Posted By in Uncategorized

Generally for VPCs that are integrated with an organizations private network we don’t provide direct access to the Internet. Normally we provide Internet access via a Squid proxy auto scaling farm in a different ‘Internet connected’ VPC over a VPC Peering connection.

But on occasion we need to do so temporarily by creating an Internet Gateway, attaching it to the VPC and the other steps required to give access to the Internet [assign Public IPs or create NAT Gateway, and configure routing]. As with everything else we implement and manage these changes via Cloudformation.

If you want to remove that Internet Gateway later, you need to first detach it from the VPC and then delete it. But is not possible to detach an Internet Gateway from a VPC while there are still Public IPs assigned to EC2 instances.

Trying to remove a Internet Gateway via Cloudformation failed for us, because an EC2 instance still has a public IP address assigned. Thus some manual intervention was required.

In this case before you detach the Internet Gateway from the VPC you must;

  • Stop an EC2 instances with Public IPs automatically assigned, when stopped they lose the Public IP association.
  • If you have any EIP’s associated with EC2 instances in the VPC, disassociate them as this will not happen automatically when you stop the instances.