How to access the Internet from an AWS App Runner service that is added to a VPC?
The question is the same as this one but has screenshots of AWS resources' configurations.
Situation:
- A backend is hosted as an App Runner service.
- The backend needs to communicate with a private RDS instance. So, the App Runner service is add to a VPC.
- Backend can now communicate with the RDS instance.
Expected:
- Backend should also be able to make HTTP requests to the Internet.
Actual:
- Any HTTP request from the backend to the Internet takes forever/times out.
Checklist:
- An Internet gateway is connected.
- Route table is set to route 0.0.0.0/0 to the Internet gateway.
- Security group allows outbound access.
I've tried also putting a NAT gateway in place of the Internet gateway and set up the route table accordingly. But the behaviour was the same. Screenshots below are without the NAT gateway configuration.
Screenshots:
VPC Connector configuration on App Runner service
Security group outbound rule allowing all traffic
Route table routing outbound traffic to internet gateway
Route table association with all subnets (non-explicit. Default, didn't change)
How I know that my service has no outbound Internet access:
- I'm making a request google.com
- I've made a log before, after, and in catch of the request.
- Log happens before, but then nothing happens. And my API that invokes this request keeps loading forever (until it Gateway Timeouts after 5 minutes).
So, what is wrong in my configuration above/How can I give outbound Internet access to the service?
And btw, I can access the service itself (i.e., inbound traffic) through the domain generated by App Runner.
A related discussion: https://github.com/aws/apprunner-roadmap/issues/109
According to the official App Runner documentation, you must use a NAT Gateway to provide Internet access to App Runner applications running in a VPC.
You mentioned you already tried to use a NAT Gateway in your question, but I think you configured it incorrectly. Please bear in mind the following:
- Your VPC needs both public and private subnets configured in order to properly use a NAT Gateway. Public subnets are subnets that have a route to the Internet Gateway. Private subnets are subnets that have a route to the NAT Gateway.
- The NAT Gateway itself must reside in a public subnet.
- The App Runner application must be configured to run only in private subnets.
- AWS Lambda No module named 'regex._regex'
- Unable to resolve " not a valid key=value pair (missing equal-sign) in Authorization header" when POSTing to api gateway
- How to reset EC2 ubuntu instance?
- How to zip files properly on mac for unzipping via python from s3?
- Issues generating CloudFront signed URLs; always Access Denied
- AWS EventBridge Pipeline - Self Managed Kafka filter not working
- aws lambda function triggering multiple times for a single event
- Trying to create AWS spot datafeed, getting error: InaccessibleStorageLocation
- Can't see my EC2 instances on the management console?
- React web app Auth UserPool not configured
- How to retrieve usage on Amazon S3 based on tag?
- AWS Amplify: How to delete the environment, when resources are already partially deleted?
- Interactive shell in Docker image with Amazon ECS with `aws ecs run-task` followed by `aws ecs execute-command`
- Terraform v0.11.1 : Error downloading modules: Error loading modules: open .terraform/modules/3f10921295c292995128e9e36eb: no such file or directory
- Ansible - include vars file from remote host
- How to change AWS Lamp apache root directory?
- AWS Codeartifact and Poetry auth problems with private packages
- S3 Intelligent - Tiering with snowflake managed iceberg tables
- InvalidClientTokenId error aws when trying to get caller identity
- AWS Route 53: cost of having a subdomain on another DNS provider than AWS
- Unable to connect from MySQL Workbench to AWS RDS instance
- Querying timestamp data in Athena when the timestamp format in the underlying JSON files has changed
- Difference between AWS::IAM::Policy and AWS::IAM::ManagedPolicy
- During an aborted deployment, some instances may have deployed the new application version
- API Gateway V2 private integration to application load balancer always returns 503
- AWS ELB -> Backend Server over HTTPS with Self-Signed Certificate
- ELB to backend server using HTTPS with self-signed certificate
- How to pass different principals when deploying a bucket policy using terraform
- Clarification for AWS auto-scaling of instances
- Instances scaling (by ASG) but no new tasks being created