![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 47%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAH%3C/text%3E%3C/svg%3E)
Azure Kubernetes Service
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 27%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA9%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 79%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3END%3C/text%3E%3C/svg%3E)
The subnet and VNet are blocked because the AzureKubernetesService serviceAssociationLink (SAL) is still present and marked with allowDelete: false. This is an orphaned platform-side link similar to the App Service and ACI cases and cannot be removed purely from the client side once it is in this state.
From the available guidance, the only supported resolutions for orphaned SALs are:
- Identify the blocking serviceAssociationLink
- Use Azure CLI to confirm the SAL on the subnet:
az network vnet subnet show \ --resource-group rg-test-dev-networking \ --vnet-name vnet-test-dev \ --name snet-aks-pods \ --query "serviceAssociationLinks[].{link:link, linkedResourceType:linkedResourceType}" \ --output table - This will show the
AzureKubernetesServiceSAL that is blocking deletion.
- Use Azure CLI to confirm the SAL on the subnet:
- Confirm there are no remaining resources using the subnet
- Run the diagnostic-style query to ensure no NICs, private endpoints, or delegations are still present:
az network vnet subnet show \ --resource-group rg-test-dev-networking \ --vnet-name vnet-test-dev \ --name snet-aks-pods \ --query "{delegations:delegations, serviceEndpoints:serviceEndpoints, ipConfigurations:ipConfigurations, privateEndpoints:privateEndpoints, serviceAssociationLinks:serviceAssociationLinks}" - If
ipConfigurationsorprivateEndpointscontain values, those resources must be removed first. If only the SAL remains, the issue is an orphaned SAL.
- Run the diagnostic-style query to ensure no NICs, private endpoints, or delegations are still present:
- Handle orphaned SALs
- For ACI and App Service, the documented pattern is to:
- Explicitly delete the subnet first to avoid cascading delete confusion.
- Then delete the SAL object directly with
az resource deleteoraz restusing the SAL resource ID.
- In the AKS scenario described in the context, when the error message references
serviceAssociationLinks/AppServiceLinkor similar, the guidance is to remove the external service resources and then delete the subnet. However, when the SAL is orphaned andallowDeleteisfalse, platform-side cleanup is required.
- For ACI and App Service, the documented pattern is to:
- When client-side deletion of the SAL fails
- The behavior described (
UnauthorizedClientApplication,SubnetMissingRequiredDelegation,allowDelete: false) matches an orphaned platform state that cannot be fixed from the subscription using normal tools. - In this state, the only path forward is a backend purge of the orphaned SAL by Microsoft Support. This is consistent with the guidance for similar orphaned SAL issues (for example, App Service VNet integration and ACI network profiles) where a backend cleanup is required when direct deletion is blocked.
- The behavior described (
- Recommended next step
- Open an Azure support request for the subscription and reference:
- The full resource ID of the SAL:
.../virtualNetworks/vnet-test-dev/subnets/snet-aks-pods/providers/Microsoft.ContainerService/serviceAssociationLinks/AzureKubernetesService(or the exact ID from the CLI output). - The error codes seen when attempting deletion:
InUseSubnetCannotBeDeleted,UnauthorizedClientApplication,SubnetMissingRequiredDelegation. - That
allowDeleteisfalseand the AKS cluster and any associated resources are already deleted.
- The full resource ID of the SAL:
- Ask support to perform a backend purge of the orphaned
AzureKubernetesServiceserviceAssociationLink so that the subnet, VNet, and resource group can be deleted.
- Open an Azure support request for the subscription and reference:
Once the SAL is removed by support and any remaining NICs or private endpoints are confirmed deleted, subnet and VNet deletion should succeed.
References:
- Troubleshoot failure to delete or modify a virtual network or subnet in Azure
- AKS cluster deletion fails because a public IP address, subnet, or network security group is in use
- A public IP address/subnet/network security group in use can't be deleted
- Failed to delete a virtual network or subnet used by Azure Container Instances
- Subnet deletion blocked by orphaned App Service serviceAssociationLink - Microsoft Q&A