The VPC connectivity issues you described with AppRunner are likely due to networking configuration problems. A few things you can try:

- Ensure the subnets used in the VPC Connectors are private subnets, not public. Public subnets will cause errors.
- Verify that the security group ingress/egress rules on the VPC Connector and downstream resources like RDS allow communication between them.
- Test connectivity directly from an EC2 instance in the same VPC to rule out issues outside of AppRunner.
- If direct tests fail, contact AWS Support to troubleshoot further.
- If direct tests succeed, enable ENI flow logs to check whether traffic is entering the ENI:
  - Launch the EC2 console and go to Network Interfaces
  - Select the AppRunner ENIs
  - Choose "Create flow log"

This will help identify whether the issue is at the ENI level. There is no official workaround currently, but enabling flow logs is one approach to gather more insight. The underlying cause could be transient networking or configuration issues. I'd check the AppRunner documentation or contact Support for the latest recommendations.
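Once the flow logs on the AppRunner ENIs exist, the useful question is which of three things the records show for each interface: traffic arrived and was accepted, traffic arrived and was rejected by a security group or NACL, or no traffic reached the ENI at all (records with log-status `NODATA`). The script below is an added example, not code from the answer above or from AWS; it parses records in the default flow-log format (14 space-separated fields) and maps the per-ENI counts onto those three outcomes. The sample records, the account id, the `eni-…` ids and the addresses are constructed placeholders, and the `dst_port=5432` filter assumes the RDS engine listens on the PostgreSQL port.

```python
"""Summarise VPC/ENI flow-log records per interface (added example).

Assumes the default flow-log format, version 2, with these 14 fields:
version account-id interface-id srcaddr dstaddr srcport dstport protocol
packets bytes start end action log-status
"""
from collections import defaultdict
from dataclasses import dataclass, field

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


@dataclass
class EniSummary:
    accept: int = 0
    reject: int = 0
    nodata: int = 0
    # (srcaddr, dstaddr, dstport) of each rejected flow, for the SG/NACL review
    rejected_flows: list = field(default_factory=list)


def parse_record(line):
    """Split one flow-log record into a dict keyed by field name."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))


def summarise(lines, dst_port=None):
    """Count ACCEPT/REJECT/NODATA records per ENI, optionally for one dst port."""
    summary = defaultdict(EniSummary)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("version"):  # blank line or header row
            continue
        rec = parse_record(line)
        s = summary[rec["interface_id"]]
        if rec["log_status"] == "NODATA":
            # No traffic seen on the ENI in the aggregation window; the
            # address/port fields are "-" in such records.
            s.nodata += 1
            continue
        if rec["log_status"] != "OK":
            continue  # SKIPDATA: records dropped under load, not a verdict
        if dst_port is not None and rec["dstport"] != str(dst_port):
            continue
        if rec["action"] == "ACCEPT":
            s.accept += 1
        elif rec["action"] == "REJECT":
            s.reject += 1
            s.rejected_flows.append((rec["srcaddr"], rec["dstaddr"], rec["dstport"]))
    return dict(summary)


def diagnose(summary):
    """Map each ENI's counts onto the outcomes the troubleshooting steps distinguish."""
    verdicts = {}
    for eni, s in summary.items():
        if s.accept == 0 and s.reject == 0 and s.nodata > 0:
            verdicts[eni] = "no traffic reached the ENI"
        elif s.reject > 0:
            verdicts[eni] = "traffic reached the ENI but was rejected (check SG/NACL rules)"
        elif s.accept > 0:
            verdicts[eni] = "traffic reached the ENI and was accepted"
        else:
            verdicts[eni] = "no usable records"
    return verdicts


# Constructed sample records: placeholder account id, ENI ids and addresses.
SAMPLE_LOG = """\
2 123456789012 eni-0aaaaaaaaaaaaaaaa 10.0.1.15 10.0.2.40 51234 5432 6 12 2048 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaaaaaaaaaaaaaaa 10.0.1.15 10.0.2.40 51235 5432 6 3 180 1700000060 1700000120 REJECT OK
2 123456789012 eni-0bbbbbbbbbbbbbbbb - - - - - - - 1700000000 1700000060 - NODATA
2 123456789012 eni-0aaaaaaaaaaaaaaaa 10.0.1.15 10.0.2.40 51236 443 6 5 900 1700000120 1700000180 ACCEPT OK
"""

if __name__ == "__main__":
    summ = summarise(SAMPLE_LOG.splitlines(), dst_port=5432)
    for eni, verdict in diagnose(summ).items():
        print(eni, "->", verdict)
    for eni, s in summ.items():
        for flow in s.rejected_flows:
            print(f"{eni}: rejected {flow[0]} -> {flow[1]}:{flow[2]}")
```

Feed it the exported log lines (for example the output of a CloudWatch Logs query or an S3 download) instead of `SAMPLE_LOG`; an ENI that only ever produces `NODATA` while the bastion host in the same subnet reaches the database points at something upstream of the security groups, whereas `REJECT` records name the exact source/destination pair the rules are blocking.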
Thank you for the details. I should have mentioned that I am using the VPC Connector within a private subnet. It has a security group associated with it that specifically grants access to the RDS. I also have a bastion host within the same private subnet, and it immediately has connectivity to the database and the internet. Again, the issue is that the connectivity is sporadic, and once connectivity starts working, say after 1 hour, I can repeatedly tear down the AppRunner stack (including the VPC Connector) and connectivity will work flawlessly. Something very strange is going on...

I've checked VPC Flow Logs and see no DENYs; I have not, however, checked the ENI flow logs. In fact, I've just had a check of this, and that is great advice. Yes, I see my AppRunner ENIs; I'll create flow logs for those and monitor for DENYs etc.

Of course, this is just an issue on the initial deployment of infra, but I want push-button pipeline deployment; I don't want to need to manually intervene, especially in the (unlikely) event that an incident occurs and, due to DR and recovery, I need to urgently redeploy a stack in another region etc.

Let me check into ENI logs...