This error occurs when trying to modify an RDS instance but the VPC or subnet configuration is in an incompatible state. Common causes include missing subnets, insufficient IP addresses, or disabled DNS settings.
The InvalidVPCNetworkStateFault error indicates that AWS RDS cannot perform the requested modification because the VPC network configuration is invalid or incompatible. This typically happens during DB instance modifications, reboots, or when changing VPC configurations. The instance may still be running at the application level, but AWS prevents changes due to network state issues.
Check that your DB subnet group contains subnets in different Availability Zones:

```shell
aws rds describe-db-subnet-groups --db-subnet-group-name your-subnet-group
```

In Terraform, ensure your subnet group includes subnets from different AZs:

```hcl
resource "aws_db_subnet_group" "main" {
  name       = "my-db-subnet-group"
  subnet_ids = [
    aws_subnet.private_a.id, # us-east-1a
    aws_subnet.private_b.id  # us-east-1b
  ]
}
```

If subnets are missing, update your subnet group to include valid subnets in multiple AZs.
Verify that all subnets in your DB subnet group still exist and are in the 'available' state:

```shell
aws ec2 describe-subnets --subnet-ids subnet-xxx subnet-yyy
```

Look for any subnets with a state other than 'available'. If a subnet was deleted, update your Terraform configuration to reference valid subnets:

```hcl
resource "aws_db_subnet_group" "main" {
  name       = "my-db-subnet-group"
  subnet_ids = [aws_subnet.private_a.id, aws_subnet.private_b.id]
  depends_on = [aws_subnet.private_a, aws_subnet.private_b]
}
```

Check available IP addresses in each subnet of your DB subnet group:

```shell
aws ec2 describe-subnets --subnet-ids subnet-xxx --query 'Subnets[0].AvailableIpAddressCount'
```

Each subnet should have at least a few free IP addresses. If you're running low, expand your CIDR blocks:

```hcl
resource "aws_subnet" "private_a" {
  vpc_id            = aws_vpc.main.id
  cidr_block        = "10.0.1.0/24" # Larger block = more IPs
  availability_zone = "us-east-1a"
}
```

Alternatively, create new subnets with larger CIDR blocks and update your DB subnet group.
If your RDS instance is publicly accessible, DNS hostnames and DNS resolution must be enabled on the VPC:

```shell
aws ec2 describe-vpc-attribute --vpc-id vpc-xxx --attribute enableDnsHostnames
aws ec2 describe-vpc-attribute --vpc-id vpc-xxx --attribute enableDnsSupport
```

Enable both via the AWS CLI:

```shell
aws ec2 modify-vpc-attribute --vpc-id vpc-xxx --enable-dns-hostnames
aws ec2 modify-vpc-attribute --vpc-id vpc-xxx --enable-dns-support
```

Or in Terraform:

```hcl
resource "aws_vpc" "main" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_hostnames = true
  enable_dns_support   = true
}
```

If you've hit the ENI quota for your region, check the current limit:

```shell
aws service-quotas get-service-quota --service-code ec2 --quota-code L-DF5E4CA9
```

View current usage:

```shell
aws ec2 describe-network-interfaces --query 'NetworkInterfaces | length(@)'
```

Request a quota increase through the AWS Service Quotas console if needed.
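As an added example that is not part of the original article, the following Python script consolidates the subnet group, subnet state, free-IP and VPC DNS checks above into one offline pass over the JSON that the CLI commands print. It uses only the standard library; the sample documents, the `vpc-0123`/`subnet-0aaa` style identifiers and the `MIN_FREE_IPS` threshold are constructed assumptions for illustration, not real resources.

```python
"""Offline checker for the VPC and subnet conditions behind
InvalidVPCNetworkStateFault.  It consumes the JSON printed by
`aws rds describe-db-subnet-groups`, `aws ec2 describe-subnets` and
`aws ec2 describe-vpc-attribute`.  The sample documents at the bottom are
constructed; use load() on saved CLI output to check a real environment."""
import json

# Assumption: a subnet with fewer free addresses than this is flagged.
MIN_FREE_IPS = 8


def load(path):
    """Parse saved CLI output, e.g. `aws rds describe-db-subnet-groups ... > group.json`."""
    with open(path) as fh:
        return json.load(fh)


def check_subnet_group(group_doc, subnet_doc, min_free_ips=MIN_FREE_IPS):
    """Return a list of findings (an empty list means the group looks healthy).

    group_doc  - parsed `aws rds describe-db-subnet-groups` output
    subnet_doc - parsed `aws ec2 describe-subnets` output for the same subnets
    """
    findings = []
    group = group_doc["DBSubnetGroups"][0]
    if group.get("SubnetGroupStatus") != "Complete":
        findings.append(
            f"subnet group status is {group.get('SubnetGroupStatus')!r}, expected 'Complete'")
    members = group["Subnets"]
    # RDS requires the group to cover at least two Availability Zones.
    azs = {s["SubnetAvailabilityZone"]["Name"] for s in members}
    if len(azs) < 2:
        findings.append(f"subnet group spans {len(azs)} AZ(s); RDS requires at least 2")
    for s in members:
        if s.get("SubnetStatus") != "Active":
            findings.append(f"{s['SubnetIdentifier']}: SubnetStatus is {s.get('SubnetStatus')!r}")
    # A deleted subnet can remain listed in the group, so cross-check with EC2.
    ec2_subnets = {s["SubnetId"]: s for s in subnet_doc["Subnets"]}
    for s in members:
        sid = s["SubnetIdentifier"]
        info = ec2_subnets.get(sid)
        if info is None:
            findings.append(f"{sid}: not returned by describe-subnets (deleted?)")
            continue
        if info["State"] != "available":
            findings.append(f"{sid}: EC2 state is {info['State']!r}")
        if info["VpcId"] != group["VpcId"]:
            findings.append(f"{sid}: in {info['VpcId']} but the group is in {group['VpcId']}")
        if info["AvailableIpAddressCount"] < min_free_ips:
            findings.append(
                f"{sid}: only {info['AvailableIpAddressCount']} free IPs (< {min_free_ips})")
    return findings


def check_vpc_dns(*attribute_docs):
    """Return findings for `aws ec2 describe-vpc-attribute` outputs; both
    enableDnsHostnames and enableDnsSupport must be true for a public instance."""
    findings = []
    for doc in attribute_docs:
        for key in ("EnableDnsHostnames", "EnableDnsSupport"):
            if key in doc and not doc[key]["Value"]:
                findings.append(f"{doc['VpcId']}: {key} is false")
    return findings


# Constructed sample documents in the shape the CLI returns (not real resources).
SAMPLE_GROUP = {"DBSubnetGroups": [{
    "DBSubnetGroupName": "my-db-subnet-group",
    "VpcId": "vpc-0123",
    "SubnetGroupStatus": "Complete",
    "Subnets": [
        {"SubnetIdentifier": "subnet-0aaa", "SubnetAvailabilityZone": {"Name": "us-east-1a"}, "SubnetStatus": "Active"},
        {"SubnetIdentifier": "subnet-0bbb", "SubnetAvailabilityZone": {"Name": "us-east-1b"}, "SubnetStatus": "Active"},
        {"SubnetIdentifier": "subnet-0ccc", "SubnetAvailabilityZone": {"Name": "us-east-1c"}, "SubnetStatus": "Active"},
    ],
}]}
SAMPLE_SUBNETS = {"Subnets": [  # subnet-0ccc is absent: it was deleted
    {"SubnetId": "subnet-0aaa", "VpcId": "vpc-0123", "State": "available", "AvailableIpAddressCount": 200},
    {"SubnetId": "subnet-0bbb", "VpcId": "vpc-0123", "State": "available", "AvailableIpAddressCount": 2},
]}
SAMPLE_DNS_HOSTNAMES = {"VpcId": "vpc-0123", "EnableDnsHostnames": {"Value": False}}
SAMPLE_DNS_SUPPORT = {"VpcId": "vpc-0123", "EnableDnsSupport": {"Value": True}}

if __name__ == "__main__":
    for line in check_subnet_group(SAMPLE_GROUP, SAMPLE_SUBNETS) + check_vpc_dns(
            SAMPLE_DNS_HOSTNAMES, SAMPLE_DNS_SUPPORT):
        print("FINDING:", line)
```

On the constructed sample this reports the nearly exhausted `subnet-0bbb`, the `subnet-0ccc` that the group still references but EC2 no longer returns, and the disabled `enableDnsHostnames` attribute, which are three of the states this article describes. The cross-check against `describe-subnets` matters because the subnet group listing alone does not reveal that a member subnet has been deleted.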
When changing an RDS instance between VPCs, note that you cannot do so if the instance is Multi-AZ. Convert to single-AZ first, move to the new VPC, then convert back to Multi-AZ if needed. The instance will reboot during VPC changes. If your DB instance enters incompatible-network state and automated backups are enabled, consider point-in-time recovery (PITR) as an alternative to creating a new instance. For instances without backups, use AWS Database Migration Service (DMS) to migrate data to a new instance.