Centralized observability for AWS App Runner services

In enterprise organizations, it can sometimes be hard for engineering teams to move quickly. Teams must demonstrate they have a plan for keeping software up to date, they must pass security reviews to ensure the application architecture doesn’t introduce vulnerabilities into the environment, and they must think about how to instrument the application so there is good visibility into the workload. Juggling these requirements will oftentimes slow down engineering teams from innovating often and deploying code quickly. In this blog post, I’ll discuss how AWS App Runner makes it easy for engineering teams to deploy code and how it satisfies the needs of cloud teams to ensure containers are frequently patched, the cloud infrastructure remains secure, and provides cloud teams with good visibility into the deployed workload.

Making sure containers are kept up to date

AWS App Runner was introduced in May 2021 as the simplest way to build and run containerized applications. With App Runner, you don’t need to worry about setting up CI/CD pipelines or managing infrastructure. If you’re already used to deploying containers, you simply provide App Runner with the container image of your application. When App Runner detects a new version of your container that matches your container image URI, App Runner can be configured to automatically deploy a new version of your service.

For teams that haven’t yet transitioned to containers, App Runner takes on the heavy lifting of containerizing the application code for you. When you set up an App Runner application with a source code repository, App Runner can be configured to automatically deploy when a new push is detected to the source code branch. With each service update that is being pushed, App Runner will containerize the application and updates the runtime for your service to the latest version. If your application requires a specific version of a managed runtime, you can specify that as well. This automatic process removes the undifferentiated work of keeping containers patched and up to date.

Keeping the infrastructure secure

When deploying a new website, engineering teams typically need to configure an Amazon Virtual Private Cloud (Amazon VPC), Amazon EC2 instances, Elastic Load Balancing, and security groups. However, there is risk that a misconfiguration in the Amazon VPC, security group, or EC2 instance could result in an insecure environment that could lead to compromise. Central cloud governance teams will often strive to put guardrails in place so that engineering teams have just enough rights to set up their application but not enough rights to materially change the security posture of the enterprise’s cloud environment. However, getting all of these guardrails in place can be error-prone and, in many cases, results in the cloud team becoming a bottleneck in the deployment process.

App Runner provides the best of both worlds by giving engineers the ability to deploy their application and configuring the application’s infrastructure according to AWS’s best practice security guidance. When you deploy an application with App Runner, it automatically provisions all resources you need in a secure manner that complies with AWS’s security best practices.

When an application is deployed through App Runner, the service automatically places the application in an  Amazon VPC, and it creates an application load balancer and a security group that are controlled by the App Runner service. This process ensures that applications have boundaries between them and an organization’s other Amazon VPC and on-premises networks. When an application is launched, it is configured to support TLS connections, which ensures that application data is encrypted in transit. App Runner protects your application at rest by encrypting all stored copies of your application source using either your own customer-managed key (CMK) or an AWS-managed CMK.

By configuring and controlling the environment that an application is deployed into, App Runner ensures that deployed applications comply with AWS best-practice security guidance. By ensuring apps are always deployed according to best practices, cloud teams can spend their time on other enterprise issues. This also allows engineering teams to innovate quickly and deploy applications as fast as they want to.

Gaining visibility into the workload deployed and how it’s performing

Finally, cloud teams want visibility into workloads that are being deployed so they can ensure enterprise applications are able to maintain reliability, availability, and performance requirements. App Runner makes visibility into workloads easy by providing a number of metric graphs within the App Runner console. These metrics include the application’s latency, request, and response metrics.

Creating automated dashboards

This solution below demonstrates a standard and unified way for observability across multiple App Runner services. This is done via an AWS CloudFormation template that automatically builds an Amazon CloudWatch dashboard for any new applications deployed via App Runner. By automatically putting App Runner metrics on a CloudWatch dashboard, it can make it easier for centralized cloud teams to monitor applications deployed with App Runner.

This solution builds an Amazon EventBridge rule, an AWS Lambda function, and an AWS IAM role that gives the AWS Lambda function appropriate permissions. Once an AWS App Runner deployment has been completed, an event is automatically sent to Amazon EventBridge. Amazon EventBridge then calls an AWS Lambda function to create a CloudWatch dashboard for the deployed AWS App Runner service. The dashboard is then available to view in Amazon CloudWatch. See Figure 1.

Figure 1: The solution architecture to automatically create Amazon CloudWatch dashboards for a new AWS App Runner service.

This solution is for demonstration purposes only and should not be deployed in your production environment. Select the Launch Stack button to set up the template in your account.

After the stack is created, the EventBridge rule sends all App Runner service status changes where the service is in a RUNNING state to a Lambda function (see Figure 2). When the Lambda function is invoked, it creates a CloudWatch dashboard for the metric graphs that App Runner provides by default in the App Runner console.

Figure 2: The AWS EventBridge rule that creates a CloudWatch dashboard for App Runner applications.

Once the CloudFormation stack has been launched, I can test it out by following the steps in the AWS App Runner launch blog. This blog post shows how to deploy a sample hello world application with AWS App Runner. Once the sample code has been launched by AWS App Runner, I can view a CloudWatch dashboard for my newly deployed application. See Figure 3.

Figure 3: Viewing an application’s CloudWatch dashboard through a centralized monitoring account.

Many cloud teams have a centralized monitoring account, which is used to view metrics and dashboards across all of the organization’s AWS accounts. You can configure a cross-account cross-Region CloudWatch console by following these instructions. When cross-account cross-Region CloudWatch functionality is configured, you can gain cross-account visibility into dashboards, metrics, and alarms across all configured accounts.

In a multi-account scenario, it is common for an engineering account to be configured to automatically provide cross-account visibility to a centralized monitoring account. The CloudFormation template above can be run in the engineering account to provide a CloudWatch dashboard for engineering workloads. If cross-account cross-Region functionality is enabled, this dashboard will automatically appear in the monitoring account so that the centralized cloud team has visibility into the workload through their centralized account.

Through this process, centralized cloud teams can easily see dashboards of all running App Runner applications across all AWS accounts. Engineering teams have the ability to deploy when they need to, and centralized cloud teams have visibility into those deployed workloads.

Clean Up

To ensure you don’t continue to be charged for any resources, make sure to delete the CloudFormation template associated with this blog post.

With App Runner, you only pay for provisioned memory and CPU when your application is running. App Runner charges add-ons for automatic build and deployments. For the latest App Runner pricing, see the App Runner pricing page.

With Amazon EventBridge, you pay for events published to your event bus. For the latest Amazon EventBridge pricing, see the Amazon EventBridge pricing page.

With AWS Lambda, you pay for the number of requests to each Lambda function and the duration of the processing time. For the latest AWS Lambda pricing, see the AWS Lambda pricing page.

Finally, with Amazon CloudWatch, you pay for the number of CloudWatch metrics and each CloudWatch dashboard that you use. For the latest Amazon CloudWatch pricing, see the Amazon CloudWatch pricing page.


App Runner takes away the undifferentiated heavy lifting of deploying an application by helping you ensure App Runner-built containers are kept up to date, your infrastructure is secure and built in a way that follows AWS’s best practice recommendations, and it provides visibility into the state of the workload that is running. AWS App Runner makes it easy for engineering teams to deploy code but also satisfies the security and compliance needs of cloud teams.

To get started with App Runner, check out the Getting started with App Runner guide.

Mike George

Mike George

Mike George is a Principal Solutions Architect based out of Salt Lake City, Utah. He enjoys helping customers solve their technology problems. His interests include software engineering, security, artificial intelligence (AI), and machine learning (ML).