
How to Remove Subnet Delegations associated with an Azure Virtual Network (VNET) Subnet


I was giving Azure Container Instances a try and it seemed to work okay. However, I launched the container in a VNET with a subnet that was empty but was supposed to be used for an Azure Cache for Redis deployment. Buried in the docs, Azure mentions a limitation that containers launched from Azure Container Instances in a VNET must be deployed to a subnet that cannot contain other resource types.

To deploy container groups to a subnet, the subnet can’t contain other resource types. Remove all existing resources from an existing subnet prior to deploying container groups to it, or create a new subnet.

So why is this a problem? The subnet was now delegated to be used by Azure Container Instances. Trying to find an empty subnet from a pre-allocated VNET with no overlaps can be quite a challenge, and the subnet was originally dedicated to Azure Cache for Redis, which also needs a dedicated subnet. When I tried to deploy the cache, I got the error message:

The subnet is delegated to the service(s) : Microsoft.ContainerInstance/containerGroups

I tried to remove the subnet delegation (read more about subnet delegation) using the steps mentioned in the docs, but this also failed with another cryptic message about serviceAssociationLinks being present.

Trying to find details about serviceAssociationLinks led to a dead end. Finally, I came across this GitHub issue which explains how you can delete the service association link using the Azure CLI.

az rest --method delete --uri "https://management.azure.com/subscriptions/<subscription id>/resourceGroups/<resource group>/providers/Microsoft.Network/virtualNetworks/<vnet name>/subnets/<subnet name>/providers/Microsoft.ContainerInstance/serviceAssociationLinks/default?api-version=2018-10-01"

Once the service association links were deleted, I was able to remove the subnet delegation using the Azure CLI:

az network vnet subnet update --resource-group <resource group name> --name <subnet name> --vnet-name <vnet name> --remove delegations
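
The two commands above combined into one guarded script, as an added example that is not from the original post. The function names `sal_uri` and `remove_aci_delegation` and the four-argument calling convention are this example's own; it refuses to act unless the subnet's only delegation is Microsoft.ContainerInstance/containerGroups.

```shell
# Added example, not from the original post. Function and variable names are hypothetical.
API_VERSION="2018-10-01"   # api-version used in the post's az rest call
ACI_SERVICE="Microsoft.ContainerInstance/containerGroups"   # service named in the error message

# Build the ARM URI of the subnet's "default" service association link.
sal_uri() {  # args: subscription-id resource-group vnet-name subnet-name
  printf 'https://management.azure.com/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/virtualNetworks/%s/subnets/%s/providers/Microsoft.ContainerInstance/serviceAssociationLinks/default?api-version=%s' \
    "$1" "$2" "$3" "$4" "$API_VERSION"
}

# Delete the link first, then the delegation, in the order the post describes.
# Returns 2 without changing anything if the subnet is not delegated to ACI alone.
remove_aci_delegation() {  # args: subscription-id resource-group vnet-name subnet-name
  local sub="$1" rg="$2" vnet="$3" subnet="$4" delegated
  delegated="$(az network vnet subnet show --subscription "$sub" \
      --resource-group "$rg" --vnet-name "$vnet" --name "$subnet" \
      --query 'delegations[].serviceName' --output tsv)" || return 1
  if [ "$delegated" != "$ACI_SERVICE" ]; then
    echo "refusing: $subnet is delegated to '${delegated:-nothing}', not $ACI_SERVICE" >&2
    return 2
  fi
  az rest --method delete --uri "$(sal_uri "$sub" "$rg" "$vnet" "$subnet")" || return 1
  az network vnet subnet update --subscription "$sub" --resource-group "$rg" \
      --vnet-name "$vnet" --name "$subnet" --remove delegations || return 1
}

# Run only when the script is given all four arguments.
if [ "$#" -eq 4 ]; then
  remove_aci_delegation "$@"
fi
```

The check on `delegations[].serviceName` keeps a mistyped subnet name from stripping the delegation off a subnet that belongs to a different service.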
Sathyajith Bhat
Author, AWS Container Hero and DevOps Specialist.
