See how many aws instances are in each availability zone - amazon-web-services

Is there a way to see how many instances are in an availability zone for AWS? I want to use the runInstances API to bring up instances but call it on the least loaded zone, which I don't see an obvious solution to. Thanks.

As far as I know there's no way to check the amount of instances in an AZ. What you could do is use an Autoscaling group and specify the AZs that you want when creating it. Autoscaling will then disperse the instance load evenly amongst the listed AZs.
AZ = Availability zone

The obvious solution seems like it would be to call DescribeInstances and use the availability-zone filter to request the details of instances in each zone you want to check and count the instances returned in the response.
Or don't use the filter, which will get all of them for the region, then examine the records to see where each of them is, since that information is all returned in the response.
<instancesSet>
<item>
<instanceId>i-1a2b3c4d</instanceId>
...
<placement>
<availabilityZone>us-west-2a</availabilityZone>
<groupName/>
<tenancy>default</tenancy>
</placement>
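
The counting this answer describes, as an added example that is not part of the original post. It works on a constructed JSON response rather than a live API call, and it takes the list of candidate zones as an input, because a zone with no instances never appears in the DescribeInstances output; the zone names and the choice to ignore terminated instances are assumptions.

```python
import json
from collections import Counter

# Constructed sample shaped like `aws ec2 describe-instances --output json`;
# the instance IDs and zones are made up for illustration.
SAMPLE_RESPONSE = json.loads("""
{"Reservations": [
  {"Instances": [
    {"InstanceId": "i-0000000000000001", "State": {"Name": "running"},
     "Placement": {"AvailabilityZone": "us-west-2a"}},
    {"InstanceId": "i-0000000000000002", "State": {"Name": "running"},
     "Placement": {"AvailabilityZone": "us-west-2a"}}]},
  {"Instances": [
    {"InstanceId": "i-0000000000000003", "State": {"Name": "stopped"},
     "Placement": {"AvailabilityZone": "us-west-2b"}},
    {"InstanceId": "i-0000000000000004", "State": {"Name": "terminated"},
     "Placement": {"AvailabilityZone": "us-west-2b"}}]}
]}
""")

# Assumption: instances on their way out should not count towards zone load.
GONE = {"shutting-down", "terminated"}


def count_by_zone(response, candidate_zones):
    """Count live instances per zone. Zones are seeded with 0 because an
    empty zone never shows up in the DescribeInstances response."""
    counts = Counter({zone: 0 for zone in candidate_zones})
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            zone = inst["Placement"]["AvailabilityZone"]
            if inst["State"]["Name"] not in GONE and zone in counts:
                counts[zone] += 1
    return dict(counts)


def least_loaded_zone(response, candidate_zones):
    """Zone with the fewest live instances; ties go to the lowest name."""
    counts = count_by_zone(response, candidate_zones)
    return min(sorted(counts), key=counts.get)


if __name__ == "__main__":
    zones = ["us-west-2a", "us-west-2b", "us-west-2c"]  # hypothetical list
    print(count_by_zone(SAMPLE_RESPONSE, zones))
    print(least_loaded_zone(SAMPLE_RESPONSE, zones))
```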

I had the same problem.
I solved it using aws cli:
# Look up the physical name of the stack's Auto Scaling group
aws cloudformation describe-stack-resources --stack-name STACKNAME \
--output text | grep 'AWS::AutoScaling::AutoScalingGroup' | cut -f3 > /tmp/tmpfile
ASGNAME="$(cat /tmp/tmpfile)"
# List the group's in-service instances; each line includes the availability zone
aws autoscaling describe-auto-scaling-groups --auto-scaling-group-names "$ASGNAME" \
--output text | grep -E 'INSTANCES.*InService'

Related

How to identify an EC2 Classic Instance

Recently got an email titled, "Important News from AWS About Amazon EC2-Classic" describing some changes that need to occur. These emails from AWS usually reference the affected resources though and this one did not. I am having a hard time identifying what resources in our account are affected by this. All our EC2 instances are in a VPC and I am not even sure if anything needs to change or not.
Is there a way to identify that an EC2 instance is classic?
I have looked through their linked documentation and gone through the instances we have but I cannot tell if they are "classic" or not.
You can identify the EC2-Classic env by checking whether the instance has a VPC ID or not.
EC2 console
VPC ID is not shown by default. Enable VPC ID from Preference -> Attribute columns.
Then if VPC ID attribute is -, that means the instance is EC2-Classic. (Except that the instance state is not terminated.)
CLI
2 ways for checking. Output is none unless EC2-classic instances exist.
Describe instance with EC2-Classic env.
aws ec2 describe-instances --filters Name=instance-state-name,Values=pending,running,shutting-down,stopping,stopped | jq '.Reservations[].Instances[] | select(.VpcId == null)'
Describe the instance if it is the EC2-Classic.
aws ec2 describe-instances --instance-ids i-xxxxxxxxxxxx --filters Name=instance-state-name,Values=pending,running,shutting-down,stopping,stopped | jq '.Reservations[].Instances[] | select(.VpcId == null)'
jq select for terminated state
This is another way to filter the result of aws ec2 describe-instances.
Adding .State.Name != "terminated" and in jq select works the same as --filters .... This might be more readable.
aws ec2 describe-instances | jq '.Reservations[].Instances[] | select(.State.Name != "terminated" and .VpcId == null)'
Edit note: Thanks to the suggestion from @AUdden, I have modified the CLI code for filtering out the terminated state. When we terminate instances (not stop), the instances exist for a while in terminated state. The terminated instances are not associated with a VPC anymore. To do that, I have added --filters Name=instance-state-name,Values=pending,running,shutting-down,stopping,stopped.
Amazon provides a script to identify all resources affected by the retirement, including resources you may not consider such as security groups.
Important: Check the file errors.txt after running the script. The script will happily run through its steps even if there is an error (such as missing/wrong credentials) without showing any hint of trouble in the console output.

How can I get the value of Usage in Service Quotas on AWS through AWS CLI?

I have created two instances with the package information t2.micro.
When I checked with Service Quotas, there were 02 instances. How can I use AWS CLI (or API) to get the value at Usage?
Hope you can help me.
You can get the total value of instances in region using something like this:
aws ec2 describe-instances --query "Reservations[].Instances[].InstanceId" --output text | wc -w
Refer to this; maybe you can get some insights.

Can't detach network interfaces

I did the AWS misfits tutorial and I thought the cleanup would be as simple as deleting the Cloud Formation stack. However, items failed to delete so I am trying to clean them up manually to assist the Cloud Formation stack deletion.
I keep getting an error when trying to Detach the network interfaces (I am logged into the root account):
Error detaching network interfaces:
eni-0047gfhfgh8ab0e: You are not allowed to manage 'ela-attach' attachments.
eni-0f4a46hgfha757e: You are not allowed to manage 'ela-attach' attachments.
I am unable to delete my VPC without these being deleted.
The stack as a whole is failing to delete because of the following:
The following resource(s) failed to delete: [InternetGateway,
PublicSubnetTwo, VPC, GatewayAttachement, PublicSubnetOne].
I had the same issue, which gave me the following message:
This could be because there is a service in use which still uses the network interface. You could try some of the following things:
Remove unused VPC links from API gateway
Remove unused VPC Endpoint services
Remove unused NAT gateways
Remove unused ECS/EKS clusters
Remove unused load balancers
Remove unused EFS mounts
If that doesn't help, there is something wrong/stuck on the underlying OS; you should wait for it to resolve by itself or report it. I had an ENI deployed by a Lambda function; after deleting the Lambda function, the ENI got stuck. After some time I was able to detach the ENI.
Update: for the people using the aws cli, AWS support posted a bash script and documentation to easily identify ENIs that are still hanging around somewhere (source).
AWS offers this bash script as help to find out the dependencies:
#!/bin/bash
vpc="vpc-xxxxxxxxxxxxx"
region="yy-yyyy-y"
aws ec2 describe-internet-gateways --region $region --filters 'Name=attachment.vpc-id,Values='$vpc | grep InternetGatewayId
aws ec2 describe-subnets --region $region --filters 'Name=vpc-id,Values='$vpc | grep SubnetId
aws ec2 describe-route-tables --region $region --filters 'Name=vpc-id,Values='$vpc | grep RouteTableId
aws ec2 describe-network-acls --region $region --filters 'Name=vpc-id,Values='$vpc | grep NetworkAclId
aws ec2 describe-vpc-peering-connections --region $region --filters 'Name=requester-vpc-info.vpc-id,Values='$vpc | grep VpcPeeringConnectionId
aws ec2 describe-vpc-endpoints --region $region --filters 'Name=vpc-id,Values='$vpc | grep VpcEndpointId
aws ec2 describe-nat-gateways --region $region --filter 'Name=vpc-id,Values='$vpc | grep NatGatewayId
aws ec2 describe-security-groups --region $region --filters 'Name=vpc-id,Values='$vpc | grep GroupId
aws ec2 describe-instances --region $region --filters 'Name=vpc-id,Values='$vpc | grep InstanceId
aws ec2 describe-vpn-connections --region $region --filters 'Name=vpc-id,Values='$vpc | grep VpnConnectionId
aws ec2 describe-vpn-gateways --region $region --filters 'Name=attachment.vpc-id,Values='$vpc | grep VpnGatewayId
aws ec2 describe-network-interfaces --region $region --filters 'Name=vpc-id,Values='$vpc | grep NetworkInterfaceId
aws ec2 describe-carrier-gateways --region $region --filters Name=vpc-id,Values=$vpc | grep CarrierGatewayId
aws ec2 describe-local-gateway-route-table-vpc-associations --region $region --filters Name=vpc-id,Values=$vpc | grep LocalGatewayRouteTableVpcAssociationId
My issue was a Transit Gateway Attachment and I could figure it out at some point.
Source: https://aws.amazon.com/premiumsupport/knowledge-center/troubleshoot-dependency-error-delete-vpc/
If you're working with Lambda Functions in VPC.
This is caused by an old Lambda version still referring to the ENI.
Try below to see if it's this case:
aws lambda list-versions-by-function --function-name FUNCTIONNAME | jq -r '.Versions | .[] | [.LastModified, .Version, .VpcConfig.VpcId] | @tsv' | sort
I had this same issue. For me, I had to delete an Endpoint Service associated with my ELB first, then I could start to get rid of the network interfaces that were set up.
Try to verify whether you have an EFS mount target associated with the ENI and delete it; afterwards, try to delete the network interface. That worked for me.
Modify the VPC Endpoint Service to reject VPC Endpoint (deselect Require acceptance for endpoint): https://docs.aws.amazon.com/vpc/latest/userguide/modify-endpoint-service.html
Delete the VPC Endpoint Service.
Continue deleting other resources or try again the stack deletion task in Cloudformation.
The VPC Endpoint Service deletion is restricted by the no longer existing VPC Endpoint.
In my case I had an EFS mount that was preventing my subnets from being deleted. My solution was to visit the AWS Management Console, search for EFS, and delete the corresponding mount. After that I was able to delete the subnets and VPC.
I had the same issue. The root problem is that it won't let you delete anything because everything has something else dependent on it. The solution was to scroll down below the list of each type of resource and find the right tab to edit/delete the connections to other resources. Once those are gone, you will be able to delete the resource at the top of the page. I'm not sure which break ultimately enabled the cloudformation to delete successfully, but just going through the VPC dashboard and hitting each of these should fix the problem.
The problem for me was that my load balancer was created with "Deletion protection" enabled. I logged on to AWS console, found my load balancer and edited its attributes setting "Deletion protection" to false. This allowed me to delete the load balancer and everything else.
If an error occurs on network interface deletion, wait until the NAT gateway and internet gateway entries are removed on the respective page. Otherwise, remove the public or static IP associated with the service in the VPC.
In my case I had a DataSync instance - when I removed that I could delete these resources.
Check whether any Lambda function/DB instance/EC2 instance is still there in the VPC -> any of the subnets.
Delete that particular instance first and then the network interface will get deleted automatically.
For identifying the instance you can follow these steps:
1. Search for the network interface in the AWS Network interface console.
2. Click on it to open the detailed view, then check the interface type and delete the mentioned resource from there.
Error:
Failed to detach the network interface. API error: "You do not have
permission to access the specified resource."
Solution: In order to find the resources that are still using the Elastic Network Interface, pull up the ENI details by clicking on the Network Interface ID, and use these two fields:
Description: should indicate which service is using the ENI (i.e. ECS, ELB, Lambda, etc.), but you might have to use some clues in the attachment ARN.
Security groups: should help you associate the specific cluster that's associated with it.
Once I deleted the ECS cluster that was associated with the ENI, the ENI resources went away automatically.
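
The triage this answer describes, as an added example that is not part of the original post: it sorts the interfaces in a `describe-network-interfaces` response into those a service attached (which cannot be detached by hand) and those you can act on directly, keeping the Description and security groups for each. The sample response is constructed, and treating an attachment ID that starts with `ela-attach` as service-owned is an assumption drawn from the error message in the question.

```python
from collections import defaultdict

# Constructed sample shaped like `aws ec2 describe-network-interfaces
# --output json`; every ID, name and description is made up.
SAMPLE_RESPONSE = {"NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-0aaa", "Status": "in-use",
     "RequesterManaged": True,
     "Description": "ELB app/example-lb/0123456789abcdef",
     "Groups": [{"GroupId": "sg-0111", "GroupName": "example-lb-sg"}],
     "Attachment": {"AttachmentId": "ela-attach-0aaa"}},
    {"NetworkInterfaceId": "eni-0bbb", "Status": "in-use",
     "RequesterManaged": False, "Description": "",
     "Groups": [{"GroupId": "sg-0222", "GroupName": "example-app-sg"}],
     "Attachment": {"AttachmentId": "eni-attach-0bbb",
                    "InstanceId": "i-0000000000000001"}},
    {"NetworkInterfaceId": "eni-0ccc", "Status": "available",
     "RequesterManaged": False, "Description": "leftover", "Groups": []},
]}


def classify(eni):
    """Decide who has to act before this ENI can go away."""
    attachment = eni.get("Attachment") or {}
    attachment_id = attachment.get("AttachmentId", "")
    if eni.get("RequesterManaged") or attachment_id.startswith("ela-attach"):
        # Attached by an AWS service: remove the owning resource instead.
        return "service-managed"
    if eni.get("Status") == "available" and not attachment:
        return "deletable"
    return "detachable"


def triage(response):
    """Group ENIs by class, keeping the two fields the answer points at."""
    report = defaultdict(list)
    for eni in response.get("NetworkInterfaces", []):
        report[classify(eni)].append({
            "id": eni["NetworkInterfaceId"],
            "description": eni.get("Description", ""),
            "security_groups": [g["GroupName"] for g in eni.get("Groups", [])],
        })
    return dict(report)


if __name__ == "__main__":
    for kind, enis in triage(SAMPLE_RESPONSE).items():
        for eni in enis:
            print(kind, eni["id"], eni["description"], eni["security_groups"])
```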
Also delete any Global Accelerator instances associated with the VPC.
I'd like to add to this conversation.
I had a similar issue and had to clear out some roles and 2x cloud9 environments, that I had ignored.
Worked like a charm as my network interface was no longer associated with my cloud9 environments.

EC2 CLI. Help creating VPCs with name

I am trying to streamline the process for creating VPC/EC2 environments without using the gui. I also want to automate it by telling a script what I want created with what properties.
I decided that the best place to start is to create a VPC and create an EC2 instance within it.
I am using
aws ec2 create-vpc --cidr-block 10.0.0.0/16
But I wanted to name it something like myVPC. Is there a way to do things like this? I am very new to this so if you have any documentation regarding this please send it my way.
Thank you!
Generally, AWS resources don't have names. Instead they have IDs. What passes for a 'name' of Production is actually a tag with the key/value pair Name=Production.
To set a name tag for a VPC, use the CLI's ec2 create-tags command. For example:
aws ec2 create-tags --resources vpc-1a2b3c4d --tags Key=Name,Value=Production
If you really want a one liner:
aws ec2 create-vpc --cidr-block 10.0.0.0/16 --output text | awk '{print $NF}' | xargs aws ec2 create-tags --tags Key=Name,Value=MyVPC --resources
It is a concatenation of two commands explained below.
Adding a tag while creating a VPC is not supported yet. Create a VPC like the following. The last value is VPC ID.
aws ec2 create-vpc --cidr-block 10.3.0.0/16 --output text
VPC 10.3.0.0/16 dopt-a54153c7 default False pending vpc-f13d7295
Use create-tags to add a tag to the created VPC
aws ec2 create-tags --resources vpc-f13d7295 --tags Key=Name,Value=MyVPC
You could use --tag-specifications:
aws ec2 create-vpc --cidr-block 10.0.0.0/24 --tag-specifications "ResourceType=vpc,Tags=[{Key=Name,Value=MyVPC}]"
https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc.html#options
Unrelated to your specific question, but allow me to highly recommend AWS CloudFormation for managing these resources. It's a nicer method of definition than just the CLI, and allows you to group resources or delete a stack. I use the CLI to call CloudFormation, specifying a template.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpc.html

Get information about new instances spawned by auto scaling using CLI

I am working on creating a monitor dashboard for monitoring status of ec2 instances.
I am searching for a method to get information (especially instances ID) of newly spawned instances using auto scaling.
Can anyone point me in the right direction. Thanks
If you know your instance type then you can use describe-instances command to get details about instances and use query command to get the details what you need (in your case Instance-id)
aws ec2 describe-instances --filters "Name=instance-type,Values=t1.micro" --query 'Reservations[*].{InstanceId:Instances[0].InstanceId}'
## Enter your instance type in the 'Values' field of '--filters' command
I was able to get instance id by using combination of following commands
aws elb describe-load-balancers --load-balancer-name "LoadBalanceID" --region "region" --output text | grep INSTANCES
Using the AWS CLI you can get a list of scaling activities for an auto scaling group.
aws autoscaling describe-scaling-activities --auto-scaling-group-name my-group-name
See AWS CLI
This is the newer Python CLI, so you would need to install that if you have not already done so. It will return a JSON block with all of the scale up and down activities in the group, including the reason and the date and time.