Why can't I detach or delete an elastic network interface that Lambda created?

Short description

When you configure a Lambda function to access resources in an Amazon Virtual Private Cloud (Amazon VPC), Lambda assigns the function to a network interface. You can delete this network interface only through the Lambda service. If you delete the resources that the network interface represents, then Lambda detaches and deletes the network interface for you. To delete unused network interfaces, the Lambda service uses the execution role of the functions that created the network interfaces.

A network interface might be used by functions or function versions with the same Amazon VPC configurations as the functions that created them. In this case, you can't delete the network interface.

To identify which functions or function versions currently use a network interface, use the Lambda ENI Finder bash script on GitHub. For more information, see Requester-managed network interfaces.

Note: Lambda shares network interfaces across multiple functions that have the same Amazon VPC configuration. Sharing network interfaces helps reduce the number of network interfaces that are used in your AWS account.

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you're using the most recent AWS CLI version.

Run the Lambda ENI Finder to identify functions and function versions that use the network interface

Note: The following commands are valid only for Linux, Unix, and macOS operating systems.

1.    Install the latest version of the AWS CLI.

2.    Configure the AWS CLI with an AWS Identity and Access Management (IAM) role that has permissions to query Lambda and network interfaces. For more information, see Execution role and user permissions.
Note: Lambda uses the permissions in a function's execution role to delete the Hyperplane ENI. Therefore, don't delete the execution role before Lambda deletes the Hyperplane ENI.

3.    Install the command-line JSON processor jq:

$ sudo yum install jq -y

Note: For more information, see the jq page on GitHub.

4.    Verify that Git is installed:

$ sudo yum install git -y

To install Git, see Getting Started - Installing Git on the Git website.

5.    Clone the aws-support-tools GitHub repository:

$ git clone https://github.com/awslabs/aws-support-tools.git

6.    Change the directory to the location of Lambda ENI Finder:

$ cd aws-support-tools  
$ cd Lambda  
$ cd FindEniMappings

7.    Run the Lambda ENI Finder for the network interface that you want to deleted: 

./findEniAssociations --eni eni-0123456789abcef01 --region us-east-1

Note: Replace eni-0123456789abcef01 with the network interface's ID. You can find the ID on the Network Interfaces page of the Amazon Elastic Compute Cloud (Amazon EC2) console. Also, replace us-east-1 with the AWS Region that the network interface is in.

The output returns a list of the Lambda functions and function versions in your AWS account and specified Region that use the network interface. If you still need any of these functions or function versions, then you likely don't need to delete the network interface. 

Delete a network interface that Lambda created

1.    For each unpublished Lambda function version ($LATEST) that the Lambda ENI Finder lists, take one of the following actions:

2.    Change the Amazon VPC configuration to use a different subnet and security group.

-or-

Disconnect the function from the Amazon VPC.

3.    For each published Lambda function version that's listed, delete the function version.
Note: You can't edit published function versions, so you can't change the VPC configuration.

4.    Verify that the network interface is no longer in use. To do this, run the Lambda ENI Finder again.

If the output lists no other functions or function versions, then Lambda automatically deletes the network interface within 24 hours.

Related information

How do I get more elastic network interfaces if I've reached the limit in an AWS Region?