Cannot Delete an AWS VPC

Question

I want to delete an AWS VPC which I don't know how it came into existence. When I try to delete it in AWS Console, it says:

We could not delete the following VPC (vpc-0a72ac71) Network interface 'eni-ce2a0d10' is currently in use. (Service: AmazonEC2; Status Code: 400; Error Code: InvalidParameterValue; Request ID: 821d8a6d-3d9b-4c24-b372-314ea9b18b23)

As it mentions "AmazonEC2" in the error message, I suspected there might be some EC2 instances residing in this VPC. So I went into EC2 dashboard but found no EC2 exist there. However, I found there are two security groups associated with this vpc. So I decided to delete them hoping that's the cause of the error. But when I tried to do so, I got this message:

As the message says, these security groups are associated with some network interfaces. Therefore, I decided to 'Detach' those but I got this error message:

Error deleting network interfaces eni-ce2a0d10: You do not have permission to access the specified resource. eni-0b7ff712: You do not have permission to access the specified resource.

But I'm the root user so I assume I should be able to do whatever I want to do except if the resource is made by aws itself or another root account.

I know somewhere this network interface is being used but it will be very time-consuming to go through each aws service and check that.

I've already checked AWS RDS service and no instance or rds subnet is made. I've already checked this question and this with no luck.

Did you perhaps do some testing with Workspaces or Workmail? "...interface for directory..." it says in your screenshot. — Michael - sqlbot
@Michael-sqlbot sharp eyes you have! I noticed that too but as I could not answer my own question immediately, I had to wait two days to post it. — Kamran Bigdely
@Michael-sqlbot but how did you guess that directory should be related to a workspace or work email? — Kamran Bigdely
I assumed that if you had a directory service that you didn't remember starting, it must have been one you created during the quick-start process of one of those services -- it's easy to forget having done it. From the Workdocs Administrator Guide, "In the Set up a Directory page, choose Create Simple AD ... For VPC Details, you can either use an existing VPC, or have Amazon WorkDocs create and configure a VPC for you. To have Amazon WorkDocs create the VPC for you, select Set up a new VPC on my behalf." — Michael - sqlbot

Kamran Bigdely Kamran Bigdely · Accepted Answer · 2018-03-02T18:25:28

I found the root cause of this issue.

Short Answer:

That VPC was created solely for the WorkDocs service instance. So AWS was preventing me to delete its VPC and any of its dependent services and pieces.

How I figured it out:

First, I noticed something interesting has been written in the 'Description' column of the 'undeletable' Network Interfaces (you can see them in the last OP's figure):

"AWS created network interface for directory d-90672d6b72."

From "directory", I suspected that this might have something do to with AWS Directory Service. So I went to this service and noticed there is a directory associated with the VPC:

So I tried to remove this directory but I got this error message:

Error - Directory cannot be deleted This directory still has authorized applications, and cannot be deleted. To delete this directory, complete all of the following steps: • Delete the WorkDocs site attached to this directory.

Therefore, I went to AWS WorkDocs Service and found it and deleted it:

So now the directory is also deleted (circled in red), I went back to delete those network interfaces. However I realized that they are vanished! (I guess Amazon removed them on its own). I went to VPC service to see whether I'm now able to delete the VPC. Guess what? That VPC was vanished too!

Now I understand what was happening. That VPC was created solely for the WorkDocs service instance. I wish Amazon was more transparent about it.

Cannot Delete an AWS VPC

2 Answers