59

I did the AWS misfits tutorial and I thought the cleanup would be as simple as deleting the CloudFormation stack. However, items failed to delete, so I am trying to clean them up manually to assist the CloudFormation stack deletion.

I keep getting an error when trying to Detach the network interfaces (I am logged into the root account):

Error detaching network interfaces:

eni-0047gfhfgh8ab0e: You are not allowed to manage 'ela-attach' attachments.
eni-0f4a46hgfha757e: You are not allowed to manage 'ela-attach' attachments.

I am unable to delete my VPC without these being deleted.

The stack as a whole is failing to delete because of the following:

The following resource(s) failed to delete: [InternetGateway, PublicSubnetTwo, VPC, GatewayAttachement, PublicSubnetOne].

RBT
Blake Rivell
  • it doesn't say anything good about AWS to see that this question has gotten so much traffic - 42k views, 38 upvotes, 15 answers – Kaan Jun 01 '22 at 23:09
  • Take a look at this [AWS Article](https://aws.amazon.com/premiumsupport/knowledge-center/lambda-eni-find-delete/). I ran `findEniAssociations` to find out why the interface might be in use. Then you can decide if you want to first delete the dependencies and try again. I believe it's a good thing that it does not let you delete things when they are in use. In my case, I found that I could delete the ENIs after I assigned only the default VPC to each ENI. I used the CLI: `aws ec2 modify-network-interface-attribute --network-interface-id eni-1234 --groups sg-1234default` – Michael Behrens Feb 17 '23 at 21:29
  • For us it turned out to be dependent load balancers. The error message is incorrect. – bhurlow Apr 17 '23 at 16:04

15 Answers

46

I had the same issue, which gave me the following message:


This could be because there is a service in use which still uses the network interface. You could try some of the following things:

  • Remove unused VPC links from API gateway
  • Remove unused VPC Endpoint services
  • Remove unused NAT gateways
  • Remove unused ECS/EKS clusters
  • Remove unused load balancers
  • Remove unused EFS mounts

If that doesn't help, there is something wrong/stuck on the underlying OS; you should wait for it to resolve by itself or report it. I had an ENI deployed by a Lambda function; after deleting the Lambda function, the ENI got stuck. After some time I was able to detach the ENI.

Update: for the people using the aws cli, AWS support posted a bash script and documentation to easily identify ENIs that are still hanging around somewhere (source).

Cloudkollektiv
17

AWS offers this bash script to help find the dependencies:

#!/bin/bash
vpc="vpc-xxxxxxxxxxxxx"
region="yy-yyyy-y"
aws ec2 describe-internet-gateways --region $region --filters 'Name=attachment.vpc-id,Values='$vpc | grep InternetGatewayId
aws ec2 describe-subnets --region $region --filters 'Name=vpc-id,Values='$vpc | grep SubnetId
aws ec2 describe-route-tables --region $region --filters 'Name=vpc-id,Values='$vpc | grep RouteTableId
aws ec2 describe-network-acls --region $region --filters 'Name=vpc-id,Values='$vpc | grep NetworkAclId
aws ec2 describe-vpc-peering-connections --region $region --filters 'Name=requester-vpc-info.vpc-id,Values='$vpc | grep VpcPeeringConnectionId
aws ec2 describe-vpc-endpoints --region $region --filters 'Name=vpc-id,Values='$vpc | grep VpcEndpointId
aws ec2 describe-nat-gateways --region $region --filter 'Name=vpc-id,Values='$vpc | grep NatGatewayId
aws ec2 describe-security-groups --region $region --filters 'Name=vpc-id,Values='$vpc | grep GroupId
aws ec2 describe-instances --region $region --filters 'Name=vpc-id,Values='$vpc | grep InstanceId
aws ec2 describe-vpn-connections --region $region --filters 'Name=vpc-id,Values='$vpc | grep VpnConnectionId
aws ec2 describe-vpn-gateways --region $region --filters 'Name=attachment.vpc-id,Values='$vpc | grep VpnGatewayId
aws ec2 describe-network-interfaces --region $region --filters 'Name=vpc-id,Values='$vpc | grep NetworkInterfaceId
aws ec2 describe-carrier-gateways --region $region --filters Name=vpc-id,Values=$vpc | grep CarrierGatewayId
aws ec2 describe-local-gateway-route-table-vpc-associations --region $region --filters Name=vpc-id,Values=$vpc | grep LocalGatewayRouteTableVpcAssociationId

My issue was a Transit Gateway Attachment and I could figure it out at some point.

