How do I resolve a dependency error I receive when I try to delete my VPC?

When I try to delete my VPC, I receive a dependency error.

Short description

When you delete a VPC, all its components must also be deleted. These components include subnets, security groups, network access control lists (ACLs), route tables, internet gateways, and DHCP options.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Before you delete your VPC, you must remove all associated and dependent resources. You can delete a VPC either through the Amazon Virtual Private Cloud (Amazon VPC) console or the AWS CLI. When you delete a VPC through the Amazon VPC console, certain dependencies such as subnets, internet gateways, and others will also be automatically removed. However, when you use the AWS CLI, you must first delete all dependent resources manually before you delete the VPC itself.

AWS CLI

"An error occurred (DependencyViolation) when calling the DeleteVpc operation: The vpc 'vpc-id' has dependencies and cannot be deleted."

You receive this error when there are dependencies that you must remove before you delete the VPC. To resolve this error, complete the following steps:

  1. Run the following script to find the remaining dependencies:
    #!/bin/bash
    # Set these two values before you run the script.
    VPC_ID="vpc-#############"
    AWS_REGION="yy-yyyy-y"
    aws ec2 describe-internet-gateways --region "$AWS_REGION" --filters "Name=attachment.vpc-id,Values=$VPC_ID" | grep InternetGatewayId
    aws ec2 describe-subnets --region "$AWS_REGION" --filters "Name=vpc-id,Values=$VPC_ID" | grep SubnetId
    aws ec2 describe-route-tables --region "$AWS_REGION" --filters "Name=vpc-id,Values=$VPC_ID" | grep RouteTableId
    aws ec2 describe-network-acls --region "$AWS_REGION" --filters "Name=vpc-id,Values=$VPC_ID" | grep NetworkAclId
    aws ec2 describe-vpc-peering-connections --region "$AWS_REGION" --filters "Name=requester-vpc-info.vpc-id,Values=$VPC_ID" | grep VpcPeeringConnectionId
    aws ec2 describe-vpc-endpoints --region "$AWS_REGION" --filters "Name=vpc-id,Values=$VPC_ID" | grep VpcEndpointId
    # describe-nat-gateways takes --filter (singular), unlike the other commands.
    aws ec2 describe-nat-gateways --region "$AWS_REGION" --filter "Name=vpc-id,Values=$VPC_ID" | grep NatGatewayId
    aws ec2 describe-security-groups --region "$AWS_REGION" --filters "Name=vpc-id,Values=$VPC_ID" | grep GroupId
    aws ec2 describe-instances --region "$AWS_REGION" --filters "Name=vpc-id,Values=$VPC_ID" | grep InstanceId
    aws ec2 describe-vpn-gateways --region "$AWS_REGION" --filters "Name=attachment.vpc-id,Values=$VPC_ID" | grep VpnGatewayId
    aws ec2 describe-network-interfaces --region "$AWS_REGION" --filters "Name=vpc-id,Values=$VPC_ID" | grep NetworkInterfaceId
    aws ec2 describe-carrier-gateways --region "$AWS_REGION" --filters "Name=vpc-id,Values=$VPC_ID" | grep CarrierGatewayId
    aws ec2 describe-local-gateway-route-table-vpc-associations --region "$AWS_REGION" --filters "Name=vpc-id,Values=$VPC_ID" | grep LocalGatewayRouteTableVpcAssociationId
    aws ec2 describe-vpc-peering-connections --region "$AWS_REGION" --filters "Name=accepter-vpc-info.vpc-id,Values=$VPC_ID" | grep VpcPeeringConnectionId
    Note: In the preceding script, replace the VPC_ID value with your VPC ID and the AWS_REGION value with your AWS Region. Use credentials with appropriate permissions to run the Describe API calls.
  2. Delete any dependencies that you identified in step 1.
  3. Delete your VPC.

Amazon VPC console

The following are some common dependency errors you might receive when you delete a VPC through the console:

"VPC contains one or more instances, and cannot be deleted until those instances have been terminated."

You receive this error when the VPC has Amazon Elastic Compute Cloud (Amazon EC2) instances that run on it.

To resolve this error, terminate your Amazon EC2 instances.

"VPC contains one or more in-use network interfaces, and cannot be deleted until those network interfaces have been deleted."

You receive this error when your VPC has network interfaces that are in use or available.

"An error occurred (InvalidParameterValue) when calling the DeleteNetworkInterface operation: Network interface 'eni-aabbccdd' is currently in use."

You receive this error when there are requester-managed network interfaces that you can't delete. To delete requester-managed network interfaces, you must delete the AWS service that created the network interfaces.

To remove the dependent services, complete the following steps:

  1. Open the Amazon EC2 console.
  2. Select the Region that the VPC is in.
  3. In the navigation pane, under Network Interfaces, search for the VPC ID of the VPC that you want to delete.
  4. Select the network interface and choose the Details tab.
  5. Review the Description to see the resources that the network interface is attached to.
  6. Delete the associated resources.
    Note: If the network interface is a primary interface, then when you delete the instance, the resources are also deleted.
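
The same review of network interfaces can be done on the JSON that aws ec2 describe-network-interfaces returns. The following is an added example, not part of the original article: it sorts each interface into the action that unblocks VPC deletion. The sample data and IDs are constructed, the action names are hypothetical, and the "detach-then-delete" branch assumes that any remaining in-use interface is a secondary attachment.

```python
import json

# Constructed sample in the shape of
# `aws ec2 describe-network-interfaces --output json` (IDs are made up).
SAMPLE = json.loads("""
{"NetworkInterfaces": [
  {"NetworkInterfaceId": "eni-0aaa", "Status": "in-use", "RequesterManaged": false,
   "Description": "", "Attachment": {"InstanceId": "i-0123", "DeviceIndex": 0}},
  {"NetworkInterfaceId": "eni-0bbb", "Status": "in-use", "RequesterManaged": false,
   "Description": "extra nic", "Attachment": {"InstanceId": "i-0123", "DeviceIndex": 1}},
  {"NetworkInterfaceId": "eni-0ccc", "Status": "in-use", "RequesterManaged": true,
   "Description": "Interface for NAT Gateway nat-0example", "Attachment": {"DeviceIndex": 1}},
  {"NetworkInterfaceId": "eni-0ddd", "Status": "available", "RequesterManaged": false,
   "Description": "leftover"}
]}
""")


def triage(eni):
    """Return (action, detail) for one NetworkInterfaces entry."""
    att = eni.get("Attachment") or {}
    if eni.get("RequesterManaged"):
        # Cannot be deleted directly; the service that created it must go first.
        # The Description usually names that resource.
        return "delete-owning-service", eni.get("Description") or "(no description)"
    if att.get("InstanceId") and att.get("DeviceIndex") == 0:
        # Primary interface: removed when the instance is terminated.
        return "terminate-instance", att["InstanceId"]
    if eni.get("Status") == "available":
        # Unattached and not service-owned: safe to delete on its own.
        return "delete-interface", eni["NetworkInterfaceId"]
    # Assumption: any other in-use interface is a secondary attachment.
    return "detach-then-delete", att.get("InstanceId", "unknown attachment")


def plan(doc):
    """Map each interface ID to its triage result."""
    return {e["NetworkInterfaceId"]: triage(e) for e in doc.get("NetworkInterfaces", [])}


if __name__ == "__main__":
    for eni_id, (action, detail) in plan(SAMPLE).items():
        print(f"{eni_id}: {action} -> {detail}")
```

To run it on a real VPC, load the saved output of the describe-network-interfaces command from step 1 of the AWS CLI section (without the grep) and pass it to plan() in place of SAMPLE.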

"VPC has one or more attached NAT gateways or virtual private gateways, and cannot be deleted until they are detached or deleted."

You receive this error when the VPC has a dependent gateway. To resolve this error, complete the steps in Delete a NAT gateway and Delete an AWS Site-to-Site VPN connection and gateway.

"The VPC is peered as a requester with at least one other VPC through peering connections."

You receive this error when there are active VPC peering connections. To resolve this error, complete the steps in Delete a VPC peering connection.

Other dependency errors

If you still have dependencies that prevent you from deleting the VPC, first delete the carrier gateway. Then disassociate the VPC from any local gateway route tables.

To delete the carrier gateway, complete the following steps:

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose Carrier Gateways.
  3. Select the carrier gateway, choose Actions, and then choose Delete carrier gateway.
  4. In the Delete carrier gateway dialog box, enter Delete, and then choose Delete.

To disassociate the VPC from any local gateway route tables, complete the following steps:

  1. Open the AWS Outposts console.
  2. In the navigation pane, choose Local gateway route tables.
  3. Select the route table.
  4. Choose Actions, and then choose View details.
  5. In VPC associations, select the VPC to disassociate, and then choose Disassociate.

Related information

Why can't I detach or delete an elastic network interface that Lambda created?

How can I delete my VPC that is shared with another AWS account?

Why can't I delete my requester-managed VPC endpoint?

Delete your VPC

3 Comments

In the above script, the AWS CLI command below is incorrect:

aws --profile prod ec2 describe-vpn-connections --region $region --filters 'Name=vpc-id,Values='$vpc | grep VpnConnectionId

The API call DescribeVPNConnections does not have a vpc-id filter.

https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-vpn-connections.html

The correct AWS CLI command should be:

aws --profile prod ec2 describe-vpn-connections --region $region --filters 'Name=vpn-gateway-id,Values='vgw-xxxxx

replied 2 years ago

Thanks for the script.

Please also include one more line in the script to list peering connections where the VPC is the accepter, like this: aws ec2 describe-vpc-peering-connections --region $region --filters 'Name=accepter-vpc-info.vpc-id,Values='$vpc | grep VpcPeeringConnectionId

replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
EXPERT
replied 2 years ago