It is not possible to remove Load Balancer due to Deny Assignment

Question

It is not possible to remove Load Balancer due to Deny Assignment

DimaH 0

hi

I have faced a problem when deleting Load Balancer and Public IP resources in one of my resource groups. The error looks like this:

Failed to delete load balancer 'lb-name'. Error: The client '******@SomeOrg.onmicrosoft.com' with object id '6744e94e-f29a-4f37-ad20-0c5e30960f44' has permission to perform action 'Microsoft.Network/loadBalancers/delete' on scope 'ME_RGname/providers/Microsoft.Network/loadBalancers/lb-name'>lb-name'; however, the access is denied because of the deny assignment with name 'Container Apps Managed Resource Group Deny Assignment 56db925f-38fa-42ba-a169-dda25d628198' and Id '56db925f38fa42baa169dda25d628198' at scope '/subscriptions/XXXYYY/resourceGroups/ME_RGname/providers/Microsoft.Network/loadBalancers/lb-name'.

The main problem is that Deny assignment is in read-only mode and even if you have subscription owner or global administrator rights, there is no way to delete it.

The same Deny assignment is assigned to the resource group in which Load Balancer is located and is inherited by all nested resources, including Public IP.

I have already attempted to remove these resources using Azure deployment stacks, but it didn't help as the error keeps recurring.

Do you have any ideas how to remove these resources?

1 answer

Your answer

Answer 1

TP 118.5K

Hi,

Certain Azure services create a resource group containing managed infrastructure resources. You can't delete these resources directly, rather, you must delete the resource that requires them and they will be automatically deleted.

By default, when you create Azure Container Apps Workload profiles environment deployed into your own virtual network, a resource group starting with ME_ is created to contain infrastructure resources (Azure Load Balancer is one of the resources).

If Container Apps is the reason the resources exist and you no longer need it, you may consider deleting so that the related managed resource group (and its resources) will be removed. Please make certain you are no longer using before deleting.

Managed resources

https://learn.microsoft.com/en-us/azure/container-apps/networking?tabs=workload-profiles-env%2Cazure-cli#managed-resources

Please click Accept Answer and upvote if the above was helpful. If something is unclear please add a comment below.

Thanks.

-TP

DimaH 0 Reputation points

2025-04-25T05:46:18.3033333+00:00

Thanks for the quick response TP.

Azure Container Apps that my resource group was associated with was in another subscription, but now it is deleted with all resources. So in fact my problematic resources have no parent now.
TP 118.5K Reputation points

2025-04-25T06:05:10.3866667+00:00

Azure Container Apps that my resource group was associated with was in another subscription, but now it is deleted with all resources. So in fact my problematic resources have no parent now.

Based on your description you will need to open support case so that engineer can delete the resource group, load balancer, and public IP address from the backend. The Deny assignments are system protected.

Do you have Standard level support or higher? Standard lets you create technical support case in Azure portal.

In the meantime you could delete the rules from the load balancer so that charges won't continue to accrue.
DimaH 0 Reputation points

2025-04-25T06:13:59.51+00:00

Yes, I have already removed the load balancing rules. but the support plan is Basic (to my regret).
TP 118.5K Reputation points

2025-04-25T06:27:00.18+00:00

Yes, I have already removed the load balancing rules. but the support plan is Basic (to my regret).

You could upgrade to Developer support, which costs less than Standard. Once you have Developer support, you can post a new question here, since that is where support is provided for Developer level.

When Microsoft Employee or External Staff responds you can explain that you need engineer to delete ME_* resource group and its contents from the backend.

Article below explains how Priority Community Support for Developer support plan works:

https://learn.microsoft.com/en-us/azure/azure-portal/supportability/priority-community-support

If you upgrade to Standard you can go ahead and create case yourself via the portal.

Whichever plan you choose, you could set it to not auto-renew so that you only pay for 1 month, assuming you don't need it going forward.
G Sree Vidya 905 Reputation points Microsoft External Staff

2025-04-28T07:02:51.95+00:00

Hi DimaH

I wanted to follow up and check if you had the opportunity to review the information provided by TP in our previous post.

Kindly let us know if the above helps or you need further assistance on this issue.
G Sree Vidya 905 Reputation points Microsoft External Staff

2025-04-29T05:24:45.2966667+00:00

Hi DimaH

Following up to see if the below suggestion was helpful. And, if you have any further query do let us know.

Share via

It is not possible to remove Load Balancer due to Deny Assignment

1 answer

Your answer