Azure Front Door does not allow frontend endpoint deletion if the endpoint's domain still points to the Front Door using a CNAME record. The same holds even when there is just the verification domain (afdverify).
409 Conflict
Cannot delete frontend endpoint "www.example.com" because it is still directly or indirectly (using "afdverify" prefix) CNAMEd to front door "example.azurefd.net". Please remove the DNS CNAME records and try again.
While I hate that there is no way to delete such a frontend, there is a way to deal with that even if the DNS zone cannot be changed by the Front Door owner -- just don't assign the frontend endpoint to any routing rule and don't mind it; it consumes just a bit of developer's attention, which makes it somewhat bearable.
The problem comes with the fact that such a frontend prevents even the deletion of the whole Front Door, which in turn prevents deletion of the whole resource group.
Why is that a problem? Consider that a single subscription is shared by the whole dev team and someone creates a Front Door instance for experiments, uses his own domain and later leaves the team. Now the resource consumes money as there has to be at least one routing rule for the default frontend endpoint and routing rules are paid per time unit, and there is no obvious way to get rid of it.
Is there a way to delete such a Front Door instance besides contacting Microsoft support or asking the owner of the domain to pretty please delete the records pointing to the Front Door?
We had the same issue. While checking the Microsoft documentation we found that Microsoft has introduced this breaking change (Terraform provider for ARM issue #11231).
But it seems like the CNAME check can be disabled for a subscription via Azure CLI az feature:
az feature register --namespace Microsoft.Network --name BypassCnameCheckForCustomDomainDeletion
First, run the above command and then go to the Front Door resource and try deleting it.
If you need to enable the CNAME check again:
az feature unregister --namespace Microsoft.Network --name BypassCnameCheckForCustomDomainDeletion
If you need to check the status of the feature:
az feature list -o table --query "[?contains(name, 'Microsoft.Network/BypassCnameCheckForCustomDomainDeletion')].{Name:name,State:properties.state}"
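With the check bypassed, nothing stops a Front Door from being deleted while CNAME records still point at it, so it helps to list those records for the DNS owner to remove. The script below is an added example, not part of the answer above: it reports which custom domains still reference a Front Door host directly or through the afdverify prefix. The domain names and sample records are constructed, and it assumes the classic convention that afdverify.<domain> points to afdverify.<front door host>.

```bash
#!/usr/bin/env bash
# Added example: find custom domains that still CNAME to a Front Door host.

# Constructed sample records ("name target"). Export CNAME_FIXTURE="" to
# query live DNS with dig instead.
SAMPLE_RECORDS='www.example.com example.azurefd.net.
afdverify.shop.example.com afdverify.example.azurefd.net.
old.example.com other.azurefd.net.'
CNAME_FIXTURE=${CNAME_FIXTURE-$SAMPLE_RECORDS}

# Lowercase a DNS name and strip the trailing dot.
norm() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'; }

# Print the CNAME target of $1 (empty if there is none).
lookup_cname() {
  if [ -n "$CNAME_FIXTURE" ]; then
    printf '%s\n' "$CNAME_FIXTURE" | awk -v n="$1" '$1 == n { print $2; exit }'
  else
    dig +short CNAME "$1" | head -n1
  fi
}

# Print direct | afdverify | none for custom domain $1 and Front Door host $2.
cname_state() {
  local domain fd
  domain=$(norm "$1")
  fd=$(norm "$2")
  if [ "$(norm "$(lookup_cname "$domain")")" = "$fd" ]; then
    echo direct
  elif [ "$(norm "$(lookup_cname "afdverify.$domain")")" = "afdverify.$fd" ]; then
    echo afdverify
  else
    echo none
  fi
}

# For Front Door host $1, list each remaining argument that still references it.
stale_records() {
  local fd d state
  fd=$1
  shift
  for d in "$@"; do
    state=$(cname_state "$d" "$fd")
    [ "$state" = none ] || printf '%s %s\n' "$d" "$state"
  done
}

stale_records example.azurefd.net www.example.com shop.example.com old.example.com
```

Only CNAME records are inspected, so a domain that reaches the Front Door through some other record type is reported as none.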