How to access the Internet from an AWS App Runner service that is added to a VPC?
The question is the same as this one but has screenshots of AWS resources' configurations.
Situation:
- A backend is hosted as an App Runner service.
- The backend needs to communicate with a private RDS instance. So, the App Runner service is add to a VPC.
- Backend can now communicate with the RDS instance.
Expected:
- Backend should also be able to make HTTP requests to the Internet.
Actual:
- Any HTTP request from the backend to the Internet takes forever/times out.
Checklist:
- An Internet gateway is connected.
- Route table is set to route 0.0.0.0/0 to the Internet gateway.
- Security group allows outbound access.
I've tried also putting a NAT gateway in place of the Internet gateway and set up the route table accordingly. But the behaviour was the same. Screenshots below are without the NAT gateway configuration.
Screenshots:
VPC Connector configuration on App Runner service
Security group outbound rule allowing all traffic
Route table routing outbound traffic to internet gateway
Route table association with all subnets (non-explicit. Default, didn't change)
How I know that my service has no outbound Internet access:
- I'm making a request google.com
- I've made a log before, after, and in catch of the request.
- Log happens before, but then nothing happens. And my API that invokes this request keeps loading forever (until it Gateway Timeouts after 5 minutes).
So, what is wrong in my configuration above/How can I give outbound Internet access to the service?
And btw, I can access the service itself (i.e., inbound traffic) through the domain generated by App Runner.
A related discussion: https://github.com/aws/apprunner-roadmap/issues/109
According to the official App Runner documentation, you must use a NAT Gateway to provide Internet access to App Runner applications running in a VPC.
You mentioned you already tried to use a NAT Gateway in your question, but I think you configured it incorrectly. Please bear in mind the following:
- Your VPC needs both public and private subnets configured in order to properly use a NAT Gateway. Public subnets are subnets that have a route to the Internet Gateway. Private subnets are subnets that have a route to the NAT Gateway.
- The NAT Gateway itself must reside in a public subnet.
- The App Runner application must be configured to run only in private subnets.
- Using forward slash (`/`) in key of a RedisJSON object on Amazon Elasticache
- How to increase aws dynamodb index limit from 5
- Does Amazon Lightsail have remote desktop (GUI) with their Linux offering?
- Why does Runtime.maxMemory() change its value on separate calls?
- Appsync Query Returning Null with Cognito Auth
- AWS CLI S3 A client error (403) occurred when calling the HeadObject operation: Forbidden
- How to extract files from a zip archive in S3
- Copy Aws launch template to another region
- AWS S3 upload fails: RequestTimeTooSkewed
- Simplest way to automate starting of EC2 daily
- How to pass API Gateway authorizer context to a HTTP integration
- How to use AWS CLI to deploy lambda function to specific alias or version?
- Exporting data from dynamo db to a csv file
- Amazaon S3Client can list buckets, but throws an UnknownHostException when trying to do a putObject
- No integration defined for method - Choose a stage where your API will be deployed
- Using SNS to send push notifications - Expo App
- CodePipeline buildspec and multiple build actions
- Why can't an AWS lambda function inside a public subnet in a VPC connect to the internet?
- Lambda@Edge not logging on cloudfront request
- Vue is not picking up env variables from aws ecs task container
- AWS CLI cloudformation validate-template success but getting error during create-stack
- The term 'Events:' is not recognized in cloudformation template in AWS
- AWS Lambda function and S3 - change metadata on an object in S3 only if the object changed
- Cloudformation : Encountered unsupported property DeletionPolicy on S3 Bucket
- Error in CloudFormation Stack: Syntax errors in policy. (Service: AmazonIdentityManagement; Status Code: 400;
- Template format error: Unresolved resource dependencies [subnet-057ba3df40f87da4e] in the Resources block of the template
- Encountered unsupported property Version
- While deploying an efs stack i get the following error
- Invalid request provided: AWS::ElasticLoadBalancingV2::ListenerRule Validation exception
- aws cloudformation - Encountered unsupported property RequestValidatorId