MichealMills

Reputation: 335

How to find unused VPC in AWS account

Is there any way to find unused VPCs in an AWS account?

I mean the VPCs that don't have any EC2 instances, RDS and other services associated with it.

One way is to just search with the VPC ID in running instances, RDS and other services to find out whether it is in use or not. Is there any other way, or an AWS CLI command, to find unused VPCs?

Upvotes: 13

Views: 5403

Answers (4)

RopoMen

Reputation: 11

This AWS Knowledge Center post will give good help. It contains even better aws-cli commands to use. https://aws.amazon.com/premiumsupport/knowledge-center/troubleshoot-dependency-error-delete-vpc/

Upvotes: 0

Kc Bickey

Reputation: 1286

Please use the following script to identify the unused Subnets for your AWS accounts in all regions:

USAGE:

  • Please add the account list to the accounts variable, as accounts=["a1","a2","a3"]
  • It will query and provide the list of subnets in all the regions for the respective accounts
  • A single CSV file will be created at the end of each run for one account

Logic:

  • Query all the subnets across all the regions for an AWS account

  • Get currently available IP details for the subnet (it is provided by the AWS API)

  • Get Subnet CIDR, calculate total IPs count, and subtract 5 counts (5 because 2 are used for Network and Broadcast and the other 3 are reserved by AWS by default)

  • Then, subtract Total IPs - Available = Currently used IP. If Used IP = 0, the subnet can be cleaned

     import boto3
     import sys
     import csv
     import ipaddress

     # AWS reserves the first four and the last address of every subnet, so
     # they are never counted as "available" by the API.
     RESERVED_PER_SUBNET = 5


     def describe_regions(session):
         """Return the names of all regions visible to this session."""
         try:
             ec2_client = session.client('ec2')
             return [r['RegionName'] for r in ec2_client.describe_regions()['Regions']]
         except Exception:
             print("Unexpected error:", sys.exc_info()[0])
             return []   # an empty list keeps the caller's region loop valid


     def describe_vpc(ec2, aws_region, writer, profile_name):
         """Write one CSV row per subnet of every VPC in the given region."""
         try:
             for vpc in ec2.describe_vpcs()['Vpcs']:
                 print('=' * 50)
                 filters = [{'Name': 'vpc-id', 'Values': [vpc['VpcId']]}]
                 for subnet in ec2.describe_subnets(Filters=filters)['Subnets']:
                     total_count = ipaddress.ip_network(subnet['CidrBlock']).num_addresses - RESERVED_PER_SUBNET
                     used_ip = total_count - subnet['AvailableIpAddressCount']
                     row = {"Account": profile_name, "VpcId": vpc['VpcId'], "VpcCidr": vpc['CidrBlock'],
                            "Region": aws_region, "Subnet": subnet['CidrBlock'], "SubnetId": subnet['SubnetId'],
                            "AvailableIPv4": subnet['AvailableIpAddressCount'], "Total_Network_IP": str(total_count),
                            "AvailabilityZone": subnet['AvailabilityZone'], "Used_IP": str(used_ip)}
                     writer.writerow(row)
                     print(row)   # Used_IP == 0 means nothing is allocated in this subnet
                 print('=' * 50)
         except Exception:
             print("Unexpected error:", sys.exc_info()[0])


     def main():
         try:
             accounts = ["<Account names here as list>"]   # named profiles from ~/.aws/config
             for profile in accounts:
                 session = boto3.session.Session(profile_name=profile)
                 print("File Name: " + profile + ".csv")
                 print("Profile_name: " + profile)
                 with open(profile + ".csv", "w", newline="") as csvfile:
                     fieldnames = [
                         "Account", "VpcId",
                         "VpcCidr", "Region",
                         "Subnet", "SubnetId",
                         "AvailableIPv4", "Total_Network_IP",
                         "AvailabilityZone", "Used_IP"
                     ]
                     writer = csv.DictWriter(csvfile, fieldnames=fieldnames)
                     writer.writeheader()
                     for aws_region in describe_regions(session):
                         ec2 = session.client('ec2', region_name=aws_region)
                         print("Scanning region: {}".format(aws_region))
                         describe_vpc(ec2, aws_region, writer, profile)
         except Exception:
             print("Unexpected error:", sys.exc_info()[0])
             raise


     if __name__ == "__main__":
         main()

Upvotes: 0

John Rotenstein

Reputation: 269101

There are many resources that can be included in a VPC, such as:

  • Amazon EC2 instances
  • Amazon RDS instances
  • Amazon Redshift instances
  • Amazon Elasticache instances
  • Elastic Load Balancers
  • Elastic Network Interfaces
  • and so on!

Rather than trying to iterate through each of these services, you could iterate through the Elastic Network Interfaces (ENIs), since everything connects to a VPC via an ENI.

Here's a command you could run using the AWS Command-Line Interface (CLI) that shows ENIs attached to a given VPC:

aws ec2 describe-network-interfaces --filters 'Name=vpc-id,Values=vpc-abcd1234' --query 'NetworkInterfaces[*].NetworkInterfaceId'

If no ENIs are returned, then you'd probably call it an unused VPC.

Upvotes: 30
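An added example (not code from any of the answers above) that automates the ENI check with boto3: it pages through every VPC in a region, counts the ENIs matching the same vpc-id filter as the CLI command, and reports the VPCs with none. It assumes boto3 and working credentials only for the real scan in scan_all_regions (profile_name is an assumed named profile); the counting functions accept any client-like object, so the logic can be exercised offline.

```python
def list_vpc_ids(ec2):
    """Return every VPC id in the region this EC2 client is bound to."""
    vpc_ids, token = [], None
    while True:
        page = ec2.describe_vpcs(**({"NextToken": token} if token else {}))
        vpc_ids.extend(v["VpcId"] for v in page["Vpcs"])
        token = page.get("NextToken")
        if not token:
            return vpc_ids


def count_enis(ec2, vpc_id):
    """Count ENIs in one VPC using the same vpc-id filter as the CLI command,
    following NextToken so large VPCs are not under-counted."""
    total, token = 0, None
    while True:
        kwargs = {"Filters": [{"Name": "vpc-id", "Values": [vpc_id]}]}
        if token:
            kwargs["NextToken"] = token
        page = ec2.describe_network_interfaces(**kwargs)
        total += len(page["NetworkInterfaces"])
        token = page.get("NextToken")
        if not token:
            return total


def find_unused_vpcs(ec2):
    """VPC ids with zero ENIs: nothing (EC2, RDS, ELB, Lambda...) is attached."""
    return [vpc_id for vpc_id in list_vpc_ids(ec2) if count_enis(ec2, vpc_id) == 0]


def scan_all_regions(profile_name=None):
    """Real scan: one EC2 client per region; profile_name is optional (assumed
    to be a named profile from ~/.aws/config when given)."""
    import boto3  # imported here so the functions above stay importable offline
    session = boto3.session.Session(profile_name=profile_name)
    regions = [r["RegionName"]
               for r in session.client("ec2").describe_regions()["Regions"]]
    return {region: find_unused_vpcs(session.client("ec2", region_name=region))
            for region in regions}


if __name__ == "__main__":
    for region, unused in scan_all_regions().items():
        print(region, unused or "no unused VPCs")
```

Zero ENIs means nothing compute-like is attached, but gateway-type VPC endpoints, peering connections, route tables and security groups do not create ENIs, so review those (and the VPC's IsDefault flag) before deleting anything.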

George Whitaker

Reputation: 1668

This might sound crazy, but I am pretty sure you can attempt to delete the VPC. It should protect from deletion any VPC that has resources running in it. Of course, you should give this a quick try before you do it. But it's probably the fastest/cleanest.

Upvotes: 2
