Cost

Delete unused Elastic Network Interfaces

A detached ENI isn't billed on its own — but it can hold a public IPv4 you're paying for, and it blocks the cleanup of everything attached to it. Find the true orphans and delete them safely.

12 min·10 sections·AWS

Last reviewed 27 May 2026

Unused Elastic Network Interfaces: the basics

Why a leftover network card is a hygiene problem with a hidden price tag

An Elastic Network Interface (ENI) is the virtual network card that a workload uses to talk to the rest of the VPC — it carries the private IP, optional public/Elastic IP, MAC address, security groups, and subnet placement for an instance or a managed service. When something is deleted or detached, its ENI can be left behind in the available state: allocated to your account, attached to nothing, doing no work. The ENI object itself is not a billed line item — AWS does not charge a per-hour fee for an idle network interface.

So why does it land on a wastage report? Two reasons. First, a detached ENI frequently still holds an associated public IPv4 or Elastic IP, and that is billed — roughly $0.005/hour, about $3.65/month, since the February 2024 universal IPv4 charge. An orphaned ENI is therefore often a hidden IPv4 charge wearing a network-card costume. Second, leftover ENIs are a strong orphan signal — they're the residue of terminated instances, deleted Lambda VPC attachments, removed load balancers, and stale interface VPC endpoints — and they block deletion of the security groups and subnets they reference, gumming up every other cleanup you try to run.

The trap is telling a true orphan from a service-reserved interface. Many ENIs in the available or in-use state belong to AWS managed services — RDS, Lambda, NAT Gateways, interface VPC endpoints, ELB — and are flagged RequesterManaged=true. Those must never be hand-deleted; AWS owns their lifecycle and will recreate or error on them. A genuinely safe-to-delete ENI is one that is both detached (status=available, Attachment=null) and not requester-managed (RequesterManaged=false).

In this lesson you'll learn why an ENI itself isn't directly billed, and where the real value lives instead: reclaiming the public IPv4 charges that hide on detached interfaces, restoring the ability to delete blocked security groups and subnets, and using the orphan count as a cleanup-discipline signal. You'll see the AWS CLI commands to list every available interface, the single most important filter — distinguishing a true orphan (RequesterManaged=false) from a service-reserved one belonging to RDS, Lambda, NAT, interface VPC endpoints, or ELB — and the safe delete pattern. You'll also see the edge cases that bite: requester-managed ENIs that error or silently respawn, and the off-platform references that any attached public IP might still carry.

Fun fact

The interfaces that wouldn't let go

A common AWS support ticket reads: "I'm trying to delete a security group and AWS says it's still in use, but I've deleted everything that used it." Nine times out of ten the culprit is a forgotten ENI — a network interface left in the available state by a deleted Lambda VPC function or a removed load balancer — still referencing that security group. The group can't be deleted until the interface is. One platform team auditing a VPC they thought was empty found 318 detached ENIs blocking the teardown of an entire account they were trying to decommission; 71 of them still carried a billed public IPv4 address. The cleanup wasn't about the interfaces — it was about everything they were quietly holding hostage.

Cleaning up unused ENIs in action

Marco runs the monthly FinOps cadence at a media company with a sprawling legacy VPC. The dashboard flags 64 network interfaces in the available state. He knows the interface count itself isn't a dollar figure — what catches his eye is that 22 of them still have an associated public IPv4, which is real money, and that an account-decommission ticket has been stuck for weeks because a subnet "won't delete."

Marco doesn't bulk-delete. The first filter is the one that matters: he checks RequesterManaged on every interface. Of the 64, 19 turn out to be requester-managed — interface VPC endpoints, a couple of RDS instances, and Lambda functions with VPC access — and those are off-limits entirely; deleting them by hand either errors out or has AWS silently recreate them. He tags those Lifecycle=managed and moves on.

That leaves 45 genuinely orphaned interfaces: Attachment=null, RequesterManaged=false, residue of terminated instances and a load balancer deleted last quarter. For the 22 carrying a public IP he confirms nothing off-platform references the address, then deletes all 45 in one scripted pass. The stuck subnet deletes cleanly the moment its last ENI is gone, the decommission ticket closes, and ~$80/month of hidden IPv4 charges drop off. Elapsed time: about twenty minutes, most of it the managed-versus-orphan check.

First, list every network interface in the available (detached) state, showing whether it's requester-managed and whether it carries a public IP. The RequesterManaged flag is the single most important column — true means AWS owns it.

