Hello,
I have an issue deleting a network profile, created by a container deployment.
I've tried the deletion with the cli and in the azure portal.
The deployment and how to delete a network-profile, is mentioned here:
https://docs.microsoft.com/de-de/azure/container-instances/container-instances-vnet
When I try to delete the network profile, I keep getting the message:
C:\Users\clangner>az network profile delete --id /subscriptions/abf141a1-3f7b-4c54-8573-8031188e6aab/resourceGroups/dx_test/providers/Microsoft.Network/networkProfiles/aci-network-profile-dx_container-dx4-net -y
Network profile /subscriptions/abf141a1-3f7b-4c54-8573-8031188e6aab/resourceGroups/dx_test/providers/Microsoft.Network/networkProfiles/aci-network-profile-dx_container-dx4-net is already in use with container nics a86721e0-3ca4-431a-9cde-e85fa9ac1ea8_eth0; cannot update or delete
I understand, that there is a container nic that is using the network profile.
The problem is, there is no exisiting container anymore in my exisiting resource groups.
I've deleted all of them with the following command:
az container delete -g dx_test -n dx4-csb
Do you know, why I can't delete the network profile?
Why is there a network interface from a non-exisiting container?
Is there a possibility to delete this network interface manuellay?
When there are any questions, don't hesitate to ask me.
Thanks in advance.
⚠Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
Thanks for the feedback! We are currently investigating and will update you shortly.
@clangnerakq Try checking the Network Interfaces section in the portal and try to find the NIC that the error is referring to. Once you delete the NIC you should be able to remove the network profile
@MicahMcKittrick-MSFT Thank you for your answer.
Unfortunatly, there is no network interface i can delete.
The overwiew is empty:
C:\Users\clangner>az network nic list --resource-group dx_test
[]
Do you know, where this NIC could be?
Thanks in advance.
@clangnerakq you should check the resource group that is automatically created when you deploy a container instance. The name resource group name will be something like MC_*
This will be different than the resource group you deployed to but it is generated by the platform so you would need to manually search for it.
@clangnerakq any luck with this?
@MicahMcKittrick-MSFT Thank you for your remider and sorry for my late feedback.
I didn't had luck with it, because I can't see this kind of resource groups.
These are the only one's I can see:
(Some of the following is a bit anonymized)
C:\Users\clangner>az group list
[
{
"id": "/subscriptions/XXXXXXXX/resourceGroups/dx_test",
"location": "westus",
"managedBy": null,
"name": "dx_test",
"properties": {
"provisioningState": "Succeeded"
},
"tags": null
},
{
"id": "/subscriptions/XXXXXXXX2/resourceGroups/dxtest",
"location": "westeurope",
"managedBy": null,
"name": "dxtest",
"properties": {
"provisioningState": "Succeeded"
},
"tags": null
},
{
"id": "/subscriptions/XXXXXXXXXXX/resourceGroups/dx2test",
"location": "westeurope",
"managedBy": null,
"name": "dx2test",
"properties": {
"provisioningState": "Succeeded"
},
"tags": null
}
]
I've searched for nics in every resource group, but didn't find anyone:
C:\Users\clangner>az network nic list -g dx_test
[]
C:\Users\clangner>az network nic list -g dxtest
[]
C:\Users\clangner>az network nic list -g dx2test
[]
Do you now if there is another possibility to search for resource groups or nics?
I'm wondering why the command "az network nic list -g dx_test" didn't show any nics, because there are 5 aci's in this resource groups with two network profiles.
Thanks in advance.
Clemens Langner
Thanks for giving that a go.
At this point I think we should get you in contact with Support to get this resolved.
Do you have the ability to open a technical support ticket? If not, you can email me at [email protected] and provide me with your SubscriptionID and link to this issue. I can enable your subscription for that request.
I will close this and be on the lookout for that email :)
@MicahMcKittrick-MSFT Where you guys able to resolve this. I have the same scenario. I am unable to delete the VNet and do not see any NIC instances or auto generated RG's. Thanks again!
