Challenge: Delete Virtual Machine in Microsoft Azure

Deleting a virtual machine in Microsoft Azure looks quite simple at first sight: Open the portal, select the VM to be deleted, click on “Delete”, read the confirmation message – and immediately become unsure.

VM Deletion Confirmation Message

Obviously, just deleting the VM resource is not sufficient to delete all resources related to a virtual machine in Azure. What I really like about this hint is the phrase “can be removed manually”. To be more accurate, it means “have to …”.

The reason why I call it a challenge to delete a VM in Azure might become more obvious by looking at the list of resources found after creation of a virtual machine.

Note: This post is part of a series of postings describing several aspects I found noticeable or good to know when I recently created a virtual machine in Microsoft Azure. “Notes and Observations when setting up a Virtual Machine in Microsoft Azure” gives an overview of all parts of the series.

Simplify Deletion at the Time of Creation

Planning the way the required resources will be distributed across different resource groups when setting up a new virtual machine is the key to simplifying the deletion of the VM and all its associated resources. The more resource groups, the harder the proper and complete cleanup.

One of the three things I identified for myself to be useful as upfront activities before creating a virtual machine in Microsoft Azure is to define how to structure resource groups, because the structure of the resource groups is, to me, among others, the key to easing proper cleanup.

Planning to create a stand-alone VM without recovery, I found it most helpful to put all resources into the same resource group, which is exclusively created for this single VM. When the VM is not needed any more, I just delete the related resource group and I’m done. Making sure all resources will be put into this resource group requires me to pay attention when I create the VM via the portal. In case I let the portal create resources automatically, it happens that it creates additional resource groups. So I have to create all resources by myself (click on the “create new” option where available) while creating the VM, or create the resources upfront and select them instead of letting the portal create new during the VM creation process.

In case I also want to add disaster recovery to this VM, a second exclusive resource group is required to collect all recovery resources for the recovery location. To delete such a VM and all its resources will then mean I have to delete these two VM-specific resource groups only.

For more complex scenarios, I’m afraid the solution will become more complex too. Using tags might be helpful, but it really depends on the individual setup.

Will Disabling Replication Clear Resources?

Unfortunately, the answer is No 🙁 Some blob containers used for disk replication will remain within the storage account that was created for replication.

Any Chance in Case Chaos is already in Place?

In July 2015, a user suggested at Azure Feedback to delete VM with all associated resources. In June 2019, only four years later, the Azure IaaS Engineering Team reported “The work is being completed now and we will be able to expose it in a few months.” At the time of writing this post, again one year later, it is still not available.

Adam Bertram created a script to remove a virtual machine and associated resources. Looking at my list of resources found after creation of a Virtual Machine, I think his script is a good base, but has to be extended in case backup and / or recovery are implemented for the VM too.

If there is just a single VM to be deleted, and there are no other VMs found within your subscription, I think it is not worth implementing a script-based cleanup. In this case I think it is easier and less time-consuming to walk through the resources and delete them manually.

When there is a mixture of VMs that are still required and others that can be deleted, I am afraid it will become somewhere between hard and impossible to ensure that all non-required resources are deleted without impacting the required VMs. E.g. when looking at the blob containers of storage accounts created for recovery, I was not able to figure out which container is related to which virtual machine in case the same storage account is used for recovery of multiple VMs. Unfortunately, disabling replication on a VM did not remove all related blob containers during my tests.

Cleanup of Backup Data takes 14 Days

As I implemented a backup of my virtual machine, cleaning up all resources took a while longer, or, to be more specific, 14 days. Once a backup of the virtual machine was executed, backup items can be found in the corresponding Recovery Services vault. When you open the vault, stop the backup and delete the data, the status of the items changes to soft deleted. While having items in soft deleted state, you can recover the data. But, as long as there are items in soft deleted state within the vault, it cannot be deleted. So you have to be patient, set a reminder, wait 14 days, and then you will be able to delete the vault and the resource group it belongs to (in case all other resources of that group were already deleted).

Azure will also send two reminder e-mails. The first one arrives two days before the soft-deleted data will be deleted permanently (to give you the chance to recover), and the second three days later (that is, the day after deletion), telling you the data was finally deleted.

Immediately delete Vault Backups

It is possible to immediately remove deleted data. Matt Hansen’s post showed me how to do it. The setting, to me, is somehow hidden. I would have expected to find it within the Backup Configuration, but it is part of the Security Settings of the vault.

Recovery Service Vault Soft Delete Settings

Before changing the setting, please think twice, especially for production environments.

When soft delete functionality has been disabled, Azure also sends an e-mail notification.

I had items in soft deleted state before I disabled it. Still, deleting the vault was not possible due to these items. So I undeleted the backup item, manually deleted the backup data, and then was able to also delete the vault – without waiting another 14 days.

Soft Delete on Storage Accounts

It is also possible to enable soft delete on storage accounts. By default, it is disabled. For blobs, the setting can be found below “Blob service” / “Data Protection”. For file shares, it is “File service” / “Soft delete”.

Struggle to delete Recovery and Backup Resource Groups

When cleaning up all the resources created for the VM built for this post series, I thought I just had to delete all resource groups (as there were no others), and that’s it.

So I first deleted the resource group containing the “main” virtual machine, without any issues. But when I tried to delete the Azure Site Recovery resource group, it failed. This is the error message:

Failed to delete resource group rg-name-asr: Deletion of resource group ‘rg-name-asr’ failed as resources with identifiers ‘Microsoft.Compute/disks/vm-name_osdisk_1_7c479f64cfd0469f81a98392d1f97a42-ASRReplica,Microsoft.Compute/disks/vm-name_DataDisk_0-ASRReplica’ could not be deleted. The provisioning state of the resource group will be rolled back. … There is an active shared access signature outstanding for disk vm-name_osdisk_1_7c479f64cfd0469f81a98392d1f97a42-ASRReplica. Call EndGetAccess before attaching or deleting the disk. … There is an active shared access signature outstanding for disk vm-name_DataDisk_0-ASRReplica. Call EndGetAccess before attaching or deleting the disk. …

Well, using the portal to delete the disks (by deleting the owning resource group), I was wondering how to call EndGetAccess via the UI.

Looking at the disks, I noticed that the delete button was disabled and saw the following hint in the portal:

SA URL blocks Disk deletion

I canceled the export for both disks. Now the delete button was enabled. So I deleted the disks and was able to also delete the related resource group.
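The same fix from the command line, as an added example that is not part of the original post: "cancel export" in the portal corresponds to revoking the disk's shared access signature, which is the EndGetAccess operation the error asks for. It assumes the Azure CLI is installed and logged in; the function names are made up for this sketch, and the sample input is taken from the error message quoted above.

```shell
#!/bin/sh
# Added example, not from the original post. DRY_RUN=1 (default) only prints
# the az commands; DRY_RUN=0 executes them against the current subscription.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@" </dev/null; fi; }

# Extract the disk names from a ResourceGroupDeletionBlocked message on stdin.
sas_blocked_disks() {
    grep -o 'shared access signature outstanding for disk [^ ]*' |
        sed -e 's/.* for disk //' -e 's/\.$//' | awk '!seen[$0]++'
}

# Alternative source of names: ask Azure which disks still have a SAS.
active_sas_disks() {
    az disk list --resource-group "$1" \
        --query "[?diskState=='ActiveSAS'].name" --output tsv
}

# For each disk name on stdin: revoke the SAS (the EndGetAccess operation,
# "cancel export" in the portal), then delete the disk.
release_and_delete() {
    rg=$1
    while IFS= read -r disk; do
        [ -n "$disk" ] || continue
        run az disk revoke-access --resource-group "$rg" --name "$disk"
        run az disk delete --resource-group "$rg" --name "$disk" --yes
    done
}

# Sample input: the relevant sentences of the error message quoted above.
SAMPLE_ERROR='There is an active shared access signature outstanding for disk vm-name_osdisk_1_7c479f64cfd0469f81a98392d1f97a42-ASRReplica. Call EndGetAccess before attaching or deleting the disk.
There is an active shared access signature outstanding for disk vm-name_DataDisk_0-ASRReplica. Call EndGetAccess before attaching or deleting the disk.'

# Dry-run plan for the resource group named in that message.
plan_from_sample() {
    printf '%s\n' "$SAMPLE_ERROR" | sas_blocked_disks | release_and_delete "$1"
}
plan_from_sample rg-name-asr
```

With DRY_RUN=0, piping active_sas_disks into release_and_delete for the same resource group does the job without needing the error text.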

But that was not the last error I ran into. The next one popped up when I tried to delete the resource group that contained the Recovery Services Vault created for the VM backup. This was the error message:

Failed to delete resource group rg-name: Deletion of resource group ‘rg-name‘ failed as resources with identifiers ‘Microsoft.RecoveryServices/vaults/vault-name‘ could not be deleted. The provisioning state of the resource group will be rolled back. … Please check audit logs for more details. (Code: ResourceGroupDeletionBlocked) Vault cannot be deleted as there are existing resources within the vault. : vm-name Please ensure all containers have been unregistered from the vault and all private endpoints associated with the vault have been deleted, and retry operation. For more details, see https://aka.ms/AB-AA4ecq5 (Code: ServiceResourceNotEmptyWithBackendMessage, …)

Looking at the backup items of the vault, it turned out that the already deleted VM was still listed here. That kind of makes sense, to be able to restore the VM in case of accidental deletion. As I did not need the backup any more, I stopped the backup and deleted the backup data.

Unfortunately, I forgot to disable soft delete before deleting the backup. The result was the next error message:

Failed to delete resource group rg-name: Deletion of resource group ‘rg-name‘ failed as resources with identifiers ‘Microsoft.RecoveryServices/vaults/vault-name‘ could not be deleted. The provisioning state of the resource group will be rolled back. … Please check audit logs for more details. (Code: ResourceGroupDeletionBlocked) Recovery Services vault cannot be deleted as there are backup items in soft deleted state in the vault. The soft deleted items are permanently deleted after 14 days of delete operation. Please try vault deletion after the backup items are permanently deleted and there is no item in soft deleted state left in the vault. For more information, refer https://aka.ms/SoftDeleteCloudWorkloads. The registered items are : vm-name Please ensure all containers have been unregistered from the vault and all private endpoints associated with the vault have been deleted, and retry operation. For more details, see https://aka.ms/AB-AA4ecq5 (Code: ServiceResourceNotEmptyWithBackendMessage, …)

OK, as I didn’t want to wait another 14 days to complete the housekeeping, I disabled soft delete, undeleted all items in soft deleted state, deleted them again, and immediately I was also able to delete the Recovery Services Vault.
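The order of those steps (also described under “Immediately delete Vault Backups”) as an added Azure CLI example that is not part of the original post. It assumes the Azure CLI is installed and logged in, that the backup item is an Azure VM whose name serves as both container and item name, and it uses the placeholder names from the error messages; the function names are made up for this sketch.

```shell
#!/bin/sh
# Added example, not from the original post. DRY_RUN=1 (default) only prints
# the az commands; DRY_RUN=0 executes them against the current subscription.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@" </dev/null; fi; }

# Run "az backup protection <verb>" on the VM's backup item. Assumption: for
# an Azure VM backup the VM name is accepted as container and item name
# when the two type flags are given.
on_item() {
    verb=$1; shift
    run az backup protection "$verb" --resource-group "$rg" \
        --vault-name "$vault" --container-name "$vm" --item-name "$vm" \
        --backup-management-type AzureIaasVM --workload-type VM "$@"
}

# purge_vault <resource-group> <vault> <vm-name> <already soft-deleted: yes|no>
purge_vault() {
    rg=$1 vault=$2 vm=$3 soft_deleted=${4:-no}
    # 1. Disable soft delete first; otherwise step 3 just soft-deletes again.
    run az backup vault backup-properties set --resource-group "$rg" \
        --name "$vault" --soft-delete-feature-state Disable
    # 2. An item already in soft-deleted state has to be undeleted before
    #    it can be deleted permanently.
    if [ "$soft_deleted" = yes ]; then on_item undelete; fi
    # 3. Stop protection and delete the recovery points.
    on_item disable --delete-backup-data true --yes
    # 4. The vault is now empty and can go, followed by its resource group.
    run az backup vault delete --resource-group "$rg" --name "$vault" --yes
}

# Dry run with the placeholder names used in the error messages above.
purge_vault rg-name vault-name vm-name yes
```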

Links

Resources found after Creation of a Virtual Machine in Microsoft Azure
Notes and Observations when setting up a Virtual Machine in Microsoft Azure
Upfront Activities before creating a Virtual Machine in Microsoft Azure
Azure Feedback “Delete VM with all associated resources”
Adam Bertram’s “How to Remove an Azure Virtual Machine and Cleanup with PowerShell”
Matt Hansen’s “Delete Azure Recovery Vault Backups Immediately”