Issue when trying to delete VPC and Network Interface

27

98

I am trying to delete an AWS VPC (a non-default one). I am getting the error "We could not delete the following VPC (vpc-xxxxxxx (xx.xx.xx.x/16)) Network interface 'eni-xxxxxx' is currently in use. (Service: AmazonEC2; Status Code: 400; Error Code: InvalidParameterValue; Request ID: xxxxxx-dd86-47c8-98cd-xxxxxxxxxxx)".

When I tried deleting the related Network Interface, I got the error "eni-xxxxxxx: You do not have permission to access the specified resource."

There are security groups associated with the NI (network interface). There are subnets associated with the NI. There are no EC2 instances - all are terminated. There are no VPC endpoints. There are no RDS db, db security group or subnets.

For EC2 SGs (security groups), I am getting a permission denied error message while trying to delete (even the non-default SG against the non-default VPC). This SG has the description "AWS created security group for d-xxxxxxxxxx directory controllers".

For subnets, I am not able to delete them because they are associated with the above mentioned NI.

Can someone help? I have a free tier account and hence don't even have technical support, nor am I able to post a new thread in the AWS forums (getting the error message - Your account is not ready for posting messages yet. Please try again later). I fear this is because I have a free tier account.

Philbin answered 14/5, 2016 at 23:33 Comment(2)
Are you using Amazon Workspaces? It creates a VPC with an ENI, which you cannot delete if Workspaces has been provisioned. Are there any other services linked into your VPC, such as peering?Pyrotechnic
Thanks John! I am neither using Amazon Workspaces nor did establish any peering for that VPC.Philbin
109

Check 2 things.

  • If you have a VPC Elastic IP Address you created in the VPC you are trying to delete.
  • Check if you created a AWS ELB in the VPC.

Delete above two resources if present then you will be able to delete the VPC.

Ceasar answered 15/5, 2016 at 1:33 Comment(9)
thanks for reminding those two. I missed them while posting the question. I had created EIP (elastic IP) but deleted them while deleting the EC2 instance some time back.Philbin
And I had not created ELB against the VPC. So is there anything else I should check?Philbin
@Philbin Try to detach the Internet Gateway and then try to delete the VPC.Ceasar
Not sure of the issue. But the VPC was deleted next time I logged in after 2-3 days. Thank you all for the tips!Philbin
For me it was a lingering RDS instance.Smell
Thank you. This saved me from a CloudFormation stack generated by a program that failed to delete it and then obscure cascading delete failures all the way down to the ELB without making it obvious that the ELB was the cause.Creatine
Can also be a load balancer that was not deleted.Tyche
Another place to look is the Description field of the ENI itself. For me it pinpointed a Lambda function configured with a VPC. This data seems important; it should be displayed on the "ENI currently in-use" pop-up screen.Sarcophagus
For me it was a NAT GatewayGalvanometer
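The comments above all come back to the same fact: the ENI's Description (and its InterfaceType) names the service that owns it, and that service, not the ENI, is what has to be deleted. The following Python is an added example, not code from the thread or from AWS, that applies that to the JSON of `aws ec2 describe-network-interfaces --filters Name=vpc-id,Values=<vpc-id>`: a requester-managed ENI belongs to a service (RDS, ELB, Lambda, NAT gateway, Directory Service, ...) and `delete-network-interface` on it is refused with the permission error quoted in the question, so the action is to delete the owning resource; an unmanaged ENI in the "available" state can be deleted directly. The sample ENIs and every identifier in them are constructed, and the Description prefixes are heuristics taken from what the services write on their ENIs; extend the tables as you meet new ones.

```python
"""Triage the ENIs that keep a VPC from being deleted.

Added example, not code from the original thread. Input is the JSON shape of
`aws ec2 describe-network-interfaces --filters Name=vpc-id,Values=<vpc-id>`;
the sample below is constructed with placeholder identifiers.
"""
import json
import re

# Constructed sample: six ENIs left behind in one VPC (not real account data).
SAMPLE = json.dumps({"NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-0a1", "Status": "in-use", "InterfaceType": "interface",
     "RequesterManaged": True, "Description": "RDSNetworkInterface",
     "Attachment": {"InstanceOwnerId": "amazon-rds"}},
    {"NetworkInterfaceId": "eni-0b2", "Status": "in-use", "InterfaceType": "lambda",
     "RequesterManaged": True,
     "Description": "AWS Lambda VPC ENI-my-function-00000000-0000-0000-0000-000000000000",
     "Attachment": {"InstanceOwnerId": "amazon-aws"}},
    {"NetworkInterfaceId": "eni-0c3", "Status": "in-use", "InterfaceType": "interface",
     "RequesterManaged": True, "Description": "ELB app/my-alb/0123456789abcdef",
     "Attachment": {"InstanceOwnerId": "amazon-elb"}},
    {"NetworkInterfaceId": "eni-0d4", "Status": "in-use", "InterfaceType": "natGateway",
     "RequesterManaged": True, "Description": "Interface for NAT Gateway nat-0123456789abcdef0",
     "Attachment": {"InstanceOwnerId": "000000000000"}},
    {"NetworkInterfaceId": "eni-0e5", "Status": "in-use", "InterfaceType": "interface",
     "RequesterManaged": True,
     "Description": "AWS created network interface for directory d-0000000000",
     "Attachment": {"InstanceOwnerId": "amazon-aws"}},
    {"NetworkInterfaceId": "eni-0f6", "Status": "available", "InterfaceType": "interface",
     "RequesterManaged": False, "Description": "bastion secondary nic"},
]})

# InterfaceType values that name the owning service outright (values from the
# EC2 DescribeNetworkInterfaces API).
TYPE_OWNERS = {
    "natGateway": "NAT gateway",
    "lambda": "Lambda function with a VPC configuration (check every published version)",
    "load_balancer": "Elastic Load Balancing load balancer",
    "network_load_balancer": "Elastic Load Balancing load balancer",
    "gateway_load_balancer": "Elastic Load Balancing load balancer",
    "vpc_endpoint": "VPC endpoint",
    "gateway_load_balancer_endpoint": "VPC endpoint",
    "api_gateway_managed": "API Gateway VPC link",
    "global_accelerator_managed": "Global Accelerator endpoint",
    "efs": "EFS mount target",
}

# For the generic "interface" type, fall back to the Description text that the
# services write on their ENIs (heuristic prefixes; extend as you meet new ones).
DESCRIPTION_OWNERS = [
    (r"^RDSNetworkInterface", "RDS/Neptune/DocumentDB instance or a leftover DB subnet group"),
    (r"^ELB ", "Elastic Load Balancing load balancer"),
    (r"^Interface for NAT Gateway", "NAT gateway"),
    (r"^AWS Lambda VPC ENI", "Lambda function with a VPC configuration"),
    (r"^AWS created network interface for directory", "Directory Service directory (also created by WorkSpaces)"),
    (r"^ElastiCache ", "ElastiCache cluster"),
    (r"^arn:aws:ecs:", "ECS task using awsvpc networking"),
    (r"^Amazon EKS ", "EKS cluster"),
    (r"^EFS mount target", "EFS mount target"),
]

# Last resort: the principal that owns the attachment.
ATTACHMENT_OWNERS = {"amazon-elb": "Elastic Load Balancing load balancer",
                     "amazon-rds": "RDS/Neptune/DocumentDB instance"}


def classify_eni(eni):
    """Return (owner, action) for one record of describe-network-interfaces."""
    itype = eni.get("InterfaceType", "interface")
    desc = eni.get("Description") or ""
    owner = TYPE_OWNERS.get(itype)
    if owner is None:
        owner = next((svc for pat, svc in DESCRIPTION_OWNERS if re.search(pat, desc)), None)
    if owner is None:
        owner = ATTACHMENT_OWNERS.get((eni.get("Attachment") or {}).get("InstanceOwnerId", ""))
    if eni.get("RequesterManaged"):
        # Service-owned: DeleteNetworkInterface is refused ("You do not have
        # permission"); the ENI goes away only when the owning resource does.
        action = "delete the owning resource: " + (owner or "unknown service, inspect Description/RequesterId")
    elif eni.get("Status") == "available":
        action = "aws ec2 delete-network-interface --network-interface-id " + eni["NetworkInterfaceId"]
    else:
        action = "detach from its instance (aws ec2 detach-network-interface), then delete"
    return owner or "user-created or unrecognised", action


def triage(describe_output_json):
    """Parse describe-network-interfaces output into one row per ENI, blockers first."""
    rows = []
    for eni in json.loads(describe_output_json)["NetworkInterfaces"]:
        owner, action = classify_eni(eni)
        rows.append({"id": eni["NetworkInterfaceId"], "status": eni.get("Status"),
                     "requester_managed": bool(eni.get("RequesterManaged")),
                     "owner": owner, "action": action})
    rows.sort(key=lambda r: (not r["requester_managed"], r["id"]))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(f"{row['id']:10} {row['status']:9} {row['owner']:<60} -> {row['action']}")
```

Feed it real output with `aws ec2 describe-network-interfaces --filters Name=vpc-id,Values=vpc-... > enis.json` and `triage(open("enis.json").read())`; anything reported as "unknown service" is exactly the case the Knowledge Center article linked later in this thread is for.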
19

As @karimtabet said, the VPC I was unable to delete was still assigned to an active RDS instance. after removing this RDS instance, I was able to delete the VPC.

Inversion answered 10/2, 2017 at 14:31 Comment(2)
Something I encountered which others may run into is that Neptune also counts as an RDS when it comes to this.Bield
This saved me!! Ty. I couldn't figure out why I couldn't delete my VPC, and I checked every other resource I had. The only error I got during deletion was that the VPC was being used by a network interface that I couldn't delete.Asuncionasunder
18

To be able to delete Security Groups (SG) and their Network Interfaces (NI) I had to:

  • delete the inbound + outbound rules of the SGs
  • wait 5-10 minutes for the NIs to move from state "in use" to "available"
  • delete the NIs
  • delete the SGs
Marjorie answered 15/6, 2022 at 12:18 Comment(2)
Worked for me as well. Had to delete all the rules and then NI and Subnet got deleted.Jitters
Here's why this worked for me: The network interface had 2 SGs associated with it. Those 2 SGs for some reason referenced each other in the inbound/outbound rules (for some unknown reason). Therefore, each individual one could not be deleted because it contained a reference. Removed those rules, deleted SGs, deleted NIs.Katzman
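The comment above describes two security groups whose rules reference each other, so neither can be deleted until at least one of those rules is revoked (EC2 reports this as a DependencyViolation). The Python below is an added example, not code from the thread, that finds such reference cycles in the output of `aws ec2 describe-security-groups --filters Name=vpc-id,Values=<vpc-id>`, emits the `revoke-security-group-ingress`/`revoke-security-group-egress` commands that break them, and returns an order in which `aws ec2 delete-security-group` then succeeds without touching more rules than needed. The sample groups and their ids are constructed; the VPC default group is skipped because it cannot be deleted, and a group's reference to itself is ignored because it does not block its own deletion.

```python
"""Plan the deletion of a VPC's security groups despite cross-references.

Added example, not code from the original thread. Input is the list under
"SecurityGroups" in `aws ec2 describe-security-groups` output; the sample
below is constructed with placeholder group ids.
"""
import json

# Constructed sample: lb -> app -> db chain, with app and db also referencing
# each other (the situation from the comment above), plus the default group.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0app", "GroupName": "app", "VpcId": "vpc-0demo",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                        "UserIdGroupPairs": [{"GroupId": "sg-0lb", "UserId": "000000000000"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                              "UserIdGroupPairs": [{"GroupId": "sg-0db", "UserId": "000000000000"}]}]},
    {"GroupId": "sg-0db", "GroupName": "db", "VpcId": "vpc-0demo",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "UserIdGroupPairs": [{"GroupId": "sg-0app", "UserId": "000000000000"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0lb", "GroupName": "lb", "VpcId": "vpc-0demo",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0def", "GroupName": "default", "VpcId": "vpc-0demo",
     "IpPermissions": [{"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0def"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]


def _references(groups):
    """Map group id -> set of *other* listed group ids that its rules reference."""
    ids = {g["GroupId"] for g in groups}
    refs = {gid: set() for gid in ids}
    for g in groups:
        for key in ("IpPermissions", "IpPermissionsEgress"):
            for perm in g.get(key, []):
                for pair in perm.get("UserIdGroupPairs", []):
                    target = pair.get("GroupId")
                    # A self-reference (common on cluster groups) does not block
                    # deleting that group, so only cross-references count.
                    if target in ids and target != g["GroupId"]:
                        refs[g["GroupId"]].add(target)
    return refs


def _cycle_edge(refs, remaining):
    """Return one edge (u, v) lying on a reference cycle within `remaining`."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = dict.fromkeys(remaining, WHITE)
    for start in sorted(remaining):
        if colour[start] != WHITE:
            continue
        colour[start] = GREY
        stack = [(start, iter(sorted(refs[start] & remaining)))]
        while stack:                       # iterative DFS, GREY = on the current path
            node, nexts = stack[-1]
            for nxt in nexts:
                if colour[nxt] == GREY:    # back edge closes a cycle
                    return node, nxt
                if colour[nxt] == WHITE:
                    colour[nxt] = GREY
                    stack.append((nxt, iter(sorted(refs[nxt] & remaining))))
                    break
            else:
                colour[node] = BLACK
                stack.pop()
    return None


def _revoke_commands(group, target):
    """CLI commands that drop every rule of `group` that points at `target`."""
    cmds = []
    for key, cli in (("IpPermissions", "revoke-security-group-ingress"),
                     ("IpPermissionsEgress", "revoke-security-group-egress")):
        for perm in group.get(key, []):
            pairs = [{"GroupId": p["GroupId"]} for p in perm.get("UserIdGroupPairs", [])
                     if p.get("GroupId") == target]
            if pairs:
                rule = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
                rule["UserIdGroupPairs"] = pairs
                cmds.append(f"aws ec2 {cli} --group-id {group['GroupId']} "
                            f"--ip-permissions '{json.dumps([rule])}'")
    return cmds


def plan_sg_deletion(groups):
    """Return (revoke_commands, delete_order).

    Revoke one rule per reference cycle found, then delete the groups in the
    returned order; a group is only scheduled once nothing left references it.
    """
    groups = [g for g in groups if g.get("GroupName") != "default"]  # undeletable
    by_id = {g["GroupId"]: g for g in groups}
    refs = _references(groups)
    remaining, order, revokes = set(by_id), [], []
    while remaining:
        free = sorted(g for g in remaining
                      if not any(g in refs[o] for o in remaining if o != g))
        if free:
            order.extend(free)
            remaining.difference_update(free)
            continue
        # Nothing is free, so every remaining group is referenced by another
        # remaining group, which guarantees a cycle: break one edge and retry.
        u, v = _cycle_edge(refs, remaining)
        revokes.extend(_revoke_commands(by_id[u], v))
        refs[u].discard(v)
    return revokes, order


if __name__ == "__main__":
    cmds, order = plan_sg_deletion(SAMPLE_GROUPS)
    print("revoke first:")
    for c in cmds:
        print("  " + c)
    print("then delete in this order:", " ".join(order))
```

For the constructed sample the planner revokes only the db group's inbound rule from app, which is enough to make app deletable; db and lb follow because nothing references them once app is gone. On real data, pass the "SecurityGroups" list from `describe-security-groups` and note that a group referenced from another VPC (peering) will still refuse deletion; that reference is outside the set this example sees.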
17

Check if you have any EFS instances or S3 buckets with versioning turned on or cross-domain replication (this is the one that got me recently).

Gilges answered 4/4, 2018 at 0:25 Comment(0)
7

I solved this by deleting the active load balancer that was attached to the ENIs. You can check active load balancers on EC2 > Load Balancing > Load Balancers

Pinnatifid answered 27/11, 2020 at 18:7 Comment(0)
5

I was only able to delete the ENI through the API:

aws ec2 delete-network-interface --network-interface-id eni-XXXXXXX

In my case I had created an ECS cluster with Terraform, but wasn't able to clean it up with the command terraform destroy.

In the web console I always got the error Network interface is currently in use.

Xeniaxeno answered 18/5, 2021 at 23:45 Comment(2)
Same error with awscli in my caseSatellite
I tried everything else listed here and this was the only thing that worked for meBlunder
2

That network interface could be connected to a security group which is then connected to another Amazon product like ElastiCache (or anything). It's connected to something which may be connected to something else.

Jeromejeromy answered 19/5, 2017 at 18:24 Comment(0)
2

A running ECS task could be an issue, try to stop/delete the same. https://forums.aws.amazon.com/thread.jspa?threadID=114301

Baloney answered 8/9, 2020 at 6:34 Comment(0)
2

In my case, first check whether any load balancer is available; if so, delete the load balancer first, then delete the existing VPC.

Hipbone answered 30/8, 2021 at 1:52 Comment(0)
1

In my case I had to first detach and delete 2 things in EC2 section (of the same region as your VPC):

  1. Network & Security -> Elastic IPs. Delete the Elastic IP associated with your VPC
  2. Network & Security -> Network Interfaces. Detach your VPC's network interface first (This took around a minute). Then delete.

Now try deleting the VPC.

Waneta answered 8/7, 2018 at 22:8 Comment(0)
1

So you should check the network interfaces' usage; if they don't appear, it means you have to check the computing and load balancing stacks for it.

For me it was a lambda test function that was using the interface and not appearing in the networkInterface for some reason. Make sure to check your lambda functions.

Helgahelge answered 11/8, 2021 at 13:11 Comment(0)
1

You have to do it bottom-up approach.

  1. Delete services that are working on subnets if you have them (Redshift clusters, RDS)
  2. Check jobs in Glue, Lambda etc and delete them if you don't need them
  3. Release IP addresses from NAT Gateway
  4. Detach/Delete NAT and Internet Gateway
  5. Detach and delete subnets
  6. Delete VPC
Fogle answered 11/1, 2022 at 9:31 Comment(0)
1

Make sure to also check your lambda versions. I had deployed my application with the serverless framework and changed the VPC for deployment at some point in time. Hence I had to delete all previous versions of my lambda function to be able to delete the old VPC.

You can do that in the AWS console under the "version" tab for your lambda function.

Plaid answered 20/7, 2022 at 10:4 Comment(0)
1

If it was created by CloudFormation, deleting the CloudFormation stack might help you delete the VPC.

Lenitalenitive answered 24/8, 2022 at 1:54 Comment(0)
1

If you have any Endpoints configured (Currently located in the VPC section in the AWS console), you must delete these first.

Autography answered 4/10, 2022 at 19:3 Comment(1)
This was it for me. 3 hours down the drain!Storehouse
1

Deleting a NAT gateway solved the issue for me.

Meddle answered 25/1, 2023 at 18:24 Comment(1)
Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center.Melmon
0

You were right. It was an ECS issue in my case, not letting me delete my ENIs, saying I don't have the permissions. I had already deregistered my ECS task definition but still it was not letting me delete resources like the VPC and ENIs created by ECS.

I had to update the version of the task definition under ECS using the same resources as the previous definition version, and then I deleted that new service and then deleted the cluster.

With the cluster, it deleted all resources like the VPC and ENIs which it was not letting me delete earlier.

I then deregistered the second version of the task definition. I had two inactive task definitions for a moment and then one task definition disappeared; now only one is there in the inactive state.

Rooky answered 27/12, 2020 at 16:46 Comment(0)
0

I had forgotten that I had an RDS instance that was still connected to that VPC. After deleting it, the network interface deleted itself.

Ullund answered 8/7, 2021 at 17:53 Comment(0)
0

There is a tool that can help you figure out which AWS resource is associated with the ENI. This post documents how to use it: https://aws.amazon.com/premiumsupport/knowledge-center/lambda-eni-find-delete/

Ocampo answered 14/7, 2021 at 0:45 Comment(0)
0

I fixed this issue by deleting ElastiCache resource. After that, I was able to remove VPC

Suctorial answered 26/1, 2022 at 22:20 Comment(0)
0

This happened to me as well recently, and @Pierre-Yves Savard's answer helped me to understand it. Let me explain why it happens.

Say you created the whole stack with a CloudFormation script; let's call it Server-Network-Stack1. But later you created some resources (for example an RDS database) manually from the AWS Console and put them inside the Subnet/VPC which your Server-Network-Stack1 CloudFormation script created previously.

Now your Server-Network-Stack1 CloudFormation stack doesn't know anything about your RDS creation, because you created it manually. So, when you try to remove Server-Network-Stack1, it will give an error meaning "there is another resource which is dependent on the VPC/Subnet (indirectly the Network Interface), and it is not declared inside my script".

Therefore, I recommend you write all of the resource declarations inside CloudFormation, even if you will create them once and will not update them throughout the project lifecycle. Otherwise, your whole team must remember which resources were created with the script, and which were not.

Poulenc answered 20/9, 2022 at 9:44 Comment(0)
0

In my case, I deleted the Global Accelerator. Search for the Global Accelerator service and delete it. (You need AWS CLI installed and configured.) Sorry for my English.

Asomatous answered 16/10, 2022 at 1:41 Comment(1)
Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center.Melmon
0

I was having trouble deleting a VPC that was associated with an RDS instance, even after the instance was deleted. I navigated to RDS->Subnet groups in the console and realised there were groups associated with the deleted RDS. By deleting them, I was then able to complete the RDS VPC deletion.

Hyperpituitarism answered 17/3, 2023 at 17:52 Comment(0)
0

Deleting a Network Firewall did the trick for my colleague and me. Make sure your Network Firewall has deletion protection and logging disabled too.

Subterfuge answered 9/6, 2023 at 20:19 Comment(0)
0

Unable to Delete VPC Due to API Gateway's VPC Links

Hello community,

I wanted to share my experience solving an issue that prevented me from deleting a VPC in AWS. After several attempts and meticulously reviewing associated resources, I discovered that the problem was due to VPC Links created for the API Gateway, which blocked the VPC deletion.

Context

I was trying to delete a VPC that I no longer needed, but AWS kept preventing me from doing so, indicating that there were still resources associated with the VPC. I checked all EC2 instances, subnets, internet gateways, and other commonly associated resources, but couldn't find the cause.

Problem

The error message from AWS was generic, simply stating that resources were still associated with the VPC, without specifying which ones. This led me to a detailed review process of all services.

Solution

Eventually, I found that the real culprits were the VPC Links created for the API Gateway, which I had overlooked. These VPC Links were still active and linked to the VPC I was trying to delete. To resolve the issue, I followed these steps:

  • Accessed the AWS API Gateway console.
  • Navigated to VPC Links under the Resources section.
  • Identified the VPC Links associated with the VPC in question.
  • Proceeded to delete each of the VPC Links.

After removing the VPC Links, I tried deleting the VPC again, and this time the process completed successfully.

Conclusion

If you find yourself unable to delete a VPC and have checked for common resources without finding the cause, I recommend checking for any VPC Links associated with API Gateway that might be preventing the VPC's deletion. This step can be easily overlooked if you're not actively working with API Gateway or if the environment was configured by someone else. I hope this solution can help someone else facing a similar issue.

Agentive answered 21/3 at 17:2 Comment(0)
-1

I had no instances attached. The network interface just was related to a subnet, security group and the VPC. This is how I solved it:

  1. Delete the Load Balancers that I had
  2. Delete the network interface
  3. Delete the VPC
Calliopsis answered 20/8, 2021 at 15:8 Comment(0)
-1

You can use this script to find your resources (nano describe_vpc.sh). When you find them, delete them one by one manually. (You need AWS CLI installed and configured.) Sorry for my English :(

#!/bin/bash
# describe_vpc.sh: list the resources still attached to a VPC so they can be
# deleted one by one. Usage: ./describe_vpc.sh vpc-xxxxxxxxxxxxx [region]
set -euo pipefail

vpc="${1:?usage: $0 vpc-id [region]}"
region="${2:-$(aws configure get region)}"   # fails loudly if no region is configured

# q <ec2 subcommand> <filter flag> <filter name> <JMESPath to the ids>
q() {
  echo "== $1 =="
  aws ec2 "$1" --region "$region" "$2" "Name=$3,Values=$vpc" --query "$4" --output text
}

q describe-internet-gateways --filters attachment.vpc-id 'InternetGateways[].InternetGatewayId'
q describe-subnets --filters vpc-id 'Subnets[].SubnetId'
q describe-route-tables --filters vpc-id 'RouteTables[].RouteTableId'
q describe-network-acls --filters vpc-id 'NetworkAcls[].NetworkAclId'
# peering: check both sides, this VPC may be the requester or the accepter
q describe-vpc-peering-connections --filters requester-vpc-info.vpc-id 'VpcPeeringConnections[].VpcPeeringConnectionId'
q describe-vpc-peering-connections --filters accepter-vpc-info.vpc-id 'VpcPeeringConnections[].VpcPeeringConnectionId'
q describe-vpc-endpoints --filters vpc-id 'VpcEndpoints[].VpcEndpointId'
q describe-nat-gateways --filter vpc-id 'NatGateways[].[NatGatewayId,State]'   # this subcommand spells its flag --filter
q describe-security-groups --filters vpc-id 'SecurityGroups[].GroupId'
q describe-instances --filters vpc-id 'Reservations[].Instances[].InstanceId'
q describe-vpn-gateways --filters attachment.vpc-id 'VpnGateways[].VpnGatewayId'
# the Description column is what names the service that owns an ENI
q describe-network-interfaces --filters vpc-id 'NetworkInterfaces[].[NetworkInterfaceId,Status,Description]'
q describe-local-gateway-route-table-vpc-associations --filters vpc-id 'LocalGatewayRouteTableVpcAssociations[].LocalGatewayRouteTableVpcAssociationId'
Asomatous answered 16/10, 2022 at 1:45 Comment(1)
Your answer could be improved by formatting the commands using code blocks, and then explain what these commands do since it's a very long chain of commands.Moselle

© 2022 - 2024 — McMap. All rights reserved.