How to access the Internet from an AWS App Runner service that is added to a VPC?
The question is the same as this one but has screenshots of AWS resources' configurations.
Situation:
- A backend is hosted as an App Runner service.
- The backend needs to communicate with a private RDS instance. So, the App Runner service is add to a VPC.
- Backend can now communicate with the RDS instance.
Expected:
- Backend should also be able to make HTTP requests to the Internet.
Actual:
- Any HTTP request from the backend to the Internet takes forever/times out.
Checklist:
- An Internet gateway is connected.
- Route table is set to route 0.0.0.0/0 to the Internet gateway.
- Security group allows outbound access.
I've tried also putting a NAT gateway in place of the Internet gateway and set up the route table accordingly. But the behaviour was the same. Screenshots below are without the NAT gateway configuration.
Screenshots:
VPC Connector configuration on App Runner service
Security group outbound rule allowing all traffic
Route table routing outbound traffic to internet gateway
Route table association with all subnets (non-explicit. Default, didn't change)
How I know that my service has no outbound Internet access:
- I'm making a request google.com
- I've made a log before, after, and in catch of the request.
- Log happens before, but then nothing happens. And my API that invokes this request keeps loading forever (until it Gateway Timeouts after 5 minutes).
So, what is wrong in my configuration above/How can I give outbound Internet access to the service?
And btw, I can access the service itself (i.e., inbound traffic) through the domain generated by App Runner.
A related discussion: https://github.com/aws/apprunner-roadmap/issues/109
According to the official App Runner documentation, you must use a NAT Gateway to provide Internet access to App Runner applications running in a VPC.
You mentioned you already tried to use a NAT Gateway in your question, but I think you configured it incorrectly. Please bear in mind the following:
- Your VPC needs both public and private subnets configured in order to properly use a NAT Gateway. Public subnets are subnets that have a route to the Internet Gateway. Private subnets are subnets that have a route to the NAT Gateway.
- The NAT Gateway itself must reside in a public subnet.
- The App Runner application must be configured to run only in private subnets.
- Get single-line json from aws cli
- Automatically "stop" Sagemaker notebook instance after inactivity?
- AWS Cloudwatch alarm not returning to OK state even though data looks fine
- Windows & Linux living together in Kubernetes cluster
- AWS CDK for .NET Core hangs at "ApplicationLoadBalancedFargateService" Task
- how to add cache control in AWS S3?
- AWS Lambda Open Telemetry, Missing Parent Span
- API Gateway Custom Authorizer: Control error message and code
- VSCode JSON to YAML auto conversion on save
- How to add multiple columns in AWS redshift with alter table query
- Retrieve one file from AWS Glacier using cli
- Email address is not verified (AWS SES)
- Terraform - s3 static website wont deploy, telling me I dont have permissions when I do
- How to Add Private Subnets with Designated IP Addresses When Creating a VPC Interface Endpoint in AWS CDK
- SpringBoot fails to deploy after adding .ebextensions for ngingx SSL -[An error occurred during execution of command [app-deploy]]
- What does 0.0.0.0/0 and ::/0 mean?
- How to query dynamoDB based on key + attribute?
- Getting "No AWS accounts are available to you" when using aws configure sso
- Terraform directory Structure for common infrastructure on aws for ADO pipeline
- Mysterious TransactionConflict in TransactionCanceledException
- Cloudwatch VPC interface endpoint times out
- AWS s3 V3 Javascript SDK stream file from bucket (GetObjectCommand)
- How to bypass expectation of S3 server 100-contiune response in Boto3 put_object method
- Disabling AWS X-ray in FastAPI Lambda application
- Cannot Connect To AWS Elasticache Redis Cluster From Local Machine
- How do i access AWS SAM-CLI through bash on windows?
- Reporting AWS Tools RDS or Redshift?
- What does "eksctl create iamserviceaccount" do under the hood on an EKS cluster?
- Configure Selenium Nodes without a JSON file
- Is there a CLI command on Azure to see console messages of a VM that is not booting up?