I’m facing an issue with my AWS VPC setup where all outgoing traffic from my services is using the AWS IP pool instead of the Elastic IP assigned to my NAT Gateway. Additionally, even after removing the route table entries for egress traffic (e.g., 0.0.0.0/0 pointing to the NAT Gateway), my services are still able to access the internet. I expect that removing the egress route should block external access, but it doesn’t seem to have any effect.
Details:
VPC Setup: I have a VPC with private and public subnets. The private subnets route outbound traffic (0.0.0.0/0) to a NAT Gateway in a public subnet, which is assigned an Elastic IP.
Issue: Outgoing traffic from instances in the private subnets appears to originate from the AWS IP pool, not the Elastic IP associated with the NAT Gateway.
Unexpected Behavior: When I remove the 0.0.0.0/0 route from the route table associated with the private subnets, the services in those subnets can still access the internet, which suggests they’re not relying on the NAT Gateway or the route table as expected. Removing the IGW also doesn't make any difference.
Configuration:
NAT Gateway is in a public subnet with an Elastic IP assigned.
Private subnet route table points 0.0.0.0/0 to the NAT Gateway (before removal).
Security Groups and NACLs allow outbound traffic. After NAT/IGW removal, I tried to restrict the outbound rules in the attached security groups, but the App Runner service is still able to connect to the internet with no change.
Troubleshooting Attempted:
Verified the NAT Gateway’s Elastic IP and its association.
Checked route tables to ensure no other 0.0.0.0/0 routes exist.
Removed the 0.0.0.0/0 route entirely from the private subnet’s route table, but services still access the internet.
Questions:
Why is outgoing traffic not using the Elastic IP assigned to the NAT Gateway?
Is it something specific to App Runner connecting to the internet through the AWS shared IP pool?
Why are my services still able to access the internet after removing the 0.0.0.0/0 route from the private subnet’s route table?
How can I ensure all outbound traffic uses the Elastic IP and that removing the egress route properly blocks internet access?
Any insights or suggestions on what to check would be greatly appreciated!
Thank you for your feedback!
Upon thorough review of my environment, I can confirm that my current setup does align with the documentation you've shared. However, I've observed what appears to be a discrepancy between the documented behavior and actual functionality.
Specifically, the documentation states: "When you connect your service to a VPC, the outbound traffic doesn't have access to the public internet. All outbound traffic from your application is directed through the VPC that your service is connected to."
Yet in my implementation, the service does maintain access to the public internet, despite being connected to the VPC. I've verified this through multiple tests.
Could this represent a potential documentation error, or perhaps there's a specific configuration aspect I might be overlooking? I'd appreciate any clarification you could provide regarding this behavior.
I tested this in my AWS account, and when I created a VPC connector and connected App Runner to my VPC, I was able to confirm that it was connected to the public Internet via a NAT Gateway. I can't recreate the same situation as you. It may not be related, but could you try restarting the service? By the way, just to be sure, you are setting up a VPC connector for outbound communication, right? Is it possible that you've mistakenly set up a VPC connector for inbound communication?
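One way to check the two things this thread turns on, namely whether the service's egress is actually set to the VPC connector rather than the default shared pool (the inbound/outbound mix-up raised in the last reply) and whether each connector subnet's 0.0.0.0/0 route points at a NAT gateway, as an added example that is not from this thread or from AWS. It assumes the response shapes of `aws apprunner describe-service`, `aws apprunner describe-vpc-connector` and `aws ec2 describe-route-tables`; the embedded data is constructed, with placeholder ARNs and IDs, so it runs offline.

```python
DEFAULT_ROUTE = "0.0.0.0/0"
# Constructed sample data with placeholder IDs, shaped like the API responses.
SERVICE_DEFAULT = {"Service": {"NetworkConfiguration": {
    "EgressConfiguration": {"EgressType": "DEFAULT"}}}}  # never switched to VPC egress
SERVICE_VPC = {"Service": {"NetworkConfiguration": {"EgressConfiguration": {
    "EgressType": "VPC",
    "VpcConnectorArn": "arn:aws:apprunner:REGION:ACCOUNT:vpcconnector/PLACEHOLDER"}}}}
CONNECTOR = {"VpcConnector": {"Subnets": ["subnet-private-a", "subnet-public-b"]}}
ROUTE_TABLES = {"RouteTables": [
    {"Associations": [{"SubnetId": "subnet-private-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-PLACEHOLDER"}]},
    {"Associations": [{"SubnetId": "subnet-public-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "igw-PLACEHOLDER"}]},
]}

def _table_for_subnet(subnet_id, route_tables):
    """Explicitly associated route table first; otherwise the VPC's main table."""
    main = None
    for table in route_tables["RouteTables"]:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main

def default_route_target(subnet_id, route_tables):
    """Target of the subnet's 0.0.0.0/0 route (nat-/igw-/eni- id), or None."""
    table = _table_for_subnet(subnet_id, route_tables)
    for route in (table or {}).get("Routes", []):
        if route.get("DestinationCidrBlock") == DEFAULT_ROUTE:
            return route.get("NatGatewayId") or route.get("GatewayId") or route.get("NetworkInterfaceId")
    return None

def audit(service, connector, route_tables):
    """Return findings; an empty list means egress should leave via the NAT gateway EIP."""
    egress = service["Service"]["NetworkConfiguration"]["EgressConfiguration"]
    if egress.get("EgressType") != "VPC":
        return ["EgressType is DEFAULT: traffic uses the AWS shared IP pool, not your NAT EIP"]
    findings = []
    for subnet in connector["VpcConnector"]["Subnets"]:
        target = default_route_target(subnet, route_tables)
        if target is None:
            findings.append(f"{subnet}: no 0.0.0.0/0 route, so no internet egress")
        elif not target.startswith("nat-"):
            findings.append(f"{subnet}: 0.0.0.0/0 -> {target}, not a NAT gateway")
    return findings
```

With real data, feed the three CLI (or boto3) responses for your service, connector and VPC into `audit`; a DEFAULT egress type is the case where the service bypasses your route tables entirely, which matches the symptom described above.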