App Runner service cannot access Internet when added to a VPC

1

I've set up an App Runner service, which works fine. Currently for networking it's configured as public access, but I'd like to change this to a VPC so that I can connect the service to an RDS instance without having to open the database up to the world.

When I change the networking config to use my default security group, the service is unable to access the Internet. Cloning a git repo from Bitbucket brings up the error:

ssh: Could not resolve hostname bitbucket.org: Try again

... and trying to run npm install brings up:

npm ERR! network request to https://registry.npmjs.org/gulp failed, reason: connect ETIMEDOUT 104.16.24.35:443

My security group has an outgoing rule allowing all traffic out to any destination. My RDS instance is in the same VPC/security group and I'm able to connect to this without issue (currently I've opened up port 3306 to the world). Everything else I've read from a bunch of Googling seems fine: route tables, internet gateways, firewall rules, etc.

Any help would be much appreciated!

3 Answers
4

After a lot of trial and error I have finally found the solution.

You should first make sure that you select a public subnet when creating the VPC connector.

Then, when the app runner service is running follow the next steps:

  1. Go to the network interfaces section, inside the VPC module, and you will find one interface with a description starting with Fargate ENI... that belongs to the public subnet you chose when creating the App Runner service. That's the network interface of your App Runner service. Note down the ID of that network interface, eni-...
  2. Now go to Elastic IP, in the VPC module as well, and allocate a new Elastic IP address.
  3. Then, select the new Elastic IP and, under the Actions button, select Associate Elastic IP. There, choose Network interface and select the network interface ID from step 1.
  4. After that, deploy the App Runner service again and you should have internet connectivity.
answered 2 years ago
  • Thank you!

  • Thank you!

  • You deserve a medal! Thank you!

  • ENI with static IP enables the public traffic, although it defeats the purpose of having other settings in place.

  • Looking at the VPC connector release notes, it is explained that egress is disabled by default and a NAT has to be there.

    https://aws.amazon.com/blogs/aws/new-for-app-runner-vpc-support/ When connected to a VPC, all outbound traffic from your AppRunner service will be routed based on the VPC routing rules. Services will not have access to the public internet (including AWS APIs) unless allowed by a route to a NAT Gateway. You can also set up VPC endpoints to connect to AWS APIs such as Amazon Simple Storage Service (Amazon S3) and Amazon DynamoDB to avoid NAT traffic.

0

I ran into the same issue and have used the following to sort it out -

https://aws.amazon.com/premiumsupport/knowledge-center/internet-access-lambda-function/

answered 2 years ago
0

We encountered this same problem. It's really confusing that it does not work out of the box.

We ended up solving this with a NAT Gateway as recommended by the documentation. You can find more details about how we set it up here: https://github.com/aws/apprunner-roadmap/issues/192

Tuure
answered 10 months ago
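The NAT Gateway layout that the comment on the first answer quotes from the App Runner VPC announcement, and that the last answer used, written out as a minimal Terraform configuration. This is an added example, not code from the question, any of the answers, or the linked GitHub issue. It also moves the RDS security group from "port 3306 open to the world" (as in the question) to "3306 only from the App Runner security group". Region, availability zone, CIDR blocks and resource names are assumptions; change them to match your account.

```hcl
# Added example: App Runner egress through a NAT Gateway. Not from the original
# question or answers. Region, AZ, CIDRs and names below are assumptions.

provider "aws" {
  region = "eu-west-1" # assumption
}

resource "aws_vpc" "app" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true
}

# Public subnet: only the NAT Gateway lives here.
resource "aws_subnet" "public" {
  vpc_id            = aws_vpc.app.id
  cidr_block        = "10.0.0.0/24"
  availability_zone = "eu-west-1a"
}

# Private subnet: the App Runner VPC connector and RDS go here.
# No public IP is ever attached to the Fargate ENI.
resource "aws_subnet" "private" {
  vpc_id            = aws_vpc.app.id
  cidr_block        = "10.0.1.0/24"
  availability_zone = "eu-west-1a"
}

resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.app.id
}

# The Elastic IP belongs to the NAT Gateway, not to the service's ENI.
resource "aws_eip" "nat" {
  domain = "vpc"
}

resource "aws_nat_gateway" "nat" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public.id
  depends_on    = [aws_internet_gateway.igw]
}

# Public subnet default route -> internet gateway.
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.app.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}

resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}

# Private subnet default route -> NAT Gateway. This is the route App Runner's
# outbound traffic (git clone, npm install, AWS APIs) follows once the VPC
# connector is in place.
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.app.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat.id
  }
}

resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}

# Security group attached to the App Runner ENIs: outbound only, no ingress.
resource "aws_security_group" "apprunner" {
  name   = "apprunner-egress"
  vpc_id = aws_vpc.app.id
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# RDS security group: MySQL reachable only from the App Runner security group.
resource "aws_security_group" "rds" {
  name   = "rds-mysql"
  vpc_id = aws_vpc.app.id
  ingress {
    from_port       = 3306
    to_port         = 3306
    protocol        = "tcp"
    security_groups = [aws_security_group.apprunner.id]
  }
}

# VPC connector in the private subnet; reference its ARN from the App Runner
# service's network_configuration.egress_configuration block.
resource "aws_apprunner_vpc_connector" "app" {
  vpc_connector_name = "apprunner-private"
  subnets            = [aws_subnet.private.id]
  security_groups    = [aws_security_group.apprunner.id]
}
```

Two points to check after `terraform apply`: the route table associated with the connector's subnet must show `0.0.0.0/0` pointing at `nat-...` (not at `igw-...`, which only carries traffic from an ENI that holds a public address, which is why the Elastic-IP-on-the-ENI workaround in the first answer works but leaves the service with a public address), and the NAT Gateway costs an hourly charge plus data processing, so the VPC endpoints mentioned in the quoted announcement are worth adding for S3 and DynamoDB traffic. A production RDS instance also needs a DB subnet group spanning at least two availability zones, so a second private subnet in another AZ, attached to the same private route table, is needed in practice.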
