
Custom VPC with outgoing connections to the internet is complicated to set up

Open TuureKaunisto opened this issue 2 years ago • 18 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Selecting a custom VPC for outgoing network traffic makes outgoing connections to the internet fail despite the VPC in question having an internet gateway configured. The need for a NAT Gateway is explained in the documentation. An example of exactly how it needs to be configured would be nice, but even nicer would be not having to worry about it at all and just having an option to retain outbound connectivity despite having a VPC connection to, e.g., a database in RDS.

For our very basic use case (similar to this): an application with a database connection and the ability to connect to the internet, this is not the case and we're left with these suboptimal options:

  • Configure the NAT Gateway
  • Use the default outgoing network traffic configuration
    • This requires that the DB accepts connections from the internet and we lose the added security of the VPC

The reason we're using AppRunner is to avoid having to configure VPC, Subnets, Route Tables, Security Groups, ACLs, NAT Gateways etc. and this rather basic use case of having both db and outbound connectivity requires us to do exactly that.

How we configured the NAT Gateway to get outbound internet connections working

  • Create a new VPC in the console
    • Use the VPC and more option
    • @jedwardblack: be sure to leave both DNS Options checked (Enable DNS hostnames & Enable DNS resolution)
    • We selected Number of Availability Zones: 2 and NAT gateways in 1 AZ to minimise costs during testing
    • This creates the NAT Gateway(s) and the required Subnets and Route tables for you. In our case 2 private and 2 public subnets are created; by default the public subnets are connected to the internet gateway and the private subnets are connected to the NAT Gateway(s)
  • Move the database to the new VPC
    • In the RDS console create a Subnet group with the private subnets that were created a moment ago
    • If you need to connect to the DB from the outside, also add a single public subnet (and a security group that allows access from your IP address). Note: adding multiple public subnets seems to break the configuration.
    • RDS > Select instance > Modify > DB Subnet group > Select newly created Subnet group
    • Select Apply immediately and then Modify DB instance
    • Wait for the database status to turn back to available before testing
  • Create a new VPC connector in the App Runner console Configuration > Networking tab > Outgoing section
    • Select the newly created VPC and only the private subnets
    • Wait for the changes to get deployed before testing

Tell us about your request: What do you want us to build?

An option to keep outgoing internet connectivity while also connecting to a database instance in RDS via a VPC without going through the tedious process of setting up NAT Gateways and the bits and bobs that they require in order to work.

TuureKaunisto, Jun 08 '23 13:06

@TuureKaunisto We are experiencing exactly what you are describing. Currently using Render, but considering a move to App Runner. But the issue you’ve described is exactly what we are trying to avoid.

yaronlevi, Jun 09 '23 22:06

With the same problem.

fernando88to, Jun 14 '23 15:06

Any insight from the App Runner team? Connecting to a database is part and parcel of a web application or API backend - the star use cases for App Runner. It doesn't make sense that it's not supported out of the box.

cade-coreschedule, Jul 26 '23 22:07

Having great difficulties with this; it's far easier on Google Cloud Run.

sqpollen, Aug 11 '23 06:08

There is one blog post I recently went through that discusses using App Runner and VPC connectors. See https://aws.amazon.com/blogs/aws/new-for-app-runner-vpc-support/. I chose not to do the database authentication via IAM (I simply passed credentials through as environment variables). I am in the process of trying to reproduce this issue, but meanwhile, see if that post helps (just be sure to use AL2023 if you intend to follow along).

jsheld, Aug 29 '23 18:08

Doc: "When connected to a VPC, all outbound traffic from your AppRunner service will be routed based on the VPC routing rules. Services will not have access to the public internet (including AWS APIs) unless allowed by a route to a NAT Gateway."

If AppRunner requires complex configuration and additional NAT costs to connect to basic databases and public networks, the advantages of App Runner will be lost.

We switched the application back to EKS until this issue can be easily resolved.

ShwareAPI, Nov 07 '23 10:11

You'd still have to deal with VPC complexity, but if you can create an IPv6-only VPC then you can use egress-only internet gateways, which don't have a steady-state cost like NAT Gateways. I'd strongly recommend this, especially now that most AWS services finally support IPv6.

RichiCoder1, Nov 07 '23 20:11

@RichiCoder1 good hint! Did you get App Runner to work with an egress-only internet gateway? The AWS docs still mention "App Runner currently only supports IPv4."

wanis-fahmy, Nov 07 '23 21:11

> Good hint! Did you get App Runner to work with an egress-only internet gateway? The AWS docs still mention "App Runner currently only supports IPv4."

Ah foo. I thought they finally added dual stack support, but it looks like that's only for the Public LB. Just gave it a try and App Runner will indeed reject a VPC Connector configured against an IPv6-only subnet.

On that note, be sure to go upvote https://github.com/aws/apprunner-roadmap/issues/114

RichiCoder1, Nov 07 '23 23:11
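A preflight check for the setup described in the original post (private subnets routing 0.0.0.0/0 to a NAT gateway, both VPC DNS attributes enabled) that also flags the IPv6-only subnets RichiCoder1 found the VPC connector rejects. This is an added example, not code from the thread or from AWS; the dicts are constructed to mirror the shape of `aws ec2 describe-vpc-attribute`, `describe-subnets` and `describe-route-tables` output, and a real run would feed those responses in instead.

```python
# Constructed sample data, not real resources. VPC_ATTRS is the flattened
# result of two describe-vpc-attribute calls; the rest mirror describe-subnets
# and describe-route-tables field names.
VPC_ATTRS = {"EnableDnsSupport": True, "EnableDnsHostnames": True}
SUBNETS = [
    {"SubnetId": "subnet-pub-a", "Ipv6Native": False},
    {"SubnetId": "subnet-pub-b", "Ipv6Native": False},
    {"SubnetId": "subnet-priv-a", "Ipv6Native": False},
    {"SubnetId": "subnet-priv-b", "Ipv6Native": False},
    {"SubnetId": "subnet-v6only", "Ipv6Native": True},
]
ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"}]},
    {"Associations": [{"SubnetId": "subnet-priv-a"}, {"SubnetId": "subnet-priv-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc"}]},
    {"Associations": [{"SubnetId": "subnet-v6only"}],
     "Routes": [{"DestinationIpv6CidrBlock": "::/0",
                 "EgressOnlyInternetGatewayId": "eigw-0def"}]},
]


def classify_subnet(subnet, route_tables):
    """Return 'private-nat', 'public', 'ipv6-only' or 'no-egress' for one subnet."""
    if subnet.get("Ipv6Native"):
        return "ipv6-only"  # connector creation fails on IPv6-only subnets
    for rt in route_tables:
        # Main-table associations carry no SubnetId, so .get() skips them.
        if any(a.get("SubnetId") == subnet["SubnetId"] for a in rt["Associations"]):
            for route in rt["Routes"]:
                if route.get("DestinationCidrBlock") != "0.0.0.0/0":
                    continue
                if route.get("NatGatewayId", "").startswith("nat-"):
                    return "private-nat"  # what the connector should use
                if route.get("GatewayId", "").startswith("igw-"):
                    return "public"  # IGW route: instances still get no egress
    return "no-egress"  # no explicit association or no default route


def connector_subnets(vpc_attrs, subnets, route_tables):
    """Subnets to select for the VPC connector, plus problems that block egress."""
    problems = [f"VPC attribute {attr} is disabled; enable it"
                for attr in ("EnableDnsSupport", "EnableDnsHostnames")
                if not vpc_attrs.get(attr)]
    chosen = [s["SubnetId"] for s in subnets
              if classify_subnet(s, route_tables) == "private-nat"]
    if not chosen:
        problems.append("no subnet routes 0.0.0.0/0 to a NAT gateway")
    return chosen, problems
```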

For non-production deployments (QA, UAT, staging, etc.), there is an option to run your own NAT instance on EC2 instead of using a NAT gateway. It will not have the same performance (throughput and autoscaling) of the managed solution but for test environments it should be good enough while being ~10x cheaper.

Here's the AMI: https://github.com/AndrewGuenther/fck-nat

erwinv, Nov 09 '23 00:11

Another thing to look out for when configuring outbound internet for an App Runner instance residing in a VPC:

When creating your VPC using the VPC and more wizard, be sure to leave both DNS Options checked (Enable DNS hostnames & Enable DNS resolution).

For some reason I had disabled those options which was preventing outbound internet even though all of the other configuration was just as @TuureKaunisto had outlined.

jedwardblack, Jan 13 '24 14:01

Any updates from the AWS team? This seems like a pretty basic use case that should be addressed.

hiporox, Apr 15 '24 22:04

I am also still facing the same issue.

thangaraj-HPE, Apr 25 '24 05:04