Custom VPC with outgoing connections to the internet is complicated to set up

[TuureKaunisto]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do * not help prioritize the request If you are interested in working on this issue or have submitted a pull request, please leave a comment

Selecting custom VPC for outgoing network traffic makes outgoing connections to the internet fail despite the VPC in question having an internet gateway configured. The need for a NAT Gateway is explained in the documentation. An example of exactly how it needs to be configured would be nice but even nicer would be not having to worry about it at all and just have an option to retain outbound connectivity despite having a VPC connection to e.g. a database in RDS.

For our very basic use case (similar to this): an application with a database connection and the ability to connect to the internet, this is not the case and we're left with these suboptimal options:

• Configure the NAT Gateway
  • Complicated to set up and maintain
  • A little bit costly (~ $90 / month for a basic 3 AZ setup + extra cost for traffic)
• Use the default outgoing network traffic configuration
  • This requires that the DB accepts connections from the internet and we lose the added security of the VPC

The reason we're using AppRunner is to avoid having to configure VPC, Subnets, Route Tables, Security Groups, ACLs, NAT Gateways etc. and this rather basic use case of having both db and outbound connectivity requires us to do exactly that.

How we configured the NAT Gateway to get outbound internet connections working

• Create a new VPC in the console
  • Use the VPC and more option
  • @jedwardblack: be sure to leave both DNS Options checked (Enable DNS hostnames & Enable DNS resolution)
  • We selected Number of Availability Zones: 2 and NAT gateways in 1 AZ to minimise costs during testing
  • This creates the Nat Gateway(s) and required Subnets and Route tables for you. In our case 2 private and 2 public subnets are created and by default the public subnets are connected to the internet gateway and the private subnets are connected to the NAT Gateway(s)
• Move the database to the new VPC
  • In the RDS console create a Subnet group with the private subnets that were created a moment ago
  • If you need to connect to the DB from the outside, also add a single public subnet (and a security group that allows access from your IP address). Note: adding multiple public subnets seem to break the configuration.
  • RDS > Select instance > Modify > DB Subnet group > Select newly created Subnet group
  • Select Apply immediately and then Modify DB instance
  • Wait for the database status to turn back to available before testing
• Create a new VPC connector in the App Runner console Configuration > Networking tab > Outgoing section
  • Select the newly created VPC and only the private subnets
  • Wait for the changes to get deployed before testing

Tell us about your request What do you want us to build?

An option to keep outgoing internet connectivity while also connecting to a database instance in RDS via a VPC without going through the tedious process of setting up NAT Gateways and the bits and bobs that they require in order to work.

[yaronlevi]

@TuureKaunisto We are experiencing exactly what you are describing. Currently using Render, but considering a move to App Runner. But the issue you’ve described is exactly what we are trying to avoid.

[fernando88to]

with the same problem

[cade-coreschedule]

Any insight from the App Runner team? Connecting to a database is part and parcel of a web application or API backend - the star use cases for App Runner. It doesn't make sense that it's not supported out of the box.

[sqpollen]

Having great difficulties with this, its far easier on Google Cloudrun.

[jsheld]

There is one blog post I recently went through that discusses using App Runner and VPC connectors. See (https://aws.amazon.com/blogs/aws/new-for-app-runner-vpc-support/. I chose not to do the database authentication via IAM (simply passed credentials through as environment variables). I am in the process of trying to reproduce this issue but meanwhile, see if that post helps (just be sure to use AL2023 if you intend to follow along).

[ShwareAPI]

Doc: When connected to a VPC, all outbound traffic from your AppRunner service will be routed based on the VPC routing rules. Services will not have access to the public internet (including AWS APIs) unless allowed by a route to a NAT Gateway.

If AppRunner requires complex configuration and additional NAT costs to connect to basic databases and public networks, the advantages of App Runner will be lost.

We switched the application back to EKS until this issue can be easily resolved.

[RichiCoder1]

You'd still have to deal with VPC complexity, but if can create an IPv6 only VPC then you can use egress-only gateways which don't have a steady state cost like NAT Gateways. I'd strongly recommend this, especially now that most of AWS Services finally support IPv6.

[wanisfahmyDE]

@RichiCoder1 good hint! did you get app runner to work with an egress only internet gateway? the aws docs still mention "App Runner currently only supports IPv4."

[RichiCoder1]

good hint! did you get app runner to work with an egress only internet gateway? the aws docs still mention "App Runner currently only supports IPv4."

Ah foo. I thought they finally added dual stack support, but it looks like that's only for the Public LB. Just gave it a try and App Runner will indeed reject a VPC Connector configured against an IPv6-only subnet.

On that note, be sure to go upvote https://github.com/aws/apprunner-roadmap/issues/114

[erwinv]

For non-production deployments (QA, UAT, staging, etc.), there is an option to run your own NAT instance on EC2 instead of using a NAT gateway. It will not have the same performance (throughput and autoscaling) of the managed solution but for test environments it should be good enough while being ~10x cheaper.

Here's the AMI: https://github.com/AndrewGuenther/fck-nat

[jedwardblack]

Another thing to look out for when configuring outbound internet for an App Runner instance residing in a VPC:

When creating your VPC using the VPC and more wizard, be sure to leave both DNS Options checked (Enable DNS hostnames & Enable DNS resolution).

For some reason I had disabled those options which was preventing outbound internet even though all of the other configuration was just as @TuureKaunisto had outlined.

[hiporox]

Any updates from the AWS team? This seems like a pretty basic use case that should be addressed

[thangaraj-HPE]

i am also still facing the same issue

[FabricioMarrone]

Similar issue here, trying to make an App Runner service to connect to a ElastiCache Redis instance that lives under a VPC. Tried configuring the App Runner service to use an outgoing custom VPC (setting the same VPC where the redis server is) but can't make it work. I can't believe the amount of time that I'm wasting on this.

And also, the App Runner service needs internet access too, to connect to external things, which makes things even more complicated.

I dunno, It's a pretty basic use case IMO

[UnderpantsGnome]

This page covers what you need to do to enable outbound traffic through your VPC.

Basically a Security Group, a VCP connector and add the VPC connector to the service.

I'm using this to route outbound (originated from the service) to use a VPN or a NAT instance that's setup in the VPC depending on the destination, in addition to all of our AWS services (RDS, Redis, etc).