@jdobrzen if I remember correctly there was something the engineering team had to do on the backend to release the resources.
Feel free to email me with the requested information I mentioned in the above comment and we can get you in touch with support as well.
@MicahMcKittrick-MSFT
I have the same issue. Unable to delete VPN or subnet and complaints that there is a NIC connected to the container instance. NIC list is empty in Azure portal and through azure cli. Can I email you please? I have two resource groups stuck like this :)
Having the same problems when removing certain vnets. This issue should remain open and handled publicly, there are not enough resources for us to work around this. I have exhausted every option suggested by support team (PS, ARM, REST), and the NIC is nowhere to be found.
I had to raise a support ticket and the support team took two months to solve this issue. They tried every possible way to delete and finally managed to do a force delete. I had the same issue. NIC is nowhere to be found.
I can confirm this issue is still very much valid. az network nic list -g <name>
shows me empty result.
If anyone sees this please open a support request to get this resolved. If you can't open a request see my above comment and feel free to reach out to me with the requested information.
This is still an issue. Can we re-open this so folks can track progress on an actual fix?
We create and destroy VNets frequently and encounter this problem on roughly 10% of our deployments. Yes, support can resolve it. However, it is a major inconvenience as it always involves 3-4 rounds of back and forth (e.g. try this command...) before they finally take it to the engineering team to do something on the back end.
I know it is a preview feature, but this is painful.
The work around for now is still to engage support to get unblocked. But I am reopening this so I can try and find out the current status and what is being done long term to fix this. No ETA on when I will have an update but reopening to keep on my radar and start looking into it
adding @dkkapur for awareness
Same problem for me
Here are some docs that might help delete the blocking resources:
https://docs.microsoft.com/bs-latn-ba/azure/aks/virtual-nodes-cli#remove-virtual-nodes
https://docs.microsoft.com/en-us/rest/api/container-instances/serviceassociationlink/delete
https://docs.microsoft.com/en-us/azure/container-instances/container-instances-vnet#delete-network-resources
The ACI team is aware of this issue and are actively working on a permanent solution. I am working to get an ETA when the fix will ship. Will continue to update this issue as I get more information.
I have been working offline on this issue.
There are different reasons which can lead to this scenario. What we already rolled out is a way to detect this on the back end and we have a monitor for it now. So we automatically informed for this now. But yet container groups which were deleted before we have rolled out our monitor (Mid-September) will not get auto detected. So we will need customers to open a support request to get it sorted out.
When opening a support request, please include in the info you are looking for assistance getting the Network Profile ID corrected.
We can then route your requests to the Azure Container Instance team. Unfortunately there is no way for users to unblock themselves without the engineering team. We are continuing to work on this issue to ensure it does not happen when this feature goes GA.
I will be adding a note to the document with some additional information about this shortly.
I added a note during the cleanup phase of this document explaining that if you get an error deleting the network profile to allow 2-3 days for the platform to auto mitigate the issue then retry the deletion. If that doesn't work, I included steps to open a ticket.
Once the PR merges the changes can be seen on the doc after a few hours.
Once the work fixes have been confirmed and the feature moves to GA we will update the doc again.
@MicahMcKittrick-MSFT
Another data point for you. It looks like we can avoid the problem by manually deleting the container instance in the portal prior to tearing down the rest of the infrastructure (e.g. terraform destroy).
Great! Thanks I will let the engineering team know as well. This might help with a forever fix.
Apologies for bumping a closed issue - but I am still experiencing this same behavior on 2 resource groups. ACI was deployed via template. Ran az group delete
prior to knowing about this issue and the work around. Now I have two groups that can't delete the vnet/subnets because the network profile provides the already in use with container nics; cannot update or delete
error message.
Was a fix pushed to GA?
We are having this same issue and now Azure support is linking to this issue after having us manually run several commands that do not work. Is there a particular way to get to the proper back end group for resolution of this issue?
