Commit 4416f73

Merge pull request #8128 from MicrosoftDocs/users/sdanie/454783
MDP VNET Delete lock note
2 parents 4851897 + c7b29f5 commit 4416f73

1 file changed

+5
-0
lines changed

docs/managed-devops-pools/configure-networking.md

Lines changed: 5 additions & 0 deletions
@@ -159,6 +159,11 @@ resource managedDevOpsPools 'Microsoft.DevOpsInfrastructure/pools@2025-01-21' =
159159

160160
* * *
161161

162+
> [!IMPORTANT]
163+
> Don't put a **Delete** lock on the virtual network when updating your pools. During a pool update operation, Managed DevOps Pools creates a [Service Association Link (SAL)](/rest/api/virtualnetwork/service-association-links/list) on the subnet. If an update fails, Managed DevOps Pools attempts to clean the SAL, but if there is a **Delete** lock, you'll get an `InUseSubnetCannotBeDeleted` error, and Managed DevOps Pools won't be able to delete the SAL, leaving the subnet in a locked state (undeletable). To resolve the issue, remove the **Delete** lock, and retry the update operation.
164+
>
165+
> For more information, see [Lock your Azure resources to protect your infrastructure - Considerations before applying your locks](/azure/azure-resource-manager/management/lock-resources#considerations-before-applying-your-locks).
166+
162167
## Restricting outbound connectivity
163168

164169
If you have systems in place on your network (NSG, Firewall, etc.) that restrict outbound connectivity, certain endpoints need to be allowlisted in order to fully support Managed DevOps pools. These endpoints are divided into globally required endpoints (necessary on any Managed DevOps pools machine) and endpoints required for certain scenarios. All endpoints are HTTPS, unless otherwise stated.
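
Review bot: The added note at line 163 scopes the restriction to "when updating your pools" and ends with "remove the **Delete** lock, and retry the update operation", but it never says whether the lock can be put back once the update succeeds. Readers who use the lock as a guard against accidental deletion are left to guess whether it must stay off permanently or only for the duration of the update, so consider adding a sentence that states this either way. In the same sentence, it is unclear which operation returns `InUseSubnetCannotBeDeleted` (the failed SAL cleanup or a later attempt to delete the subnet); splitting the sentence after "attempts to clean the SAL" would let each outcome be stated separately, and "clean the SAL" reads better as "clean up the SAL". The note also sits after the `* * *` rule and directly above "## Restricting outbound connectivity", where it is detached from the configuration steps it qualifies; placing it before the rule would keep it with that section.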