$ aws ec2 describe-network-interfaces --filters Name=status,Values=available --query "NetworkInterfaces[].{Id:NetworkInterfaceId,Managed:RequesterManaged,Desc:Description,PublicIp:Association.PublicIp,SG:Groups[0].GroupId}" --output table

-----------------------------------------------------------------------------------

| DescribeNetworkInterfaces |

+----------------------+---------+--------------------------+--------------+--------+

+----------------------+---------+--------------------------+--------------+--------+

+----------------------+---------+--------------------------+--------------+--------+

# Managed=True (VPC endpoint) is OFF-LIMITS. The two Managed=False are true orphans;

# the first one has a billed public IP attached — check DNS/allowlists before release.

Detached interfaces with RequesterManaged=False are the safe-to-delete orphans; True belongs to a managed service and must be left alone.

Once you've confirmed the interface is detached (Attachment=null), not requester-managed, and that any attached public IP has no off-platform references, delete it by ID.

$ aws ec2 delete-network-interface --network-interface-id eni-0aa11bb22cc33dd

# (no output on success — the interface is removed immediately)

$ aws ec2 describe-network-interfaces --network-interface-ids eni-0aa11bb22cc33dd

An error occurred (InvalidNetworkInterfaceID.NotFound) when calling the

DescribeNetworkInterfaces operation: The networkInterface ID 'eni-0aa11bb22cc33dd' does not exist

# Gone. Its security group and subnet can now be deleted too — the block is cleared.

# If you'd tried this on a Managed=True interface: 'You are not allowed to manage 'ela-...' attachments.'

Delete is immediate. On a requester-managed interface it errors out — that's AWS protecting a resource it owns, and the signal to leave it alone.

Network interfaces under the hooddeep dive

An ENI bundles the network identity of a workload: one primary and optional secondary private IPs, an optional public IPv4 or associated Elastic IP, a MAC address, a list of security groups, a source/dest-check flag, and its subnet/AZ placement. The interface object is free — there is no per-hour charge for an ENI in any state. What costs money is anything billed that rides on it: most commonly an associated public IPv4 address, metered at $0.005/hour (~$3.65/month) since the February 2024 universal IPv4 charge. So the cost of an orphaned ENI is exactly the cost of whatever address it's still holding, and zero if it holds none.

The two state fields that decide whether an interface is safe to touch are Attachment and RequesterManaged. A detached interface has status=available and a null Attachment — it's wired to nothing. But detached doesn't mean deletable: RequesterManaged=true marks an interface that AWS provisioned on your behalf for a managed service — RDS, Lambda VPC access, NAT Gateways, interface VPC endpoints (ela-...), ELB/ALB/NLB. Those have their lifecycle owned by the service; hand-deleting one either returns an authorization error or, worse, succeeds momentarily before the service recreates it. The unambiguous safe target is status=available AND RequesterManaged=false.

Two further mechanics matter. First, terminating an instance auto-detaches its ENI but, depending on the DeleteOnTermination flag, may leave the interface behind in available state — that's a primary source of orphans. Second, a detached non-managed ENI still pins its security groups and subnet: AWS refuses to delete a security group or subnet while any interface references it, which is why these leftovers surface as "can't delete, still in use" errors during teardown. Deleting the orphan ENI is frequently the unlock for a whole chain of blocked cleanup.

# List only the SAFE deletion candidates: detached AND not requester-managed.
# Anything RequesterManaged=true (RDS, Lambda, NAT, VPC endpoints, ELB) is excluded.
aws ec2 describe-network-interfaces \
  --filters Name=status,Values=available \
  --query "NetworkInterfaces[?RequesterManaged==\`false\`].\
{Id:NetworkInterfaceId,PublicIp:Association.PublicIp,SG:Groups[].GroupId,Subnet:SubnetId}" \
  --output table

# Inspect one before deleting — confirm Attachment is null and check for a billed IP.
aws ec2 describe-network-interfaces \
  --network-interface-ids eni-0aa11bb22cc33dd \
  --query 'NetworkInterfaces[0].{Attachment:Attachment,Managed:RequesterManaged,PublicIp:Association.PublicIp}'

What is the impact of unused Elastic Network Interfaces?

The direct cost of the interfaces themselves is zero — AWS doesn't meter an idle ENI. The real dollar impact is the public IPv4 addresses that hide on a subset of them: each carried address is ~$3.65/month since the 2024 universal IPv4 charge, so 50 orphaned ENIs of which 20 still hold a public IP is ~$73/month of charge that's invisible unless you look at the interface level. The orphan that carries no address costs nothing directly — its impact is entirely the hygiene and blocking problem below.

