Open TuureKaunisto opened 1 year ago
@TuureKaunisto We are experiencing exactly what you are describing. Currently using Render, but considering a move to App Runner. But the issue you’ve described is exactly what we are trying to avoid.
with the same problem
Any insight from the App Runner team? Connecting to a database is part and parcel of a web application or API backend - the star use cases for App Runner. It doesn't make sense that it's not supported out of the box.
Having great difficulties with this; it's far easier on Google Cloud Run.
There is one blog post I recently went through that discusses using App Runner and VPC connectors. See https://aws.amazon.com/blogs/aws/new-for-app-runner-vpc-support/. I chose not to do the database authentication via IAM (simply passed credentials through as environment variables). I am in the process of trying to reproduce this issue but meanwhile, see if that post helps (just be sure to use AL2023 if you intend to follow along).
Doc: When connected to a VPC, all outbound traffic from your AppRunner service will be routed based on the VPC routing rules. Services will not have access to the public internet (including AWS APIs) unless allowed by a route to a NAT Gateway.
If AppRunner requires complex configuration and additional NAT costs to connect to basic databases and public networks, the advantages of App Runner will be lost.
We switched the application back to EKS until this issue can be easily resolved.
You'd still have to deal with VPC complexity, but if you can create an IPv6-only VPC then you can use egress-only gateways, which don't have a steady-state cost like NAT Gateways. I'd strongly recommend this, especially now that most AWS services finally support IPv6.
@RichiCoder1 good hint! did you get app runner to work with an egress only internet gateway? the aws docs still mention "App Runner currently only supports IPv4."
Ah foo. I thought they finally added dual stack support, but it looks like that's only for the Public LB. Just gave it a try and App Runner will indeed reject a VPC Connector configured against an IPv6-only subnet.
On that note, be sure to go upvote https://github.com/aws/apprunner-roadmap/issues/114
For non-production deployments (QA, UAT, staging, etc.), there is an option to run your own NAT instance on EC2 instead of using a NAT gateway. It will not have the same performance (throughput and autoscaling) of the managed solution but for test environments it should be good enough while being ~10x cheaper.
Here's the AMI: https://github.com/AndrewGuenther/fck-nat
When creating your VPC using the VPC and more wizard, be sure to leave both DNS Options checked (Enable DNS hostnames & Enable DNS resolution).
For some reason I had disabled those options which was preventing outbound internet even though all of the other configuration was just as @TuureKaunisto had outlined.
Any updates from the AWS team? This seems like a pretty basic use case that should be addressed
I am also still facing the same issue.
Similar issue here, trying to make an App Runner service connect to an ElastiCache Redis instance that lives in a VPC. Tried configuring the App Runner service to use an outgoing custom VPC (setting the same VPC where the Redis server is) but can't make it work. I can't believe the amount of time that I'm wasting on this.
And also, the App Runner service needs internet access too, to connect to external things, which makes things even more complicated.
I dunno, it's a pretty basic use case IMO.
This page covers what you need to do to enable outbound traffic through your VPC.
Basically a Security Group, a VPC connector, and adding the VPC connector to the service.
I'm using this to route outbound traffic (originated from the service) through a VPN or a NAT instance that's set up in the VPC, depending on the destination, in addition to all of our AWS services (RDS, Redis, etc.).
Selecting custom VPC for outgoing network traffic makes outgoing connections to the internet fail despite the VPC in question having an internet gateway configured. The need for a NAT Gateway is explained in the documentation. An example of exactly how it needs to be configured would be nice but even nicer would be not having to worry about it at all and just have an option to retain outbound connectivity despite having a VPC connection to e.g. a database in RDS.
For our very basic use case (similar to this): an application with a database connection and the ability to connect to the internet, this is not the case and we're left with these suboptimal options:
The reason we're using AppRunner is to avoid having to configure VPC, Subnets, Route Tables, Security Groups, ACLs, NAT Gateways etc. and this rather basic use case of having both db and outbound connectivity requires us to do exactly that.
How we configured the NAT Gateway to get outbound internet connections working
Tell us about your request
What do you want us to build?
An option to keep outgoing internet connectivity while also connecting to a database instance in RDS via a VPC without going through the tedious process of setting up NAT Gateways and the bits and bobs that they require in order to work.
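As an added example that is not part of this thread or of AWS's own documentation, the configuration the comments describe (a NAT Gateway, a private subnet routed through it, a security group, a VPC connector, and the service's egress set to that connector), written in Terraform. It assumes the VPC, its internet gateway and a public subnet already exist and are passed in as variables; the private CIDR, resource names and the sample container image are assumptions.

```hcl
variable "vpc_id"           { type = string } # existing VPC that already has an internet gateway
variable "public_subnet_id" { type = string } # existing subnet whose route table points at that IGW
resource "aws_eip" "nat" { domain = "vpc" }
resource "aws_nat_gateway" "nat" {
  allocation_id = aws_eip.nat.id
  subnet_id     = var.public_subnet_id # the NAT Gateway itself lives in the public subnet
}
# Private subnet for the connector's ENIs; its default route to the NAT Gateway keeps internet access working.
resource "aws_subnet" "private" {
  vpc_id     = var.vpc_id
  cidr_block = "10.0.1.0/24" # assumed; must lie inside the VPC CIDR
}
resource "aws_route_table" "private" {
  vpc_id = var.vpc_id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat.id
  }
}
resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}
resource "aws_security_group" "apprunner_egress" { vpc_id = var.vpc_id } # outbound-only; RDS/Redis SGs must allow it inbound
resource "aws_vpc_security_group_egress_rule" "all" {
  security_group_id = aws_security_group.apprunner_egress.id
  ip_protocol       = "-1"
  cidr_ipv4         = "0.0.0.0/0"
}
resource "aws_apprunner_vpc_connector" "this" {
  vpc_connector_name = "apprunner-private"
  subnets            = [aws_subnet.private.id]
  security_groups    = [aws_security_group.apprunner_egress.id]
}
resource "aws_apprunner_service" "app" {
  service_name = "example-service"
  source_configuration {
    image_repository {
      image_identifier      = "public.ecr.aws/aws-containers/hello-app-runner:latest" # assumed sample image
      image_repository_type = "ECR_PUBLIC"
    }
    auto_deployments_enabled = false # not available for ECR Public images
  }
  network_configuration {
    egress_configuration {
      egress_type       = "VPC" # all outbound traffic now follows the private route table above
      vpc_connector_arn = aws_apprunner_vpc_connector.this.arn
    }
  }
}
```

Without the NAT Gateway and the private route table, the same connector leaves the service with database access but no path to the internet, which is the failure the thread describes.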