
Why can't I delete my requester-managed VPC endpoint?


I want to know why I can't delete my requester-managed Amazon Virtual Private Cloud (Amazon VPC) endpoint.

Short description

When deleting an interface VPC endpoint, you might receive the following error: "vpce-0399e6e9fd2f4e430: Operation is not allowed for requester-managed VPC endpoints for the service com.amazonaws.vpce.region.vpce-svc-04c257ad126576358."

This error occurs when the endpoint you are deleting is a requester-managed VPC endpoint. Requester-managed endpoints are created by AWS-managed services (for example, Amazon Aurora Serverless) on your behalf. To delete this type of endpoint, you must first determine which AWS-managed service created it, then delete that service's resource; only after that can you delete the endpoint.

Resolution

To verify which AWS-managed service created an endpoint, do the following:

If the endpoint was created within 90 days

If the endpoint was created within 90 days of when you are trying to delete it, use AWS CloudTrail to determine which service created it. Make sure to set the CloudTrail console view to the last 90 days of recorded API activity (management events).

To view CloudTrail events, do the following:

  1. Open the CloudTrail console.
  2. In the navigation pane, choose Event history.
  3. From the dropdown list, select Resource name. Then, enter the VPC endpoint ID (for example, vpce-xxxxxx) in the filter.
  4. In the CreateVpcEndpoint API call, check the username. For endpoints created by Aurora Serverless, the username displays as RDSAuroraServerless. For endpoints created by Amazon Relational Database Service (Amazon RDS) Proxy, the username displays as RDSSlrAssumptionSession. To identify endpoints created by AWS Network Firewall, view the event record for the CreateVpcEndpoint API call and check for tags with the keys Firewall and AWSNetworkFirewallManaged:
    "Tag": [
        {
            "Value": "arn:aws:network-firewall:<region>:<account number>:firewall/<firewall name>",
            "tag": 1,
            "Key": "Firewall"
        },
        {
            "Value": true,
            "tag": 2,
            "Key": "AWSNetworkFirewallManaged"
        }
    ]
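The classification in step 4 can be automated over the records that the CloudTrail lookup-events API returns for a vpce-... resource name. The following is an added example, not code from the article or from AWS: it walks the event's requestParameters for the Firewall and AWSNetworkFirewallManaged tags and falls back to the username values listed above. The sample records and the username constructed-example-user are made up for illustration.

```python
import json

# Username values the article lists for CreateVpcEndpoint calls made by AWS services.
SERVICE_BY_USERNAME = {
    "RDSAuroraServerless": "Aurora Serverless",
    "RDSSlrAssumptionSession": "RDS Proxy",
}

def find_tags(node):
    """Yield (Key, Value) for every tag object inside requestParameters.
    The EC2 request nests tags under TagSpecification/Tag, so walk recursively."""
    if isinstance(node, dict):
        if "Key" in node and "Value" in node:
            yield node["Key"], node["Value"]
        for child in node.values():
            yield from find_tags(child)
    elif isinstance(node, list):
        for child in node:
            yield from find_tags(child)

def identify_creator(event):
    """event: one item of the 'Events' list that the CloudTrail lookup-events API
    returns when filtered on ResourceName = the vpce-... ID.
    Returns (service, detail), or None if the event is not the creation call."""
    if event.get("EventName") != "CreateVpcEndpoint":
        return None
    record = json.loads(event["CloudTrailEvent"])  # the full event is a JSON string
    tags = dict(find_tags(record.get("requestParameters", {})))
    # Network Firewall tags the endpoint; the tag value may be boolean or "True".
    if str(tags.get("AWSNetworkFirewallManaged", "")).lower() == "true":
        return ("AWS Network Firewall", tags.get("Firewall"))
    username = event.get("Username", "")
    if username in SERVICE_BY_USERNAME:
        return (SERVICE_BY_USERNAME[username], username)
    return ("unknown", username)  # a person or another service created it

# Constructed sample records in the lookup-events shape (not real account data).
FIREWALL_EVENT = {
    "EventName": "CreateVpcEndpoint",
    "Username": "constructed-example-user",
    "CloudTrailEvent": json.dumps({"eventName": "CreateVpcEndpoint", "requestParameters": {
        "CreateVpcEndpointRequest": {"TagSpecification": {"Tag": [
            {"Value": "arn:aws:network-firewall:<region>:<account number>:firewall/<firewall name>",
             "tag": 1, "Key": "Firewall"},
            {"Value": True, "tag": 2, "Key": "AWSNetworkFirewallManaged"},
        ]}}}}),
}
PROXY_EVENT = {
    "EventName": "CreateVpcEndpoint",
    "Username": "RDSSlrAssumptionSession",
    "CloudTrailEvent": json.dumps({"eventName": "CreateVpcEndpoint", "requestParameters": {}}),
}
```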

If the endpoint is older than 90 days

Determine if AWS Network Firewall created the endpoint

  1. Open the VPC console, and then select Endpoints.
  2. Select the endpoint and then select Tags.
  3. Check for the following:
    The Key is AWSNetworkFirewallManaged and the Value is True.
    The Key is Firewall and the Value is your Network Firewall ARN arn:aws:network-firewall:region:account number:firewall/firewall name.

To view endpoints created by AWS Network Firewall, do the following:

  1. Open the VPC console, and then select Firewalls.
  2. Select Firewall details.

Determine if Aurora Serverless created the endpoint

If Aurora Serverless created the requester-managed interface endpoint more than 90 days ago, perform a name lookup on the endpoint of each existing Aurora Serverless database. The lookup returns a CNAME that is the DNS name of the VPC interface endpoint. You can use this to confirm whether Aurora Serverless created the endpoint.

For example, you have an interface VPC endpoint with the ID vpce-0013b47d434ae7786 that you can't delete. To verify whether Aurora Serverless created the endpoint, do the following:

  1. Perform a name lookup on the Aurora Serverless endpoint:

    dig test1.proxy-chnis5vssnuj.us-east-1.rds.amazonaws.com +short
    vpce-0ce9fdcdd4aa4097e-1hbywnw6.vpce-svc-0b2f119acb23c050e.us-east-1.vpce.amazonaws.com.
    172.31.4.218
    172.31.21.82
  2. Check the CNAME value of the record matching the DNS name of the endpoint that you're trying to delete. This confirms that this endpoint was created by Aurora Serverless.
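The CNAME comparison in step 2 is easy to get wrong by hand (trailing dots, case, AZ-specific names), so here is an added example, not part of the article, that parses the dig +short output above and checks it against the DNS names shown on the endpoint's Details tab. The dig output is the article's; the ENDPOINT_DNS_NAMES list is constructed for illustration.

```python
import re

# Interface endpoint DNS names have the form
#   vpce-<id>-<random>.vpce-svc-<id>.<region>.vpce.amazonaws.com
VPCE_DNS = re.compile(
    r"^(vpce-[0-9a-f]+)-[0-9a-z]+(?:-[a-z0-9-]+)?\.vpce-svc-[0-9a-f]+\.[a-z0-9-]+\.vpce\.amazonaws\.com$",
    re.IGNORECASE,
)

def cname_target(dig_short_output):
    """Return the vpce.amazonaws.com name from 'dig +short' output, or None.
    +short prints the CNAME target first, followed by the A records it resolves to."""
    for line in dig_short_output.splitlines():
        line = line.strip().rstrip(".").lower()
        if VPCE_DNS.match(line):
            return line
    return None

def endpoint_id_from_dns(name):
    """Extract the vpce-... ID embedded in an endpoint DNS name."""
    m = VPCE_DNS.match(name.strip().rstrip(".").lower())
    return m.group(1) if m else None

def matches_endpoint(dig_short_output, endpoint_dns_names):
    """True when the database name resolves, via CNAME, to one of the DNS names of
    the endpoint you cannot delete (the Details tab list, or DnsEntries[].DnsName
    from describe-vpc-endpoints)."""
    target = cname_target(dig_short_output)
    if target is None:
        return False  # no CNAME: this database does not use a VPC endpoint
    names = {n.strip().rstrip(".").lower() for n in endpoint_dns_names}
    return target in names

# dig +short output from the article; the endpoint's DNS name list is constructed.
DIG_OUTPUT = """vpce-0ce9fdcdd4aa4097e-1hbywnw6.vpce-svc-0b2f119acb23c050e.us-east-1.vpce.amazonaws.com.
172.31.4.218
172.31.21.82
"""
ENDPOINT_DNS_NAMES = [
    "vpce-0ce9fdcdd4aa4097e-1hbywnw6.vpce-svc-0b2f119acb23c050e.us-east-1.vpce.amazonaws.com",
    "vpce-0ce9fdcdd4aa4097e-1hbywnw6-us-east-1a.vpce-svc-0b2f119acb23c050e.us-east-1.vpce.amazonaws.com",
]
```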

To verify the DNS name of the endpoint, do the following:

  1. Open the VPC console and then select Endpoints.
  2. Select the Details tab and view the listed DNS names.

Determine if RDS Proxy created the endpoint

Complete the preceding steps provided for Aurora Serverless. If there are multiple RDS Proxy and Aurora Serverless endpoints, repeat the steps for each endpoint.

Determine if it is a Redshift-managed VPC endpoint

  1. Open the Amazon Redshift console, and then choose Configurations.
  2. Check if there are any endpoints configured under Redshift-managed VPC endpoints.

Delete the service

After identifying the service that created the endpoint, delete the service (and the corresponding endpoint).

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

AWS OFFICIAL
Updated 4 months ago