
How can I expose private App Runner services using API Gateway?

Open akhil-ph opened this issue 1 year ago • 11 comments

I have a few App Runner services that I want to expose via API Gateway. How can I achieve that?

I tried following solution no. 2 mentioned in this comment, but I was not able to make it work.

I will explain what I did here:

  • created the App Runner service with private incoming traffic [selected private subnets from my VPC, with a security group that has 443 and 80 ingress enabled]
  • the App Runner service was only accessible within the VPC [verified with a curl request to the App Runner HTTPS URL from EC2]
  • created a target group that targets the private IP address of the App Runner requests endpoint, selected my VPC, TCP protocol, port 443, IP type IPv4, and health check protocol TCP
  • created an internal NLB with IP type IPv4, selected my VPC's private subnets, a TCP listener on port 443, and selected the target group created in step 3
  • in API Gateway, created a VPC link for HTTP APIs, selected my VPC, its private subnets and the correct security group; selected the HTTP API type, used the $default stage, added the route ANY /{proxy+}, and for the integration selected the route I created earlier, chose "private resource", and selected my NLB and VPC link

When I hit the API Gateway URL, I was not proxied to the App Runner service. Am I missing something?

Also, in the above-mentioned comment, that person said we can reuse these supporting non-App Runner resources for running multiple private App Runner services.

Please help!

akhil-ph, Jun 10 '23 15:06

Hi, did you get this resolved? I plan to do a similar setup.

shyamrock, Jul 14 '23 12:07

Hi @akhil-ph

Any news here? I also plan to do a similar setup.

fehimaltinisik, Jul 30 '23 12:07

Is the target group showing as healthy?

jplock, Jul 30 '23 13:07

I have the same problem. I followed this official AWS tutorial video https://www.youtube.com/watch?v=H5OKe8jXnX0&list=PLMs16T14YDqhokZkF7PFW89EfOGYuGwmp&index=, but it does not work for me. The API Gateway tests return HTTP 500, and I don't see any traffic or logs in the App Runner service or NLB metrics.

Execution log for request 97adf511-639b-4d47-b3fc-e501499f2f55
Sun Dec 03 17:30:04 UTC 2023 : Starting execution for request: 97adf511-639b-4d47-b3fc-e501499f2f55
Sun Dec 03 17:30:04 UTC 2023 : HTTP Method: GET, Resource Path: /
Sun Dec 03 17:30:04 UTC 2023 : Method request path: {}
Sun Dec 03 17:30:04 UTC 2023 : Method request query string: {}
Sun Dec 03 17:30:04 UTC 2023 : Method request headers: {}
Sun Dec 03 17:30:04 UTC 2023 : Method request body before transformations:
Sun Dec 03 17:30:04 UTC 2023 : Endpoint request URI: https://example.us-east-1.awsapprunner.com/
Sun Dec 03 17:30:04 UTC 2023 : Endpoint request headers: {x-amzn-apigateway-api-id=k90ul4ho11, User-Agent=AmazonAPIGateway_k90ul4ho11, Host=example.us-east-1.awsapprunner.com}
Sun Dec 03 17:30:04 UTC 2023 : Endpoint request body after transformations:
Sun Dec 03 17:30:04 UTC 2023 : Sending request to https://example.us-east-1.awsapprunner.com/
Sun Dec 03 17:30:14 UTC 2023 : Execution failed due to configuration error: There was an internal error while executing your request
Sun Dec 03 17:30:14 UTC 2023 : Method completed with status: 500

filipponova, Dec 03 '23 17:12

I've solved my problem. The problem was a load balancer security option, "Enforce inbound rules on PrivateLink traffic"; this setting needs to be disabled.

More details: https://repost.aws/knowledge-center/api-gateway-500-error-vpc?sc_channel=sm&sc_campaign=Support&sc_publisher=YOUTUBE&sc_country=global&sc_geo=GLOBAL&sc_outcome=AWS%20Support&sc_content=Support&trk=Support&linkId=246337659

https://www.google.com/search?q=Enforce+inbound+rules+on+AWS+PrivateLink&rlz=1C5CHFA_enBR1072BR1073&oq=Enforce+inbound+rules+on+AWS+PrivateLink&gs_lcrp=EgZjaHJvbWUyBggAEEUYOTIHCAEQIRigATIHCAIQIRigAdIBBzU2NGowajGoAgCwAgA&sourceid=chrome&ie=UTF-8

filipponova, Dec 03 '23 18:12
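A preflight check for the setup akhil-ph describes at the top of the thread and for the NLB setting filipponova found, as an added example that is not from this thread, from AWS, or from the apprunner-roadmap project. It is a Python script that takes dicts in the shape of the boto3 `elbv2.describe_load_balancers`, `elbv2.describe_target_health` and `ec2.describe_security_group_rules` responses and reports the three conditions this thread associates with the API Gateway 500s: the load balancer's "Enforce inbound rules on PrivateLink traffic" attribute being on, targets in the NLB target group not being healthy (jplock's question), and the NLB security group having no inbound rule for tcp/443. The sample data below is constructed for the example; the load balancer name, target IPs and security group IDs are made up.

```python
"""Preflight for API Gateway -> VPC link -> internal NLB -> private App Runner.

Each check consumes one boto3 response shape so it can be fed either the
constructed sample data at the bottom or live output from the AWS SDK.
"""
from typing import Any

NLB_PORT = 443  # listener and target port used in the thread's setup


def check_load_balancer(lb: dict[str, Any]) -> list[str]:
    """Check one entry of elbv2 describe_load_balancers()['LoadBalancers'].

    The last check is the attribute filipponova's comment identified as the
    cause of the 500s; the API field name is the one elbv2 returns for it.
    """
    name = lb.get("LoadBalancerName", "<unnamed>")
    findings: list[str] = []
    if lb.get("Type") != "network":
        findings.append(f"{name}: type is {lb.get('Type')!r}, expected 'network'")
    if lb.get("Scheme") != "internal":
        findings.append(f"{name}: scheme is {lb.get('Scheme')!r}, expected 'internal'")
    if lb.get("EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic", "off") == "on":
        findings.append(
            f"{name}: 'Enforce inbound rules on PrivateLink traffic' is on; "
            "the thread's fix is to turn it off"
        )
    return findings


def check_target_health(descriptions: list[dict[str, Any]]) -> list[str]:
    """Check elbv2 describe_target_health()['TargetHealthDescriptions']."""
    if not descriptions:
        return ["target group has no registered targets"]
    findings: list[str] = []
    for d in descriptions:
        target, health = d["Target"], d["TargetHealth"]
        if health["State"] != "healthy":
            where = f"{target['Id']}:{target.get('Port', '?')}"
            detail = health.get("Reason", "")
            findings.append(f"target {where} is {health['State']} {detail}".rstrip())
    return findings


def check_nlb_ingress(rules: list[dict[str, Any]], vpc_link_sgs: set[str],
                      port: int = NLB_PORT) -> list[str]:
    """Check ec2 describe_security_group_rules()['SecurityGroupRules'] for the NLB group.

    Passes if some inbound rule admits tcp/<port> from the VPC link's security
    group or from a CIDR; it does not judge whether a CIDR is wide enough.
    """
    for r in rules:
        if r.get("IsEgress"):
            continue
        proto = r.get("IpProtocol")
        if proto not in ("tcp", "-1"):  # "-1" is "all protocols"
            continue
        if proto == "tcp" and not (r.get("FromPort", 0) <= port <= r.get("ToPort", 65535)):
            continue
        ref = (r.get("ReferencedGroupInfo") or {}).get("GroupId")
        if ref in vpc_link_sgs or r.get("CidrIpv4") or r.get("CidrIpv6"):
            return []
    return [f"NLB security group has no inbound rule for tcp/{port} "
            "from the VPC link security group or a CIDR"]


def diagnose(lb: dict[str, Any], target_health: list[dict[str, Any]],
             sg_rules: list[dict[str, Any]], vpc_link_sgs: set[str]) -> list[str]:
    """Run all checks; an empty list means nothing in this thread's list of causes applies."""
    return (check_load_balancer(lb)
            + check_target_health(target_health)
            + check_nlb_ingress(sg_rules, vpc_link_sgs))


# Constructed sample data in the shape of the boto3 responses (not real AWS output).
SAMPLE_LB = {
    "LoadBalancerName": "apprunner-internal-nlb",
    "Type": "network",
    "Scheme": "internal",
    "EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic": "on",  # the thread's culprit
}
SAMPLE_TARGET_HEALTH = [
    {"Target": {"Id": "10.0.1.23", "Port": 443}, "TargetHealth": {"State": "healthy"}},
    {"Target": {"Id": "10.0.2.45", "Port": 443},
     "TargetHealth": {"State": "unhealthy", "Reason": "Target.FailedHealthChecks"}},
]
SAMPLE_VPC_LINK_SGS = {"sg-0aaa111vpclink"}
SAMPLE_SG_RULES = [
    {"IsEgress": False, "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "ReferencedGroupInfo": {"GroupId": "sg-0aaa111vpclink"}},
    {"IsEgress": True, "IpProtocol": "-1", "FromPort": -1, "ToPort": -1, "CidrIpv4": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LB, SAMPLE_TARGET_HEALTH, SAMPLE_SG_RULES, SAMPLE_VPC_LINK_SGS):
        print("FAIL:", finding)
```

Against the sample data the script reports the PrivateLink enforcement attribute and the unhealthy target and is silent about the security group, which is the same order of elimination this thread went through: jplock asked about target health first, and the attribute turned out to be the answer for filipponova.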

Hi @filipponova, thanks for reaching out. We are currently working on a blog post to publish guidelines on integrating a private App Runner service with API Gateway; will update the link once the blog gets officially published. Thanks.

hariohmprasath, Dec 04 '23 07:12

@hariohmprasath was this ever posted?

I'm currently trying to put AppRunner behind an Interface VPC Endpoint (so that an API Gateway can see it), which requires the AppRunner instance to not be publicly accessible.

[updated] removed irrelevant error

cwensel, Feb 13 '24 17:02