Bug: isPubliclyAccessible set to FALSE prevents a domain name from being allocated

[cwensel]

When attempting to create a VPC Ingress Connection for an Interface VPC Endpoint, it is required the AppRunner instance have isPubliclyAccessible set to false on the Network Configuration.

But a domain name is never allocated to the new instance after startup (aws console shows a _ link).

This prevents the VPC Ingress Connection from being created with the following error:

Attribute 'ServiceUrl' does not exist.

It is presumed creating a VPC Ingress Connection for a VPC Endpoint is the only way to have another AppRunner access an AppRunner instance (e.g via REST). If there is an alternative, please advise.

• https://docs.aws.amazon.com/apprunner/latest/dg/network-incoming.html
• https://docs.aws.amazon.com/apprunner/latest/dg/security-vpce.html
• https://docs.aws.amazon.com/apprunner/latest/api/API_CreateService.html

FWIW, CloudFormation is missing the ability to attach a Custom Domain, so this path hasn't been attempted.

[ThomasFahrner-Amazon]

Hi @cwensel,

Thank you for reaching out. Creating a "private" Service (one where isPubliclyAccessible is set to false) will intentionally omit any ServiceUrl from the Service response.

As you mentioned, you'll need to create a VpcIngressConnection in order to reach the Service. This should not yield any errors from a missing ServiceUrl. Could you share more about where you see your error?

• https://docs.aws.amazon.com/apprunner/latest/api/API_CreateVpcIngressConnection.html

The VpcIngressConnection resource will then contain a DomainName with which you can access your private Service.

You may also optionally associate a Custom Domain with the Service which will contain VpcDNSTargets.

• https://docs.aws.amazon.com/apprunner/latest/api/API_AssociateCustomDomain.html#apprunner-AssociateCustomDomain-response-VpcDNSTargets.

[cwensel]

@ThomasFahrner-Amazon thanks for the quick feedback.

I'll follow up on your references.

Quick note, via the CDK, if I set isPubliclyAccessible false (via L1 constructs), the AppRunner deploy fails with the above error.

I originally attributed the failure to my creating a custom VPC Ingress Connection, but after commenting that out, the stack still failed to deploy.

To summarize my new findings, simply creating a "private" AppRunner instance fails on deploy with Attribute 'ServiceUrl' does not exist.

[cwensel]

Sorry, the CloudFormation logs may have led me astray.. There is an Output construct that references the URL, removing this and re-testing.

[cwensel]

Yeah, that was it..

an Output Construct was attempting to export the URL, which (per your comments) doesn't exist by design.

Sorry for the fire-drill, and thanks for the additional references!

[ThomasFahrner-Amazon]

Awesome, no problem.