
Why can't I detach or delete an elastic network interface that Lambda created?


When I try to detach or delete an elastic network interface that AWS Lambda created, I get an error message.

Short description

You can delete a network interface only through Lambda. If you delete the resources that the network interface represents, then Lambda detaches and deletes the network interface for you. To delete unused network interfaces, Lambda uses the execution role of the functions that created the network interfaces. However, you can't delete network interfaces that a function or function version uses.

Lambda shares network interfaces across multiple functions and event source mappings that have the same Amazon Virtual Private Cloud (Amazon VPC) configuration, which reduces the number of network interfaces that are used in your AWS account.

Resolution

Identify the functions and function versions that use the network interface

Note: To identify the functions or function versions that currently use a network interface, use the Lambda ENI Finder bash script on the GitHub website. For more information, see Requester-managed network interfaces.

Complete the following steps:

  1. Configure the AWS CLI with an AWS Identity and Access Management (IAM) role that has permissions to query Lambda and network interfaces. For more information, see Giving Lambda functions access to resources in an Amazon VPC.
    Note: Lambda uses the permissions in a function's execution role to delete the Hyperplane elastic network interface. Delete the execution role only after Lambda deletes the Hyperplane elastic network interface.

  2. Install the command-line JSON processor jq:

    $ sudo yum install jq -y

    Note: For more information about jq, see the jq website.

  3. Verify that Git is installed:

    $ sudo yum install git -y

    If Git isn't installed, then see Getting started - installing Git on the Git website.

  4. Clone the aws-support-tools GitHub repository:

    $ git clone https://github.com/awslabs/aws-support-tools.git

    Note: For more information about the tools, see aws-support-tools on the GitHub website.

  5. Change the directory to the location of the Lambda ENI Finder:

    $ cd aws-support-tools
    $ cd Lambda
    $ cd FindEniMappings

  6. Run the Lambda ENI Finder for the network interface that you want to delete:

    ./findEniAssociations --eni eni-0123456789abcef01 --region us-east-1

    Note: In the preceding command, replace eni-0123456789abcef01 with the network interface ID. You can find the ID on the Network Interfaces page of the Amazon Elastic Compute Cloud (Amazon EC2) console. Replace us-east-1 with the AWS Region that the network interface is in.

The output returns a list of the Lambda functions and function versions that use the network interface in your account and Region. If you need any of the functions or function versions, then don't delete the network interface.

If the output doesn't list any functions or function versions, then check whether the following services in your account use the network interface:

  • Amazon Managed Streaming for Apache Kafka (Amazon MSK)
  • Self-managed Apache Kafka
  • Amazon ActiveMQ
  • Amazon RabbitMQ
  • Amazon DocumentDB

Identify event source mappings that use the network interface

Use the AWS CLI

Complete the following steps:

  1. Configure the AWS CLI with an IAM role that has permissions to query Lambda, Amazon MSK, Amazon MQ, and Amazon DocumentDB.
    Note: Lambda uses the permissions in the execution role of the function that's associated with the event source mapping to delete the Hyperplane elastic network interface. Delete the execution role only after Lambda deletes the Hyperplane elastic network interface.

  2. Run the list-event-source-mappings command:

    aws lambda list-event-source-mappings --query "EventSourceMappings[?State != 'Disabled']"

  3. Check the EventSourceArn field or SelfManagedEventSource field for each event source mapping.
    If the EventSourceArn field contains an ARN for an Amazon MSK cluster, Amazon MQ broker, or Amazon DocumentDB cluster, then note the ARN.
    To view the cluster or broker details, run one of the following commands for the event source:

    aws kafka describe-cluster-v2 --cluster-arn MSK_CLUSTER_ARN
    aws mq describe-broker --broker-id MQ_BROKER_ID
    aws docdb describe-db-clusters --db-cluster-identifier DOCDB_CLUSTER_ID

  4. In the command's output, check whether the cluster or broker uses the same subnet and security group IDs as the network interface.

  5. If the SelfManagedEventSource field exists, then check whether the network interface's subnet and security group IDs are listed under SourceAccessConfigurations in the event source mapping.
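The comparison that steps 2 through 5 describe can be scripted. The script below is an added example; it is not part of this article or of the aws-support-tools repository. It assumes the AWS CLI and jq are installed and credentials are configured, handles self-managed Kafka mappings (SourceAccessConfigurations), provisioned Amazon MSK clusters and Amazon MQ brokers, and leaves Amazon DocumentDB clusters to the manual check because their subnets come from a DB subnet group rather than the describe-db-clusters output. The function names (eni_match, set_equal, subset, find_esms_for_eni) and the sample IDs are invented for this example; the matching logic is plain POSIX shell and runs without AWS access.

```shell
#!/bin/sh
# Added example, not from the re:Post article or the aws-support-tools repo.
# Lists the enabled Lambda event source mappings whose VPC settings match a
# given Hyperplane ENI (ENI subnet among the mapping's subnets, identical
# security-group set). Assumptions: AWS CLI + jq for the live path;
# provisioned MSK clusters only (serverless clusters yield no subnets here);
# DocumentDB mappings are not inspected.

# subset "a b" "b a c": succeed when every ID in the first list is in the second.
subset() {
    for x in $1; do
        found=0
        for y in $2; do
            if [ "$x" = "$y" ]; then found=1; fi
        done
        if [ "$found" -ne 1 ]; then return 1; fi
    done
    return 0
}

# set_equal: both whitespace-separated ID lists hold exactly the same IDs.
set_equal() {
    subset "$1" "$2" && subset "$2" "$1"
}

# eni_match ENI_SUBNET "ENI_SG ..." "URI ..."
# URIs use the SourceAccessConfigurations form ("subnet:subnet-..." and
# "security_group:sg-..."). Succeeds when the ENI's subnet is one of the
# mapping's subnets and the security-group sets are identical, i.e. the
# mapping has the same subnet and security group IDs as the ENI.
eni_match() {
    eni_subnet=$1
    eni_sgs=$2
    subnet_ok=0
    uri_sgs=""
    for uri in $3; do
        case $uri in
            subnet:*)
                if [ "${uri#subnet:}" = "$eni_subnet" ]; then subnet_ok=1; fi ;;
            security_group:*)
                uri_sgs="$uri_sgs ${uri#security_group:}" ;;
        esac
    done
    if [ "$subnet_ok" -ne 1 ]; then return 1; fi
    set_equal "$eni_sgs" "$uri_sgs"
}

# find_esms_for_eni ENI_ID REGION  (live path: aws CLI + jq)
# Prints "UUID<TAB>source" for each matching mapping, followed by the CLI
# command that would turn that mapping off (step 4 of the deletion
# procedure). Nothing is changed; the command is only printed.
find_esms_for_eni() {
    eni_id=$1
    region=$2
    eni_json=$(aws ec2 describe-network-interfaces --region "$region" \
        --network-interface-ids "$eni_id" \
        --query 'NetworkInterfaces[0].[SubnetId,Groups[].GroupId]' --output json)
    eni_subnet=$(printf '%s' "$eni_json" | jq -r '.[0]')
    eni_sgs=$(printf '%s' "$eni_json" | jq -r '.[1] | join(" ")')

    # One "|"-separated record per enabled mapping: UUID|EventSourceArn|URIs
    aws lambda list-event-source-mappings --region "$region" \
        --query "EventSourceMappings[?State != 'Disabled']" --output json |
    jq -r '.[] | [.UUID, (.EventSourceArn // ""),
                  ((.SourceAccessConfigurations // []) | map(.URI) | join(" "))]
                 | join("|")' |
    while IFS='|' read -r uuid arn uris; do
        case $arn in
            arn:aws:kafka:*)
                # MSK: the subnets and security groups belong to the cluster, not the mapping
                uris=$(aws kafka describe-cluster-v2 --region "$region" --cluster-arn "$arn" \
                    --query 'ClusterInfo.Provisioned.BrokerNodeGroupInfo.[ClientSubnets,SecurityGroups]' \
                    --output json | jq -r '((.[0] // []) | map("subnet:" + .)) + ((.[1] // []) | map("security_group:" + .)) | join(" ")') ;;
            arn:aws:mq:*)
                # Amazon MQ: the broker ID is the last ARN component
                uris=$(aws mq describe-broker --region "$region" --broker-id "${arn##*:}" \
                    --query '[SubnetIds,SecurityGroups]' --output json \
                    | jq -r '((.[0] // []) | map("subnet:" + .)) + ((.[1] // []) | map("security_group:" + .)) | join(" ")') ;;
        esac
        if eni_match "$eni_subnet" "$eni_sgs" "$uris"; then
            printf '%s\t%s\n' "$uuid" "${arn:-self-managed}"
            printf '  aws lambda update-event-source-mapping --region %s --uuid %s --no-enabled\n' "$region" "$uuid"
        fi
    done
}

# Usage: sh find_esms_for_eni.sh eni-0123456789abcef01 us-east-1
if [ "$#" -eq 2 ]; then
    find_esms_for_eni "$1" "$2"
fi
```

A mapping is reported only when its security-group set is exactly the ENI's; a mapping with an extra or missing security group gets its own network interface and is not a holder of this one. The script prints the update-event-source-mapping command for each match rather than running it, so the decision to turn a mapping off stays with the operator.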

Use the Lambda console

You can also check the Event source mappings page on the Lambda console to find event source mappings for the following services:

  • Amazon MSK
  • Self-managed Apache Kafka
  • Amazon ActiveMQ
  • Amazon RabbitMQ
  • Amazon DocumentDB

Complete the following steps:

  1. Open the Lambda console.
  2. In the navigation pane, choose Event source mappings.
  3. Check the Event source service column to find event source mappings for "apache kafka", "docdb", "msk" or "mq".
  4. For "docdb", "msk" or "mq", note the cluster or broker name under Event source resource.
  5. Use the Amazon MSK, Amazon MQ or Amazon DocumentDB console to search for the cluster or broker name.
  6. Choose the cluster or broker name to view its details.
  7. In the network settings, verify that the cluster or broker is configured to use the same subnet and security group IDs as the network interface.
  8. For "apache kafka", choose the event source mapping's UUID.
  9. Choose the Event Source ARN for your service to view the event source and service configurations.
  10. Under Source access configurations, check whether the network interface's subnet and security group IDs are listed.

Delete a network interface that Lambda created

Complete the following steps:

  1. Run the Lambda ENI Finder.
  2. For each unpublished Lambda function version ($LATEST) that's listed, complete one of the following steps:
    Change the Amazon VPC configuration to use a different subnet and security group.
    -or-
    Disconnect the function from the Amazon VPC.
  3. For published Lambda function versions, delete each one.
    Note: Because you can't edit published function versions, you can't change the Amazon VPC configuration.
  4. For each Lambda event source mapping that uses the network interface, turn off or delete the event source mapping.
  5. To verify that the network interface is no longer in use, run the Lambda ENI Finder again.

Lambda automatically deletes the network interface when both of the following are true:

  • The output lists no other functions or function versions.
  • No event source mapping uses the network interface.

Related information

How do I get more elastic network interfaces if I've reached the limit in an AWS Region?

AWS OFFICIAL (updated 3 months ago)
3 Comments

Thanks, this post finally resolved my issue by finding the Lambda linked with the dangling ENI.

replied a year ago

If the output lists no other functions or function versions, then Lambda automatically deletes the network interface within 24 hours.

This is out-of-date information; the docs state that automatic deletion now happens within 20 minutes.

Deleting ENIs
When you update a function to remove its VPC configuration, Lambda requires up to 20 minutes to delete the attached Hyperplane ENI. Lambda only deletes the ENI if no other function (or published function version) is using that Hyperplane ENI.

https://docs.aws.amazon.com/lambda/latest/dg/foundation-networking.html#foundation-nw-eni-delete

replied 10 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS EXPERT
replied 10 months ago