aws / apprunner-roadmap

This is the public roadmap for AWS App Runner.
https://aws.amazon.com/apprunner/

App runner times out when connecting to RDS instance #198

Closed sefasenturk95 closed 1 year ago

sefasenturk95 commented 1 year ago

So I try to spin up an App Runner instance, but every time it tries to run it throws an i/o timeout. I tried the following:

  1. Made sure the security group is set up correctly and accepts the connections from/to the RDS instance
  2. Made sure the RDS instance and app runner instance are in the same region
  3. Made sure they are using the same VPC / connect to the correct VPC via the VPC connector (I am just using the default VPC in my region eu-west-1)
  4. Set up a VPC endpoint for RDS using the interface type.
  5. Made the database publicly accessible

Here are some screenshots of my setup:

App Runner (two screenshots, 2023-06-22)

VPC Subnets (screenshot)

Security group (screenshot)

RDS Instance (screenshot)

VPC Endpoint (screenshot)

And the error I get (screenshot):

I have been trying things for a couple of days now and I cannot see it. I have exactly the same setup on another AWS account and there it seems to work. I have been looking for a couple of days now and I am not seeing it. Can anyone point me in the right direction?

richmungla commented 1 year ago

@sefasenturk95 I had this same issue while deploying a keycloak instance

So I haven't fully fixed my issue but I've taken some steps to debug

I created a simple Node.js application that has two endpoints: one hello world, the other to test the DB connection with the credentials I provide (hardcoded, since it's an image in a private repo that I will delete once done).

I tested that the Node app can connect to the RDS locally and in the container locally. Then I pushed it to ECR and created an App Runner instance.

When testing this simple app the service deployed successfully, and when testing the DB connection it worked :). This showed me that the issue is not my networking / VPC issue. So now I'm trying to figure out why Keycloak specifically is refusing to connect, but at least I'm one step in the right direction.

This may help you too in debugging your issue.

While testing, maybe allow your RDS to be publicly accessible as you narrow down the issue.

richmungla commented 1 year ago

Update: I managed to fix my problem.

Turns out my env variables were being cached locally by the Docker build. I had to clear all unused volumes (even though I had not specified one), then I deleted the containers, then deleted all previously built images.

After this I did a new build and it could pick up the new variables. So my issue, after validating the network, was also that my image was shipped with wrong values (I did this because it was dev, but I've learnt a valuable lesson), so it could not connect to the DB either.

hope this helps someone :)

sefasenturk95 commented 1 year ago

Hey @richmungla, thank you for your response. I ended up fixing it by creating 3 private subnets and a NAT gateway in a public subnet and routing to that using the routing table of the private subnets. This fixed the issue for me.

kaitohattori commented 7 months ago

I was facing the same issue.

In my case, the cause was that I was not passing the TLS certificate.

After setting the certificate, the issue was resolved. https://docs.aws.amazon.com/en_us/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html

package main

import (
    "crypto/tls"
    "crypto/x509"
    "log"
    "os"

    "github.com/go-sql-driver/mysql"
)

// registerTLS loads the RDS CA bundle from certFilePath and registers it with
// the MySQL driver under tlsKeyName, so a DSN can select it with tls=<tlsKeyName>.
func registerTLS(certFilePath string, tlsKeyName string) {
    pem, err := os.ReadFile(certFilePath)
    if err != nil {
        log.Fatalln(err)
    }

    // Only the RDS CA bundle is trusted for this connection.
    certPool := x509.NewCertPool()
    if ok := certPool.AppendCertsFromPEM(pem); !ok {
        log.Fatalln("failed to append pem.")
    }

    err = mysql.RegisterTLSConfig(tlsKeyName, &tls.Config{
        RootCAs: certPool,
    })
    if err != nil {
        log.Fatalln(err)
    }
}

// DSN selecting the registered config; <tlsKeyName> must match the name passed to registerTLS.
var dsn = "<user>:<password>@tcp(<host>:<port>)/<database>?charset=utf8mb4&parseTime=True&tls=<tlsKeyName>&loc=Local"
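As an added example (not kaitohattori's code or anything from the App Runner project) that builds on the registration above: the tls.Config also pins the RDS endpoint host name and a minimum TLS version, and a small DSN check refuses the `tls=skip-verify` / `tls=preferred` shortcuts that would make the connection succeed without verifying the server. It uses only the standard library; `sampleCAPEM` is a constructed throwaway CA standing in for the downloaded RDS bundle, and the registered name and host used in the test are assumed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// tlsConfigFromCA builds the verifying tls.Config for mysql.RegisterTLSConfig: RDS CA only, pinned host, TLS 1.2+.
func tlsConfigFromCA(caPEM []byte, rdsHost string) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no certificates found in CA bundle")
	}
	return &tls.Config{RootCAs: pool, ServerName: rdsHost, MinVersion: tls.VersionTLS12}, nil
}

// checkDSNTLS rejects a go-sql-driver/mysql DSN whose tls= parameter is not the registered name.
func checkDSNTLS(dsn, registeredName string) error {
	_, query, _ := strings.Cut(dsn, "?") // driver parameters follow the first '?'
	q, err := url.ParseQuery(query)
	if err != nil {
		return err
	}
	switch v := q.Get("tls"); v {
	case registeredName:
		return nil
	case "false", "preferred", "skip-verify":
		return errors.New("tls=" + v + " does not verify the server certificate")
	default:
		return errors.New("tls must name the registered RDS config, got: " + v)
	}
}

// sampleCAPEM is a constructed throwaway self-signed CA standing in for the downloaded RDS bundle so the example runs offline.
func sampleCAPEM() []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

In a real service, pass the result of `tlsConfigFromCA` to `mysql.RegisterTLSConfig` under the same name that `checkDSNTLS` is given, and call `checkDSNTLS` on the DSN at startup.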