We are having this same issue and now Azure support is linking to this issue after having us manually run several commands that do not work. Is there a particular way to get to the proper back end group for resolution of this issue?
@js-mode FWIW, I opened a support ticket and I pinged people internally. I have not heard back, but I'll keep shaking the product group tree to get some sort of answer for everyone.
Also, how can one request support to delete the resource manually, if not on a paid support plan? To open technical support tickets, we must have a paid support plan.
I just have experienced this multiple times yesterday (freshly created resource groups) and since you cannot even move the resources which stuck to a "dead-rg" because the network profiles cannot be moved between resource groups. So I need to create a new resource group for every deployment (We are writing Terraform scripts now, and having issues configuring gateway rules so we run them multiple times a day)
Same problem as @NoNameProvided. I am not on a paid plan and therefore not able to delete this resource on my own. Would be glad if someone points me in a direction where I can get help, I dont want to write an email to a random support-channel of microsoft.
Hey - PM for ACI here. This is a known issue caused by a VNet outage ACI has last week. We're currently working on a fix to unblock VNet deletion. Unfortunately there is no way for you to delete the VNet manually on your own at this point.
We will be sending out Azure Health notifications shortly to impacted subscriptions. These updates will continue to be sent out until the issue has been resolved.
Update: if you follow these steps, you should be able to successfully delete your VNet. If these steps do not work for you, please open a support ticket.
Mitigation
Please follow these steps in order
az container delete --id $CG_RESOURCE_ID
az network profile delete --id $NETWORK_PROFILE_ID -y
az network vnet delete --resource-group $RES_GROUP --name $VNET_NAME
This is still not fixed. Once the container group is deleted, the network profile is still left over. After running az network profile delete --id $NETWORK_PROFILE_ID -y
still repeatedly get these errors:
Network profile /subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RG/providers/Microsoft.Network/networkProfiles/aci-network-profile-$RG-vnet is already in use with container nics a76d6805-228d-485c-a40b-27df9aa2b446_eth0; cannot update or delete
Also getting this error:
Failed to delete resource group $RG: Deletion of resource group '$RG' failed as resources with identifiers 'Microsoft.Network/networkProfiles/aci-network-profile-$RG-vnet,Microsoft.Network/virtualNetworks/$RG-vnet' could not be deleted. The provisioning state of the resource group will be rolled back. The tracking Id is 'e2ecf6cd-7b8e-412e-b292-ccfec9030830'. Please check audit logs for more details. (Code: ResourceGroupDeletionBlocked) Network profile /subscriptions/$SUB/resourceGroups/$RG/providers/Microsoft.Network/networkProfiles/aci-network-profile-$RG-vnet is already in use with container nics a76d6805-228d-485c-a40b-27df9aa2b446_eth0; cannot update or delete (Code: NetworkProfileAlreadyInUseWithContainerNics, Target: /subscriptions/$SUB/resourceGroups/$RG/providers/Microsoft.Network/networkProfiles/aci-network-profile-$RG-vnet) Subnet ContainerSubnet is in use by /subscriptions/$SUB/resourceGroups/$RG/providers/Microsoft.Network/networkProfiles/aci-network-profile-$RG-vnet/containerNetworkInterfaceConfigurations/eth0/ipConfigurations/ipconfigprofile and cannot be deleted. In order to delete the subnet, delete all the resources within the subnet. See aka.ms/deletesubnet. (Code: InUseSubnetCannotBeDeleted, Target: /subscriptions/$SUB/resourceGroups/$RG/providers/Microsoft.Network/virtualNetworks/$RG-vnet)
Have had multiple back and forth with Azure support on this and latest update says that the "container team" needs to do something on the backend. Was able to finally delete a single vnet after the Azure team was able to delete container delegations on the backend.
Worst part is that this ticket has been closed and Azure states that the issue has been mitigated, yet still we need to open individual support tickets for each resource group.
If anyone has a root cause or instructions on how to remove these vnets without requiring Azure support, that would be really appreciated.
