Network vpc-* has some mapped public address(es). Please unmap those public address(es) before detaching the gateway

I ran into the error:

Network vpc-* has some mapped public address(es). Please unmap those public address(es) before detaching the gateway

while working with AWS CloudFormation templates. The message is accurate, but if you don't fully understand how VPCs and Internet Gateways relate, it can be very confusing. After working out what happens and why, I decided to write it down to share.

My CF Template Setup

  • Root VPC Template – This creates the VPC, Internet Gateway and Route Tables. It has output values for vpc, igw and rt.
  • Application Template – The webserver and ELB template; you pass in the igw, vpc, and rt as parameters.


VPC Design

If you look at http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html you’ll see the VPC security diagram (the security-diagram image in the original post).

The Root VPC Template makes this structure. The Application Template makes the instance as well as connecting the networking dots.


Create first Application Template

  "Resources" : {

    "InternetGatewayAttachment": {
       "Type" : "AWS::EC2::VPCGatewayAttachment",
       "DeletionPolicy" : "Retain",
       "Properties" : {
          "InternetGatewayId" : { "Ref": "InternetGatewayParam"},
          "VpcId" : {"Ref": "RootVPC"}
       }
    },

    "Route" : {
      "DependsOn": "InternetGatewayAttachment",
      "Type" : "AWS::EC2::Route",
      "Properties" : {
        "RouteTableId" : { "Ref" : "RouteTableParam" },
        "DestinationCidrBlock" : "0.0.0.0/0",
        "GatewayId" : { "Ref" : "InternetGatewayParam" }
      }
    },

    "ElasticLoadBalancer" : {
      "Type" : "AWS::ElasticLoadBalancing::LoadBalancer",
      "Properties" : {
        "CrossZone": "true",
        "Instances": [ { "Ref": "WebServerInstance"} ],
        "SecurityGroups" : [ { "Ref" : "LoadBalancerSecurityGroup" }, { "Ref": "WebServerSecurityGroup"} ],
        "Subnets" : [ "subnet-*" ],
        "Listeners" : [ {
           ...
        } ],
        "HealthCheck" : {
          ...
        }
      }
    },
    "LoadBalancerSecurityGroup" : {
      "Type" : "AWS::EC2::SecurityGroup",
      "Properties" : {
        "VpcId" : { "Ref" : "RootVPC" },
        "GroupDescription" : "Enable HTTPS access via port 443",
        "SecurityGroupIngress" : [
          { "IpProtocol" : "tcp", "FromPort" : "443", "ToPort" : "443", "CidrIp" : "0.0.0.0/0"}
         ]
      }
    },

    "WebServerSecurityGroup" : {
      "Type" : "AWS::EC2::SecurityGroup",
      "Properties" : {
        "VpcId" : { "Ref" : "RootVPC" },
        ...
      }
    },

    "WebServerInstance" : {
      "Type" : "AWS::EC2::Instance",
      "DependsOn": "InternetGatewayAttachment",
      "Properties" : {
        ...
      }
    }

  },

Second Application CF Stack

Launch another Application via CloudFormation. With the second application running, delete the first application. This is where I kept running into the error:

Network vpc-* has some mapped public address(es). Please unmap those public address(es) before detaching the gateway

and I wasn’t sure why. I put the proper code into the above example, but the first time I did it I forgot to include the ‘Retain’ DeletionPolicy in:

    "InternetGatewayAttachment": {
       "Type" : "AWS::EC2::VPCGatewayAttachment",
       "DeletionPolicy" : "Retain",

According to http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html the default DeletionPolicy is “Delete”.

Why you get this error

This means that if the DeletionPolicy “Retain” attribute is absent, the attachment is deleted together with its stack. If you:

  • Launch one Application Template as a CloudFormation Stack
  • Launch a second Application Template
  • Forget to put the DeletionPolicy:Retain in both of those templates
  • Delete one of the CloudFormation Stacks
  • You see the error

The InternetGatewayAttachment the first stack tries to delete is still being used by the other running application: the second application still has public addresses mapped in the shared VPC, which is exactly what the message says, so AWS refuses to detach the gateway. The error is entirely valid, but when you are focused on one application template it is not obvious why the two stacks are related.
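A check for the mistake described above, written as an added example for this post rather than code from it: the script parses an application template and flags any AWS::EC2::VPCGatewayAttachment that would be deleted with the stack (no DeletionPolicy of Retain) or that attaches to a VPC passed in as a parameter, i.e. a VPC owned by another stack. The sample template embedded in it is constructed and its parameter names are assumptions.

```python
import json
from typing import List, Tuple

# Constructed sample application template (not the post's own file): the
# attachment takes the VPC and IGW from parameters and omits DeletionPolicy.
SAMPLE_TEMPLATE = json.dumps({
    "Parameters": {
        "RootVPC": {"Type": "AWS::EC2::VPC::Id"},
        "InternetGatewayParam": {"Type": "String"},
    },
    "Resources": {
        "InternetGatewayAttachment": {
            "Type": "AWS::EC2::VPCGatewayAttachment",
            "Properties": {
                "InternetGatewayId": {"Ref": "InternetGatewayParam"},
                "VpcId": {"Ref": "RootVPC"},
            },
        },
    },
})


def audit_gateway_attachments(template: dict) -> List[Tuple[str, str]]:
    """Return (logical_id, finding) pairs for every VPCGatewayAttachment that
    one stack's deletion could tear out from under a sibling stack."""
    params = template.get("Parameters", {})
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::VPCGatewayAttachment":
            continue
        # CloudFormation's default DeletionPolicy is Delete, so without an
        # explicit Retain the attachment is removed together with the stack.
        if res.get("DeletionPolicy") != "Retain":
            findings.append((logical_id, "DeletionPolicy defaults to Delete"))
        # A VpcId given as a Ref to a Parameter means another stack owns the
        # VPC, so this attachment is shared with every stack that uses it.
        vpc_ref = res.get("Properties", {}).get("VpcId", {})
        if isinstance(vpc_ref, dict) and vpc_ref.get("Ref") in params:
            findings.append((logical_id, "attaches to a VPC owned by another stack"))
    return findings


def audit_template_text(text: str) -> List[Tuple[str, str]]:
    return audit_gateway_attachments(json.loads(text))


if __name__ == "__main__":
    for logical_id, finding in audit_template_text(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {finding}")
```

Run it against each application template before launching a second stack into the same VPC; a clean result means the attachment will survive the deletion of any one stack.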
