JanNuaman-2253 asked GitaraniSharmaMSFT-4262 commented

Cannot Delete Azure Firewall

Hi Folks,

I am not able to delete Azure Firewall; error:
Failed to delete the Azure Firewall 'AZFW01'. Error: Azure Firewall AZFW01 failed to dereference Firewall Policy AZ-VNET-RG/providers/Microsoft.Network/firewallPolicies/FirewallPolicy_AZFW01'>FirewallPoli

When I try to remove the VNet associations, I get the error below:
Failed to update the association for the resource 'AZFW01'. Error: Azure Firewall AZFW01 failed to dereference Firewall Policy AZ-VNET-RG/providers/Microsoft.Network/firewallPolicies/FirewallPolicy_AZFW01'>Firew

I tried deallocating and reallocating the Firewall >> did not work
I tried to force delete using PowerShell >> nothing works
Tried deleting the RG itself, which contains FW + Policy + VNET; it failed with error:
Failed to delete resource group AZ-VNET-RG: Deletion of resource group 'AZ-VNET-RG' did not finish within the allowed time as resources with identifiers 'Microsoft.Network/firewallPolicies/FirewallPolicy_AZFW01,Microsoft.Network/azureFirewalls/AZFW01' could not be deleted. The provisioning state of the resource group will be rolled back. The tracking Id is '5672a485-e976-4fdb-8fa9-f890536f7b1b'. Please check audit logs for more details. (Code: ResourceGroupDeletionTimeout) Firewall Policy '/subscriptions/9ddacc47-095f-476e-8bfb-c05da70720a8/resourcegroups/AZ-VNET-RG/providers/Microsoft.Network/firewallPolicies/FirewallPolicy_AZFW01' can not be deleted since there are Azure Firewalls using this policy. (Code: FirewallPolicyHasAzureFirewallReferences, Target: /subscriptions/9ddacc47-095f-476e-8bfb-c05da70720a8/resourceGroups/AZ-VNET-RG/providers/Microsoft.Network/firewallPolicies/FirewallPolicy_AZFW01) The request to delete the resource 'Microsoft.Network/azureFirewalls/AZFW01' failed. subscription id '9ddacc47-095f-476e-8bfb-c05da70720a8', activity id '034b40e3-7874-4b14-b9ad-c37f636f51ce', request correlation id '5672a485-e976-4fdb-8fa9-f890536f7b1b'. (Code: ResourceDeletionFailed, Target: /subscriptions/9ddacc47-095f-476e-8bfb-c05da70720a8/resourceGroups/AZ-VNET-RG/providers/Microsoft.Network/azureFirewalls/AZFW01)

Totally stuck, and I don't want to spend any more money for using Azure Firewall.

Can anyone help?

Thanks,


Hello @JanNuaman-2253 ,

The error says "Azure Firewall AZFW01 failed to dereference Firewall Policy AZ-VNET-RG/providers/Microsoft.Network/firewallPolicies/FirewallPolicy_AZFW01".

Could you confirm if the Azure Firewall "AZFW01" was unlinked from the Azure Firewall policy "FirewallPolicy_AZFW01" before you tried a delete?
If no, then you have to unlink the Azure Firewall first and then try deleting the Azure Firewall & Firewall policy either via portal/PowerShell.

Could you also confirm the Provisioning state of the Azure Firewall and Firewall policy? Are they in succeeded/failed/updating state?

You can check the Provisioning state of the Azure Firewall and Firewall policy by going to its Overview blade in the portal as shown below:

183609-image.png

Regards,
Gita
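
The sequence the comment above describes (check provisioning state, unlink the policy, then delete the firewall and the policy), as an added PowerShell example that is not part of the original thread. It assumes the Az.Network module and a signed-in session, takes the resource names from the error messages in the question, and assumes that clearing the firewall's `FirewallPolicy` property and saving with `Set-AzFirewall` removes the reference.

```powershell
# Added example, not from the thread. Names are taken from the posted errors.
$rg         = 'AZ-VNET-RG'
$fwName     = 'AZFW01'
$policyName = 'FirewallPolicy_AZFW01'

$fw     = Get-AzFirewall       -Name $fwName     -ResourceGroupName $rg
$policy = Get-AzFirewallPolicy -Name $policyName -ResourceGroupName $rg

# 1. Report the provisioning states and the policy the firewall still references.
[pscustomobject]@{
    FirewallState  = $fw.ProvisioningState
    PolicyState    = $policy.ProvisioningState
    LinkedPolicyId = $fw.FirewallPolicy.Id
} | Format-List

# 2. Do not start another write while an operation is still in progress.
#    (Choice made for this example: 'Failed' is reported above but not blocked.)
$busy = 'Updating', 'Deleting'
if ($fw.ProvisioningState -in $busy -or $policy.ProvisioningState -in $busy) {
    Write-Warning 'An operation is still running on the firewall or policy; retry later.'
    return
}

# 3. Unlink the policy from the firewall.
#    Assumption: a null FirewallPolicy saved via Set-AzFirewall drops the reference.
if ($fw.FirewallPolicy -and $fw.FirewallPolicy.Id -ieq $policy.Id) {
    $fw.FirewallPolicy = $null
    $fw = Set-AzFirewall -AzureFirewall $fw
    Write-Host "Firewall state after unlink: $($fw.ProvisioningState)"
}

# 4. Delete in dependency order: the firewall first, then the policy it used.
Remove-AzFirewall       -Name $fwName     -ResourceGroupName $rg -Force
Remove-AzFirewallPolicy -Name $policyName -ResourceGroupName $rg -Force
```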



1 Answer

ManuPhilip answered

I think there are orphaned links associated with the resources you are trying to delete, and because of that, the deletion is not working. We have the following options:
- Update the objects like Network rules collection associated with the firewall


In order to do that, try the following.
The name variables are given on the basis of the error messages posted. You still need to find out the NetworkRuleCollectionGroupName and substitute it in the following command. Note that I am just updating the 'Priority' value to 220 to have a simple update in the rule.

 # Load the firewall policy named in the error message
 $firewallpolicy = Get-AzFirewallPolicy -Name FirewallPolicy_AZFW01 -ResourceGroupName AZ-VNET-RG
 # Load the rule collection group (substitute the real group name)
 $networkrulecollectiongroup = Get-AzFirewallPolicyRuleCollectionGroup -Name "NetworkRuleCollectionGroupName" -ResourceGroupName AZ-VNET-RG -AzureFirewallPolicyName FirewallPolicy_AZFW01

 # Re-save the group with Priority 220, keeping its existing rule collections
 Set-AzFirewallPolicyRuleCollectionGroup -Name "NetworkRuleCollectionGroupName" -Priority "220" -FirewallPolicyObject $firewallpolicy -RuleCollection $networkrulecollectiongroup.Properties.RuleCollection

If the above commands work well, try the deletion again.
- If, for any reason, the steps are not helping, we need the Microsoft team's support to fix this by deleting the orphaned objects in the backend. If you have a paid subscription, raise a case. Otherwise, shoot an email to AzCommunity@microsoft.com with the details, so that someone can support you further.


--please don't forget to upvote and Accept as answer if the reply is helpful--