Hi @js-mode - thanks for bringing this to our attention. Unfortunately there are the only mitigation steps we can recommend for customers to attempt independently at this time. Can you please tag me in your most recent open ticket or have your support engineer loop me into an email (email in GitHub bio)?
I'm apparently experiencing the same problem after trying to delete an AKS cluster with the virtual-nodes addon enabled.
az network profile delete
is failing with: Network profile %id is already in use with container nics %guids.
However, az network nic list
does not show any related nics nor does az container list
show any containers :astonished:
Hello, Everyone.
I had the same issue and me help below steps to remove aci subnet and vnet with trash container nic:
1st - find name of problem network pdofile by command - > az network profile list --query [].name -o tsv
2nd - create resource by terraform -> resource "azurerm_network_profile" "example" with the same network profile name and problem subnet id.
3rd - after terraform successfully create network profile, remove it by -> az network profile delete --id ...(you can find id by az network profile list --query [].id -o tsv)
4th - go to portal and change subnet delegate from container to none, after save I could delete subnet and vnet.
Hope it help you as me!
@JedenFalls could you possibly share your Terraform file (with the PII obfuscated of course)?
@JedenFalls could you possibly share your Terraform file (with the PII obfuscated of course)?
first I found by command az network profile list --query [].name -o tsv name of phantom network profile(which I can't delete), e.g it was aci-network-profile-my-container
when I go to terrafom(because az cli doesn't have command to create network-profile separate from the container group) and done terraform apply for below resource:
resource "azurerm_network_profile" "error-container" {
name = "aci-network-profile-my-container"
location = "location of phantom network profile"
resource_group_name = "rg of phantom network profile"
container_network_interface {
name = "error-nic"
ip_configuration {
name = "error-subnet"
subnet_id ="aci subnet id of problem vnet, you can find it by az network vnet subnet list --
resource-group $vnetRg --vnet-name $vnetName --query [].id -o tsv"
}
}
}
in my case terraform successfully recreated network profile without container binding, after that I could remove it by az network profile delete --id .... and after that azure portal allowed me to delete my subnet and vnet.
@JedenFalls I can confirm that your solution works. I had to import the resource status before applying the configuration you propose, but after applying it az network profile delete --id ...
worked and I was able to delete the affected subnet. Thank you!
The workaround that worked for me is to update the containerNetworkInterfaceConfigurations
property in Network profile properties to an empty list:
# Get network profile ID
NETWORK_PROFILE_ID=$(az network profile list --resource-group <reource-group-name> --query [0].id --output tsv)
az resource update --ids $NETWORK_PROFILE_ID --set properties.containerNetworkInterfaceConfigurations=[]
And then I was able to delete the network profile and subsequently the subnet.
The workaround that worked for me is to update the
containerNetworkInterfaceConfigurations
property in Network profile properties to an empty list:# Get network profile ID NETWORK_PROFILE_ID=$(az network profile list --resource-group <reource-group-name> --query [0].id --output tsv) az resource update --ids $NETWORK_PROFILE_ID --set properties.containerNetworkInterfaceConfigurations=[]
And then I was able to delete the network profile and subsequently the subnet.
This worked for me and saved me the hassle of raising a support case, thanks!!!
@rudolphjacksonm Glad that helped! :)
list all profile list
az network profile list
delete one by one
az network profile delete --name profilename --resource-group rsggroup
You can delete the subnet and vnet after doing above steps
Below are PowerShell commands to update the existing profile and delete it.
New-AzNetworkProfile -ResourceGroupName [rg name] -Location [location] -name [existing profile name]
Remove-AzNetworkProfile -ResourceGroupName [rg name] -name [existing profile name]
Thank you @rudolphjacksonm! That worked for me :)
@krhynerson this worked for us! Thank you!
@BhargaviAnnadevara-MSFT Thank you!
Most helpful comment
The workaround that worked for me is to update the
containerNetworkInterfaceConfigurations
property in Network profile properties to an empty list:And then I was able to delete the network profile and subsequently the subnet.