AWS

LambdaSubnetIPAddressLimitReachedException - Lambda Subnet IP Address Limit Reached

Hitting a **LambdaSubnetIPAddressLimitReachedException** means your Lambda functions have exhausted the available IP addresses in the VPC subnet—each concurrent Lambda execution in a VPC requires an IP address, and the subnet's CIDR block doesn't have enough available. This client-side error (4xx) happens when AWS enforces subnet IP address limits. Most common when subnet CIDR blocks are too small, but also appears when too many concurrent Lambda executions occur, IP addresses aren't released properly, subnets are near capacity, or multiple Lambda functions share the same subnet.

#Common Causes

  • Identity: IAM policy allows Lambda VPC but subnet IP limit reached. Service Control Policy (SCP) enforces subnet limits.
  • Network: Subnet CIDR block too small. VPC subnet capacity exhausted. Regional subnet IP limits.
  • Limits: Subnet CIDR block too small. Too many concurrent Lambda executions. IP addresses not released properly. Subnet near capacity. Multiple Lambda functions sharing subnet.

Solutions

  1. 1Step 1: Diagnose - Check subnet available IP addresses: aws ec2 describe-subnets --subnet-ids subnet-XXXXX --query 'Subnets[0].[AvailableIpAddressCount,CidrBlock]' --output table. Compare available IPs with Lambda concurrency.
  2. 2Step 2: Diagnose - Check Lambda functions using subnet: aws lambda list-functions --query 'Functions[?VpcConfig.SubnetIds!=null].[FunctionName,VpcConfig.SubnetIds]' --output table. Count how many functions use the subnet.
  3. 3Step 3: Diagnose - Check subnet utilization: aws ec2 describe-network-interfaces --filters "Name=subnet-id,Values=subnet-XXXXX" --query 'length(NetworkInterfaces)' --output text. Monitor ENI count.
  4. 4Step 4: Fix - Add additional subnets to Lambda: aws lambda update-function-configuration --function-name FUNCTION_NAME --vpc-config SubnetIds=subnet-1,subnet-2,SecurityGroupIds=sg-XXXXX. Distribute Lambda functions across multiple subnets.
  5. 5Step 5: Fix - Increase subnet CIDR block or reduce concurrency: Create new subnet with larger CIDR: aws ec2 create-subnet --vpc-id vpc-XXXXX --cidr-block 10.0.2.0/24. Or reduce Lambda concurrency limits. Use larger subnet CIDR blocks (/24 or /23).

</>Code Examples

Check Subnet Available IP Addresses
1#!/bin/bash
2SUBNET_ID="subnet-12345678"
3
4echo "=== Subnet IP Address Information ==="
5aws ec2 describe-subnets \
6  --subnet-ids ${SUBNET_ID} \
7  --query 'Subnets[0].[SubnetId,AvailableIpAddressCount,CidrBlock]' \
8  --output table
9
10# Calculate total IPs in CIDR
11CIDR=$(aws ec2 describe-subnets \
12  --subnet-ids ${SUBNET_ID} \
13  --query 'Subnets[0].CidrBlock' \
14  --output text)
15
16echo "\n=== Subnet Capacity Analysis ==="
17echo "CIDR Block: ${CIDR}"
18echo "Available IPs: Check output above"
19
20# Check ENI count (each Lambda execution uses one)
21echo "\n=== Network Interfaces in Subnet ==="
22ENI_COUNT=$(aws ec2 describe-network-interfaces \
23  --filters "Name=subnet-id,Values=${SUBNET_ID}" \
24  --query 'length(NetworkInterfaces)' \
25  --output text)
26
27echo "ENIs in subnet: ${ENI_COUNT}"
28echo "Each Lambda execution requires one ENI/IP address"
Add Additional Subnets to Lambda Function
1#!/bin/bash
2FUNCTION_NAME="my-function"
3SUBNET_1="subnet-12345678"
4SUBNET_2="subnet-87654321"
5SECURITY_GROUP="sg-12345678"
6
7echo "=== Adding Additional Subnets to Lambda ==="
8echo "Function: ${FUNCTION_NAME}"
9echo "Subnets: ${SUBNET_1}, ${SUBNET_2}"
10
11aws lambda update-function-configuration \
12  --function-name ${FUNCTION_NAME} \
13  --vpc-config SubnetIds=${SUBNET_1},${SUBNET_2},SecurityGroupIds=${SECURITY_GROUP} \
14  --output json
15
16if [ $? -eq 0 ]; then
17  echo "\n✓ VPC configuration updated"
18  echo "Lambda can now use IPs from multiple subnets"
19  
20  echo "\n=== Verify Configuration ==="
21  aws lambda get-function-configuration \
22    --function-name ${FUNCTION_NAME} \
23    --query 'VpcConfig.SubnetIds' \
24    --output table
25else
26  echo "\n✗ Failed to update VPC configuration"
27  echo "Check subnet IDs and security group IDs"
28fi
Create New Subnet with Larger CIDR Block
1#!/bin/bash
2VPC_ID="vpc-12345678"
3AZ="us-east-1a"
4NEW_CIDR="10.0.2.0/24"  # Larger CIDR block
5
6echo "=== Creating New Subnet with Larger CIDR ==="
7echo "VPC: ${VPC_ID}"
8echo "Availability Zone: ${AZ}"
9echo "CIDR Block: ${NEW_CIDR}"
10
11NEW_SUBNET=$(aws ec2 create-subnet \
12  --vpc-id ${VPC_ID} \
13  --cidr-block ${NEW_CIDR} \
14  --availability-zone ${AZ} \
15  --query 'Subnet.SubnetId' \
16  --output text)
17
18if [ ! -z "${NEW_SUBNET}" ]; then
19  echo "\n✓ New subnet created: ${NEW_SUBNET}"
20  
21  echo "\n=== Subnet Details ==="
22  aws ec2 describe-subnets \
23    --subnet-ids ${NEW_SUBNET} \
24    --query 'Subnets[0].[SubnetId,CidrBlock,AvailableIpAddressCount]' \
25    --output table
26  
27  echo "\n=== Next Steps ==="
28  echo "Add this subnet to Lambda VPC configuration"
29  echo "aws lambda update-function-configuration --function-name FUNCTION_NAME --vpc-config SubnetIds=${NEW_SUBNET},..."
30else
31  echo "\n✗ Failed to create subnet"
32  echo "Check VPC ID, CIDR block, and availability zone"
33fi

Related Errors

InvalidParameterValueServiceQuotaExceededException

Provider Information

This error code is specific to AWS services. For more information, refer to the official AWS documentation.

LambdaSubnetIPAddressLimitReachedException - Lambda Subnet IP Address Limit Reached | AWS Error Reference | Error Code Reference