Share via

A community member has associated this post with a similar question:
**Title:** Orphaned AzureKubernetesService serviceAssociationLink blocking subnet and VNet deletion after AKS cluster is gone

Only moderators can edit this content.

Orphaned AzureKubernetesService serviceAssociationLink on subnet after AKS deletion — cannot delete subnet or VNet

Abdul Hameed A 0 Reputation points
2026-04-05T06:57:13.1033333+00:00

Title: Orphaned AzureKubernetesService serviceAssociationLink blocking subnet and VNet deletion after AKS cluster is gone

Subscription ID:

Problem:

I am unable to delete a subnet or its parent VNet because of a stale serviceAssociationLinks/AzureKubernetesService that remained after the AKS cluster was deleted. There is no AKS cluster, no node pools, and no related resources remaining in the subscription.

Error:


InUseSubnetCannotBeDeleted: Subnet snet-aks-pods is in use by ...serviceAssociationLinks/AzureKubernetesService and cannot be deleted.

What I have already tried:

  • az network vnet subnet delete — blocked by the error above
  • az network vnet delete — same error
  • az group delete on the resource group — fails with the same error
  • az rest --method DELETE on the SAL resource directly — returns UnauthorizedClientApplication
  • PowerShell $subnet.ServiceAssociationLinks.Clear() + Set-AzVirtualNetwork — same 400 error
  • az resource delete --ids on the SAL — failed
  • az group delete --force-deletion-types — did not help

Ask:

Can an Azure engineer please clear the orphaned serviceAssociationLinks/AzureKubernetesService from the backend so I can delete the subnet and VNet? This appears to be a platform-level stale reference that cannot be removed through any client-side tooling.

Azure Kubernetes Service
Azure Kubernetes Service

An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.

0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Q&A Assist
    2026-04-05T06:57:27.5033333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    The subnet is blocked by an orphaned serviceAssociationLinks/AzureKubernetesService, which is a known class of issue where a service association link (SAL) remains after the service (here, AKS) is deleted. Client-side tools (Azure CLI, PowerShell, direct az rest DELETE) generally cannot remove such orphaned SALs when the platform marks them as non-deletable (allowDelete=false) or when backend ownership is required.

    Supported remediation from the available guidance is:

    1. Verify that no AKS or other resources are still using the subnet
      • Use the diagnostic/inspection commands on the subnet to confirm what is present:
        • Check delegations: 
                 az network vnet subnet show \
         --resource-group rg-test-dev-networking \
         --vnet-name vnet-test-dev \
         --name snet-aks-pods \
         --query "delegations[].{name:name, service:serviceName}" \
         --output table
        • Check service association links (this will show the AzureKubernetesService SAL): 
                 az network vnet subnet show \
         --resource-group rg-test-dev-networking \
         --vnet-name vnet-test-dev \
         --name snet-aks-pods \
         --query "serviceAssociationLinks[].{link:link, linkedResourceType:linkedResourceType}" \
         --output table
        • Check for NICs/IP configurations that might also block deletion: 
                 az network vnet subnet show \
         --resource-group rg-test-dev-networking \
         --vnet-name vnet-test-dev \
         --name snet-aks-pods \
         --query "ipConfigurations[].id" \
         --output tsv
      • If any NICs or other resources are listed, delete or detach them first (for NICs: az network nic delete --resource-group <rg> --name <nic-name>), then retry subnet deletion.
    2. Follow the documented SAL cleanup pattern
      • For service association links in general, the documented process is:
        1. Ensure all resources from the linked service are deleted.
        2. Wait 10–15 minutes for the platform to clean up the SALs automatically.
        3. Retry subnet deletion.
        4. If the SAL persists, open an Azure support request referencing the linkedResourceType.
      • In this case, the linkedResourceType is AzureKubernetesService (AKS). Since AKS is already deleted and the SAL is still present after client-side attempts, this falls into the “persisting SAL” scenario that requires backend intervention.
    3. Engage Azure Support to remove the orphaned SAL
      • The platform documentation explicitly states that if service association links remain after resource deletion and do not clear after waiting, the next step is to open an Azure support request and reference the specific linkedResourceType.
      • Include in the support request:
        • The full SAL resource ID: /subscriptions/6aad4f09-475d-4494-94a4-b31a01f55b5d/resourceGroups/rg-test-dev-networking/providers/Microsoft.Network/virtualNetworks/vnet-test-dev/subnets/snet-aks-pods/serviceAssociationLinks/AzureKubernetesService
        • The error code and message (InUseSubnetCannotBeDeleted and the message showing the SAL).
        • Confirmation that the AKS cluster and related resources are deleted and that client-side deletion attempts for the SAL have failed.
      • Backend engineering/support can then purge the orphaned AzureKubernetesService serviceAssociationLink so that the subnet and VNet can be deleted.

    This aligns with the general guidance for orphaned SALs (for example, App Service SALs) where, if purge/cleanup via CLI or re-creation is not possible or fails, the remaining resolution is a platform-side cleanup by Microsoft Support.

    References: