
App Runner fails connection to external services


Hi,

I have made an App Runner deployment which is getting timeouts when accessing external resources such as Sendgrid, Hubspot and similar. When a function tries to connect to those APIs, it gets a timeout. Since they are all external APIs, it makes me think there is something wrong with the network/security groups of my setup. I just don't understand why, because all security groups are configured to allow any output to anywhere.

Setup

Just some quick info about the setup.

I have an RDS (aurora-postgres) located in a non-default VPC and then I have the App Runner instance running in the default VPC (I can't change the App Runner VPC, but I can use a VPC connector). I have two security groups (one for the RDS server (A) and one for the App Runner VPC connector (B)).

The App Runner's network is configured as follows: input = "Public Endpoint", Output = "Custom VPC", where it connects to the same VPC as the RDS server (including the same subnets) and the security group (B) for the App Runner.

The RDS security group (A) is configured as follows:

Input
- IP version: -
- Protocol: TCP
- Port range: 5432 (postgres)
- Source: Security group B (see below)

Output
- IP version: IPv4
- Protocol: All
- Port range: All
- Source: 0.0.0.0/0

The App Runner security group (B) is configured as follows:

Input
- IP version: IPv4
- Protocol: All
- Port range: All
- Source: 0.0.0.0/0

Output
- IP version: IPv4
- Protocol: All
- Port range: All
- Source: 0.0.0.0/0

There is access from the App Runner to the database. That is working flawlessly, but when the App Runner tries to access e.g. the Sendgrid API, it gets a timeout. I do not understand that, because the security group for the App Runner VPC connector is set to allow all destinations.

What am I missing?

1 Answer

Accepted Answer

When your App Runner service is configured with a VPC connector for outbound traffic, all traffic from your service is routed through the VPC, including traffic to external services like Sendgrid and Hubspot. This is likely causing your timeout issues.

The problem is that when you use a VPC connector, your App Runner service needs a way to access the internet. Even though your security group allows all outbound traffic, the subnets you're using need to have a route to the internet. For private subnets (which are typically used with VPC connectors), this means you need a NAT Gateway or similar service to enable outbound internet access.

Here are some steps to troubleshoot and fix the issue:

  1. Verify that the subnets you're using for your VPC connector are private subnets. Public subnets can cause errors with App Runner VPC connectors.

  2. Check if these subnets have a route to the internet via a NAT Gateway in their route tables. Without this, your App Runner service won't be able to reach external APIs even with permissive security groups.

  3. To confirm this is a networking issue, you could try connecting to these external services from an EC2 instance in the same VPC and subnets. If the EC2 instance also can't connect, it confirms the issue is with your VPC's outbound internet connectivity.

  4. If you're using private subnets, ensure they have a route to a NAT Gateway in their route table to allow outbound internet access.

  5. If you're still experiencing issues, you might want to check the VPC Flow Logs to see if traffic is being blocked somewhere or use the Network Reachability Analyzer to identify network misconfigurations.

The fact that your App Runner can connect to your RDS but not to external services suggests that internal VPC routing is working, but outbound internet access is not configured correctly.
Sources
When the service fails to connect to Amazon RDS or downstream service - AWS App Runner
Amazon VPC Lattice Troubleshooting Part 1 - Client to Amazon VPC Lattice Communication | AWS re:Post
Troubleshoot ETIMEDOUT error in my Lambda function | AWS re:Post

answered a year ago
EXPERT
reviewed a year ago
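Step 2 of the answer (does each connector subnet's route table carry a default route to a NAT Gateway?) can be checked mechanically. The script below is an added example, not code from the answer, the question or AWS: it takes the JSON that `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc-id>` returns (piped on stdin) plus the subnet IDs of the VPC connector (listed by `aws apprunner describe-vpc-connector`) and reports, per subnet, whether its active 0.0.0.0/0 route goes through a NAT Gateway, an Internet Gateway, or is missing. The route tables, subnet IDs and gateway IDs embedded at the bottom are constructed placeholders.

```python
"""Classify the subnets behind an App Runner VPC connector by their active
default route, using the JSON shape of `aws ec2 describe-route-tables`.
The route tables and subnet IDs at the bottom are constructed sample data."""
import json
import sys


def route_table_for_subnet(route_tables, subnet_id):
    """An explicit subnet association wins; otherwise the VPC's main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def classify_subnet(route_tables, subnet_id):
    """'nat' = private subnet via NAT Gateway (what the connector needs),
    'igw' = public subnet via Internet Gateway, 'none' = no default route."""
    rt = route_table_for_subnet(route_tables, subnet_id) or {}
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":  # e.g. blackhole
            continue
        if route.get("NatGatewayId"):
            return "nat"
        if route.get("GatewayId", "").startswith("igw-"):
            return "igw"
    return "none"


# Constructed sample (IDs are placeholders): one subnet for each case.
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}], "Routes": [LOCAL]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-private"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "State": "active",
                        "NatGatewayId": "nat-EXAMPLE"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "State": "active",
                        "GatewayId": "igw-EXAMPLE"}]},
]
SAMPLE_SUBNETS = ["subnet-private", "subnet-public", "subnet-nodefault"]

if __name__ == "__main__":
    # Real use: aws ec2 describe-route-tables ... | python3 check.py <subnet-id>...
    tables = SAMPLE_ROUTE_TABLES if sys.stdin.isatty() else json.load(sys.stdin)["RouteTables"]
    for subnet in sys.argv[1:] or SAMPLE_SUBNETS:
        print(f"{subnet}: {classify_subnet(tables, subnet)}")
```

A subnet reported as "none" falls back to the VPC's main route table with only the local route, which matches the symptom in the question: RDS inside the VPC is reachable, anything on the internet times out.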
