Not Able to delete private azure dns zone even if there is no nested link
**Describe the bug**
Cannot delete private dns zone even if there are no nested links

**To Reproduce**
create global zone and try to delete

**Expected behavior**
zone should be deleted, if there is no nested resources in it.

**Environment summary**

```
PS C:\Users\digeler> az network private-dns zone show -n documents.azure.com -g polydgeuse1
{
  "etag": "a69969af-60b0-4490-8059-1906c48b48c9",
  "id": "/subscriptions/a9f4e502-9188-4e9c-857f-532dd66f5d0c/resourceGroups/polydgeuse1/providers/Microsoft.Network/privateDnsZones/documents.azure.com",
  "location": "global",
  "maxNumberOfRecordSets": 25000,
  "maxNumberOfVirtualNetworkLinks": 1000,
  "maxNumberOfVirtualNetworkLinksWithRegistration": 100,
  "name": "documents.azure.com",
  "numberOfRecordSets": 1,
  "numberOfVirtualNetworkLinks": 0,
  "numberOfVirtualNetworkLinksWithRegistration": 0,
  "provisioningState": "Succeeded",
  "resourceGroup": "polydgeuse1",
  "tags": null,
  "type": "Microsoft.Network/privateDnsZones"
}
```

```
rllib3.connectionpool : https://management.azure.com:443 "DELETE /subscriptions/a9f4e502-9188-4e9c-857f-532dd66f5d0c/resourceGroups/polydgeuse1/providers/Microsoft.Network/privateDnsZones/documents.azure.com?api-version=2018-09-01 HTTP/1.1" 409 114
msrest.http_logger : Response status: 409
msrest.http_logger : Response headers:
msrest.http_logger : 'Cache-Control': 'no-cache'
msrest.http_logger : 'Pragma': 'no-cache'
msrest.http_logger : 'Content-Length': '114'
msrest.http_logger : 'Content-Type': 'application/json; charset=utf-8'
msrest.http_logger : 'Expires': '-1'
msrest.http_logger : 'x-ms-failure-cause': 'gateway'
msrest.http_logger : 'x-ms-request-id': '92920106-a73e-461a-8dd0-e320966bcdc5'
msrest.http_logger : 'x-ms-correlation-request-id': '92920106-a73e-461a-8dd0-e320966bcdc5'
msrest.http_logger : 'x-ms-routing-request-id': 'GERMANYWESTCENTRAL:20200901T100854Z:92920106-a73e-461a-8dd0-e320966bcdc5'
msrest.http_logger : 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
msrest.http_logger : 'X-Content-Type-Options': 'nosniff'
msrest.http_logger : 'Date': 'Tue, 01 Sep 2020 10:08:54 GMT'
msrest.http_logger : Response content:
msrest.http_logger : {"error":{"code":"CannotDeleteResource","message":"Can not delete resource before nested resources are deleted."}}
msrest.exceptions : Can not delete resource before nested resources are deleted.
cli.azure.cli.core.util : Can not delete resource before nested resources are deleted.
Can not delete resource before nested resources are deleted.
```
network
Based on the error output, I think the service protects against deletion in this situation while there is a nested resource linked to it.
And the docs say:
> Private DNS zone cannot be deleted unless all virtual network links to it are removed.

Could you please check whether there are some resources linked to it and remove them first?
If you insist that the nested resource should be deleted automatically, I will mark this issue as Service Attention to let the service guy help.
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @aznetsuppgithub.
@digeler Also, you could provide feedback in the page https://docs.microsoft.com/en-us/azure/dns/private-dns-overview through that feedback button
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @dnssuppgithub.
Hi, I experienced the same issue: I can't delete my private dns zone, which has no nested resources (no vnet link, only the automatically created SOA record). I am wondering, is it a known bug? And is there any plan on fixing it? Wondering if we should file an Azure support ticket to get some help deleting it?
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @dnssuppgithub.
Issue Details
| Author: | digeler |
|---|---|
| Assignees: | haroldrandom |
| Labels: | |
| Milestone: | Backlog |
I also ran into this problem today.
Had this exact problem today. I tried deleting the resource-group in which the DNS zone was located and that actually finished successfully. But I imagine not everyone can afford to delete the whole resource-group...
Hi, same issue here. It seems that if you try to move the resource somewhere else you can see that there is still a linked vnet (even though it's not currently visible). The only solution I found so far is to wait... and retry and wait.
Hey, I have the same situation: created a private dns zone, tried to link it to a vnet (it failed, because the vnet already has a dns zone with auto-registration).
Now I am trying to create empty zone, but it throws: "Can not delete resource before nested resources are deleted."
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @dnssuppgithub.
Issue Details
| Author: | digeler |
|---|---|
| Assignees: | msyyc |
| Labels: | |
| Milestone: | Backlog |
As a workaround you can move the private dns zone into a new resource group and then just delete the newly created resource group.
@BMeyn unfortunately this solution does not work for me, it's not possible to move the DNS zone, stuck in some faulty state now.
@BMeyn's solution works. When deleting the resource group, it highlighted an additional resource type that I did not see in my original resource group and I think this is the "nested resource" it's complaining about. It's this type: Microsoft.Network/privateDnsZones/virtualNetworkLinks
This also happens in the Portal; the error is:
Same issue for me. Since 6 months, is there any official fix from Azure?
network service team should look into this.
What worked for me is to delete first the Virtual network links before trying to delete the zone.
> What worked for me is to delete first the Virtual network links before trying to delete the zone.

@montaro Thank you! That worked for me as well
I'm in the same situation.
I had the same issue this morning. The problem was that the vnet link was in a bad state. For some reason it was not showing up in the portal. I had to add the vnet link to the private dns zone and delete it once again to be able to delete the private dns zone.
FIX! Go into resource group where you are trying to delete private DNS. Check off the "show hidden types". A vnet link for private dns will show up now. Delete that first, then delete private dns. Done.
Delete the attached "microsoft.network/privatednszones/virtualnetworklinks" (hidden) resources to delete the "Private DNS zone".
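
The fix described in the comments above (remove the virtual network links first, then the zone), written out with the Azure CLI as an added example that is not part of the original thread. The function names are hypothetical, and the resource group and zone name are supplied by the caller.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): delete every virtual network link
# under a private DNS zone, then the zone itself.

# Print link names, one per line, from the zone's child collection instead of
# relying on the zone's numberOfVirtualNetworkLinks counter (0 in the report).
list_vnet_links() {
  az network private-dns link vnet list \
    --resource-group "$1" --zone-name "$2" \
    --query "[].name" --output tsv
}

# Returns 0 when the zone is deleted, 2 when links survive the delete calls
# (the "bad state" case from the comments), 1 on any other az failure.
delete_private_dns_zone() {
  local rg="$1" zone="$2" links link
  links="$(list_vnet_links "$rg" "$zone")" || return 1
  # Link names cannot contain whitespace, so word splitting is safe here.
  for link in $links; do
    echo "deleting vnet link: $link" >&2
    az network private-dns link vnet delete \
      --resource-group "$rg" --zone-name "$zone" --name "$link" --yes || return 1
  done
  # Re-list before touching the zone: a link that is still present would
  # make the zone delete fail with 409 CannotDeleteResource again.
  links="$(list_vnet_links "$rg" "$zone")" || return 1
  if [ -n "$links" ]; then
    echo "links still present under $zone, zone not deleted: $links" >&2
    return 2
  fi
  az network private-dns zone delete --resource-group "$rg" --name "$zone" --yes
}

# Usage: ./script.sh <resource-group> <zone-name>
if [ "$#" -eq 2 ]; then
  delete_private_dns_zone "$1" "$2"
fi
```
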
I have the following error:
'xxx' does not have authorization to perform action 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups/delete' over scope 'yyy'
However, the provider-operation Microsoft.Network/privateEndpoints/privateDnsZoneGroups/delete does not exist.
Any ideas?
You need to be assigned contributor role in the IAM menu of the resource you want to delete.

> You need to be assigned contributor role in the IAM menu of the resource you want to delete.

@fidelcasto If your answer is a reply to my post, I don't want to assign the contributor role. Instead I'm working on a custom role for a service-principal in azure-devops pipeline. However the failed provider-operation does not exist.
> FIX! Go into resource group where you are trying to delete private DNS. Check off the "show hidden types". A vnet link for private dns will show up now. Delete that first, then delete private dns. Done.

Excellent fix!
For my Azure subscription the view has changed/updated: indeed go to the resource group, click on "Manage View", then click on "Show Hidden Types".
> [dcnsakthi](https://github.com/dcnsakthi) commented [on Jan 24](https://github.com/Azure/azure-cli/issues/15010#issuecomment-1019893921)
>
> Delete the attached "microsoft.network/privatednszones/virtualnetworklinks" (hidden) resources to delete the "Private DNS zone".

This resolved the issue for me.