App Runner service cannot access Internet when added to a VPC

1

I've set up an App Runner service, which works fine. Currently for networking it's configured as public access, but I'd like to change this to a VPC so that I can connect the service to an RDS instance without having to open the database up to the world.

When I change the networking config to use my default security group, the service is unable to access the Internet. Cloning a git repo from Bitbucket brings up the error:

ssh: Could not resolve hostname bitbucket.org: Try again

... and trying to run npm install brings up:

npm ERR! network request to https://registry.npmjs.org/gulp failed, reason: connect ETIMEDOUT 104.16.24.35:443

My security group has an outgoing rule allowing all traffic out to any destination. My RDS instance is in the same VPC/security group and I'm able to connect to this without issue (currently I've opened up port 3306 to the world). Everything else I've read from a bunch of Googling seems fine: route tables, internet gateways, firewall rules, etc.

Any help would be much appreciated!

3 Answers
4

After a lot of trial and error I have finally found the solution.

You should first make sure that you select a public subnet when creating the VPC connector.

Then, when the App Runner service is running, follow these steps:

  1. Go to the network interfaces section, inside the VPC module, and you will find one interface with a description starting with "Fargate ENI..." that belongs to the public subnet you chose when creating the App Runner service. That's the network interface of your App Runner service. Note down the id of that network interface, eni-...
  2. Now go to Elastic IP, in the VPC module as well, and allocate a new Elastic IP address.
  3. Then, select the new Elastic IP and, under the Actions button, select "Associate Elastic IP". There, choose "Network interface" and select the network interface id from step 1.
  4. After that, deploy the app runner service again and you should have internet connectivity.
answered 2 years ago
  • Thank you!

  • Thank you!

  • You deserve a medal! Thank you!

  • ENI with static IP enables the public traffic, although it defeats the purpose of having other settings in place.

  • Looking at the VPC connector release notes, it is explained that the egress will be by default disabled and NAT has to be there.

    https://aws.amazon.com/blogs/aws/new-for-app-runner-vpc-support/

    "When connected to a VPC, all outbound traffic from your AppRunner service will be routed based on the VPC routing rules. Services will not have access to the public internet (including AWS APIs) unless allowed by a route to a NAT Gateway. You can also set up VPC endpoints to connect to AWS APIs such as Amazon Simple Storage Service (Amazon S3) and Amazon DynamoDB to avoid NAT traffic."
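The following is an added diagnostic, not code from this thread or from AWS, that encodes what the accepted answer and the comment above describe: it finds the App Runner ENIs by their "Fargate ENI" description (step 1 of the answer), looks up the route table of each ENI's subnet, and reports whether egress is possible via a NAT Gateway (the supported design), via an internet gateway only if the ENI carries a public IP (the Elastic IP workaround), or not at all. It runs offline on constructed data shaped like the EC2 DescribeRouteTables and DescribeNetworkInterfaces responses; every ID (vpc-example, igw-example, nat-example, eni-example-*, subnet-*) is a placeholder, and the `Verdict` / `diagnose` names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# --- Constructed sample data, shaped like EC2 API responses. IDs are placeholders.
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}

ROUTE_TABLES: List[dict] = [
    {   # main table: only the local route, so a subnet with no explicit
        # association (subnet-isolated-a below) has no path out of the VPC
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [LOCAL],
    },
    {   # public subnet: default route to an internet gateway
        "RouteTableId": "rtb-public",
        "Associations": [{"SubnetId": "subnet-public-a", "Main": False}],
        "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                           "GatewayId": "igw-example", "State": "active"}],
    },
    {   # private subnet: default route to a NAT gateway
        "RouteTableId": "rtb-private",
        "Associations": [{"SubnetId": "subnet-private-a", "Main": False}],
        "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                           "NatGatewayId": "nat-example", "State": "active"}],
    },
]

NETWORK_INTERFACES: List[dict] = [
    {"NetworkInterfaceId": "eni-example-1", "SubnetId": "subnet-public-a",
     "Description": "Fargate ENI for svc-a", "Association": {}},   # no public IP
    {"NetworkInterfaceId": "eni-example-2", "SubnetId": "subnet-private-a",
     "Description": "Fargate ENI for svc-b", "Association": {}},
    {"NetworkInterfaceId": "eni-example-3", "SubnetId": "subnet-isolated-a",
     "Description": "Fargate ENI for svc-c", "Association": {}},
    {"NetworkInterfaceId": "eni-example-4", "SubnetId": "subnet-public-a",
     "Description": "RDS NetworkInterface", "Association": {}},    # not App Runner
]


@dataclass
class Verdict:
    eni_id: str
    subnet_id: str
    ok: bool
    path: str      # "nat", "igw" or "none"
    reason: str


def fargate_enis(interfaces: List[dict]) -> List[dict]:
    """Step 1 of the accepted answer: App Runner's interfaces are the ones
    whose description starts with 'Fargate ENI'."""
    return [i for i in interfaces if i.get("Description", "").startswith("Fargate ENI")]


def route_table_for_subnet(subnet_id: str, tables: List[dict]) -> dict:
    """A subnet uses its explicitly associated table, otherwise the VPC main table."""
    for t in tables:
        if any(a.get("SubnetId") == subnet_id for a in t["Associations"]):
            return t
    return next(t for t in tables if any(a.get("Main") for a in t["Associations"]))


def default_route_target(table: dict) -> Tuple[str, Optional[str]]:
    """Return ('nat'|'igw'|'none', target id) for the active 0.0.0.0/0 route."""
    for r in table["Routes"]:
        if r.get("DestinationCidrBlock") != "0.0.0.0/0" or r.get("State") != "active":
            continue
        if r.get("NatGatewayId"):
            return "nat", r["NatGatewayId"]
        if str(r.get("GatewayId", "")).startswith("igw-"):
            return "igw", r["GatewayId"]
    return "none", None


def diagnose(eni: dict, tables: List[dict]) -> Verdict:
    """Classify one App Runner ENI's egress path from its subnet's route table."""
    eni_id, subnet = eni["NetworkInterfaceId"], eni["SubnetId"]
    path, target = default_route_target(route_table_for_subnet(subnet, tables))
    has_public_ip = bool(eni.get("Association", {}).get("PublicIp"))
    if path == "nat":
        return Verdict(eni_id, subnet, True, "nat", f"0.0.0.0/0 via {target}: supported design")
    if path == "igw" and has_public_ip:
        return Verdict(eni_id, subnet, True, "igw",
                       f"0.0.0.0/0 via {target} and the ENI has a public IP (manual EIP workaround)")
    if path == "igw":
        return Verdict(eni_id, subnet, False, "igw",
                       f"0.0.0.0/0 via {target} but the ENI has no public IP: traffic cannot leave")
    return Verdict(eni_id, subnet, False, "none", "no active 0.0.0.0/0 route in the subnet's route table")


def diagnose_all(interfaces: List[dict] = NETWORK_INTERFACES,
                 tables: List[dict] = ROUTE_TABLES) -> Dict[str, Verdict]:
    return {e["NetworkInterfaceId"]: diagnose(e, tables) for e in fargate_enis(interfaces)}


if __name__ == "__main__":
    for v in diagnose_all().values():
        print("OK " if v.ok else "BAD", v.eni_id, v.subnet_id, v.path, "-", v.reason)
```

On a real account the two input lists would come from `aws ec2 describe-network-interfaces` and `aws ec2 describe-route-tables` (the `NetworkInterfaces` and `RouteTables` arrays of their JSON output). The check makes the thread's conclusion concrete: the ENI in the public subnet fails exactly as in the question until it is given a public IP, the ENI in a subnet routed to a NAT Gateway works without any per-interface tweak, and a subnet that falls back to the main route table has no egress at all.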

0

I ran into the same issue and have used the following to sort it out -

https://aws.amazon.com/premiumsupport/knowledge-center/internet-access-lambda-function/

answered 2 years ago
0

We encountered this same problem. It's really confusing that it does not work out of the box.

We ended up solving this with a NAT Gateway as recommended by the documentation. You can find more details about how we set it up here: https://github.com/aws/apprunner-roadmap/issues/192

Tuure
answered a year ago
