
The question is the same as this one but has screenshots of AWS resources' configurations.

Situation:

  • A backend is hosted as an App Runner service.
  • The backend needs to communicate with a private RDS instance, so the App Runner service is added to a VPC.
  • Backend can now communicate with the RDS instance.

Expected:

  • Backend should also be able to make HTTP requests to the Internet.

Actual:

  • Any HTTP request from the backend to the Internet takes forever/times out.

Checklist:

  • An Internet gateway is connected.
  • Route table is set to route 0.0.0.0/0 to the Internet gateway.
  • Security group allows outbound access.

I've tried also putting a NAT gateway in place of the Internet gateway and set up the route table accordingly. But the behaviour was the same. Screenshots below are without the NAT gateway configuration.

Screenshots:

VPC Connector configuration on App Runner service


Security group outbound rule allowing all traffic


Route table routing outbound traffic to internet gateway


Route table association with all subnets (non-explicit; this is the default, which I didn't change)


How I know that my service has no outbound Internet access:

  • I'm making a request to google.com.
  • I've added a log before, after, and in the catch of the request.
  • The "before" log appears, but then nothing happens, and my API that invokes this request keeps loading forever (until it returns a Gateway Timeout after 5 minutes).

So, what is wrong in my configuration above/How can I give outbound Internet access to the service?
And btw, I can access the service itself (i.e., inbound traffic) through the domain generated by App Runner.

A related discussion: https://github.com/aws/apprunner-roadmap/issues/109

Hossam El-Deen
    Why not log the actual exception? The only thing that can be assumed from that try/catch is that _something_ is not working. It may well be that outbound traffic is blocked, but you need to be sure. – Metro Smurf Oct 30 '22 at 00:23
  • Based on your suggestion, I've logged the exception. It seems to confirm the issue is indeed timeout. The log is now: "Inside IsAuthorized - http client request threw an exception System.Threading.Tasks.TaskCanceledException: The request was canceled due to the configured HttpClient.Timeout of 100 seconds elapsing." – Hossam El-Deen Oct 30 '22 at 01:38

1 Answer


According to the official App Runner documentation, you must use a NAT Gateway to provide Internet access to App Runner applications running in a VPC.

You mentioned you already tried to use a NAT Gateway in your question, but I think you configured it incorrectly. Please bear in mind the following:

  • Your VPC needs both public and private subnets configured in order to properly use a NAT Gateway. Public subnets are subnets that have a route to the Internet Gateway. Private subnets are subnets that have a route to the NAT Gateway.
  • The NAT Gateway itself must reside in a public subnet.
  • The App Runner application must be configured to run only in private subnets.
Mark B
  • Do I understand you correctly that it is wrong to connect a VPC Connector to the public subnets only and expect the application to have internet access through the IGW? – adonig Dec 18 '22 at 13:07
  • @adonig That's correct, for applications running on certain services that don't assign public IPs, like App Runner and AWS Lambda. For applications running on other services like EC2 or Fargate, with public IP assignments enabled, all you need is the IGW. – Mark B Dec 18 '22 at 16:56
  • Can I just associate EIPs with the fargate ENIs created by App Runner's VPC connector in the public subnets to enable internet access? [It seems like it works](https://repost.aws/questions/QUC8NjoSGtTcu5V4Fkoiw_vA/app-runner-service-cannot-access-internet-when-added-to-a-vpc) and saves a lot of money that one would spend for NAT Gateways otherwise. – adonig Dec 18 '22 at 23:34
  • It seems like any type of scaling would break that. For example if the container needs to be restarted due to an issue with the underlying server, If you aren't there to immediately assign an elastic IP, then it's going to lose Internet connectivity. – Mark B Dec 19 '22 at 12:51
  • That's interesting. What kind of events that you know of would cause a disassociation of the EIP? I believe I might be able to have a lambda periodically check for dangling EIPs and reassociate them if necessary. I'm not too familiar with EventBridge but maybe there exists an event so the reassociation can happen immediately. EDIT: It looks like [CloudTrail has a DisassociateAddress event](https://repost.aws/questions/QU9RX9K675RwOh5iinuci6Hg/is-there-any-way-to-track-eip-allocation-and-releases). – adonig Dec 19 '22 at 17:11
  • @adonig you're really tacking a lot of your questions onto another person's question at this point. Please post a separate question on StackOverflow if you need more help with something specific. – Mark B Dec 19 '22 at 17:38
  • Thanks. I think I understood why you mentioned breaking scaling. We can only have five EIPs and if the service really scales to a lot of tasks, we might have more ENIs than EIPs. That's tricky. Maybe AWS should keep AppRunner's default NAT Gateway in case the user associates the VPC Connector with the public subnets or isolated private subnets and only route traffic that goes to private subnets to the connector. – adonig Dec 19 '22 at 18:09
  • This answer had the correct details for us to figure out how to set up the NAT Gateway. If you're struggling to get it working, you can find the steps we took as part of this issue we opened: https://github.com/aws/apprunner-roadmap/issues/192 – Tuure Jun 09 '23 at 08:39
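As an added example (not part of the answer above, and not AWS tooling), here is the answer's three-part rule turned into a check you can run against your own VPC: every subnet attached to the VPC connector must be private (its default route points at a NAT Gateway), and that NAT Gateway must itself sit in a public subnet (default route points at an Internet Gateway). The two sample layouts are constructed with made-up IDs; the first mirrors the question (one main route table sending 0.0.0.0/0 to the IGW, connector on those subnets), the second mirrors the answer. In practice you would feed it the JSON from `aws ec2 describe-route-tables` and `aws ec2 describe-nat-gateways` plus the subnet list from `aws apprunner describe-vpc-connector`; the function and variable names are this example's own.

```python
from typing import List, Optional

# Constructed sample data (made-up IDs), shaped like the JSON that
# `aws ec2 describe-route-tables` / `describe-nat-gateways` return.
# Layout from the question: one main route table sending 0.0.0.0/0 to the IGW
# and no explicit associations, so every subnet in the VPC counts as public.
BROKEN_ROUTE_TABLES = [{
    "RouteTableId": "rtb-main0001",
    "Associations": [{"Main": True, "RouteTableId": "rtb-main0001"}],
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0001", "State": "active"},
    ],
}]
BROKEN_NAT_GATEWAYS: List[dict] = []
BROKEN_CONNECTOR_SUBNETS = ["subnet-a", "subnet-b"]

# Layout from the answer: a public subnet routed to the IGW hosts the NAT
# Gateway; the private subnets route to the NAT; the connector only uses them.
FIXED_ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-public",
        "Associations": [{"SubnetId": "subnet-public-a", "RouteTableId": "rtb-public"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0001", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-private",
        "Associations": [
            {"SubnetId": "subnet-private-a", "RouteTableId": "rtb-private"},
            {"SubnetId": "subnet-private-b", "RouteTableId": "rtb-private"},
        ],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0001", "State": "active"},
        ],
    },
]
FIXED_NAT_GATEWAYS = [{"NatGatewayId": "nat-0001", "SubnetId": "subnet-public-a", "State": "available"}]
FIXED_CONNECTOR_SUBNETS = ["subnet-private-a", "subnet-private-b"]


def default_route_target(route_table: dict) -> Optional[str]:
    """Target of the active 0.0.0.0/0 route (igw-*, nat-*, ...) or None."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("State", "active") == "active":
            return route.get("GatewayId") or route.get("NatGatewayId")
    return None


def route_table_for_subnet(route_tables: List[dict], subnet_id: str) -> Optional[dict]:
    """An explicit association wins; otherwise the VPC's main route table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def classify_subnet(route_tables: List[dict], subnet_id: str) -> str:
    """'public' (default route -> IGW), 'private' (-> NAT), 'isolated' (none) or 'other'."""
    rt = route_table_for_subnet(route_tables, subnet_id)
    target = default_route_target(rt) if rt else None
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private"
    return "other"


def check_connector(route_tables: List[dict], nat_gateways: List[dict], connector_subnets: List[str]) -> List[str]:
    """Return one finding per misconfigured connector subnet; an empty list means the layout is right."""
    findings = []
    nat_by_id = {n["NatGatewayId"]: n for n in nat_gateways}
    for subnet in connector_subnets:
        kind = classify_subnet(route_tables, subnet)
        if kind == "public":
            # An IGW only forwards traffic for ENIs that carry a public or Elastic IP, and
            # App Runner's connector ENIs have none, so outbound packets go nowhere and the
            # request times out (the symptom in the question). Inbound through the App
            # Runner domain does not use the connector, which is why it keeps working.
            findings.append(f"{subnet}: default route is an Internet Gateway; attach the connector to a private subnet routed to a NAT Gateway instead")
        elif kind == "isolated":
            findings.append(f"{subnet}: no 0.0.0.0/0 route; add one pointing at a NAT Gateway")
        elif kind == "private":
            nat_id = default_route_target(route_table_for_subnet(route_tables, subnet))
            nat = nat_by_id.get(nat_id)
            if nat is None or nat.get("State") != "available":
                findings.append(f"{subnet}: NAT Gateway {nat_id} is missing or not available")
            elif classify_subnet(route_tables, nat["SubnetId"]) != "public":
                findings.append(f"{subnet}: NAT Gateway {nat_id} sits in {nat['SubnetId']}, which has no route to an Internet Gateway")
        else:
            findings.append(f"{subnet}: default route target is not an IGW or NAT Gateway")
    return findings
```

Running `check_connector` on the first layout yields a finding for each connector subnet (default route goes to the IGW); on the second it returns an empty list. The check also catches the NAT Gateway being placed in a private subnet, which silently produces the same timeout as the original misconfiguration.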