How to delete a Front Door resource locked by a domain I don't own
Azure Front Door does not allow frontend endpoint deletion if the endpoint's domain still points to the Front Door using a CNAME record. The same holds even when there is just the verification domain (afdverify).

409 Conflict
Cannot delete frontend endpoint "www.example.com" because it is still directly or indirectly (using "afdverify" prefix) CNAMEd to front door "example.azurefd.net". Please remove the DNS CNAME records and try again.

While I hate that there is no way to delete such a frontend, there is a way to deal with that even if the DNS zone cannot be changed by the Front Door owner -- just don't assign the frontend endpoint to any routing rule and don't mind it; it consumes just a bit of developer's attention, which makes it somewhat bearable.

The problem comes with the fact that such a frontend prevents even the deletion of the whole Front Door, which in turn prevents deletion of the whole resource group.

Why is that a problem? Consider that a single subscription is shared by the whole dev team and someone creates a Front Door instance for experiments, uses his own domain and later leaves the team. Now the resource consumes money as there has to be at least one routing rule for the default frontend endpoint and routing rules are paid per time unit, and there is no obvious way to get rid of it.

Is there a way to delete such a Front Door instance besides contacting Microsoft support or asking the owner of the domain to pretty please delete the records pointing to the Front Door?

Grubby answered 5/5, 2021 at 8:32 Comment(4)
I would look into policy to prevent people from using any domain if this is an issue with your team. Otherwise I would create a temp subscription, set a budget of 1 dollar and move such resources there so they don't waste your money.Preconception
Thanks for the suggestions! I am not familiar with Azure Policy, but I've heard about it and will look into how it could help us. As far as I know, Front Door resource cannot be moved across subscriptions -- but I might be wrong and I will look into it once more.Grubby
Had a look at budgets and their scopes. They can be set on resource group level, too. It seems budgets are notification mechanisms that may have automation attached, but I have no idea how they could be used to actually limit the cost of the resource group in this case. The examples talk about stopping virtual machines, but there is no way to stop Front Door.Grubby
Found a similar Q: https://mcmap.net/q/1923043/-not-able-to-delete-a-custom-domain-in-azure-front-door/2157640Grubby

We had the same issue. While checking the Microsoft documentation we found that Microsoft has introduced this breaking change (Terraform provider for ARM issue #11231).

But it seems like the CNAME check can be disabled for a subscription via Azure CLI az feature:

az feature register --namespace Microsoft.Network --name BypassCnameCheckForCustomDomainDeletion

First, run the above command and then go to the Front Door resource and try deleting it.

If you need to enable the CNAME check again:

az feature unregister --namespace Microsoft.Network --name BypassCnameCheckForCustomDomainDeletion

If you need to check the status of the feature:

az feature list -o table --query "[?contains(name, 'Microsoft.Network/BypassCnameCheckForCustomDomainDeletion')].{Name:name,State:properties.state}"
Cari answered 14/2, 2022 at 8:41 Comment(6)
It seems that changing register to unregister should revert the effect. learn.microsoft.com/en-us/cli/azure/… Also, I found that this is the way to check the status of the feature registration: az feature list -o table --query "[?contains(name, 'Microsoft.Network/BypassCnameCheckForCustomDomainDeletion')].{Name:name,State:properties.state}"Grubby
By 11231, you mean this Terraform issue? github.com/hashicorp/terraform-provider-azurerm/issues/11231Grubby
Apologies for the unclear answer. I was referring to the Terraform issue github.com/hashicorp/terraform-provider-azurerm/issues/11231Cari
I took the liberty of editing your answer to include the related info we discussed here. Feel free to edit further.Grubby
Even though I registered the BypassCnameCheckForCustomDomainDeletion feature, I couldn't delete the Custom Domain through either the portal or the CLI. Do you have any other recommendations?Chalmers
In Azure PS, the cmdlets are Get-AzProviderFeature, Register-AzProviderFeature, and Unregister-AzProviderFeature. Register-AzProviderFeature -FeatureName "BypassCnameCheckForCustomDomainDeletion" -ProviderNamespace "Microsoft.Network"Grubby
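An added example (not code from this thread, from Microsoft, or from the Terraform issue): a shell script that first runs the DNS check the 409 message asks for, looking at each custom domain you pass in and its afdverify-prefixed verification name, and only then falls back to the feature-flag route from the answer above before deleting the Front Door. It assumes a POSIX shell, `dig` on PATH and a logged-in az CLI with the front-door extension; the Front Door name, resource group, `*.azurefd.net` host and custom domains are placeholders supplied on the command line. The `az provider register` call after feature registration is the usual step for Azure preview features rather than something the thread states.

```shell
#!/bin/sh
# Added example, not code from the thread or from Microsoft. Assumes a POSIX
# shell, `dig` on PATH, and a logged-in `az` CLI with the front-door extension.
# All names below are placeholders passed on the command line, e.g.:
#   sh fd-delete.sh myfrontdoor my-rg example.azurefd.net www.example.com
set -eu

FEATURE_NS="Microsoft.Network"
FEATURE_NAME="BypassCnameCheckForCustomDomainDeletion"

# The 409 names two ways a domain can still point at the Front Door: a CNAME to
# the host itself, or a verification CNAME to the afdverify-prefixed host.
# Pure string logic on one resolver answer (trailing dots as printed by
# `dig +short` are tolerated), so it can be checked without network access.
cname_points_at_frontdoor() {
  hop="${1%.}"
  want="${2%.}"
  case "$hop" in
    "$want" | "afdverify.$want") return 0 ;;
    *) return 1 ;;
  esac
}

# DNS names that must be clean for one custom domain: the domain itself and
# its afdverify-prefixed verification name.
names_to_check() {
  printf '%s\nafdverify.%s\n' "$1" "$1"
}

# Resolve each name and print every record that still targets the Front Door.
# `dig +short NAME` follows CNAME chains and prints each hop, so an indirect
# CNAME (www -> cdn.example.com -> example.azurefd.net) is caught as well.
# Returns 1 when anything blocking was found, 0 when DNS is clean.
find_blocking_records() {
  fd="$1"; shift
  blocking=0
  for domain in "$@"; do
    for name in $(names_to_check "$domain"); do
      for answer in $(dig +short "$name"); do
        if cname_points_at_frontdoor "$answer" "$fd"; then
          echo "BLOCKING: $name -> $answer"
          blocking=1
        fi
      done
    done
  done
  return "$blocking"
}

# The feature-flag route: register the preview feature, wait until it reports
# Registered, then re-register the resource provider so the flag takes effect
# (the usual step for Azure preview features; not mentioned in the thread).
enable_bypass_feature() {
  az feature register --namespace "$FEATURE_NS" --name "$FEATURE_NAME" >/dev/null
  while [ "$(az feature show --namespace "$FEATURE_NS" --name "$FEATURE_NAME" \
               --query properties.state -o tsv)" != "Registered" ]; do
    echo "waiting for $FEATURE_NAME to register..."
    sleep 15
  done
  az provider register --namespace "$FEATURE_NS" >/dev/null
}

main() {
  fd_name="$1"; rg="$2"; fd_host="$3"; shift 3
  if find_blocking_records "$fd_host" "$@"; then
    echo "No CNAME records point at $fd_host; deleting $fd_name."
  else
    echo "The records above still point at $fd_host. Remove them if you control"
    echo "the zone; otherwise the only self-service route is the bypass feature."
    echo "A bypassed deletion leaves those CNAMEs dangling, which is the"
    echo "condition Microsoft's check was introduced to prevent."
    enable_bypass_feature
  fi
  az network front-door delete --name "$fd_name" --resource-group "$rg"
}

# Only run when invoked with arguments, so the functions can be sourced/tested.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

The first two functions are pure string handling and can be exercised without network access; `find_blocking_records` and `main` need DNS and the CLI. Treat the printed BLOCKING lines as the list of names that still need cleanup by whoever controls the zone, because a deletion forced through the bypass does nothing about them.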

On 5 April 2021 I received an email from Microsoft that the following change was introduced in Azure:

On 9 April 2021, we're updating Azure Front Door and Content Delivery Network to help prevent dangling DNS entries and the security risks they create. At that time, we'll start requiring the removal of canonical name (CNAME) records for Azure Front Door and Content Delivery Network resource endpoints from DNS before the resources can be deleted.

To delete Azure Front Door or Content Delivery Network resources, you must first remove the resource endpoint CNAME records from DNS starting on 9 April 2021.

If you have questions, get answers from community experts in Microsoft Q&A. If you have a support plan and you need technical help, please create a support request.

If you do not own that domain at all, the best you can do is to contact Microsoft through a Support Plan or your CSP provider and ask for deletion or removal of the domain from your Front Door instance.

Goldsberry answered 7/5, 2021 at 20:24 Comment(3)
I've found very similar wording in the tutorial for adding a custom domain to Front Door on MS Docs, in the "Clean up resources" section: To prevent dangling DNS entries and the security risks they create, starting from April 9th 2021, Azure Front Door requires removal of the CNAME records to Front Door endpoints before the resources can be deleted. Resources include Front Door custom domains, Front Door endpoints or Azure resource groups that have Front Door custom domain(s) enabled.Grubby
The same constraint is applied to custom domains of CDN and probably elsewhere too.Grubby
@Grubby + Miq... Thank you so much! This was exactly my issue for my storage account with a static website and CDN. I couldn't delete the CDN without first removing the CNAME records from my registrar. The initial issue was caused because you can only use a wildcard certificate on one and only one CDN domain endpoint. We had already used that certificate once! So to solve, purchase a separate certificate for each subdomain or use the Microsoft managed certificates. learn.microsoft.com/en-us/azure/frontdoor/…Tormentil

I had the same issue, but it was fixed like this: recreate the DNS zone and add a CNAME record for it. In your case, afdverify.example.com CNAME , then go to the Front Door resource and delete it. I think it will help you.

Fraze answered 9/5, 2021 at 6:34 Comment(1)
This fixed it for me too. To clarify, the reason I could not delete the Front Door was that the afdverify CNAME pointing to anything was missing. I added a CNAME record: afdverify -> anything.com. After waiting a few minutes, I was able to delete the Front Door. The FD delete error message is misleading.Peplum

© 2022 - 2024 — McMap. All rights reserved.