AKS resource deletion blocked due to cross-subscription VM Scale Set dependency

Question

AKS resource deletion blocked due to cross-subscription VM Scale Set dependency

Ben Divsalar 0

We are unable to delete an AKS-managed Network Security Group because Azure reports it is still in use by multiple Virtual Machine Scale Sets. However, the VM Scale Sets referenced in the error message exist in a different subscription that is not visible or accessible to our current tenant/account.
Error received:

Cannot delete network security group ... since it is in use by virtual machine scale set ...
(Code: NetworkSecurityGroupInUseByVirtualMachineScaleSet)

The error references VM Scale Sets under subscription ID:

When attempting to switch to this subscription using Azure CLI, we receive:

This indicates that the AKS managed infrastructure (VMSS) is owned by a subscription or tenant that we do not currently have access to, while the Network Security Group exists in our visible subscription.

Shraddha Pandey 540 Reputation points Microsoft External Staff Moderator

2025-12-15T13:20:37.5866667+00:00
Hey @Ben Divsalar ,

it sounds like you're running into an issue where you're unable to delete an AKS-managed Network Security Group (NSG) because it's being referenced by Virtual Machine Scale Sets (VMSS) that exist in a different subscription. This can indeed be a bit tricky, especially since you don't have access to that subscription.

Here's what you can try to resolve the situation:

Identify Dependencies: Since the NSG cannot be deleted due to its association with VMSS, you need to identify any dependencies that might be holding onto it. The following command can help you check for dependent resources:
az network nsg show --name <nsg-name> --resource-group <resource-group-name>

Check for Locked Resources: Sometimes resources can be locked, which prevents deletion. You can check for any locks on the NSG by going to the Azure portal, navigating to the NSG, and then checking the "Locks" section. If you find a lock, it could be set to Delete, which you might need to remove.

Use the Activity Log: Inspect the Azure Activity Log for more information on why the NSG is considered in use. This log can provide clues on the resources that are holding onto the NSG:
az monitor activity-log list --resource-group <resource-group-name> --start-time <time>

Reach out to Support: Since the dependent VMSS is in a different subscription, if you don't have access to that subscription, you may need to contact Azure support for assistance. They can help verify the ownership of those resources and assist you in resolving the dependency issue.

Policy/Permission Check: Ensure there are no policies preventing the deletion of resources in your current subscription. Lack of permissions may also prevent certain actions, so confirming that you have the right roles is vital.

These steps should help you in identifying the cause of the block and potentially resolving the issue. Unfortunately, if the VMSS is indeed owned by another subscription and you can't access it, you may need to rely on support for further assistance.

Hope this helps! If you have more details or get stuck at any step, feel free to ask!

References:

Troubleshoot LoadBalancerInUseByVirtualMachineScaleSet or NetworkSecurityGroupInUseByVirtualMachineScaleSet error code

A public IP address/subnet/network security group in use cannot be deleted

Resolve issues with failed delete operations on an Azure Kubernetes Service

Azure Activity Log - How to access and use

2 answers

Your answer

Answer 1

Hi Shraddha

I ran the cli command and noticed there are three networkInterfaces in different subscription under my NSG listed below. When I go to netword interfaces in portal, it says I dont have access where I am the admin. I dont know who's this subscription: fdd74609-b664-49fe-8877-97471142250f

"networkInterfaces": [

{

  "id": "/subscriptions/fdd74609-b664-49fe-8877-97471142250f/resourceGroups/MC_BLUECLIFF-0EA529F0-RG_BLUECLIFF-0EA529F0_UKSOUTH/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/AKS-SYSTEMPOOL-41551473-VMSS/VIRTUALMACHINES/0/NETWORKINTERFACES/AKS-SYSTEMPOOL-41551473-VMSS",

  "resourceGroup": "MC_BLUECLIFF-0EA529F0-RG_BLUECLIFF-0EA529F0_UKSOUTH"

},

{

  "id": "/subscriptions/fdd74609-b664-49fe-8877-97471142250f/resourceGroups/MC_BLUECLIFF-0EA529F0-RG_BLUECLIFF-0EA529F0_UKSOUTH/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/AKS-SYSTEMPOOL-41551473-VMSS/VIRTUALMACHINES/1/NETWORKINTERFACES/AKS-SYSTEMPOOL-41551473-VMSS",

  "resourceGroup": "MC_BLUECLIFF-0EA529F0-RG_BLUECLIFF-0EA529F0_UKSOUTH"

},

{

  "id": "/subscriptions/fdd74609-b664-49fe-8877-97471142250f/resourceGroups/MC_BLUECLIFF-0EA529F0-RG_BLUECLIFF-0EA529F0_UKSOUTH/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/AKS-SYSTEMPOOL-41551473-VMSS/VIRTUALMACHINES/25/NETWORKINTERFACES/AKS-SYSTEMPOOL-41551473-VMSS",

  "resourceGroup": "MC_BLUECLIFF-0EA529F0-RG_BLUECLIFF-0EA529F0_UKSOUTH"

}

],

Answer 2

It seems Azure is creating this RG for internal use by CAE. Removed all Container Apps and Container App Environment, then this MC_..._ resource group has been removed. I create the Container again (using Bicep) a new MC_ names are creating with two public IP, NSG and Load balancer.

Surprisingly when I ran "az network nsg show" command, it is now showing networkInterfaces for the creating nsg in different subscription and only two NI this time

"networkInterfaces": [

{

  "id": "/subscriptions/ec506cc4-04f0-4919-9c24-d6e44c975089/resourceGroups/MC_SALMONBAY-F31C6596-RG_SALMONBAY-F31C6596_UKSOUTH/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/AKS-SYSTEMPOOL-33427451-VMSS/VIRTUALMACHINES/0/NETWORKINTERFACES/AKS-SYSTEMPOOL-33427451-VMSS",

  "resourceGroup": "MC_SALMONBAY-F31C6596-RG_SALMONBAY-F31C6596_UKSOUTH"

},

{

  "id": "/subscriptions/ec506cc4-04f0-4919-9c24-d6e44c975089/resourceGroups/MC_SALMONBAY-F31C6596-RG_SALMONBAY-F31C6596_UKSOUTH/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/AKS-SYSTEMPOOL-33427451-VMSS/VIRTUALMACHINES/1/NETWORKINTERFACES/AKS-SYSTEMPOOL-33427451-VMSS",

  "resourceGroup": "MC_SALMONBAY-F31C6596-RG_SALMONBAY-F31C6596_UKSOUTH"

}

],

Shraddha Pandey 540 Reputation points Microsoft External Staff Moderator

2025-12-16T10:28:10.3233333+00:00

Hi Ben Divsalar, Has the issue been resolved, or do you still need any further assistance?

Thank You!

Share via

AKS resource deletion blocked due to cross-subscription VM Scale Set dependency

References:

2 answers

Your answer