QuickSight: Fixing VPC Connection Deletion Failed Issues
By khoanc, at: March 17, 2025, 10:17 p.m.


When working with AWS QuickSight, you may need to delete a VPC connection to set up a new one. However, this process isn't always smooth. Common issues like "VPC Connection is in use" or orphaned datasets preventing deletion can usually be resolved with AWS CLI commands.
But there’s one particularly frustrating issue that can waste hours because QuickSight doesn’t provide a clear error message:
- When deleting the VPC connection, QuickSight shows a success message, and the status changes to UNAVAILABLE.
- Running the delete command via AWS CLI returns DELETION_IN_PROGRESS.
- However, after a few minutes, the VPC connection is still there, unchanged.
- Checking the VPC connection details reveals that network interfaces failed to delete (DELETION_FAILED).
- You can't manually delete the VPC's related network interfaces, because they are managed by QuickSight.
The Real Issue: IAM Role Permissions
The root cause is insufficient IAM permissions for the role that QuickSight is using. To check which IAM role is in use (admin access required):
Manage QuickSight → Security & Permissions → IAM Role in Use
- If you’re using the default QuickSight role, it’s likely aws-quicksight-service-role-v0 or aws-quicksight-s3-consumers-role-v0.
- If you’re using a custom IAM role, it may be missing critical permissions, such as:
"ec2:CreateNetworkInterface"
"ec2:ModifyNetworkInterfaceAttribute"
"ec2:DeleteNetworkInterface"
"ec2:DescribeSubnets"
"ec2:DescribeSecurityGroups"
How to fix?
- The fastest solution (not recommended for production, but effective) is to temporarily attach the AmazonEC2FullAccess policy to the role that QuickSight is using and try deleting the connection again.
- A more secure approach is to manually add only the missing permissions and retry the deletion.
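To find which permissions are actually missing before touching the role, the following added example (not part of the original article or any AWS tooling) checks a role's policy documents against the five EC2 actions listed above and builds a minimal policy for the gaps. The function names and the sample policy are constructed for illustration, and the check assumes you have pasted in the JSON of the policies attached to the role; it ignores Resource, Condition and NotAction elements.

```python
import fnmatch
import json

# The five EC2 actions the article lists as commonly missing from custom roles.
REQUIRED = [
    "ec2:CreateNetworkInterface",
    "ec2:ModifyNetworkInterfaceAttribute",
    "ec2:DeleteNetworkInterface",
    "ec2:DescribeSubnets",
    "ec2:DescribeSecurityGroups",
]

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def _matches(action, patterns):
    # IAM action names are case-insensitive and accept * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def audit(policy_docs, required=REQUIRED):
    """Map each required action to 'allowed', 'missing' or 'denied'."""
    allow, deny = [], []
    for doc in policy_docs:
        stmts = doc.get("Statement", [])
        for stmt in [stmts] if isinstance(stmts, dict) else stmts:
            bucket = allow if stmt.get("Effect") == "Allow" else deny
            bucket.extend(_as_list(stmt.get("Action")))
    # An explicit Deny always wins over an Allow.
    return {a: "denied" if _matches(a, deny)
            else "allowed" if _matches(a, allow) else "missing"
            for a in required}

def remediation_policy(report):
    """Policy granting only the missing actions, or None if nothing is missing."""
    missing = [a for a, state in report.items() if state == "missing"]
    if not missing:
        return None
    # Describe* actions do not support resource-level permissions, hence "*".
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": missing, "Resource": "*"}]}

# Constructed sample: a custom role that can create interfaces but not delete them.
SAMPLE_ROLE_POLICIES = [{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:Describe*", "ec2:CreateNetworkInterface"]}]}]

if __name__ == "__main__":
    report = audit(SAMPLE_ROLE_POLICIES)
    print(json.dumps(report, indent=2))
    print(json.dumps(remediation_policy(report), indent=2))
```

An action reported as "denied" needs the Deny statement removed or narrowed; adding an Allow will not help.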
Preventing This Issue in the Future
This permission issue can also occur when creating a VPC connection, especially if you use a custom IAM role instead of the default QuickSight role. To avoid long debugging sessions, always check IAM permissions first when encountering errors.
By understanding this hidden pitfall, you can save hours of troubleshooting and manage QuickSight VPC connections more efficiently!
REF: https://repost.aws/knowledge-center/quicksight-permission-errors