January 31, 2023

Hands-on Guide: How to Find and Remove Unattached Elastic IPs

Tal Shladovsky
Cloud Specialist

TL;DR

  • Elastic IPs are charged an hourly fee even if they are not associated with any running instances, or if they are associated with a stopped instance or with a network interface that is not attached to any running instance.
  • Associating more than one Elastic IP with an instance adds additional charges.
  • Releasing any unassociated Elastic IPs that are no longer needed can help reduce your monthly AWS bill.
  • Stream.Security offers an easy and scalable way to find and manage Elastic IPs with advanced search capabilities and architectural standards.

Intro

In this hands-on guide we will demonstrate how to locate and remove unnecessary Elastic IP addresses in order to reduce Elastic IP costs on your AWS bill.

Elastic IPs Overview

An Elastic IP is a static, public IPv4 address that you can allocate to your AWS account, and then associate it with an EC2 instance or a Network Load Balancer.
An Elastic IP is typically used for the following purposes:

  1. Masking instance or availability zone failures: If an instance or availability zone experiences a failure, you can use an Elastic IP address to quickly remap the address to a running instance in another availability zone, without having to update DNS records.
  2. Internet-facing load balancer: You can associate an Elastic IP address with a Network Load Balancer, making it easy to route internet traffic to your instances.
  3. NAT gateway: You can use an Elastic IP address to create a NAT gateway, which enables instances in a private subnet to connect to the internet, while still maintaining their private IP addresses.
  4. Dedicated IPs: You can use an Elastic IP as a dedicated IP for your server that is not tied to any particular instance and can be easily remapped to another instance if needed.
  5. Custom domain: You can use Elastic IPs to point your custom domain to your server, allowing visitors to access your website or application using your domain name.

AWS’s Pricing for Elastic IPs

Elastic IPs are charged for the number of hours that an Elastic IP is allocated to your AWS account, even if it is not associated with a running instance or a Network Load Balancer.  
You can have one Elastic IP associated with a running instance at no charge.
If you associate additional Elastic IPs with that instance, you will be charged for each additional Elastic IP associated with that instance per hour on a pro rata basis. Additional Elastic IPs are only available in Amazon VPC.
Additionally, data transfer may be charged depending on the amount of data transferred and the region of the instances.  
Note that if an Elastic IP is released, it cannot be associated with the account again without being charged for additional allocation.
The hourly rate for an Elastic IP varies by region, and you can find the current rate in the AWS pricing page.  

Here’s a quick review of Elastic IP charges in the us-east-1 (N. Virginia) Region, covering an address that is not associated with a running instance, or that is associated with a stopped instance or an unattached network interface:

  • $0.005 per additional IP address associated with a running instance per hour on a pro rata basis
  • $0.005 per Elastic IP address not associated with a running instance per hour on a pro rata basis
  • $0.00 per Elastic IP address remap for the first 100 remaps per month
  • $0.10 per Elastic IP address remap for additional remaps over 100 per month

    Note:  
    “Remap” refers to the process of reassociating an Elastic IP address with a different EC2 instance or a Network Load Balancer. It is useful in case of failure of an instance or availability zone, where an Elastic IP address can quickly be reassociated with a running instance in another availability zone, without having to update DNS records. This allows you to maintain the same IP address for your service and avoid disruptions to your customers, instead of having to wait for DNS propagation.

So, let’s say you have 50 unattached Elastic IP addresses associated with your account: you might be paying 50 x (24 hours x 30 days in a month) x $0.005 = $180 a month for these unused resources.

How to Find and Release Unattached Elastic IPs

It's important to be aware of unattached Elastic IPs, especially if you are using the older EC2-Classic service. When an EC2 instance is stopped, the associated Elastic IP will be disassociated and will incur hourly charges if not manually released. Additionally, having multiple Elastic IPs set to be associated with the same EC2 instance can also result in unattached addresses.

Finding and Releasing Unattached Elastic IPs via AWS Console

To find and release an Elastic IP using the console:

  1. Open the Amazon EC2 console.
  2. In the navigation pane, choose Elastic IPs.
  3. Identify all IP addresses with no associated instance ID, that is, those with a blank value for “Associated Instance ID”.
    (An Elastic IP without an “Associated Instance ID” but with an “Association ID” means the Elastic IP is associated with a NAT Gateway.)
  4. Select the Elastic IP address to release and choose Actions, Release Elastic IP addresses.
  5. Choose Release.

AWS Console screenshot - Release Elastic IP Addresses

Finding and Releasing Unattached Elastic IPs via AWS CLI

  1. To find a specific Elastic IP or all of your Elastic IPs, you should use the describe-addresses command.
    To find unattached Elastic IPs you should use the following command while using a JMESPath expression:
aws ec2 describe-addresses --filters "Name=domain,Values=vpc" --query "Addresses[?AssociationId==null]"  

The --query option is used to filter the results further, so that only Elastic IPs that are not currently associated with any instances or load balancers are returned.

In case you’re using EC2-Classic, you may need to use the following command:

aws ec2 describe-addresses --query "Addresses[?InstanceId==null]"

Notes:
#1 Elastic IPs that are not in a VPC do not have the ‘AssociationId’ property, but Elastic IPs in both VPC and EC2-Classic will output ‘InstanceId’.
#2 Elastic IPs can also be attached to NAT gateways. In that case the ‘InstanceId’ value will be ‘null’, but ‘AssociationId’ is the field that will be present in any scenario.
     So it’s better to use ‘AssociationId’ to determine whether an Elastic IP is in use or not.

  2. To release unattached Elastic IPs, you should use the release-address command.
    The basic syntax of the command is as follows:
aws ec2 release-address --public-ip <public-ip>

Where <public-ip> is the Elastic IP address that you want to release.
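The two CLI steps and the notes above, combined into one triage pass. This is an added example, not code from the original article: it classifies describe-addresses records, prices the unattached ones at the us-east-1 rate quoted earlier, and prints release commands instead of running them. The sample records and the DoNotRelease tag name are constructed; note that release-address takes --allocation-id for VPC addresses, while --public-ip applies to EC2-Classic ones.

```python
import json

HOURLY_RATE = 0.005        # us-east-1 rate quoted in this article
HOURS_PER_MONTH = 24 * 30  # same month length as the article's $180 estimate

# Constructed sample shaped like `aws ec2 describe-addresses` output (not real data).
SAMPLE = json.loads("""
{"Addresses": [
 {"PublicIp": "203.0.113.10", "Domain": "vpc", "AllocationId": "eipalloc-0aaa",
  "AssociationId": "eipassoc-0aaa", "InstanceId": "i-0aaa"},
 {"PublicIp": "203.0.113.11", "Domain": "vpc", "AllocationId": "eipalloc-0bbb",
  "AssociationId": "eipassoc-0bbb", "NetworkInterfaceId": "eni-0bbb"},
 {"PublicIp": "203.0.113.12", "Domain": "vpc", "AllocationId": "eipalloc-0ccc"},
 {"PublicIp": "203.0.113.13", "Domain": "vpc", "AllocationId": "eipalloc-0ddd",
  "Tags": [{"Key": "DoNotRelease", "Value": "failover"}]},
 {"PublicIp": "198.51.100.20", "Domain": "standard"},
 {"PublicIp": "198.51.100.21", "Domain": "standard", "InstanceId": "i-0eee"}
]}
""")["Addresses"]

def classify(addr):
    """Return 'instance', 'eni-or-nat' or 'unattached' for one address record."""
    if addr.get("AssociationId"):
        # Note #2: a NAT gateway address has an AssociationId but no InstanceId.
        return "instance" if addr.get("InstanceId") else "eni-or-nat"
    if addr.get("InstanceId"):
        # Note #1: non-VPC addresses carry no AssociationId, only InstanceId.
        return "instance"
    return "unattached"

def release_plan(addresses, keep_tag="DoNotRelease"):
    """Build release commands for unattached addresses, skipping tagged ones."""
    plan = []
    for a in addresses:
        tags = {t["Key"] for t in a.get("Tags", [])}
        if classify(a) != "unattached" or keep_tag in tags:
            continue  # in use, or deliberately reserved (hypothetical tag)
        if "AllocationId" in a:  # VPC address: released by allocation ID
            plan.append(f"aws ec2 release-address --allocation-id {a['AllocationId']}")
        else:                    # EC2-Classic address: released by public IP
            plan.append(f"aws ec2 release-address --public-ip {a['PublicIp']}")
    return plan

def monthly_cost(addresses):
    """Monthly charge for every unattached address, tagged or not."""
    n = sum(1 for a in addresses if classify(a) == "unattached")
    return round(n * HOURS_PER_MONTH * HOURLY_RATE, 2)

if __name__ == "__main__":
    print("\n".join(release_plan(SAMPLE)), f"\n# unattached cost/month: ${monthly_cost(SAMPLE)}")
```

To use it on real data, replace SAMPLE with the parsed output of aws ec2 describe-addresses and review the printed commands before running any of them.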

The New & Easy Way: Find Unattached Elastic IPs with Stream.Security

With Stream.Security Architectural Standards you can easily find unattached Elastic IPs to be released using Stream's out-of-the-box Cost rules or you can create your own custom rules while using tags and various Elastic IP attributes.

Example architectural standard: Elastic IP not in use
This rule identifies any unattached (unused) Elastic IP addresses in your AWS account, so you can release (remove) them to lower the cost of your monthly AWS bill.
This rule can help you with the following compliance standards: MAS, NIST4. It can also help you work with the AWS Well-Architected Framework.

Screenshot from Stream.Security showing the architectural standard for Elastic IP

This architectural standard’s conditions:

You can review the conditions for any out-of-the-box or custom rule on Stream.Security


Review rule violations: When there are violations for this rule (or any rule in our architectural standards), this view shows each violated resource, including category, number of violations, compliance frameworks and more.

Detailed look of this violation in the Stream.Security UI

Depending on your use case, a specific team can be notified via Slack (using Stream.Security’s Slack integration) whenever an Elastic IP gets unattached, so your teams can release these IPs as soon as they stop being used.

You can create your own custom rules using the rule creation wizard on Stream.Security.
Here’s a custom rule example:
The custom rule below checks for any unattached Elastic IP addresses in a Dev environment: it uses an attribute filter of ‘Associationid’ OR ‘Allocationid’ having an empty value, combined with the proper Tag filter.

Conditional checks for custom rules on Stream.Security

Conclusion

Monitor your Elastic IPs
Keep an eye on the number of Elastic IP addresses that are allocated to your AWS account, as well as which addresses are associated with running instances and which ones are not. This will help you identify any unattached Elastic IPs that you may be paying for but not using.

Release unused Elastic IPs
If you have Elastic IPs that are not currently associated with any instances or load balancers, consider releasing them to avoid unnecessary charges.

Remap Elastic IPs
If an instance or availability zone experiences a failure, you can use an Elastic IP address to quickly remap the address to a running instance in another availability zone, without having to update DNS records.

Use Elastic IP for NAT gateway
You can use an Elastic IP address to create a NAT gateway, which enables instances in a private subnet to connect to the internet, while still maintaining their private IP addresses.

Use Elastic IP for custom domain
You can use Elastic IPs to point your custom domain to your server, allowing visitors to access your website or application using your domain name.

Automate the process
Use AWS CloudFormation or AWS Lambda to automate the release of unattached Elastic IP addresses.

Bring Your Own Public IP (BYOPIP)
BYOPIP is a feature that allows customers to bring their own public IP addresses to AWS and associate them with their instances or Network Load Balancer. This feature can be useful in situations where customers want to maintain the same IP address for their service, for example, for compliance or to maintain existing DNS entries.
Using BYOPIP may be more cost-effective than using Elastic IP addresses for long term usage, as you avoid hourly costs and are not subjected to data transfer costs as well.
For more details, check this FAQ

Be aware of the limits
AWS has a soft limit of 5 Elastic IP addresses per region per account, and you can request more by contacting AWS support.
