I tried to detach or delete an elastic network interface that AWS Lambda created, but I got an error message.
Short description
You can delete a network interface only through Lambda. If you delete the resources that the network interface represents, then Lambda detaches and deletes the network interface for you. To delete unused network interfaces, Lambda uses the execution role of the functions that created the network interfaces. However, you can't delete network interfaces that a function or function version uses.
Lambda shares network interfaces across multiple functions and event source mappings that have the same Amazon Virtual Private Cloud (Amazon VPC) configuration. Because of this sharing, functions that use the same subnets and security groups use fewer network interfaces in your AWS account.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
Identify the functions and function versions that use the network interface
Note: The following commands are only for Linux and Unix operating systems.
To identify the functions or function versions that use a network interface, use the Lambda ENI Finder on the GitHub website.
Complete the following steps:
- Configure the AWS CLI with an AWS Identity and Access Management (IAM) role that has permissions to query Lambda and network interfaces.
Important: Lambda uses the permissions in a function's execution role to delete a Hyperplane elastic network interface. Delete the execution role only after Lambda deletes the Hyperplane elastic network interface.
- To install the jq command-line JSON processor, run the following command:
sudo yum install jq -y
Note: For more information, see jq on the jq website.
- To install Git, run the following command:
sudo yum install git -y
Note: For more information, see Getting started - installing Git on the Git website.
- To clone the aws-support-tools GitHub repository, run the following command:
git clone https://github.com/awslabs/aws-support-tools.git
Note: For more information, see aws-support-tools on the GitHub website.
- To change the directory to the location of the Lambda ENI Finder, run the following commands:
cd aws-support-tools
cd Lambda
cd FindEniMappings
- To run the Lambda ENI Finder for the network interface that you want to delete, run the following command:
./findEniAssociations --eni eni-0123456789abcef01 --region us-east-1
Note: Replace eni-0123456789abcef01 with the network interface ID and replace us-east-1 with the AWS Region that the network interface is in. For more information, see Requester-managed network interfaces.
The output returns a list of the Lambda functions and function versions that use the network interface in your account and Region. If you need any of the functions or function versions, then don't delete the network interface.
If the output doesn't list any functions or function versions, then check whether the following services in your account use the network interface:
- Amazon Managed Streaming for Apache Kafka (Amazon MSK)
- Self-managed Apache Kafka
- Amazon MQ for ActiveMQ
- Amazon MQ for RabbitMQ
- Amazon DocumentDB (with MongoDB compatibility)
Identify event source mappings that use the network interface
Use the AWS CLI
Complete the following steps:
- Configure the AWS CLI with an IAM role that has permissions to query Lambda, Amazon MSK, Amazon MQ, and Amazon DocumentDB.
Note: Lambda uses the permissions in the execution role of the function that's associated with the event source mapping to delete the Hyperplane elastic network interface. Delete the execution role only after Lambda deletes the Hyperplane elastic network interface.
- To list the event source mappings that aren't disabled, run the following list-event-source-mappings command:
aws lambda list-event-source-mappings --query 'EventSourceMappings[?State != `Disabled`]'
Note: In the JMESPath filter, the backticks around Disabled make it a string literal. Without them, the filter compares the State field against a field named Disabled and returns every mapping.
- Check the EventSourceArn field or SelfManagedEventSource field for each event source mapping.
If the EventSourceArn field contains an Amazon Resource Name (ARN) for an MSK cluster, Amazon MQ broker, or Amazon DocumentDB cluster, then note the ARN.
To view the cluster or broker details, run one of the following commands based on the event source.
For Amazon MSK, run the following describe-cluster-v2 command:
aws kafka describe-cluster-v2 --cluster-arn MSK_CLUSTER_ARN
Note: Replace MSK_CLUSTER_ARN with your MSK cluster ARN.
For Amazon MQ, run the following describe-broker command:
aws mq describe-broker --broker-id MQ_BROKER_ID
Note: Replace MQ_BROKER_ID with your Amazon MQ broker ID.
For Amazon DocumentDB, run the following describe-db-clusters command:
aws docdb describe-db-clusters --db-cluster-identifier DOCDB_CLUSTER_ID
Note: Replace DOCDB_CLUSTER_ID with your Amazon DocumentDB cluster ID.
- In the command's output, check whether the cluster or broker uses the same subnet and security group IDs as the network interface.
- If the SelfManagedEventSource field exists, then check whether the network interface's subnet and security group IDs are listed under SourceAccessConfigurations in the event source mapping.
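The matching that the Lambda ENI Finder and the event-source-mapping steps above perform, modelled offline in Python as an added example (this is not the ENI Finder's own code, and the page's procedure itself uses the AWS CLI): Lambda shares one network interface per combination of subnet and security-group set, so a function version or an event source mapping is tied to the network interface when the interface's subnet is one of its subnets and its security groups equal the interface's groups. Every identifier, function name and API response below is a constructed sample in the shape that the AWS CLI returns.

```python
ENI = {  # constructed: shape of `aws ec2 describe-network-interfaces` output
    "NetworkInterfaceId": "eni-0123456789abcef01", "SubnetId": "subnet-0aaa",
    "Groups": [{"GroupId": "sg-0bbb"}, {"GroupId": "sg-0ccc"}]}

FUNCTIONS = [  # constructed: `aws lambda list-versions-by-function` entries
    {"FunctionName": "orders", "Version": "$LATEST", "VpcConfig": {
        "SubnetIds": ["subnet-0aaa", "subnet-0ddd"], "SecurityGroupIds": ["sg-0ccc", "sg-0bbb"]}},
    {"FunctionName": "orders", "Version": "3", "VpcConfig": {
        "SubnetIds": ["subnet-0aaa"], "SecurityGroupIds": ["sg-0bbb"]}},
    {"FunctionName": "no-vpc", "Version": "$LATEST", "VpcConfig": {}}]

MAPPINGS = [  # constructed: `aws lambda list-event-source-mappings` entries
    {"UUID": "1111", "State": "Enabled", "SourceAccessConfigurations": [
        {"Type": "VPC_SUBNET", "URI": "subnet:subnet-0aaa"},
        {"Type": "VPC_SECURITY_GROUP", "URI": "security_group:sg-0bbb"},
        {"Type": "VPC_SECURITY_GROUP", "URI": "security_group:sg-0ccc"}]},
    {"UUID": "2222", "State": "Disabled", "SourceAccessConfigurations": [
        {"Type": "VPC_SUBNET", "URI": "subnet:subnet-0aaa"}]},
    {"UUID": "3333", "State": "Enabled",
     "EventSourceArn": "arn:aws:kafka:us-east-1:123456789012:cluster/demo/abcd"}]


def eni_matches(eni, subnet_ids, sg_ids):
    """Lambda serves a VPC config from this ENI only when the ENI's subnet is one
    of the config's subnets and the security-group sets are identical."""
    return (eni["SubnetId"] in subnet_ids
            and {g["GroupId"] for g in eni["Groups"]} == set(sg_ids))

def functions_using_eni(eni, functions):
    """Function versions (name:version) whose VpcConfig maps onto the ENI."""
    return [f"{f['FunctionName']}:{f['Version']}" for f in functions
            if eni_matches(eni, f.get("VpcConfig", {}).get("SubnetIds", []),
                           f.get("VpcConfig", {}).get("SecurityGroupIds", []))]

def mappings_using_eni(eni, mappings):
    """(UUIDs of active mappings using the ENI, EventSourceArns still to check
    with describe-cluster-v2 / describe-broker / describe-db-clusters)."""
    hits, to_describe = [], []
    for m in mappings:
        if m.get("State") == "Disabled":
            continue
        sac = m.get("SourceAccessConfigurations", [])
        subnets = [c["URI"].split(":", 1)[1] for c in sac if c["Type"] == "VPC_SUBNET"]
        sgs = [c["URI"].split(":", 1)[1] for c in sac if c["Type"] == "VPC_SECURITY_GROUP"]
        if subnets:  # self-managed Kafka: VPC settings sit on the mapping itself
            if eni_matches(eni, subnets, sgs):
                hits.append(m["UUID"])
        elif "EventSourceArn" in m:  # MSK, MQ, DocumentDB: VPC settings sit on the cluster
            to_describe.append(m["EventSourceArn"])
    return hits, to_describe
```

Version 3 of the sample function is not reported even though it sits in the same subnet, because its security-group set differs and Lambda therefore gives it its own network interface.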
Use the Lambda console
Note: To check event source mapping for self-managed Apache Kafka, you must use the Lambda console.
Complete the following steps:
- Open the Lambda console.
- In the navigation pane, choose Event source mappings.
- Check the Event source service column to find event source mappings for apache kafka, docdb, msk, or mq.
- For docdb, msk, or mq, note the cluster or broker name under Event source resource. For apache kafka, choose the event source mapping's UUID, and then proceed to step 8.
- Use the Amazon MSK, Amazon MQ, or Amazon DocumentDB console to search for the cluster or broker name.
- Choose the cluster or broker name to view its details.
- In the network settings, verify that you configured the cluster or broker to use the same subnet and security group IDs as the network interface.
- Choose the Event Source ARN for your service to view the event source and service configurations.
- Under Source access configurations, check whether the network interface's subnet and security group IDs are listed.
Delete a network interface that Lambda created
Complete the following steps:
- Run the Lambda ENI Finder.
- For each unpublished Lambda function version ($LATEST) that's listed, complete one of the following steps:
Change the Amazon VPC configuration to use a different subnet and security group.
-or-
Disconnect the function from the Amazon VPC.
- For published Lambda function versions, delete each one.
Note: Because you can't edit published function versions, you can't change the Amazon VPC configuration.
- For each Lambda event source mapping that uses the network interface, turn off or delete the event source mapping.
- To verify that the network interface is no longer in use, run the Lambda ENI Finder again.
Lambda automatically deletes the network interface when both of the following conditions are met:
- The output lists no other functions or function versions.
- The event source mapping doesn't use the network interface.
Find and delete scrapers
If you associate your Lambda network interfaces with Amazon Managed Service for Prometheus scrapers, then complete the following steps:
- To identify your scraper configuration, run the following list-rule-groups-namespaces command:
aws amp list-rule-groups-namespaces --workspace-id your-workspace-id
Note: Replace your-workspace-id with the ID of your Amazon Managed Service for Prometheus workspace. The --workspace-id parameter is required.
- To list the scrapers in your account, run the following list-scrapers command:
aws amp list-scrapers --region your-region
Note: Replace your-region with your Region.
- To delete a scraper, run the following delete-scraper command:
aws amp delete-scraper --scraper-id your-scraperId
Note: Replace your-scraperId with your scraper ID. Wait 5-10 minutes for the scraper deletion to complete before you proceed to step 4.
- To delete the ENI, run the following delete-network-interface command:
aws ec2 delete-network-interface --network-interface-id your-network-interface-id
Note: Replace your-network-interface-id with your network interface ID.
For more information, see Find and delete scrapers.
Related information
How do I get more elastic network interfaces if I've reached the limit in an AWS Region?