App Runner service cannot access Internet when added to a VPC

1

I've set up an App Runner service, which works fine. Currently for networking it's configured as public access, but I'd like to change this to a VPC so that I can connect the service to an RDS instance without having to open the database up to the world.

When I change the networking config to use my default security group, the service is unable to access the Internet. Cloning a git repo from Bitbucket brings up the error:

ssh: Could not resolve hostname bitbucket.org: Try again

... and trying to run npm install brings up:

npm ERR! network request to https://registry.npmjs.org/gulp failed, reason: connect ETIMEDOUT 104.16.24.35:443

My security group has an outgoing rule allowing all traffic out to any destination. My RDS instance is in the same VPC/security group and I'm able to connect to this without issue (currently I've opened up port 3306 to the world). Everything else I've read from a bunch of Googling seems fine: route tables, internet gateways, firewall rules, etc.

Any help would be much appreciated!

2 Answers
0

I ran into the same issue and have used the following to sort it out -

https://aws.amazon.com/premiumsupport/knowledge-center/internet-access-lambda-function/

answered 4 years ago
0

We encountered this same problem. It's really confusing that it does not work out of the box.

We ended up solving this with a NAT Gateway as recommended by the documentation. You can find more details about how we set it up here: https://github.com/aws/apprunner-roadmap/issues/192

answered 3 years ago
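
A check for the route-table condition behind both answers, as an added example that is not part of the original thread: a default route to an internet gateway only serves interfaces with a public IP, so the subnets given to the VPC connector need a default route to a NAT gateway instead. The data is a constructed sample in the shape of EC2 `DescribeRouteTables` output; every ID and subnet name is made up.

```python
# Constructed sample in the shape of EC2 DescribeRouteTables output (IDs are made up).
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main",
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0aaa"}]},
    {"RouteTableId": "rtb-private",
     "Associations": [{"Main": False, "SubnetId": "subnet-private"}],
     "Routes": [{"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0bbb"}]},
    {"RouteTableId": "rtb-isolated",
     "Associations": [{"Main": False, "SubnetId": "subnet-isolated"}],
     "Routes": [{"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"}]},
]

def effective_route_table(subnet_id, route_tables):
    """Explicit association wins; otherwise the subnet uses the VPC's main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def egress_path(subnet_id, route_tables):
    """Classify the IPv4 default route that applies to a connector subnet."""
    rt = effective_route_table(subnet_id, route_tables)
    if rt is None:
        return "unknown"
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("NatGatewayId"):
            return "nat"    # outbound Internet works without a public IP
        if route.get("GatewayId", "").startswith("igw-"):
            return "igw"    # needs a public IP on the interface, so requests time out
        return "other"
    return "none"           # no default route: VPC-internal traffic only

def report(subnet_ids, route_tables):
    return {s: egress_path(s, route_tables) for s in subnet_ids}

if __name__ == "__main__":
    subnets = ["subnet-default", "subnet-private", "subnet-isolated"]
    for subnet, path in report(subnets, ROUTE_TABLES).items():
        print(subnet, path)
```

Only subnets reported as `nat` are suitable for the connector if the service must reach the Internet; the RDS instance can stay reachable only from inside the VPC either way.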
