AWS App Runner timing out on outbound HTTPS requests

0

I have a service running with App Runner that makes requests to SQS and S3. Unfortunately, requests to these services are timing out (ostensibly due to a network connectivity issue).

There are detailed instructions in the App Runner documentation with respect to how to set up the VPC configuration to allow for external access to the Internet, which I've followed. Our service also requires access to RDS, so it runs within a private subnet (same as RDS) that has 0.0.0.0 routed through a NAT attached to a public subnet in the same VPC.

I've also associated a security group that allows outbound access to all ports. I've also set up endpoints in VPC to both SQS and S3 for the VPC.

Below are screenshots of the relevant VPC, App Runner, and Security Group configurations. How should I update my configuration to allow App Runner to access S3 and SQS?

Thanks in advance!


Security Group (inbound): [screenshot]

Security Group (outbound): [screenshot]

VPC Endpoints: [screenshot]

Subnet Route Table: [screenshot]

App Runner Networking Configuration: [screenshot]

1 Answer
1

Does the Security Group associated with your VPC Endpoints allow traffic in (tcp/443) from the security group used for your instances?

It might be worth running Reachability Analyzer on your configuration to see if it can spot any issues: https://aws.amazon.com/premiumsupport/knowledge-center/vpc-connectivity-reachability-analyzer/

James_S (AWS, EXPERT), answered a year ago
  • Good question—yes it does (updated question with additional screenshot). Both the VPC endpoints and App Runner are associated with the default security group, which allows all traffic to itself (in and out).

    How would I run Reachability Analyzer with an App Runner service? I can't seem to find a way to do that.

  • Hi @rePost-User-1719456, I work for the App Runner service and we would be happy to help you out. Can you please share the serviceARN so we can understand what's going wrong here? Thanks

  • Hi Hari—is there any way to share the service ARN in a direct message? The ARN exposes our application name and we'd prefer that not to be available publicly. Thanks!
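
The check the answer asks about (does the endpoint's security group admit tcp/443 from the service's security group?), as an added example that is not part of the original thread. It evaluates records shaped like `describe-security-groups` and `describe-vpc-endpoints` output offline; all IDs, sample records, endpoint types and function names are constructed assumptions.

```python
import ipaddress

def allows_https_from(sg, source_sg_id, source_ip=None):
    """True if an inbound rule of sg admits tcp/443 from the source group or IP."""
    for rule in sg.get("IpPermissions", []):
        proto = rule.get("IpProtocol")
        if proto != "-1":  # "-1" = all protocols, all ports
            if proto != "tcp" or not (rule.get("FromPort", 0) <= 443 <= rule.get("ToPort", 65535)):
                continue
        if any(p.get("GroupId") == source_sg_id for p in rule.get("UserIdGroupPairs", [])):
            return True
        if source_ip and any(ipaddress.ip_address(source_ip) in ipaddress.ip_network(r["CidrIp"])
                             for r in rule.get("IpRanges", [])):
            return True
    return False

def check_endpoints(endpoints, security_groups, connector_sg_id):
    """Map each VPC endpoint id to 'ok', 'blocked' or 'gateway'."""
    by_id = {sg["GroupId"]: sg for sg in security_groups}
    report = {}
    for ep in endpoints:
        if ep["VpcEndpointType"] == "Gateway":
            # Gateway endpoints carry no security groups; reachability depends on route tables.
            report[ep["VpcEndpointId"]] = "gateway"
            continue
        groups = [by_id[g["GroupId"]] for g in ep.get("Groups", []) if g["GroupId"] in by_id]
        # Rules of all attached groups are additive, so one matching group is enough.
        ok = any(allows_https_from(sg, connector_sg_id) for sg in groups)
        report[ep["VpcEndpointId"]] = "ok" if ok else "blocked"
    return report

# Constructed sample data (not taken from the thread).
SECURITY_GROUPS = [
    {"GroupId": "sg-0default", "IpPermissions": [  # self-referencing "default" group
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0default"}], "IpRanges": []}]},
    {"GroupId": "sg-0strict", "IpPermissions": [   # CIDR-only rule, no source group
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "10.0.1.0/24"}]}]},
]
ENDPOINTS = [
    {"VpcEndpointId": "vpce-sqs", "VpcEndpointType": "Interface", "Groups": [{"GroupId": "sg-0default"}]},
    {"VpcEndpointId": "vpce-sqs2", "VpcEndpointType": "Interface", "Groups": [{"GroupId": "sg-0strict"}]},
    {"VpcEndpointId": "vpce-s3", "VpcEndpointType": "Gateway", "RouteTableIds": ["rtb-0private"]},
]

if __name__ == "__main__":
    for endpoint_id, verdict in check_endpoints(ENDPOINTS, SECURITY_GROUPS, "sg-0default").items():
        print(endpoint_id, verdict)
```

A "blocked" verdict for a CIDR-only group can still be a pass if the service's ENI address falls inside the range; call `allows_https_from` with `source_ip` to test that case.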
