![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 49%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHD%3C/text%3E%3C/svg%3E)
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 74%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDG%3C/text%3E%3C/svg%3E)
Hello,
Welcome to Microsoft Q&A,
Azure creates Service Association Links (SALs) to lock subnets when certain PaaS services integrate with them (like App Services, Network Profiles, Container Instances, etc.). These links block subnet deletion to prevent data corruption or orphaned configurations.
When "allowDelete": false, you're not allowed to remove the link yourself unless the owning service explicitly allows it. This often occurs when the parent resource is already deleted or orphaned, with no API path to cleanly remove it.
Common Fixes
- Identify the SAL Dependency
az network vnet subnet show \
--resource-group <RG>
--vnet-name <VNet>
--name <Subnet>
--query serviceAssociationLinks
Identify which service type is linked (e.g., `Microsoft.Web`, `Microsoft.DBforMySQL`, `Microsoft.ContainerInstance`, etc.)[Microsoft Learn](https://learn.microsoft.com/en-us/answers/questions/5513807/unable-to-delete-subnet-due-to-service-association)
1. Remove Associated PaaS Resource or Recreate It
- If the SAL was from an App Service or App Service Plan that has already been deleted, try recreating it (with the same name) in the same resource group, reintegrating it with the subnet, and then removing the VNet integration to allow SAL cleanup.
- This has worked for App Services, as demonstrated in a shared resolution:
1. Change Subnet Delegation to None In the Azure Portal, navigate to the subnet and change its delegation to None. This helps remove any enforced link. [Microsoft Learn](https://learn.microsoft.com/en-us/answers/questions/2260899/unable-to-delete-vnet-due-to-serviceassociationlin)
1. Delete Hidden Network Profiles List any existing network profiles and remove them (if applicable):
```dockerfile
az network profile list --resource-group <RG> az network profile delete --ids <network-profile-id>
SALs from Container Instances or other services may leave behind hidden network profiles.
- Attempt Direct Deletion via CLI If the SAL references a specific provider path, try deleting it directly:
Or for Container Instances:az resource delete \ --ids "/subscriptions/<subId>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/subnets/<subnet>/providers/Microsoft.Web/serviceAssociationLinks/AppServiceLink" \ --api-version 2022-05-01az resource delete \
--ids "/subscriptions/<subId>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/subnets/<subnet>/providers/Microsoft.ContainerInstance/serviceAssociationLinks/default"
--api-version 2018-10-01
If none of the above methods are effective, that's likely because the SAL was created by a service that no longer exists, or it's otherwise orphaned. The only way to resolve the issue currently is to open a support ticket, so manual removal by the Microsoft backend is required.
*Please Upvote and accept the answer if it helps!!*
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 71%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGP%3C/text%3E%3C/svg%3E)