The bigger operational cost is that leftover ENIs block other cleanup. A detached non-managed interface pins the security groups and subnet it references, so AWS refuses to delete those while it exists. That's how a routine VPC or account teardown stalls for weeks on a cryptic "resource still in use" error, and how a single forgotten interface can hold an entire decommission hostage. The saving from deleting the ENI is small; the value is unblocking everything downstream of it.

There's a discrimination cost too — the risk of cleaning up the wrong thing. A large fraction of available interfaces belong to AWS-managed services (RDS, Lambda, NAT, interface VPC endpoints, ELB) and are flagged RequesterManaged=true. Delete one of those by hand and you either hit an authorization error or trigger a confusing respawn, and a careless bulk script that ignores the flag can cause an outage. So the work is precision cleanup, not volume cleanup: the value is in correctly separating the true orphans from the service-reserved interfaces, every time.

Finally, an orphaned interface that still carries a public address is a small attack-surface and audit item, not just a cost one. An address that resolves in DNS but points at a dead interface, or one a partner still allowlists, is exactly the loose end a security review surfaces. Reclaiming orphans tightens the network surface and shortens the inventory at the same time — the cost report is just the easiest place to notice the mess.

How do you delete unused network interfaces safely?

Cleanup is a four-step loop: inventory every detached interface, separate the true orphans from service-managed ones, check any attached address for off-platform references, then delete the confirmed orphans and adopt conventions so they don't come back.

1. Inventory every interface in the available state

Run describe-network-interfaces --filters Name=status,Values=available in every region and account. Capture the interface ID, Description, RequesterManaged, any Association.PublicIp, the security groups it references, and its subnet. The available status with a null Attachment is what makes it detached; the rest of the fields tell you whether it's safe to touch and whether it's actually costing anything.

2. Separate true orphans from service-managed interfaces

This is the safety-critical filter. Exclude every interface with RequesterManaged=true — those belong to RDS, Lambda VPC access, NAT Gateways, interface VPC endpoints (ela-...), and ELB/ALB/NLB, and AWS owns their lifecycle. Hand-deleting one errors out or triggers a silent respawn, and a bulk script that ignores the flag can cause an outage. Only interfaces that are available AND RequesterManaged=false are genuine orphans. Tag the managed ones Lifecycle=managed so the next audit skips them.

3. Check any attached public IP for off-platform references

For each orphan that carries a public IPv4 or Elastic IP, the same caveat as any address applies: confirm nothing off-platform points at it — no DNS A record, no customer or partner firewall allowlist, no BYOIP dependency — before you let the address go. Deleting the interface releases or strands that address, and you won't get the same IP back. For orphans with no attached address there's no IP risk; the only thing to confirm is that they're genuinely detached and non-managed.

4. Delete the confirmed orphans and prevent recurrence

For interfaces that cleared the checks, call delete-network-interface --network-interface-id eni-.... Deleting the orphan also unblocks the security groups and subnets it pinned, so chain the cleanup. To stop new orphans, make deleting leftover interfaces part of the same change that retires a resource, set DeleteOnTermination=true on instance ENIs, and add an AWS Config rule or scheduled job that flags long-lived available, non-managed interfaces so the next teardown isn't blocked.

# Delete ONLY detached, non-managed interfaces. The RequesterManaged filter is
# the safety gate — never delete an interface AWS provisioned for a service.
REGION=us-east-1

ORPHANS=$(aws ec2 describe-network-interfaces --region $REGION \
  --filters Name=status,Values=available \
  --query "NetworkInterfaces[?RequesterManaged==\`false\`].NetworkInterfaceId" \
  --output text)

for eni in $ORPHANS; do
  # Check for a billed public IP and confirm DNS/allowlist before this point.
  ip=$(aws ec2 describe-network-interfaces --region $REGION \
        --network-interface-ids "$eni" \
        --query 'NetworkInterfaces[0].Association.PublicIp' --output text)
  echo "Deleting $eni (public IP: $ip)"
  aws ec2 delete-network-interface --region $REGION --network-interface-id "$eni"
done
# Their security groups and subnets can now be deleted — the block is cleared.

Quick quiz

Question 1 of 5

You find a network interface in the available state. Before deciding to delete it, what's the single most important thing to confirm?

