Why can't I delete my requester-managed VPC endpoint?


Why can't I delete my requester-managed Amazon Virtual Private Cloud (Amazon VPC) endpoint?

Short description

When deleting an interface VPC endpoint, you might receive the following error:

vpce-0399e6e9fd2f4e430: Operation is not allowed for requester-managed VPC endpoints for the service com.amazonaws.vpce.region.vpce-svc-04c257ad126576358

This error occurs when the endpoint being deleted is a requester-managed VPC endpoint. Requester-managed endpoints are created by AWS-managed services (for example, Amazon Aurora Serverless). To delete this type of endpoint, you must first determine which AWS-managed service created it. After identifying the service, you must delete that service's resource before you can delete the endpoint.

Resolution

To verify which AWS-managed service created an endpoint, do the following:

If the endpoint was created within 90 days

If the endpoint was created within 90 days of when you are trying to delete it, use AWS CloudTrail to determine which service created it. Make sure to set the CloudTrail console view to the last 90 days of recorded API activity (management events).

To view CloudTrail events, do the following:

1.    Open the CloudTrail console.

2.    In the navigation pane, choose Event history.

3.    From the dropdown list, select Resource name, and then add the VPC endpoint ID (for example, vpce-xxxxxx) in the filter.

4.    Look for the CreateVpcEndpoint API call and check the username. For endpoints created by Aurora Serverless, the username displays as RDSAuroraServeless. For endpoints created by Amazon Relational Database Service (Amazon RDS) Proxy, the username displays as RDSSlrAssumptionSession. To identify endpoints created by AWS Network Firewall, view the event record for the CreateVpcEndpoint API call and check for tags with the keys Firewall and AWSNetworkFirewallManaged:

"Tag": [
    {
        "Value": "arn:aws:network-firewall:<region>:<account number>:firewall/<firewall name>",
        "tag": 1,
        "Key": "Firewall"
    },
    {
        "Value": true,
        "tag": 2,
        "Key": "AWSNetworkFirewallManaged"
    }
]

If the endpoint is older than 90 days

To determine if AWS Network Firewall created the endpoint:

1.    Open the VPC console, and then select Endpoints.

2.    Select the endpoint and then select Tags.

3.    Check for the following:

  • The Key is AWSNetworkFirewallManaged and the Value is True.
  • The Key is Firewall and the Value is your Network Firewall ARN arn:aws:network-firewall:region:account number:firewall/firewall name.

You can also view endpoints created by AWS Network Firewall by doing the following:

1.    Open the VPC console, and then select Firewalls.

2.    Select Firewall details.

To determine if Aurora Serverless created the endpoint:

If the requester-managed interface endpoint was created by Aurora Serverless more than 90 days ago, perform a name lookup for the endpoint of each existing Aurora Serverless database. The lookup returns a CNAME record whose target is the VPC interface endpoint DNS name. You can use this to confirm whether the endpoint was created by Aurora Serverless.

For example, you have an interface VPC endpoint with the ID vpce-0013b47d434ae7786 that you can't delete. To verify whether Aurora Serverless created the endpoint, do the following:

1.    Perform a name lookup on the Aurora Serverless endpoint:

dig test1.proxy-chnis5vssnuj.us-east-1.rds.amazonaws.com +short
vpce-0ce9fdcdd4aa4097e-1hbywnw6.vpce-svc-0b2f119acb23c050e.us-east-1.vpce.amazonaws.com.
172.31.4.218
172.31.21.82

2.    Check the CNAME value of the record matching the DNS name of the endpoint that you're trying to delete. This confirms that this endpoint was created by Aurora Serverless.

Note: To verify the DNS name of the endpoint, do the following:

1.    Open the VPC console and then select Endpoints.

2.    Select the Details tab and view the listed DNS names.

To determine if RDS Proxy created the endpoint:

Complete the preceding steps provided for Aurora Serverless. If there are multiple RDS Proxy and Aurora Serverless endpoints, repeat the steps for each endpoint.

To determine if it is a Redshift-managed VPC endpoint:

1.    Open the Amazon Redshift console, and then choose Configurations.

2.    Check if there are any endpoints configured under Redshift-managed VPC endpoints.
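The two identification signals described above (the CreateVpcEndpoint record's username or Network Firewall tags, and the CNAME returned by a name lookup of an Aurora Serverless or RDS Proxy endpoint) can be checked mechanically. The following is an added example, not part of the original article or any AWS tool; the event records are constructed and flattened (userName and Tag at the top level) rather than real CloudTrail output, and the constructed-principal username is a placeholder.

```python
from typing import Optional

# Usernames the article associates with each service's CreateVpcEndpoint call.
USERNAME_TO_SERVICE = {
    "RDSAuroraServeless": "Aurora Serverless",
    "RDSSlrAssumptionSession": "RDS Proxy",
}

def classify_create_event(event: dict) -> Optional[str]:
    """Name the managing service for a CreateVpcEndpoint record, or None if unrecognised."""
    if event.get("eventName") != "CreateVpcEndpoint":
        return None
    tags = {t.get("Key"): str(t.get("Value")) for t in event.get("Tag", [])}
    # Network Firewall marks its endpoints with two tags; the console shows the value as True.
    if tags.get("AWSNetworkFirewallManaged", "").lower() == "true" and "Firewall" in tags:
        return f"AWS Network Firewall ({tags['Firewall']})"
    return USERNAME_TO_SERVICE.get(event.get("userName", ""))

def endpoint_id_from_cname(cname: str) -> str:
    """'vpce-0ce9fdcdd4aa4097e-1hbywnw6.vpce-svc-...amazonaws.com.' -> 'vpce-0ce9fdcdd4aa4097e'."""
    first_label = cname.rstrip(".").split(".")[0]
    return "-".join(first_label.split("-")[:2])

def endpoint_created_by_db_service(dig_output: str, endpoint_id: str) -> bool:
    """True if the CNAME in `dig +short` output for a DB endpoint points at endpoint_id."""
    for line in dig_output.splitlines():
        line = line.strip()
        if line.startswith("vpce-") and endpoint_id_from_cname(line) == endpoint_id:
            return True
    return False

# Constructed, simplified event records (flattened: userName and Tag at top level).
SAMPLE_EVENTS = [
    {"eventName": "CreateVpcEndpoint", "userName": "RDSAuroraServeless"},
    {"eventName": "CreateVpcEndpoint", "userName": "RDSSlrAssumptionSession"},
    {"eventName": "CreateVpcEndpoint", "userName": "constructed-principal", "Tag": [
        {"Key": "Firewall", "Value": "arn:aws:network-firewall:us-east-1:111122223333:firewall/example-fw"},
        {"Key": "AWSNetworkFirewallManaged", "Value": True}]},
    {"eventName": "DeleteVpcEndpoint", "userName": "constructed-admin"},
]
# dig +short output in the shape the article shows (the first line is the CNAME).
SAMPLE_DIG = """vpce-0ce9fdcdd4aa4097e-1hbywnw6.vpce-svc-0b2f119acb23c050e.us-east-1.vpce.amazonaws.com.
172.31.4.218
172.31.21.82"""

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["eventName"], ev["userName"], "->", classify_create_event(ev))
    print(endpoint_created_by_db_service(SAMPLE_DIG, "vpce-0ce9fdcdd4aa4097e"))  # True
```

In practice the event records would come from the CloudTrail Event history filtered on the endpoint ID, and the dig output from the name lookup in the steps above.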

Delete the service

After identifying the service that created the endpoint, delete the service (and the corresponding endpoint).

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.


AWS OFFICIAL. Updated a year ago.