Containers

Announcing AWS App Runner Private Services

Earlier this year we announced the general availability of App Runner VPC support. This feature enabled your services to communicate with databases and other applications hosted in an Amazon Virtual Private Cloud (Amazon VPC). Today, we released App Runner private services, and now customers can strengthen the security posture of their applications and meet their networking compliance needs by making their App Runner service privately accessible within an Amazon VPC. This feature is powered by an AWS PrivateLink interface VPC endpoint. Customers can specify from which Amazon VPC they want to allow access to their App Runner service, by passing an interface VPC Endpoint.

In this post I am going to show you how to create a private App Runner service and control the access to this service, exposing it only to a specified Amazon VPC.

Before we start, I would like to explain some terminology that we use for the network flow of traffic, in and out of your App Runner service.

Incoming traffic is the path that traffic will flow into your service. The options that are now available for these paths are:

  • Public endpoint: the endpoint of your service is accessible from the public internet
  • Private endpoint: the service will only be exposed to one or more VPCs you define, but will not be accessible from the public internet

diagram of the flow of traffic for an incoming public endpoint

diagram of the flow of traffic for an incoming private endpoint

Outgoing traffic is the path that traffic will use out from your service to access data outside of the managed App runner Amazon VPC. The options that are available are:

  • Public access: All outbound traffic will go through the App Runner managed Amazon VPC
  • Custom VPC: All outbound traffic will go through an Amazon VPC that you define, and this VPC will need to have a suitable route to the internet, through an AWS NAT gateway.

diagram of the flow of traffic for an outgoing public access

diagram of the flow of traffic for an outgoing custom VPC

Prerequisites

  • A default VPC in a region of your choice (you can also use an existing VPC in your account) and for the purposes of this blog post I will be using the N. Virginia (us-east-1) region.

Walkthrough

To create a new private App Runner service, go to the App Runner Console and select Create an App Runner service.

I am going to use the hello-app-runner container image on the Amazon ECR Public Gallery.

I select Container registry, Amazon ECR Public and enter the URI for the container image public.ecr.aws/aws-containers/hello-app-runner:latest.

Select Next.

screenshot of App Runner wizard: source and deployment

I give the service the name of private-services-demo and allocate the service 1vCPU and 2GB of memory. I also configure the service to use port 8000.

screenshot of App Runner wizard: configure service

Scrolling down further to the networking section is where I configure how the traffic will flow in and out of my service. To configure a private service, under the Incoming network traffic I select Private endpoint and here I need to configure the VPC interface Endpoint that will be used for this connection. Since this is the first private service I am creating, I click on Create new endpoint.

screenshot of App Runner wizard: networking configuration

I give the endpoint the name of appruner-private-service-endpoint, and select the VPC that I would like to allow access to my service from, select a security group to attach to this endpoint and select the subnets in the VPC that the endpoint will be deployed to. Click Create.

Creating a VPC endpoint will incur a cost, please refer to the AWS PrivateLink pricing page (https://thinkwithwp.com/privatelink/pricing/) for more information.

screenshot of App Runner wizard: create new VPC interface endpoint

For the purpose of this blog post I am going to select Public access for the Outgoing network traffic path and then click Next at the bottom of the page.

screenshot of App Runner wizard: outgoing network traffic

Review your configuration and click Create & deploy at the bottom of the page.

screenshot of App Runner wizard: review configuration

After your service has deployed let’s have a look at the details of the service on the Service overview page.

screenshot of App Runner service details page

You can see that the service is configured to use a Private endpoint for Incoming traffic and the Private endpoint status will show which VPC your service is connected to. You will also have the Default domain (FQDN) where you can access your service, in my case 4gjrsymimh.us-east-1.awsapprunner.com.

To verify that the service is exposed only to the resources inside the VPC, I run a dig command to resolve the FQDN of my service. As you can see from the output below, the query resolves to the private IP addresses of the endpoint in the three subnets that I chose during the deployment.

dig +short 4gjrsymimh.us-east-1.awsapprunner.com

172.31.5.127
172.31.35.3
172.31.21.237

With this release we also have a new Network Configuration page where you can find information about the VPC endpoints in use, for all your App Runner services in the region.

screenshot of App Runner Networking configuration page

When I click on the id of the VPC endpoint I can see more information (which subnets are used, the security groups attached and which services are using this endpoint) all conveniently located in the App Runner console.

screenshot of VPC endpoint details

I can also modify my deployed service and make it public, without having to recreate the service.

Select the service from the list of services in the console, and select the configuration tab.

screenshot of App Runner service configuration page

Click the Edit button under the Configure service section.

screenshot of Service, Edit button

Under the Networking section, change the configuration to Public endpoint. Scroll down and click Save changes.

screenshot of App Runner wizard: Change incoming network traffic

After your service has been updated you will see that the information in the Service Overview will be updated to reflect that the service is now public and no longer connected to a VPC.

screenshot of App Runner service details page

To verify that my application is now accessible from the public internet, I run the same dig command as before to resolve the FQDN of my service, and I now see that it using public IPv4 addresses.

dig +short 4gjrsymimh.us-east-1.awsapprunner.com

52.4.244.172
52.207.35.2
44.206.106.249
23.20.77.141
107.21.252.24

Please note, when you change a service from a Private endpoint to a Public endpoint, the VPC endpoint, is not deleted, you will need to remove it in the VPC endpoints console.

Cleanup

To remove the resources that you created during this post, do the following.

  • Delete private-services-demoApp Runner service
  • Delete the apprunner-private-service-endpoint VPC endpoint

Conclusion

In this post, I showed you how to create a private App Runner service that is accessible only a specified VPC in your account to, how you can modify your service between a Public endpoint and a Private Endpoint, and how you get all the network information about your services in the Network configuration page.

AWS App Runner is available today in US East (N. Virginia), US West (Oregon), US East (Ohio), Asia Pacific (Tokyo), Europe (Ireland). You can use App Runner with the AWS Management Console and AWS Copilot CLI.

AWS App Runner’s roadmap is publicly accessible at https://github.com/aws/apprunner-roadmap/projects/1. Feel free to review the roadmap items, suggest new features and vote for the ones that you would like us to prioritize.