Keep learning

Dig deeper into ENI mechanics, the public IPv4 charge that hides on them, and the cleanup discipline that keeps the category small.

You've completed Delete unused Elastic Network Interfaces. You now know that the interface itself isn't billed — the value is in the public IPv4 charges that hide on detached interfaces and in unblocking the security groups and subnets they pin. You know the one filter that makes this safe: a true orphan is status=available AND RequesterManaged=false, while a requester-managed interface (RDS, Lambda, NAT, VPC endpoint, ELB) must be left to AWS. Next time the wastage report flags an unused interface, you'll have a defensible path from "flagged" to "deleted" — and you'll know which ones never to touch.

Back to the library

Unused network interfaces: what it means for the bill

Mostly a hygiene flag — but one that often hides a real charge

An Elastic Network Interface is the virtual network card that lets a cloud machine connect to the network. The fact that matters for the bill is counterintuitive: the network card itself doesn't cost anything to leave lying around — AWS doesn't meter an idle one. So on its own, this finding isn't a direct line item the way an idle disk or an idle address is.

The reason it still shows up on a cost report is that a leftover network card very often has a public internet address still clipped to it, and that address is billed — about $3.65 a month each since AWS started charging for all public IPv4 in early 2024. So an orphaned interface is frequently a hidden IPv4 charge in disguise. Just as important, these leftovers are the clearest evidence that cleanup didn't finish: they're what's left when a server, a load balancer, or a serverless function was deleted but its plumbing wasn't. And they physically block other cleanup — you can't retire the security groups or network segments they're attached to until they're gone.

For budgeting, treat this as a leading-indicator and hygiene category rather than a dollar category. The right question at a cost review isn't "how much do network interfaces cost" — it's "how many detached, non-managed interfaces are we carrying, how many of them have a billed IP attached, and is that count flat?" A growing count says cleanup isn't closing the loop, which reliably predicts bigger waste categories drifting the same way.

This lesson is for the finance partner who sees "unused network interfaces" on a wastage report and wants to know whether it's a real number. It explains why the interface itself costs nothing, why the value is in the hidden IPv4 charges and the unblocked cleanup rather than the interfaces directly, what a reasonable count looks like, and the practical levers — reporting the count and the attached-IP subset, ownership conventions, and a release cadence — that keep it small without learning any AWS internals. By the end you'll know the one question to ask at the monthly review and how to read the answer.

Fun fact

The interfaces that wouldn't let go

How a finance partner closes the loop

Lena is the finance partner embedded with the platform team. "Unused network interfaces" appears on the wastage dashboard with a count of 64 and a tiny dollar figure, and she asks the question that's now standing on the agenda: "How many of these are truly orphaned versus owned by AWS services, and how many are carrying a public IP we're actually paying for?" The platform lead's answer is the useful one: the interfaces themselves are free, 19 belong to managed services and can't be touched, and 22 of the rest hold a billed address — so the real money is about $80 a month, plus a stuck decommission the leftovers are blocking.

The conversation isn't technical. Lena doesn't ask about subnets or MAC addresses. She asks three things: how many are safe to delete (orphaned and not service-owned), how many of those carry a billed IP, and whether anything else is blocked by leaving them. The split — 19 managed, 45 orphaned, 22 of those costing money, one subnet teardown waiting on them — is enough to act. She gets a commitment to clear the 45 this sprint and to add the orphan count and the attached-IP subset to the recurring finance pack so neither drifts back up unnoticed.

Two months later the residual is a handful of interfaces, all tagged as managed or deliberately kept. Lena knows that's the right floor, and she knows that if the orphan count climbs again it means cleanup isn't closing the loop after resources are deleted. The interface count is a hygiene metric; the attached-IP subset is the part with a dollar sign; she watches both as trends, not as a one-time number.

Why this matters to the budget, not just the bill

The direct line-item impact is unusual for a wastage category: the interfaces themselves are free, so a count of leftover network cards isn't a cost in itself. The dollars live in a subset — the ones still holding a billed public address — and that's typically a few dozen to a few hundred dollars a month, a fraction of a percent of cloud spend. The useful framing for finance is to split the count from the cost: report how many orphaned interfaces exist, and separately how many of those carry a billed IP, because only the second is money.

The larger budget impact is indirect and worth understanding. Leftover interfaces block the retirement of the network components around them, which is why account and environment decommissions — the kind of cleanup that produces real, lasting savings — stall. When a teardown that should remove a whole environment's spend sits unfinished for a quarter because of forgotten plumbing, the cost isn't the interface; it's the savings you didn't capture. This category is often the literal blocker on bigger wins.

