
Outbound NAT for App Runner has stopped working


Inbound connections to the App Runner exposed port work fine.

Outbound connections needed for OAUTH2 fail traversing the NAT gateway.

Configuration:

VPC: 10.2.0.0/16

SUBNET: 10.2.160.0/24

ROUTING TABLE:

  • ::/0 => igw-006ee4549fbc47c3b
  • 2600:1f16:798:3a00::/56 => local
  • 0.0.0.0/0 => nat-0d81161b2083effcc
  • 10.1.0.0/16 => pcx-08c7cce5e8c546b16
  • 10.2.0.0/16 => local
  • 172.31.0.0/16 => pcx-0f85be56810e0c3d4

VPC interface endpoints:

  • Incoming: NONE
  • Outgoing: Active, any to any allowed

App Runner:

  • Spring Boot app with OAUTH2 enabled.

Comment:

Can you check whether your NAT Gateway is in a public subnet? This indicates your NAT is in a private subnet: "0.0.0.0/0 => nat-0d81161b2083effcc"

[ to check: aws ec2 describe-nat-gateways --nat-gateway-ids nat-0d81161b2083effcc ]

Your IGW should be 0.0.0.0/0 => igw-006ee4549fbc47c3b. Where is the NAT getting traffic from? It should be from the IGW.

1 Answer

Based on the information provided, it appears that your App Runner service is experiencing issues with outbound connections through the NAT gateway, specifically for OAUTH2 traffic, while inbound connections are working fine. Here are some potential reasons and troubleshooting steps to consider:

  1. NAT Gateway Configuration: Ensure that the NAT gateway (nat-0d81161b2083effcc) is properly configured and in an "Available" state. Check its status in the Amazon VPC console.

  2. Security Group Settings: Verify that the security group associated with your App Runner service allows outbound traffic on the necessary ports for OAUTH2 (typically 443 for HTTPS).

  3. Network ACLs: Check if there are any Network ACLs in your VPC that might be blocking the outbound OAUTH2 traffic.

  4. VPC Endpoint Configuration: Although you mentioned VPC interface endpoints are active and allowing any-to-any traffic, double-check that they are correctly set up for the services your application needs to access.

  5. DNS Resolution: Ensure that DNS hostnames and DNS resolution are enabled for your VPC. This is crucial for proper name resolution, especially for external services like OAUTH2 providers.

  6. Route Table: Your route table looks correct with the 0.0.0.0/0 route pointing to the NAT gateway. However, verify that this route table is actually associated with the subnet where your App Runner service is deployed.

  7. App Runner VPC Connector: Make sure your App Runner service is correctly configured to use the VPC connector that's associated with your VPC and subnet.

  8. CloudWatch Logs: Check the CloudWatch logs for your App Runner service for any error messages related to network connectivity or OAUTH2 failures.

  9. VPC Flow Logs: Enable VPC Flow Logs if not already done, and analyze the logs to see if the OAUTH2 traffic is being blocked or routed incorrectly.

  10. NAT Gateway Capacity: If you're running a large number of instances or generating a high volume of traffic, you might be hitting the NAT gateway's connection limits. Consider monitoring the NAT gateway's CloudWatch metrics.

If these steps don't resolve the issue, you may need to contact AWS support for more in-depth troubleshooting of your specific configuration. They can help identify any potential misconfigurations or limitations in your setup.

Sources
Instances within the private subnet are unable to access the internet using NAT gateway. | AWS re:Post
EKS on VPC using NAT instead of local network | AWS re:Post

answered 8 months ago
EXPERT
reviewed 8 months ago
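The commenter's suspicion (NAT gateway placed in a private subnet, so its own default route points back at itself) and the answer's steps 1 and 6 (NAT state, route table actually associated with the App Runner subnet) can be checked mechanically. The script below is an added example, not code from the re:Post thread or from AWS. It works offline on dicts shaped like the `RouteTables` and `NatGateways` lists that `aws ec2 describe-route-tables` and `aws ec2 describe-nat-gateways` return, so the real CLI output can be fed to `check_nat_egress()` in place of the constructed sample. The NAT and IGW ids come from the question; the VPC and subnet ids are placeholders because the question does not give them.

```python
"""Offline sanity check of a private subnet's NAT egress path.

Added example. Input dicts mirror `aws ec2 describe-route-tables` and
`aws ec2 describe-nat-gateways` JSON; the sample data at the bottom is constructed."""

NAT_ID = "nat-0d81161b2083effcc"   # from the question
IGW_ID = "igw-006ee4549fbc47c3b"   # from the question
VPC_ID = "vpc-EXAMPLE"             # placeholder: the question does not give the VPC id
APP_SUBNET = "subnet-app-EXAMPLE"  # placeholder id for 10.2.160.0/24
NAT_SUBNET = "subnet-nat-EXAMPLE"  # placeholder id for the public subnet


def route_table_for_subnet(subnet_id, vpc_id, route_tables):
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main") and rt.get("VpcId") == vpc_id:
                main = rt
    return main


def default_route_target(rt):
    """Target id of the active IPv4 default route (0.0.0.0/0), or None."""
    target_keys = ("GatewayId", "NatGatewayId", "TransitGatewayId",
                   "NetworkInterfaceId", "VpcPeeringConnectionId", "InstanceId")
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":  # blackhole routes forward nothing
            continue
        for key in target_keys:
            if key in route:
                return route[key]
    return None


def check_nat_egress(app_subnet_id, vpc_id, route_tables, nat_gateways):
    """Return a list of findings; an empty list means the egress path looks sane."""
    findings = []
    app_rt = route_table_for_subnet(app_subnet_id, vpc_id, route_tables)
    if app_rt is None:
        return [f"no route table resolves for {app_subnet_id}"]
    target = default_route_target(app_rt)
    if not (target and target.startswith("nat-")):
        return [f"{app_subnet_id}: default route target is {target!r}, not a NAT gateway"]
    nat = next((n for n in nat_gateways if n.get("NatGatewayId") == target), None)
    if nat is None:
        return [f"{target} is referenced by {app_rt['RouteTableId']} but describe-nat-gateways did not return it"]
    if nat.get("State") != "available":
        findings.append(f"{target}: state is {nat.get('State')!r}, expected 'available'")
    if nat.get("ConnectivityType", "public") != "public":
        findings.append(f"{target}: connectivity type is {nat['ConnectivityType']!r}; "
                        "a private NAT gateway cannot reach the internet")
    # The NAT gateway's own subnet must route 0.0.0.0/0 to an internet gateway.
    nat_rt = route_table_for_subnet(nat.get("SubnetId"), vpc_id, route_tables)
    nat_target = default_route_target(nat_rt) if nat_rt else None
    if not (nat_target and nat_target.startswith("igw-")):
        findings.append(f"{target} sits in {nat.get('SubnetId')} whose default route is {nat_target!r}; "
                        "a NAT gateway must live in a public subnet whose 0.0.0.0/0 route points to an internet gateway")
    return findings


# Constructed sample data modelled on the question's route table.
PRIVATE_RT = {"RouteTableId": "rtb-private-EXAMPLE", "VpcId": VPC_ID,
              "Associations": [{"SubnetId": APP_SUBNET, "Main": False}],
              "Routes": [{"DestinationCidrBlock": "10.2.0.0/16", "GatewayId": "local", "State": "active"},
                         {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": NAT_ID, "State": "active"}]}
PUBLIC_RT = {"RouteTableId": "rtb-public-EXAMPLE", "VpcId": VPC_ID,
             "Associations": [{"SubnetId": NAT_SUBNET, "Main": False}],
             "Routes": [{"DestinationCidrBlock": "10.2.0.0/16", "GatewayId": "local", "State": "active"},
                        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": IGW_ID, "State": "active"}]}
NAT_GATEWAYS = [{"NatGatewayId": NAT_ID, "SubnetId": NAT_SUBNET, "VpcId": VPC_ID,
                 "State": "available", "ConnectivityType": "public"}]


def healthy_scenario():
    """NAT gateway in the public subnet: no findings."""
    return check_nat_egress(APP_SUBNET, VPC_ID, [PRIVATE_RT, PUBLIC_RT], NAT_GATEWAYS)


def hairpin_scenario():
    """NAT gateway placed in the private subnet: its default route points at itself."""
    misplaced = [dict(NAT_GATEWAYS[0], SubnetId=APP_SUBNET)]
    return check_nat_egress(APP_SUBNET, VPC_ID, [PRIVATE_RT, PUBLIC_RT], misplaced)


if __name__ == "__main__":
    print("healthy:", healthy_scenario() or "OK")
    print("hairpin:", hairpin_scenario())
```

To run it against a real account, load the JSON from `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc-id>` and `aws ec2 describe-nat-gateways --nat-gateway-ids nat-0d81161b2083effcc`, and pass the `RouteTables` and `NatGateways` lists together with the subnet id the App Runner VPC connector uses. Security groups, network ACLs and DNS settings (steps 2, 3 and 5 of the answer) are not covered by this check and still need to be reviewed separately.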
