
Issue when trying to delete VPC and Network Interface

I am trying to delete AWS VPC (a non default one). I am getting error that "We could not delete the following VPC (vpc-xxxxxxx (xx.xx.xx.x/16)) Network interface 'eni-xxxxxx' is currently in use. (Service: AmazonEC2; Status Code: 400; Error Code: InvalidParameterValue; Request ID: xxxxxx-dd86-47c8-98cd-xxxxxxxxxxx)".

When I tried deleting the related Network Interface, I got error "eni-xxxxxxx: You do not have permission to access the specified resource."

There are security groups associated with the NI (network interface). There are subnets associated with the NI. There are no EC2 instances - all are terminated. There are no VPC endpoints. There are no RDS DBs, DB security groups or subnets.

For EC2 SGs (security groups), I am getting a permission denied error message while trying to delete (even the non-default SG against the non-default VPC). This SG has the description "AWS created security group for d-xxxxxxxxxx directory controllers".

For subnets, I am not able to delete them because they are associated with the above-mentioned NI.

Can someone help? I have a free tier account and hence don't even have technical support, nor am I able to post a new thread in the AWS forums (getting the error message - Your account is not ready for posting messages yet. Please try again later). I fear this is because I have a free tier account.

Check 2 things.

  • If you have a VPC Elastic IP Address you created in the VPC you are trying to delete.
  • Check if you created an AWS ELB in the VPC.

Delete above two resources if present then you will be able to delete the VPC.

As @karimtabet said, the VPC I was unable to delete was still assigned to an active RDS instance. After removing this RDS instance, I was able to delete the VPC.

Check whether you have any EFS instances or S3 buckets with versioning or cross-region replication enabled (this is one I ran into recently).

I solved this by deleting the active load balancer that was attached to the ENIs. You can check active load balancers on EC2 > Load Balancing > Load Balancers

I was only able to delete the ENI through the API:

aws ec2 delete-network-interface --network-interface-id eni-XXXXXXX

In my case I had created an ECS cluster with Terraform, but wasn't able to clean it up with the command terraform destroy.

In the web console I always got the error "Network interface is currently in use".

A running ECS task could be an issue, try to stop/delete the same. https://forums.aws.amazon.com/thread.jspa?threadID=114301

That network interface could be connected to a security group which is then connected to another Amazon product like ElastiCache (or anything). It's connected to something which may be connected to something else.

In my case I had to first detach and delete 2 things in EC2 section (of the same region as your VPC):

  1. Network & Security -> Elastic IPs. Delete the Elastic IP associated with your VPC
  2. Network & Security -> Network Interfaces. Detach your VPC's network interface first (This took around a minute). Then delete.

Now try deleting the VPC.

So you should check the network interfaces usage, if they don't appear it means you have to check computing and load balancing stacks for it.

For me it was a lambda test function that was using the interface and not appearing in the networkInterface for some reason. Make sure to check your lambda functions.

In my case, first we check whether there are any load balancers available; if so, we must delete the load balancers first, and then we delete the existing VPC.

You have to do it with a bottom-up approach.

  1. Delete services that are working on subnets if you have them (Redshift clusters, RDS)
  2. Check jobs in Glue, Lambda etc and delete them if you don't need them
  3. Release IP addresses from NAT Gateway
  4. Detach/Delete NAT and Internet Gateway
  5. Detach and delete subnets
  6. Delete VPC

To be able to delete Security Groups (SG) and their Network Interfaces (NI) I had to:

  • delete the inbound + outbound rules of the SGs
  • wait 5-10 minutes that NIs move from state "in use" to "available"
  • delete the NIs
  • delete the SGs

You were right. It was an ECS issue in my case, not letting me delete my ENIs, saying I don't have the permissions. I had already deregistered my ECS task definition but still it was not letting me delete resources like the VPC and ENIs created by ECS.

I had to update the version of the task definition under ECS using the same resources as the previous definition version, and then I deleted that new service and then deleted the cluster.

With the cluster, it deleted all resources like the VPC and ENIs which it was not letting me delete earlier.

I then deregistered the second version of the task definition. I had two inactive task definitions for a moment and then one task definition disappeared; now only one is there in the inactive state.

I had forgotten that I had an RDS instance that was still connected to that VPC. After deleting it, the network interface deleted itself.

There is a tool that can help you figure out which AWS resource is associated with the ENI. This post documents how to use it: https://aws.amazon.com/premiumsupport/knowledge-center/lambda-eni-find-delete/

I fixed this issue by deleting the ElastiCache resource. After that, I was able to remove the VPC.

Make sure to also check your lambda versions. I had deployed my application with the serverless framework and changed the VPC for deployment at some point in time. Hence I had to delete all previous versions of my lambda function to be able to delete the old VPC.

You can do that in the AWS console under the "version" tab for your lambda function.

If it was created by CloudFormation, deleting the CloudFormation stack might help you delete the VPC.

This happened to me as well recently, and @Pierre-Yves Savard 's answer helped me to understand it. Let me explain why it happens.

Say you have created the whole stack with a CloudFormation script, let's call it Server-Network-Stack1. Later you created some resources (for example an RDS database) manually from the AWS Console and put them inside the Subnet/VPC which your Server-Network-Stack1 CloudFormation script created previously.

Now your Server-Network-Stack1 CloudFormation stack doesn't know anything about your RDS creation, because you created it manually. So, when you try to remove Server-Network-Stack1, it will give an error which means "there is another resource which is dependent on the VPC/Subnet (indirectly the Network Interface), and it is not declared inside my script".

Therefore, I recommend you write all of the resource declarations inside CloudFormation, even if you will create them once and will not update them throughout the project lifecycle. Otherwise, your whole team must remember which resources are created with the script, and which are not.

If you have any Endpoints configured (Currently located in the VPC section in the AWS console), you must delete these first.

In my case, I deleted the Global Accelerator. Search for the Global Accelerator service and delete it. (You need the AWS CLI installed and configured.) Sorry for my English.

Deleting a NAT gateway solved the issue for me.

I had no instances attached. The network interface just was related to a subnet, security group and the VPC. This is how I solved it:

  1. Delete the Load Balancers that I had
  2. Delete the network interface
  3. Delete the VPC

You can use this script to find your resources (nano describe_vpc.sh). When you find them, delete them one by one manually. (You need the AWS CLI installed and configured.) Sorry for my English :(

#!/bin/bash
# Lists every resource still attached to the VPC, one describe call per type.
vpc="vpc-XXXXXXXXXXXXX"
aws ec2 describe-internet-gateways --filters 'Name=attachment.vpc-id,Values='$vpc | grep InternetGatewayId
aws ec2 describe-subnets --filters 'Name=vpc-id,Values='$vpc | grep SubnetId
aws ec2 describe-route-tables --filters 'Name=vpc-id,Values='$vpc | grep RouteTableId
aws ec2 describe-network-acls --filters 'Name=vpc-id,Values='$vpc | grep NetworkAclId
aws ec2 describe-vpc-peering-connections --filters 'Name=requester-vpc-info.vpc-id,Values='$vpc | grep VpcPeeringConnectionId
aws ec2 describe-vpc-endpoints --filters 'Name=vpc-id,Values='$vpc | grep VpcEndpointId
aws ec2 describe-nat-gateways --filter 'Name=vpc-id,Values='$vpc | grep NatGatewayId
aws ec2 describe-security-groups --filters 'Name=vpc-id,Values='$vpc | grep GroupId
aws ec2 describe-instances --filters 'Name=vpc-id,Values='$vpc | grep InstanceId
aws ec2 describe-vpn-gateways --filters 'Name=attachment.vpc-id,Values='$vpc | grep VpnGatewayId
aws ec2 describe-network-interfaces --filters 'Name=vpc-id,Values='$vpc | grep NetworkInterfaceId

# Same checks with an explicit region (the grep patterns below were truncated in the original).
region="yy-yyyy-y"
aws ec2 describe-vpc-peering-connections --region $region --filters 'Name=requester-vpc-info.vpc-id,Values='$vpc | grep VpcPeeringCo
aws ec2 describe-nat-gateways --region $region --filter 'Name=vpc-id,Values='$vpc | grep NatGatewayId
aws ec2 describe-instances --region $region --filters 'Name=vpc-id,Values='$vpc | grep InstanceId
aws ec2 describe-vpn-gateways --region $region --filters 'Name=attachment.vpc-id,Values='$vpc | grep VpnGatewayId
aws ec2 describe-local-gateway-route-table-vpc-associations --region $region --filters Name=vpc-id,Values=$vpc | grep LocalGatewayRo
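The script above lists what is left in the VPC but not which service owns each ENI, which is the thing every answer on this page ends up hunting for. The helper below is an added example (not from any answer here): it reads the JSON shape of `aws ec2 describe-network-interfaces` on a constructed sample and groups the ENIs by the service that appears to own them. The Description/InterfaceType patterns it matches are conventions observed in console and CLI output for these services and are assumed here, not a documented contract.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-network-interfaces`
# output (fake IDs; only the fields the classifier reads are included).
SAMPLE_OUTPUT = json.dumps({"NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-0aaa", "Status": "in-use", "InterfaceType": "interface",
     "Description": "RDSNetworkInterface"},
    {"NetworkInterfaceId": "eni-0bbb", "Status": "in-use", "InterfaceType": "lambda",
     "Description": "AWS Lambda VPC ENI-my-func-0123"},
    {"NetworkInterfaceId": "eni-0ccc", "Status": "in-use", "InterfaceType": "interface",
     "Description": "ELB app/my-alb/abc123"},
    {"NetworkInterfaceId": "eni-0ddd", "Status": "in-use", "InterfaceType": "interface",
     "Description": "arn:aws:ecs:us-east-1:111122223333:attachment/0000"},
    {"NetworkInterfaceId": "eni-0eee", "Status": "in-use", "InterfaceType": "interface",
     "Description": "AWS created network interface for directory d-1234567890"},
    {"NetworkInterfaceId": "eni-0fff", "Status": "available", "InterfaceType": "interface",
     "Description": ""},
]})

# Heuristic (Description, InterfaceType) patterns -> the service that owns the
# ENI and has to be removed before the ENI/VPC can go. These are conventions
# observed in console and CLI output, assumed here, not an API contract.
OWNER_RULES = [
    ("Lambda function (check every version)", lambda d, t: t == "lambda" or d.startswith("AWS Lambda VPC ENI")),
    ("Load balancer (EC2 > Load Balancers)", lambda d, t: d.startswith("ELB ") or t in ("load_balancer", "network_load_balancer")),
    ("RDS instance", lambda d, t: d.startswith("RDSNetworkInterface")),
    ("ECS task (awsvpc networking)", lambda d, t: d.startswith("arn:aws:ecs:")),
    ("NAT gateway", lambda d, t: t == "natGateway" or d.startswith("Interface for NAT Gateway")),
    ("VPC endpoint", lambda d, t: t == "vpc_endpoint" or d.startswith("VPC Endpoint Interface")),
    ("Global Accelerator", lambda d, t: t == "global_accelerator_managed"),
    ("ElastiCache cluster", lambda d, t: d.startswith("ElastiCache")),
    ("EFS mount target", lambda d, t: t == "efs" or d.startswith("EFS mount target")),
    ("Directory Service (AWS Managed AD / AD Connector)", lambda d, t: "for directory d-" in d),
]

def classify(eni):
    desc, itype = eni.get("Description", ""), eni.get("InterfaceType", "interface")
    for owner, match in OWNER_RULES:
        if match(desc, itype):
            return owner
    if eni.get("Status") == "available":
        return "Unattached (can be deleted directly)"
    return "Unknown owner (inspect RequesterId and Attachment)"

def group_by_owner(describe_json):
    # Map owner label -> list of ENI ids, from describe-network-interfaces JSON.
    groups = {}
    for eni in json.loads(describe_json)["NetworkInterfaces"]:
        groups.setdefault(classify(eni), []).append(eni["NetworkInterfaceId"])
    return groups
```

Feed `group_by_owner()` the real output of `aws ec2 describe-network-interfaces --filters Name=vpc-id,Values=<vpc-id>` instead of SAMPLE_OUTPUT; anything in the "Unknown owner" bucket still needs the RequesterId and Attachment fields checked by hand.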

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
