Why can't I delete my requester-managed VPC endpoint?


When I try to delete my requester-managed Amazon Virtual Private Cloud (Amazon VPC) endpoint, I receive an error.

Short description

When you try to delete an interface VPC endpoint, you might receive the following error:

"vpce-0399e6e9fd2f4e430: Operation is not allowed for requester-managed VPC endpoints for the service com.amazonaws.vpce.region.vpce-svc-04c257ad126576358."

You receive this error when the endpoint you want to delete is a requester-managed VPC endpoint. AWS managed services such as Amazon Aurora Serverless create requester-managed endpoints. To delete this type of endpoint, you must first identify the AWS managed service that created the endpoint and delete the resource. Then, the AWS managed service that originally created the endpoint automatically deletes the endpoint.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Identify the AWS service that created endpoints in the last 90 days

To determine the service that created the endpoint, use AWS CloudTrail. Make sure to set the CloudTrail console view to the last 90 days of recorded API activity (management events).

To view CloudTrail events, complete the following steps:

  1. Open the CloudTrail console.
  2. In the navigation pane, choose Event history.
  3. For the lookup attribute, choose Resource name. Then, in the resource name filter, enter the VPC endpoint ID, for example vpce-######.
  4. In the CreateVpcEndpoint API call, check the Username value. For endpoints created by Aurora Serverless, the username is RDSAuroraServeless. For endpoints created by Amazon Relational Database Service (Amazon RDS) Proxy, the username is RDSSlrAssumptionSession.
  5. To identify endpoints created by AWS Network Firewall, view the event record for the CreateVpcEndpoint API call. Then, check for tags that have the Firewall and AWSNetworkFirewallManaged keys.
    Example:
    {
        "Tag": [
            {
                "Value": "arn:aws:network-firewall:region:account number:firewall/firewall name",
                "tag": 1,
                "Key": "Firewall"
            },
            {
                "Value": true,
                "tag": 2,
                "Key": "AWSNetworkFirewallManaged"
            }
        ]
    }
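The following script is an added example, not part of the AWS article, that applies the three signatures above to CloudTrail records: it scans `lookup-events` output for the CreateVpcEndpoint call, maps the Username values the article lists to their services, and falls back to the Firewall and AWSNetworkFirewallManaged tags. The sample events are constructed; the nesting of the "Tag" list under requestParameters is an assumption, so the tag walk is nesting-agnostic, and the service-role username in the sample is a placeholder.

```python
import json
from typing import Any, Dict, Iterator, List, Optional

# Username values the article lists for the CreateVpcEndpoint call.
USERNAME_TO_SERVICE = {
    "RDSAuroraServeless": "Aurora Serverless",
    "RDSSlrAssumptionSession": "Amazon RDS Proxy",
}


def iter_tags(node: Any) -> Iterator[Dict[str, Any]]:
    """Yield every {"Key", "Value"} tag dict found anywhere in a parsed CloudTrail
    event. The exact path of the "Tag" list under requestParameters is an
    assumption, so the walk does not depend on it."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "Tag" and isinstance(value, list):
                for tag in value:
                    if isinstance(tag, dict) and "Key" in tag:
                        yield tag
            else:
                yield from iter_tags(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_tags(item)


def classify_creator(event: Dict[str, Any]) -> Optional[str]:
    """Return the AWS managed service that a CreateVpcEndpoint event attributes the
    endpoint to, or None when the event matches none of the known signatures."""
    if event.get("EventName") != "CreateVpcEndpoint":
        return None
    service = USERNAME_TO_SERVICE.get(event.get("Username", ""))
    if service:
        return service
    # "CloudTrailEvent" is the raw event record as a JSON string.
    detail = json.loads(event.get("CloudTrailEvent") or "{}")
    tags = {t["Key"]: t.get("Value") for t in iter_tags(detail)}
    managed = str(tags.get("AWSNetworkFirewallManaged", "")).lower() == "true"
    if managed and "Firewall" in tags:
        return f"AWS Network Firewall ({tags['Firewall']})"
    return None


def find_creator(events: List[Dict[str, Any]]) -> Optional[str]:
    """Scan the 'Events' list from lookup-events and report the first match."""
    for event in events:
        service = classify_creator(event)
        if service:
            return service
    return None


# Constructed sample records in the shape of `aws cloudtrail lookup-events`
# output. Account number, firewall name and role name are placeholders.
SAMPLE_EVENTS = [
    {"EventName": "DescribeVpcEndpoints", "Username": "alice", "CloudTrailEvent": "{}"},
    {
        "EventName": "CreateVpcEndpoint",
        "Username": "example-service-role",  # placeholder, not a real role name
        "CloudTrailEvent": json.dumps({
            "requestParameters": {"CreateVpcEndpointRequest": {
                "TagSpecification": {"ResourceType": "vpc-endpoint", "Tag": [
                    {"Value": "arn:aws:network-firewall:us-east-1:111122223333:firewall/example-fw",
                     "tag": 1, "Key": "Firewall"},
                    {"Value": True, "tag": 2, "Key": "AWSNetworkFirewallManaged"},
                ]}}}}),
    },
]

if __name__ == "__main__":
    print(find_creator(SAMPLE_EVENTS))
```

To run it against a real endpoint, feed it the `Events` list from `aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceName,AttributeValue=vpce-###### --query Events`, remembering that Event history only covers the last 90 days, which is why the article's next section covers older endpoints.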

Identify the AWS service that created endpoints more than 90 days ago

Check whether Network Firewall created the endpoint

Complete the following steps:

  1. Open the VPC console.
  2. Choose Endpoints.
  3. Select the endpoint, and then choose the Tags tab.
  4. If you see the following values in Tags, then Network Firewall created the endpoint:
    The Key is AWSNetworkFirewallManaged and the Value is True.
    The Key is Firewall and the Value is your Network Firewall ARN arn:aws:network-firewall:region:account number:firewall/firewall name.

(Optional) To verify that Network Firewall has the endpoint, complete the following steps:

  1. Open the VPC console.
  2. In the navigation pane, under Network Firewall, choose Firewalls.
  3. Choose Firewall details.
  4. Review the firewall configuration details.

Check whether Aurora Serverless created the endpoint

Perform a name lookup for the existing Aurora Serverless databases' endpoints. If the returned Canonical Name Record (CNAME) matches the VPC interface endpoint DNS name, then Aurora Serverless created the endpoint.

For example, you have an interface VPC endpoint with the ID vpce-0013b47d434ae7786 that you can't delete. To verify whether Aurora Serverless created the endpoint, complete the following steps:

  1. Perform a name lookup on the Aurora Serverless endpoint:

    dig test1.proxy-chnis5vssnuj.us-east-1.rds.amazonaws.com +short

    Example output:

    vpce-0ce9fdcdd4aa4097e-1hbywnw6.vpce-svc-0b2f119acb23c050e.us-east-1.vpce.amazonaws.com.
    172.31.4.218
    172.31.21.82
  2. Check the CNAME value of the record to see whether it matches the DNS name of the endpoint that you want to delete.

(Optional) To verify the DNS name of the endpoint, complete the following steps:

  1. Open the VPC console.
  2. Choose Endpoints.
  3. Choose the Details tab, and then review the listed DNS names.
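The next block is an added example (not from the AWS article) that automates the comparison in the Aurora Serverless and RDS Proxy checks: it parses `dig +short` output, pulls the endpoint ID out of the CNAME, and compares the CNAME against the DNS names listed for the endpoint you cannot delete. The CNAME layout is inferred from the output shown on the page, so the regular expression is an assumption; the DNS-name comparison is the article's own step 2 and is the authoritative check. The sample output is the page's example; the DNS-name list is constructed.

```python
import re
from typing import List, Optional

# Assumed layout, derived from the example on the page:
#   vpce-<endpoint id>-<suffix>.vpce-svc-<service id>.<region>.vpce.amazonaws.com.
CNAME_RE = re.compile(
    r"^(vpce-[0-9a-f]+)-[0-9a-z]+\.(vpce-svc-[0-9a-f]+)\.[a-z0-9-]+\.vpce\.amazonaws\.com\.?$"
)


def endpoint_id_from_dig(dig_short_output: str) -> Optional[str]:
    """Return the interface endpoint ID named by the CNAME line of `dig +short`
    output, or None when no line looks like a VPC endpoint CNAME."""
    for line in dig_short_output.splitlines():
        match = CNAME_RE.match(line.strip())
        if match:
            return match.group(1)
    return None


def cname_matches_dns_names(dig_short_output: str, endpoint_dns_names: List[str]) -> bool:
    """The article's step 2: does the CNAME equal one of the endpoint's DNS names?
    The names come from the Details tab or from
    `aws ec2 describe-vpc-endpoints --vpc-endpoint-ids <id> --query
    "VpcEndpoints[].DnsEntries[].DnsName"`. Trailing dots and case are ignored."""
    wanted = {name.rstrip(".").lower() for name in endpoint_dns_names}
    for line in dig_short_output.splitlines():
        candidate = line.strip().rstrip(".").lower()
        if candidate and candidate in wanted:
            return True
    return False


def created_by_database_service(dig_short_output: str, stuck_endpoint_id: str,
                                endpoint_dns_names: List[str]) -> bool:
    """True when the lookup result points at the endpoint you cannot delete, by
    either the CNAME's endpoint ID or an exact DNS-name match."""
    return (endpoint_id_from_dig(dig_short_output) == stuck_endpoint_id
            or cname_matches_dns_names(dig_short_output, endpoint_dns_names))


# The dig output shown on the page for the Aurora Serverless endpoint.
SAMPLE_DIG = """vpce-0ce9fdcdd4aa4097e-1hbywnw6.vpce-svc-0b2f119acb23c050e.us-east-1.vpce.amazonaws.com.
172.31.4.218
172.31.21.82
"""

# Constructed DNS-name list, as the Details tab would show for that endpoint.
SAMPLE_DNS_NAMES = [
    "vpce-0ce9fdcdd4aa4097e-1hbywnw6.vpce-svc-0b2f119acb23c050e.us-east-1.vpce.amazonaws.com",
    "vpce-0ce9fdcdd4aa4097e-1hbywnw6-us-east-1a.vpce-svc-0b2f119acb23c050e.us-east-1.vpce.amazonaws.com",
]

if __name__ == "__main__":
    print(endpoint_id_from_dig(SAMPLE_DIG))
    print(created_by_database_service(SAMPLE_DIG, "vpce-0ce9fdcdd4aa4097e", SAMPLE_DNS_NAMES))
```

For RDS Proxy, run the same comparison once per proxy endpoint, as the article instructs; a lookup that resolves to a different endpoint ID (for example the page's vpce-0013b47d434ae7786 against this sample) simply returns False and you move on to the next candidate.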

Check whether Amazon RDS Proxy created the endpoint

Perform a name lookup for the Amazon RDS Proxy endpoints. Then, complete the preceding steps provided for Aurora Serverless. If there are multiple Amazon RDS Proxy endpoints, then repeat the steps for each endpoint.

Check whether Amazon Redshift created the endpoint

Complete the following steps:

  1. Open the Amazon Redshift console.
  2. In the navigation pane, choose Configurations.
  3. Check whether there are any endpoints configured under Redshift-managed VPC endpoints.

Delete the resource

After you identify the service that created the endpoint, delete the resource. Then the service automatically deletes the endpoint.

For endpoints created by Network Firewall, delete the network firewall.

For endpoints created by Aurora Serverless, delete the Aurora Serverless DB cluster.

For endpoints created by Amazon RDS Proxy, delete the RDS Proxy.

For Amazon Redshift managed VPC endpoints, use the Amazon Redshift console or the delete-endpoint-access AWS CLI command.

AWS OFFICIAL. Updated 4 months ago.