diff --git a/Makefile b/Makefile index 6e6cc33b322..fd0a3ad8d77 100644 --- a/Makefile +++ b/Makefile @@ -83,14 +83,26 @@ ensure-aro-image: $(MAKE) build-local-rp-image; \ fi +setup: + @bash ./setup_resources.sh $(KEY_NAME) $(KEY_VERSION) + cluster: - set -a; source .env; set +a; \ - if [ -z "${CLUSTER}" ]; then \ + @set -a; source .env; set +a; \ + if [ -z "$$CLUSTER" ]; then \ read -p "Enter the cluster name: " CLUSTER; \ fi; \ - echo "Using CLUSTER: ${CLUSTER}"; \ + echo "Using CLUSTER: $$CLUSTER"; \ + export CLUSTER=$$CLUSTER; \ CGO_ENABLED=0 go run ./hack/cluster/cluster.go create +delete-cluster: + @set -a; source .env; set +a; \ + if [ -z "$$CLUSTER" ]; then \ + read -p "Enter the cluster name to delete: " CLUSTER; \ + fi; \ + echo "Deleting CLUSTER: $$CLUSTER"; \ + export CLUSTER=$$CLUSTER; \ + CGO_ENABLED=0 go run ./hack/cluster/cluster.go delete e2e: ensure-aro-image @podman run --rm -d --name aro-e2e $(ARO_IMAGE) e2e @@ -113,7 +125,7 @@ client: generate hack/build-client.sh "${AUTOREST_IMAGE}" 2020-04-30 2021-09-01-preview 2022-04-01 2022-09-04 2023-04-01 2023-07-01-preview 2023-09-04 2023-11-22 2024-08-12-preview ci-rp: fix-macos-vendor - docker build . -f Dockerfile.ci-rp --ulimit=nofile=4096:4096 --build-arg REGISTRY=$(REGISTRY) --build-arg VERSION=$(VERSION) --no-cache=$(NO_CACHE) + docker build . -f Dockerfile.ci-rp --ulimit=nofile=4096:4096 --build-arg REGISTRY=$(REGISTRY) --build-arg VERSION=$(VERSION) --no-cache=$(NO_CACHE) -t $(ARO_IMAGE) # TODO: hard coding dev-config.yaml is clunky; it is also probably convenient to # override COMMIT. diff --git a/hack/cluster/cluster.go b/hack/cluster/cluster.go index fd822d32dd2..3e9ea758483 100644 --- a/hack/cluster/cluster.go +++ b/hack/cluster/cluster.go @@ -7,6 +7,7 @@ import ( "context" "fmt" "os" + "os/exec" "strings" "github.com/davecgh/go-spew/spew" 
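Review bot: The new `setup` recipe passes `$(KEY_NAME)` and `$(KEY_VERSION)` to the script unquoted, and both `cluster` and `delete-cluster` run `export CLUSTER=$$CLUSTER` unquoted, so a value containing spaces is word-split by the recipe shell before it reaches the script or the Go tool. Quote them: `@bash ./setup_resources.sh "$(KEY_NAME)" "$(KEY_VERSION)"` and `export CLUSTER="$$CLUSTER"`. `delete-cluster` is destructive and takes its target from `.env` or a single prompt; a confirmation that the typed name matches before `go run ./hack/cluster/cluster.go delete` would guard against deleting the wrong cluster. A short comment above the target should say that it also removes the per-cluster VNet.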
@@ -37,11 +38,17 @@ func run(ctx context.Context, log *logrus.Entry) error { return err } - vnetResourceGroup := os.Getenv("RESOURCEGROUP") // TODO: remove this when we deploy and peer a vnet per cluster create - if os.Getenv("CI") != "" { - vnetResourceGroup = os.Getenv(Cluster) - } clusterName := os.Getenv(Cluster) + vnetName := fmt.Sprintf("%s-vnet", clusterName) + subnetName := fmt.Sprintf("%s-subnet", clusterName) + resourceGroup := os.Getenv("RESOURCEGROUP") + location := os.Getenv("LOCATION") + + // Create a new VNet + err = createVNet(log, resourceGroup, vnetName, subnetName, location) + if err != nil { + return err + } osClusterVersion := os.Getenv("OS_CLUSTER_VERSION") if osClusterVersion == "" { 
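Review bot: `createVNet` is called before the `switch` on `os.Args[1]`, so it runs for every subcommand: `delete`, `createapp` and `deleteapp` each create (or update) the `<cluster>-vnet` first, and the two app commands never remove it. Move the call into the `create` case. The cluster name, `RESOURCEGROUP` and `LOCATION` are used unchecked, so an empty cluster name yields a VNet called `-vnet`; fail early with something like `if clusterName == "" || resourceGroup == "" || location == "" { return fmt.Errorf("cluster name, RESOURCEGROUP and LOCATION must be set") }`. The removed `CI` branch used the cluster name as the resource group, so CI runs now target `RESOURCEGROUP` instead; worth confirming that is intended. The body of `run` starts and ends outside this hunk.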
@@ -58,18 +65,48 @@ func run(ctx context.Context, log *logrus.Entry) error { switch strings.ToLower(os.Args[1]) { case "create": - return c.Create(ctx, vnetResourceGroup, clusterName, osClusterVersion) + err = c.Create(ctx, resourceGroup, clusterName, osClusterVersion) + if err != nil { + // If cluster creation fails, delete the created VNet + deleteVNet(log, resourceGroup, vnetName) + } + return err case "createapp": return c.CreateApp(ctx, clusterName) case "deleteapp": return c.DeleteApp(ctx) case "delete": - return c.Delete(ctx, vnetResourceGroup, clusterName) + err = c.Delete(ctx, resourceGroup, clusterName) + if err == nil { + // If cluster deletion succeeds, delete the created VNet + deleteVNet(log, resourceGroup, vnetName) + } + return err default: return fmt.Errorf("invalid command %s", os.Args[1]) } } +func createVNet(log *logrus.Entry, resourceGroup, vnetName, subnetName, location string) error { + _, err := exec.Command("az", "network", "vnet", "create", "--resource-group", resourceGroup, "--name", vnetName, "--address-prefix", "10.0.0.0/16", "--subnet-name", subnetName, "--subnet-prefix", "10.0.0.0/24", "--location", location).Output() + if err != nil { + log.Errorf("Failed to create VNet: %v", err) + return err + } + log.Infof("Created VNet %s in resource group %s", vnetName, resourceGroup) + return nil +} + +func deleteVNet(log *logrus.Entry, resourceGroup, vnetName string) error { + _, err := exec.Command("az", "network", "vnet", "delete", "--resource-group", resourceGroup, "--name", vnetName).Output() + if err != nil { + log.Errorf("Failed to delete VNet: %v", err) + return err + } + log.Infof("Deleted VNet %s in resource group %s", vnetName, resourceGroup) + return nil +} + func main() { log := utillog.GetLogger() diff --git a/setup_resources.sh b/setup_resources.sh index 1dafc8e653b..5d0b941644f 100755 --- a/setup_resources.sh +++ b/setup_resources.sh 
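Review bot: Both call sites in the `switch` discard the error returned by `deleteVNet`, and the helpers log only `err` from `Output()`, which for a failed `az` run is just the exit status, because stderr ends up in the `*exec.ExitError` and is never printed. A failed cleanup therefore leaves the VNet behind in the resource group with no usable diagnostic. The helpers also ignore `ctx`, so cancelling the run does not stop a hung `az` process. I would pass `ctx` through, use `exec.CommandContext` with `CombinedOutput`, return a wrapped error carrying the CLI output, and log the cleanup failure at the call sites. `run` starts outside this hunk.

```go
func createVNet(ctx context.Context, log *logrus.Entry, resourceGroup, vnetName, subnetName, location string) error {
	cmd := exec.CommandContext(ctx, "az", "network", "vnet", "create",
		// … unchanged: resource group, name, address prefixes, subnet and location arguments …
	)
	out, err := cmd.CombinedOutput()
	if err != nil {
		return fmt.Errorf("creating vnet %s in %s: %w: %s", vnetName, resourceGroup, err, strings.TrimSpace(string(out)))
	}
	log.Infof("Created VNet %s in resource group %s", vnetName, resourceGroup)
	return nil
}

// … deleteVNet: same shape with the "delete" arguments …

	case "create":
		err = c.Create(ctx, resourceGroup, clusterName, osClusterVersion)
		if err != nil {
			// Cleanup is best-effort, but a failure must be visible to the operator.
			if cleanupErr := deleteVNet(ctx, log, resourceGroup, vnetName); cleanupErr != nil {
				log.Warnf("VNet %s was not removed: %v", vnetName, cleanupErr)
			}
		}
		return err
```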
@@ -1,54 +1,51 @@ #!/bin/bash -# Ensure Azure CLI is installed and the user is logged in -if ! command -v az &> /dev/null; then - echo "Azure CLI (az) could not be found. Please install it and log in using 'az login'." - exit 1 -fi - -if ! az account show &> /dev/null; then - echo "Azure CLI is not logged in. Please log in using 'az login'." - exit 1 -fi - -# Set the Azure subscription -az account set --subscription "ARO SRE Team - InProgress (EA Subscription 2)" - # Load environment variables from .env file set -a source .env set +a -# Set cluster-specific environment variables with fallback defaults -RESOURCEGROUP="${1:-v4-westeurope}" -DATABASE_ACCOUNT_NAME="${USER}-aro-${LOCATION}" -KEYVAULT_PREFIX="${USER:0:20}-kv-${LOCATION:0:4}" # Ensure valid key vault name length - -# Use arguments or fallback to environment variables -KEY_NAME="${2:-$KEY_NAME}" -KEY_VERSION="${3:-$KEY_VERSION}" +# Check if az CLI is installed +if ! command -v az &> /dev/null +then + echo "az CLI could not be found. Please install it to proceed." + exit 1 +fi -# Prompt for key name and key version if not set -if [ -z "$KEY_NAME" ]; then - read -p "Enter the key name for the disk encryption set: " KEY_NAME +# Validate az CLI connectivity +if ! az account show &> /dev/null +then + echo "az CLI is not connected. Please login using 'az login' and try again." + exit 1 fi -if [ -z "$KEY_VERSION" ]; then - read -p "Enter the key version for the disk encryption set: " KEY_VERSION +# Get the key name and key version from the arguments +KEY_NAME=${1} +KEY_VERSION=${2} + +# Ensure KEY_NAME and KEY_VERSION are provided +if [ -z "$KEY_NAME" ] || [ -z "$KEY_VERSION" ]; then + echo "Usage: $0 " + exit 1 fi +# Set cluster-specific environment variables +RESOURCEGROUP=${RESOURCEGROUP:-"v4-westeurope"} +DATABASE_ACCOUNT_NAME="${USER}-aro-${LOCATION}" +KEYVAULT_PREFIX="${USER}-aro-${LOCATION}" + # Create resource group echo "Ensuring resource group $RESOURCEGROUP in $LOCATION..." 
-az group show --name "$RESOURCEGROUP" &>/dev/null +az group show --name "$RESOURCEGROUP" &> /dev/null if [ $? -ne 0 ]; then - az group create --name "$RESOURCEGROUP" --location "$LOCATION" --tags createdAt=$(date -u +%Y-%m-%dT%H:%M:%SZ) + az group create --name "$RESOURCEGROUP" --location "$LOCATION" else echo "Resource group $RESOURCEGROUP already exists." fi # Create virtual network echo "Ensuring virtual network dev-vnet in resource group $RESOURCEGROUP..." -az network vnet show --resource-group "$RESOURCEGROUP" --name dev-vnet &>/dev/null +az network vnet show --resource-group "$RESOURCEGROUP" --name dev-vnet &> /dev/null if [ $? -ne 0 ]; then az network vnet create --resource-group "$RESOURCEGROUP" --name dev-vnet --address-prefix 10.0.0.0/16 --subnet-name dev-subnet --subnet-prefix 10.0.0.0/24 else 
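Review bot: `KEYVAULT_PREFIX` is now `${USER}-aro-${LOCATION}` with `-kv` appended at each use, and the earlier truncation (`${USER:0:20}`, `${LOCATION:0:4}`) that kept the name within the Key Vault length limit is gone. Vault names are limited to 24 characters, so with a location such as `westeurope` only very short usernames still produce a valid name. Keep a bounded form, for example `KEYVAULT_NAME="${USER:0:12}-aro-${LOCATION:0:4}-kv"`, and use that single variable everywhere. The hunk also drops `az account set`, so resources go to whichever subscription is currently active while the disk encryption set later builds its vault ID from `$AZURE_SUBSCRIPTION_ID`; `az account set --subscription "$AZURE_SUBSCRIPTION_ID"` after sourcing `.env` would keep the two aligned. `LOCATION` is also used without a check that `.env` defined it.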
@@ -56,27 +53,20 @@ else fi # Create key vault -echo "Ensuring key vault ${KEYVAULT_PREFIX} in resource group $RESOURCEGROUP..." -az keyvault show --name "${KEYVAULT_PREFIX}" --resource-group "$RESOURCEGROUP" &>/dev/null +echo "Ensuring key vault ${KEYVAULT_PREFIX}-kv in resource group $RESOURCEGROUP..." +az keyvault show --name "${KEYVAULT_PREFIX}-kv" --resource-group "$RESOURCEGROUP" &> /dev/null if [ $? -ne 0 ]; then - az keyvault create --name "${KEYVAULT_PREFIX}" --resource-group "$RESOURCEGROUP" --location "$LOCATION" + az keyvault create --name "${KEYVAULT_PREFIX}-kv" --resource-group "$RESOURCEGROUP" --location "$LOCATION" else - echo "Key vault ${KEYVAULT_PREFIX} already exists." -fi - -# Validate key URL format and existence in Key Vault -KEY_URL="https://${KEYVAULT_PREFIX}.vault.azure.net/keys/${KEY_NAME}/${KEY_VERSION}" -echo "Ensuring disk encryption set ${RESOURCEGROUP}-disk-encryption-set in resource group $RESOURCEGROUP..." -az keyvault key show --vault-name "${KEYVAULT_PREFIX}" --name "${KEY_NAME}" --version "${KEY_VERSION}" &>/dev/null -if [ $? -ne 0 ]; then - echo "The specified key name and version do not exist in the Key Vault. Please check the values and try again." - exit 1 + echo "Key vault ${KEYVAULT_PREFIX}-kv already exists." fi # Create disk encryption set -az disk-encryption-set show --name "${RESOURCEGROUP}-disk-encryption-set" --resource-group "$RESOURCEGROUP" &>/dev/null +KEY_URL="https://${KEYVAULT_PREFIX}-kv.vault.azure.net/keys/${KEY_NAME}/${KEY_VERSION}" +echo "Ensuring disk encryption set ${RESOURCEGROUP}-disk-encryption-set in resource group $RESOURCEGROUP..." +az disk-encryption-set show --name "${RESOURCEGROUP}-disk-encryption-set" --resource-group "$RESOURCEGROUP" &> /dev/null if [ $? 
-ne 0 ]; then - az disk-encryption-set create --name "${RESOURCEGROUP}-disk-encryption-set" --resource-group "$RESOURCEGROUP" --location "$LOCATION" --source-vault "/subscriptions/$AZURE_SUBSCRIPTION_ID/resourceGroups/$RESOURCEGROUP/providers/Microsoft.KeyVault/vaults/${KEYVAULT_PREFIX}" --key-url "$KEY_URL" + az disk-encryption-set create --name "${RESOURCEGROUP}-disk-encryption-set" --resource-group "$RESOURCEGROUP" --location "$LOCATION" --source-vault "/subscriptions/$AZURE_SUBSCRIPTION_ID/resourceGroups/$RESOURCEGROUP/providers/Microsoft.KeyVault/vaults/${KEYVAULT_PREFIX}-kv" --key-url "$KEY_URL" else echo "Disk encryption set ${RESOURCEGROUP}-disk-encryption-set already exists." fi
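Review bot: The pre-flight check that the key name and version exist in the vault was removed, so a mistyped `KEY_NAME` or `KEY_VERSION` now only surfaces as a failure of `az disk-encryption-set create`, whose exit status the script does not check. Restore the guard against the renamed vault before `KEY_URL` is built: `az keyvault key show --vault-name "${KEYVAULT_PREFIX}-kv" --name "$KEY_NAME" --version "$KEY_VERSION" > /dev/null || { echo "Key $KEY_NAME/$KEY_VERSION not found in ${KEYVAULT_PREFIX}-kv"; exit 1; }`. Disk encryption sets also need the source vault to have purge protection enabled, and the `az keyvault create` line here does not request it; worth confirming whether `--enable-purge-protection` should be added.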