AppRunner VPC connector with Internet Access


Hello!

I have one public API service running in Apprunner. Also, I'm using a DocumentDB service to handle my NoSQL database. The database and Apprunner instance are running in the same VPC. I've followed the tutorial here and connected the service to the database successfully: https://aws.amazon.com/blogs/containers/observability-for-aws-app-runner-vpc-networking/

Now I want to connect to some public services on the internet to get some data and make relations in the database. I can fetch some resources online in a script I've added to the build step; however, from inside the app I can't fetch. The request times out.

My VPC has the default 6 public subnets and is already connected to an internet gateway.

Build command I'm using: npm install && npm run test:axios && npm run build

Test Axios script (this works perfectly):

// Import axios
const axios = require('axios');
// Make a request for a user with a given ID
async function main() {
  const result = await axios.get('https://catfact.ninja/fact');
  console.log(result.data);
}
main();

This is my simplified main application script (TIMEOUT ERROR). Error description:

Error: connect ETIMEDOUT 104.131.8.184:443
at TCPConnectWrap.afterConnect [as oncomplete] (node:net:1278:16) {
errno: -110,
code: 'ETIMEDOUT',
syscall: 'connect',
address: '104.131.8.184',
port: 443 }

const networkTester = async () => {
  const https = require('node:https');

  console.log('NETWORK TESTER');
  https
    .get('https://catfact.ninja/fact', (res) => {
      console.log('statusCode:', res.statusCode);
      console.log('headers:', res.headers);

      res.on('data', (d) => {
        process.stdout.write(d);
      });
    })
    .on('error', (e) => {
      console.error(e);
    });
};

networkTester();
1 Answer
Accepted Answer

Hello.
As described in the following document, we thought that a NAT Gateway might be necessary to access public external services, etc.
https://aws.amazon.com/jp/blogs/aws/new-for-app-runner-vpc-support/

When connected to a VPC, all outbound traffic from your AppRunner service will be routed based on the VPC routing rules. Services will not have access to the public internet (including AWS APIs) unless allowed by a route to a NAT Gateway. You can also set up VPC endpoints to connect to AWS APIs such as Amazon Simple Storage Service (Amazon S3) and Amazon DynamoDB to avoid NAT traffic.

EXPERT
answered 8 months ago
  • So I have to create a public NAT Gateway with an Elastic IP for the public subnet which I included in the VPC connector settings, right?

  • Yes, a NAT Gateway must be created. After creating the NAT Gateway, add a route to the NAT Gateway to the route table of the subnet used for the VPC connector.

  • Thank you! I've created a public NAT gateway and added routing of the subnet IP block to that NAT gateway; however, the apprunner instance still can't access the internet. Should I add some extra configuration to the NAT gateway to connect to the internet?

  • I've connected the apprunner instance to a new private subnet, then added a NAT gateway to the private subnet to a public subnet. Now it's working smoothly.
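The routing requirement from the answer and comments above, as an added example that is not part of the original thread: it checks whether a VPC connector subnet has a working egress path (default route to a NAT gateway that itself sits in a subnet routed to an internet gateway). The inputs follow the JSON shape of `aws ec2 describe-route-tables` and `aws ec2 describe-nat-gateways`; all subnet, route table and gateway IDs are constructed, and the function names and result labels are hypothetical.

```javascript
// Added example (not from the thread). All IDs below are constructed sample data.
// Returns the 0.0.0.0/0 route that applies to a subnet, or null.
function defaultRoute(subnetId, routeTables) {
  // A subnet uses its explicitly associated table, otherwise the VPC's main table.
  const table =
    routeTables.find((t) => t.Associations.some((a) => a.SubnetId === subnetId)) ||
    routeTables.find((t) => t.Associations.some((a) => a.Main));
  if (!table) return null;
  return table.Routes.find((r) => r.DestinationCidrBlock === '0.0.0.0/0') || null;
}

// Classifies the egress path of one VPC connector subnet.
function checkConnectorSubnet(subnetId, routeTables, natGateways) {
  const route = defaultRoute(subnetId, routeTables);
  if (!route) return 'NO_DEFAULT_ROUTE';
  // Per the quoted AWS blog, connector traffic needs a NAT route; an IGW route alone is not enough.
  if ((route.GatewayId || '').startsWith('igw-')) return 'IGW_ONLY';
  if (!route.NatGatewayId) return 'UNSUPPORTED_TARGET';
  const nat = natGateways.find((n) => n.NatGatewayId === route.NatGatewayId);
  if (!nat || nat.State !== 'available') return 'NAT_NOT_AVAILABLE';
  // A NAT gateway placed in the subnet that routes to it would send its own traffic to itself.
  if (nat.SubnetId === subnetId) return 'NAT_IN_SAME_SUBNET';
  // The NAT gateway's own subnet must reach the internet gateway.
  const natRoute = defaultRoute(nat.SubnetId, routeTables);
  const natHasIgw = natRoute !== null && (natRoute.GatewayId || '').startsWith('igw-');
  return natHasIgw ? 'OK' : 'NAT_SUBNET_NOT_PUBLIC';
}

// Constructed sample: one public subnet (IGW route) and one private subnet (NAT route).
const sampleRouteTables = [
  { RouteTableId: 'rtb-public-example',
    Associations: [{ Main: true }, { SubnetId: 'subnet-public-a', Main: false }],
    Routes: [{ DestinationCidrBlock: '172.31.0.0/16', GatewayId: 'local' },
             { DestinationCidrBlock: '0.0.0.0/0', GatewayId: 'igw-example' }] },
  { RouteTableId: 'rtb-private-example',
    Associations: [{ SubnetId: 'subnet-private-a', Main: false }],
    Routes: [{ DestinationCidrBlock: '172.31.0.0/16', GatewayId: 'local' },
             { DestinationCidrBlock: '0.0.0.0/0', NatGatewayId: 'nat-example' }] },
];
const sampleNatGateways = [
  { NatGatewayId: 'nat-example', SubnetId: 'subnet-public-a', State: 'available' },
];

for (const subnet of ['subnet-public-a', 'subnet-private-a']) {
  console.log(subnet, checkConnectorSubnet(subnet, sampleRouteTables, sampleNatGateways));
}
```

`IGW_ONLY` corresponds to the question's original setup (connector attached to default public subnets), and `OK` to the final comment's layout.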