This also tests chargeback in a specific way. Orphaned interfaces are by definition unowned — the resource they served is gone — so neither the (zero) interface cost nor the attached-IP cost can be cleanly assigned to a team. Making teams own and delete the interfaces tied to resources they decommission keeps the model honest, and the precision requirement (don't touch service-managed ones) is a reminder that this is engineering-owned cleanup, not something finance can script.

Treat the orphan count as a leading indicator. A growing count of detached, non-managed interfaces is one of the cleanest signals that cleanup isn't reaching the plumbing when resources are deleted — and that same gap predicts larger waste categories (idle volumes, stopped instances, unattached addresses) drifting the same way. Watch the count and its trend, plus the attached-IP subset for the actual dollars.

What finance can actually do about this

Finance can't delete interfaces, but it can set the conditions that keep the orphan count near zero and the hidden charges visible. Three levers, used at the monthly cadence.

1. Report the count and the attached-IP subset separately

Add "detached network interfaces" as a standing line on the cost pack, split into two numbers: the orphan count (the hygiene signal) and how many of those carry a billed public IP (the actual dollars). The interface count alone isn't money; conflating the two either overstates the cost or hides the real charge. A count that grows two months running is the prompt to escalate, regardless of the small dollar figure.

2. Track what these leftovers are blocking

The biggest financial impact here is indirect: orphaned interfaces stall environment and account decommissions, which is where real savings live. Ask engineering whether any in-flight teardown is blocked by leftover plumbing, and treat that blocked saving — not the interface cost — as the number that matters. Unblocking a stalled decommission is often worth far more than the IP charges.

3. Make decommission-includes-cleanup the rule

The agreement with each team should be that retiring a resource includes deleting the interfaces it left behind and releasing any address they carry — as part of the same change. That single convention does more than any one-off sweep, because it stops orphans being created and stops decommissions stalling in the first place. Pair it with the understanding that service-managed interfaces are off-limits, so cleanup stays precise.

4. Treat the trend as the metric

A small, stable residual of service-managed and deliberately-kept interfaces is fine and expected — many interfaces are supposed to exist. The right question isn't "why isn't this zero?" but "is the orphan count flat, and is the attached-IP subset shrinking?" A creeping orphan count with a small dollar figure is worse than a static larger one, because it signals the cleanup loop is slipping.

Quick quiz

Question 1 of 5

The "detached network interfaces" line shows a count that's grown from 20 to 70 over six months, but the dollar figure is tiny, and a VPC decommission is stuck. As the finance partner, what's the right next move?

Keep learning

Dig deeper into ENI mechanics, the public IPv4 charge that hides on them, and the cleanup discipline that keeps the category small.

You've finished the finance partner's view of unused network interfaces. You know the interface itself is free, that the dollars live in the subset holding a billed public IP, that the bigger impact is unblocking stalled decommissions, and the three finance levers — report the count and the billed-IP subset separately, track what the leftovers are blocking, and make decommission-includes-cleanup the rule. Next time the line shows up at the review, you'll have a sharper question than "what does this cost?"

Back to the library

Unused network interfaces: the headline

Leftover plumbing that hides charges and blocks cleanup

When a cloud resource is deleted, the virtual network card it used can be left behind — attached to nothing, doing no work. The card itself isn't billed, but it often still holds a public internet address that is billed, and it physically blocks the retirement of the network components around it. So it's a small, hidden cost wrapped inside a bigger hygiene problem.

This is a discipline signal more than a cost story. A pile of leftover interfaces says cleanup stops at "delete the server" and never reaches the plumbing — the same gap that produces larger waste elsewhere. The fix is low-risk reclamation, with one careful caveat: many interfaces belong to AWS-managed services and must be left alone, so the work is about deleting the right ones, not all of them.

A short read on a small but telling category of cloud waste, written for the exec who wants the headline and the one question to ask. You'll get the framing — the interface is free but signals incomplete cleanup and often hides a real charge — what the count says about discipline, and what "good" looks like at an org level. No commands, no internals.

Fun fact

The interfaces that wouldn't let go

What it looks like when the org gets this right

At one company a VPC decommission had been "almost done" for two quarters — blocked, it turned out, by a layer of forgotten network plumbing nobody had cleaned up. The exec sponsor stopped asking when it would finish and started asking the better question: "Why does deleting a server leave this much behind, and why isn't releasing it part of the same change?"

