How to Resolve the InsufficientFreeAddressesInSubnet Error

Issue

You receive the following error message:

creating EC2 VPC Endpoint (com.amazonaws.vpce.us-east-1.{vpcServiceIdentifier}): InsufficientFreeAddressesInSubnet: Insufficient free addresses to allocate an addresses in subnet "{subnetIdentifier}"

Environment

All database connectors Connection method: Private networking

Understanding the problem

When you create an EC2 VPC Interface Endpoint (com.amazonaws.vpce.us-east-1.{vpcServiceIdentifier}), AWS provisions one or more ENIs (Elastic Network Interfaces) in the chosen subnets. Each ENI consumes a private IP from the subnet’s CIDR. The error InsufficientFreeAddressesInSubnet: Insufficient free addresses to allocate an addresses in subnet "{subnetIdentifier}" means the target subnet doesn’t have enough free IPs to allocate those ENIs.

Causes and solutions

Causes of insufficient free addresses include:

• Subnet too small: {subnetIdentifier} uses a very small CIDR (for example, /28 or /29), leaving few usable IPs.
• High utilization: Existing resources (EC2, RDS, load balancers, other ENIs, and more) have consumed most IP addresses.
• Endpoint overhead: Interface VPC endpoints add one or more ENIs per selected subnet. Highly available services may add several.
• IP Address Exhaustion: Over time, addresses can be held or not yet released, temporarily shrinking the free pool.

Solutions include:

• Use a different subnet with available IPs, or free addresses in the current subnet by removing unused ENIs or resources.
• If capacity is still tight, create a larger subnet or a new VPC with a bigger CIDR, and migrate workloads.

Resolution

Option 1: Use a different subnet (quickest)

If you have other subnets within the same VPC that have sufficient free IP addresses, simply create the VPC Endpoint in one of those subnets instead.

Action: When creating the VPC Endpoint, review the available subnets and choose one with a larger /availableIpAddressCount or one you know is less utilized.

How to check:

1. In the AWS Console, navigate to VPC > Subnets.
2. Select {subnetIdentifier} to view Available IPv4 addresses count, then compare with other subnets.

Option 2: Increase subnet capacity (if feasible)

This is generally not directly possible for an existing subnet in AWS. You can’t enlarge an existing subnet’s CIDR in AWS. Instead, do the following:

• Create a new, larger subnet: Define a new subnet with a larger CIDR block (for example, /24, /22) in your VPC.
• Migrate resources: Migrate or re-create your workloads (EC2 and any dependent resources) from the saturated subnet to the new, larger one. Expect possible disruption and plan the transition carefully.

Option 3: Free Up IP Addresses in the current subnet (temporary cleanup)

Remove unused resources consuming IPs in {subnetIdentifier}.

• Identify unused ENIs:
  • Go to VPC > Network Interfaces.
  • Filter by {subnetIdentifier}.
  • Look for ENIs with a Description that indicates they belong to old load balancers, old NAT gateways, or other resources that are no longer in use.
  • Look for ENIs that are Available (not attached to an instance). Delete if safe.
• Terminate unused instances or resources: If there are instances, such as EC2 or RDS that are no longer needed in that subnet, terminate them free up IP addresses.

Option 4: Create a New VPC and subnets (long-term)

If your current VPC is generally running out of IP space, or if your current subnetting strategy is too restrictive, design a new VPC with a larger CIDR and roomier subnetting for future growth. This is a more involved process.

Immediate action to solve the error:

Create the VPC Endpoint in a different subnet within your VPC that has enough available IP addresses.

1. List Subnets:

   aws ec2 describe-subnets --filters "Name=vpc-id,Values=<your_vpc_id>" --query 'Subnets[*].[SubnetId,CidrBlock,AvailableIpAddressCount]' --output table
   

   Replace <your_vpc_id> with the ID of the VPC containing {subnetIdentifier}).
2. Choose a Subnet: Look for a subnet with a sufficient AvailableIpAddressCount.
3. Retry VPC Endpoint Creation: Use the subnet-id of the chosen, less-utilized subnet when creating the EC2 VPC Endpoint.