Source: https://aws.amazon.com/premiumsupport/knowledge-center/troubleshoot-dependency-error-delete-vpc/

metanerd
  • Just a personal note: use `vpc="${1}"` if you want to supply the VPC ID as a string parameter when calling the script. Easier to run it numerous times. – conedmiro Sep 10 '21 at 23:03
7

If you're working with Lambda functions in a VPC, this can be caused by an old Lambda version that is still referring to the ENI.

Try the command below to see if this is the case:

aws lambda list-versions-by-function --function-name FUNCTIONNAME | jq -r '.Versions | .[] | [.LastModified, .Version, .VpcConfig.VpcId] | @tsv' | sort
Yang_2333
  • After I deleted all the old Lambda versions that used the old VPC, the ENI was automatically deleted. I can even see a `DeleteNetworkInterface` event in CloudTrail Event History. – Sapience Aug 21 '22 at 08:47
5

Try to verify if you have an EFS mount target associated with the ENI and delete it; after that, try to delete the network interface. That worked for me.

Jotaemece
4

I had this same issue. For me, I had to delete an Endpoint Service associated with my ELB first, then I could start to get rid of the network interfaces that were set up.

780Farva
2
  1. Modify the VPC Endpoint Service to reject VPC Endpoint (deselect Require acceptance for endpoint) https://docs.aws.amazon.com/vpc/latest/userguide/modify-endpoint-service.html
  2. Delete the VPC Endpoint Service
  3. Continue deleting other resources, or try the stack deletion task again in CloudFormation.

Deletion of the VPC Endpoint Service is restricted by the VPC Endpoint that no longer exists.

1

In my case I had an EFS mount that was preventing my subnets from being deleted. My solution was to visit the AWS Management Console, search for EFS, and delete the corresponding mount. After that I was able to delete the subnets and VPC.

John Sid
0

I had the same issue. The root problem is that it won't let you delete anything because everything has something else dependent on it. The solution was to scroll down below the list of each type of resource and find the right tab to edit/delete the connections to other resources. Once those are gone, you will be able to delete the resource at the top of the page. I'm not sure which break ultimately enabled CloudFormation to delete successfully, but just going through the VPC dashboard and hitting each of these should fix the problem.

Alecg_O
0

The problem for me was that my load balancer was created with "Deletion protection" enabled. I logged on to AWS console, found my load balancer and edited its attributes setting "Deletion protection" to false. This allowed me to delete the load balancer and everything else.

Julius
0

If an error occurs on network interface deletion, wait until the NAT gateway and internet gateway entries are removed on their respective pages. Otherwise, remove any public or static IP associated with a service in the VPC.

Ezhil Arasan
0

In my case I had a DataSync instance; when I removed that, I could delete these resources.

user2965205
0

Error:

Failed to detach the network interface. API error: "You do not have permission to access the specified resource."

Solution: In order to find the resources that are still using the Elastic Network Interface, pull up the ENI details by clicking on the Network Interface ID, and use these two fields:

  • Description: should indicate which service is using the ENI (i.e. ECS, ELB, Lambda, etc.), but you might have to use some clues in the attachment ARN.
  • Security groups: should help you associate the specific cluster that's associated with it.

Once I deleted the ECS cluster that was associated with the ENI, the ENI resources went away automatically.

RBT
parliamentowl
0

Check whether any Lambda function, DB instance or EC2 instance is still in any subnet of the VPC.

Delete that particular instance first, and then the network interface will get deleted automatically.

To identify the instance you can follow these steps:

  1. Search for the network interface in the AWS Network Interfaces console.
  2. Click on it to open the detailed view, then check the interface type and delete the mentioned resource from there.

-1

Also delete any Global Accelerator instances associated with the VPC.

strizzwald
-1

I'd like to add to this conversation.

I had a similar issue and had to clear out some roles and two Cloud9 environments that I had ignored.

Worked like a charm, as my network interface was no longer associated with my Cloud9 environments.

ZimCanIT