60XX-46XX-8e17-d09bd34a1XXX/resourceGroups/hobov3_8020f330-95XX-4dXX-9f58-2134e0875XXX/providers/Microsoft.App/managedEnvironments/i020f33095b44d859f582134e0875XXX

    Facts:

    • No Microsoft.App/managedEnvironments exist in our subscription
    • We cannot access that subscription
    • VNet delete fails because subnet delete fails on serviceAssociationLinks/legionservicelink

    Request:

    Please route to the Microsoft.App / Azure networking backend team for manual removal of the serviceAssociationLink or detachment of the managed environment.

    ``

    Was this answer helpful?

  5. AI answer

    2026-06-22T17:48:34.73+00:00

    The subnet and VNet can't be deleted because of a blocking service association link (SAL) of type Microsoft.App/environments with allowDelete = false. This is exactly the kind of cross-service dependency described for subnet deletion failures.

    From the tenant side, the only supported actions are:

    1. Diagnose the blocking resource on the subnet Use the diagnostic Azure CLI command to list service association links on the subnet and confirm the linkedResourceType: 
         az network vnet subnet show \
       --resource-group <resource-group> \
       --vnet-name <vnet-name> \
       --name <subnet-name> \
       --query "serviceAssociationLinks[].{link:link, linkedResourceType:linkedResourceType}" \
       --output table
      This will show the serviceAssociationLinks and the linkedResourceType (in this case Microsoft.App/environments).
    2. Verify no resources from that linked service remain in the subnet The documented guidance for subnet deletion when service association links exist is:
      • Verify that no resources from the linked service are still deployed in the subnet.
      • Wait 10–15 minutes for the platform to clean up the links.
      • Retry the subnet deletion.
      Since the blocking Microsoft.App/managedEnvironments resource is in another subscription that can't be accessed, this step can't be completed from the current subscription.
    3. Escalate via Azure Support with the linkedResourceType and SAL details When service association links persist and can't be cleared by deleting the owning resources, the documented next step is to open an Azure support request and reference the specific linkedResourceType:
      • Open an Azure support request for the affected subscription.
      • Include:
        • The full subnet resource ID.
        • The serviceAssociationLink name (for example, legionservicelink).
        • The linkedResourceType (Microsoft.App/environments).
        • The blocking resource ID that is in the other subscription.
      • Explicitly request backend cleanup of the orphaned service association link or detachment of the Microsoft.App managed environment from the subnet.
      The platform-side cleanup of an orphaned SAL with allowDelete = false is not something that can be performed from the tenant; it must be handled by Azure engineering via the support channel.
    4. Retry subnet and VNet deletion after backend cleanup After support confirms that the SAL has been removed or the dependency cleared, retry:
      • Subnet deletion.
      • Then VNet deletion (following the recommended deletion order if other resources exist).

    If other blocking resources are present (NICs, private endpoints, delegations, Bastion/Firewall, etc.), they must also be removed as described in the subnet/VNet deletion guidance before the VNet can be deleted.

    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.