Within a quarter the pattern changed. The team adopted a simple rule — retiring a workload includes deleting its leftover interfaces and releasing any address they carry — and added the orphan count to the standing report. The blocked decommission finished, the hidden IPv4 charges fell off, and the residual settled at a small number of service-owned interfaces that are supposed to be there. The dollar saving was modest; the point was that cleanup now reached all the way down.

That's the right outcome state. "Zero network interfaces" is the wrong goal — many are owned by AWS and must stay. "Every interface we carry is either in active use, owned by a managed service, or deliberately kept" is the right one. The report stops being a stuck ticket and becomes evidence the cleanup loop works end to end.

Why this is on the report at all

The direct dollar amount is small or zero — the interface itself is free, and only the subset holding a public address costs anything. It's tracked because of what its size and trend report about discipline: a small, stable count means cleanup reaches the plumbing when resources are deleted; a growing count means it stops at "delete the server," and the same gap almost certainly applies to bigger spend categories. It's also the category that most often blocks environment decommissions, which is where the larger savings actually are.

There's a second-order angle. A forgotten interface that still carries a public address — one that resolves in DNS or sits in a partner allowlist — is an audit and security loose end as much as a cost one. So this category sits where cost, security posture, and operational hygiene meet: modest in dollars, useful as a signal, and cheap to keep clean, with the one caveat that it must be cleaned precisely because many interfaces are AWS-owned.

The leadership move on this category

The handle for an executive isn't to chase the dollars — it's to set the norms that make cleanup reach the plumbing, not just the servers.

1. Require decommission to include the plumbing

Retiring a workload should include deleting the network interfaces and releasing the addresses it leaves behind, as part of the same change. Most of this category exists because cleanup stops at "delete the server" — and that same incomplete cleanup is what blocks the bigger environment decommissions where the real savings sit.

2. Ask for the orphan count and what it's blocking

"How many leftover interfaces do we carry, how many hold a billed address, and is any decommission stuck because of them?" is a one-minute review item that tells you whether cleanup discipline is working — no technical depth required. Flat, small, and blocking nothing for three quarters means the hygiene is healthy.

3. Insist cleanup is precise, not aggressive

Many interfaces are owned by AWS-managed services and must be left alone — a bulk delete that ignores that can cause an outage. The leadership norm is that this cleanup is done carefully and is engineering-owned: delete the true orphans, never the service-reserved ones. Precision here is a safety requirement, not a nicety.

Quick quiz

Question 1 of 5

The cloud cost pack shows the detached-interface count has been flat at a handful for three quarters, all of them service-managed or deliberately kept, and no decommission is blocked. What's the right read?

Keep learning

Dig deeper into ENI mechanics, the public IPv4 charge that hides on them, and the cleanup discipline that keeps the category small.

That's the lesson. Two takeaways: a leftover network interface is mostly free but often hides a real IPv4 charge and blocks the bigger decommissions where savings live, and the cleanup must be precise because many interfaces are AWS-owned and must stay. The leadership question is whether decommissioning reaches the plumbing — and whether the cleanup is done carefully.

Back to the library

Part of the learning path Kill idle waste

Delete unused Elastic Network Interfaces

Unused Elastic Network Interfaces: the basics

The interfaces that wouldn't let go

Cleaning up unused ENIs in action

Network interfaces under the hooddeep dive

What is the impact of unused Elastic Network Interfaces?

How do you delete unused network interfaces safely?

1. Inventory every interface in the available state

2. Separate true orphans from service-managed interfaces

3. Check any attached public IP for off-platform references

4. Delete the confirmed orphans and prevent recurrence

Quick quiz

Keep learning

Unused network interfaces: what it means for the bill

The interfaces that wouldn't let go

How a finance partner closes the loop

Why this matters to the budget, not just the bill

What finance can actually do about this

1. Report the count and the attached-IP subset separately

2. Track what these leftovers are blocking

3. Make decommission-includes-cleanup the rule

4. Treat the trend as the metric

Quick quiz

Keep learning

Unused network interfaces: the headline

The interfaces that wouldn't let go

What it looks like when the org gets this right

Why this is on the report at all

The leadership move on this category

1. Require decommission to include the plumbing

2. Ask for the orphan count and what it's blocking

3. Insist cleanup is precise, not aggressive

Quick quiz

Keep learning

Related cost lessons