@shinyaz

DependencyViolation when deleting VPC after agentcore destroy — wait for ENI release

After testing a WebRTC agent on AgentCore Runtime, I ran agentcore destroy and tried to clean up the VPC. The subnet deletion failed with DependencyViolation.

Output
An error occurred (DependencyViolation) when calling the DeleteSubnet operation:
The subnet 'subnet-xxx' has dependencies and cannot be deleted.

The culprit was an ENI that AgentCore Runtime created in the private subnet. It showed in-use with InstanceOwnerId: amazon-aws, and manual detach was rejected with OperationNotPermitted.

The only option was to wait. In my case, the ENI was released about 9 hours after agentcore destroy. Once it became available, the standard delete-network-interface → delete-subnet → delete-vpc sequence worked.

Similar behavior exists with Lambda VPC ENIs. For AgentCore, the ENI is managed by a service-linked role (AWSServiceRoleForBedrockAgentCoreNetwork) — deleting that role first may speed up the release.
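The wait-then-delete sequence described above, as an added example that is not part of the original post. It assumes a configured AWS CLI; the function names, the 300-second poll interval and the 144-try limit are assumptions, and the subnet and VPC ids are supplied by the caller.

```shell
#!/bin/sh
# Added example, not the post author's code. Usage: ./cleanup.sh subnet-xxx vpc-xxx

# Print "<eni-id> <status>" for every ENI that still lives in the subnet.
list_enis() {
  aws ec2 describe-network-interfaces \
    --filters "Name=subnet-id,Values=$1" \
    --query 'NetworkInterfaces[].[NetworkInterfaceId,Status]' \
    --output text
}

# Print ids of ENIs that are not yet "available" (for example still "in-use").
# Returns 2 when the describe call itself fails, so an API or credential
# error is never mistaken for "nothing is blocking".
blocking_enis() {
  local out
  out=$(list_enis "$1") || return 2
  printf '%s\n' "$out" | awk 'NF >= 2 && $2 != "available" { print $1 }'
}

# Poll until every ENI in the subnet is available. Defaults (assumed values):
# every 300 s for 144 tries = 12 h, sized to cover the ~9 h seen in the post.
wait_for_release() {
  local subnet="$1" interval="${2:-300}" tries="${3:-144}" i=0 blocking
  while [ "$i" -lt "$tries" ]; do
    blocking=$(blocking_enis "$subnet") || return 2
    if [ -z "$blocking" ]; then return 0; fi
    echo "still held by the service: $blocking" >&2
    sleep "$interval"
    i=$((i + 1))
  done
  return 1   # gave up; nothing has been deleted
}

# Wait, then delete in dependency order: ENIs, subnet, VPC.
cleanup_vpc() {
  local subnet="$1" vpc="$2" enis eni
  wait_for_release "$subnet" "$3" "$4" || return $?
  enis=$(list_enis "$subnet") || return 2
  for eni in $(printf '%s\n' "$enis" | awk 'NF >= 2 { print $1 }'); do
    aws ec2 delete-network-interface --network-interface-id "$eni" || return 1
  done
  aws ec2 delete-subnet --subnet-id "$subnet" || return 1
  aws ec2 delete-vpc --vpc-id "$vpc"
}

if [ "$#" -eq 2 ]; then cleanup_vpc "$1" "$2"; fi
```

Because the script only deletes ENIs that already report available, it never attempts the manual detach that the service rejects.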

Shinya Tahara

Solutions Architect @ AWS

I'm a Solutions Architect at AWS, providing technical guidance primarily to financial industry customers. I share learnings about cloud architecture and AI/ML on this site. The views and opinions expressed on this site are my own and do not represent the official positions of my employer.