Integrate AWS Transit Gateway with AWS App Runner Private Services
AWS App Runner is a fully managed service for running web applications and API servers with little to no infrastructure. It deploys your application containers in the AWS Cloud, automatically scaling and load-balancing requests. Once deployed your AWS App Runner service gets a service URL that your clients can send HTTPS requests to. In November 2022, AWS App Runner announced support for private services, which enables private access to AWS App Runner services from within an Amazon Virtual Private Cloud (VPC). The use case explained in this blog post is an extension to what has been described in the Deep Dive on AWS App Runner Private Services post.
Using the private AWS App Runner service feature in conjunction with AWS Transit Gateway you can securely expose containerized web applications and API services to other services in other AWS accounts, Amazon VPCs, or networks external to the Amazon VPC (e.g., on-premises networks). AWS Transit Gateway is a network transit hub that you can use to interconnect your Virtual Private Cloud (Amazon VPC) and on-premises networks.
This post demonstrates the AWS App Runner networking configuration required to create a private service in one Amazon VPC that can be accessed via networks connected to an AWS Transit Gateway.
In this solution, we deploy the hello-app-runner as a private AWS App Runner service that has a VPC Endpoint in the main VPC. We connect the two Amazon VPCs via an AWS Transit Gateway. We can then connect to the private AWS App Runner private service from the second VPC connected to the AWS Transit Gateway. To test the private service, we create a Windows instance as a client to browse the service URL. Alternatively, customers may choose to connect to the private AWS App Runner from their on-premises network connected via an AWS Site-to-Site VPN, VPC or AWS Direct Connect to the AWS Transit Gateway. The public Amazon Route 53 record for the URL of App Runner private service resolves to private IPs from the VPC, therefore if you try to connect to service from on-premises, you don’t need to configure an Amazon Route 53 Resolver or config an on-premises DNS server.
The following diagrams shows the solution overview:
Connecting to an AWS App Runner private service works the same in AWS region as it is on-premises, therefore we don’t cover the on-premises part. If you’re interested to try it, then you can follow the post Simulating Site-to-Site VPN Customer Gateways Using strongSwan to create a Site-to-Site VPN connection and test it.
For simplicity in this walkthrough, we create two VPCs in the same account, and connect them via an AWS Transit Gateway:
To deploy the solution, we perform the following steps:
- Create the base networking using Terraform
- Create a Windows Amazon Elastic Compute Cloud (Amazon EC2) instance
- Deploy sample AWS App Runner service
The following are prerequisite steps for the solution:
- An AWS account with administrative privileges
- To run the Terraform Infrastructure as code, we create a AWS Cloud9 Read the documentation Creating an EC2 Environment. You can also use AWS Cloudshell.
Create the base networking using Terraform
To deploy the base networking complete the following steps:
- In your AWS Cloud9 Linux terminal clone the infrastructure as code. The parameters specified in the tfvars file define the VPC and subnet CIDR blocks. If you would like to update the CIDR blocks or other parameters, make your changes in this file.
- Next, run the Terraform commands in the repository path and enter Yes when it shows you the plan of resources to create.
- Create a Windows instance (Microsoft Windows Server 2022 Base) named secondry-windows-instance in the public subnet of the Secondary VPC following this guide create a Windows instance and access them using RDP. It is recommended to restrict the inbound rule of your Security Group for RDP to your IP or a range of controlled IPs. The Windows instance types micro and t2.micro are free tier eligible.
Deploy the Sample AWS App Runner service
You can use AWS App Runner to create and manage services based on two types of service source: source code and source image. To deploy the sample application with AWS App Runner, we use the Container image that is available in the Amazon ECR public repository.
Create our sample AWS App Runner service
- From AWS Console go to the AWS App Runner service and click on Create an App Runner service.
- Set up the service with Repository Type as Container repository.
- As the Provider set Amazon ECR Public.
- For the Container image URI enter: ecr.aws/aws-containers/hello-app-runner:latest
- For Service name enter hello-app-runner
- For Port enter 8000:
- Next, we create the VPC interface endpoint. In the Networking section, for Incoming network traffic choose Private endpoint
- Select Create new endpoint:
- For Endpoint name enter private-endpoint-apprunner
- For VPC select Main VPC(10.0.0.0/20) and one subnet in each Availability Zone:
- Now in the Networking section, for Incoming network traffic the newly created private endpoint should be selected.
- For the Outgoing network traffic, choose Custom VPC.
- Next, we create a VPC connector for this service by clicking Add new
- Set the VPC Connector name to vpc-connector-apprunner
- Next, for Security Groups select the default security group, take note of the default security group as we will update the inbound rule later. If you don’t have a default security group or you don’t want to use it, follow this link to create new security group.
- Then select Add:
- Select Next, and then Create and deploy:
You can see the logs of the service from the AWS App Runner console or Amazon CloudWatch.
- When the service is deployed successfully it would be in the Running status:
- To enable the private resources in the VPCs to have access to our private AWS App Runner service, we need to update the default Security Group that we used for AWS App Runner service to have inbound rules enabled for HTTPS requests that come from our CIDR ranges: 10.0.0.0/20 and 10.0.16.0/20:
Finally, we can now test the Default domain URL of the service, using the browser of the secondary-windows-instance. You should be able to see the hello-app-runner page:
You successfully deployed the hello-app-runner as a private AWS App Runner service and accessed it from another VPC connected to the VPC which your AWS App Runner service is deployed via an AWS Transit Gateway.
To delete the resources created as part of this blog follow the following steps:
- Go to the AWS Runner in the AWS Management console:
- From service page, delete the App Runner service.
- From Networking configuration, go to Outgoing traffic and delete the created VPC Connector.
- From Networking configuration, go to Incoming traffic, select the endpoint and delete the created VPC interface endpoints.
- Go to the Amazon EC2 service in the AWS Management console and delete the secondary-windows-instance Amazon EC2 instances by selecting Terminate instance from the Instance state option.
- To delete the VPCs, Transit gateway and its attachments, from the AWS Cloud9 Linux terminal run the following command:
- Delete the changes you made to the default security group for inbound rules.
In this post, we showed you how to deploy a private AWS App Runner service and connect via an AWS Transit Gateway. AWS App Runner supports public and private endpoint modes for incoming traffic to your AWS App Runner service. This helps to create different use cases (run containerized web applications, API services, backend web services, and websites) which needs public or private endpoints. With the private endpoint mode, you can deploy applications which are only accessible from your trusted VPCs and on-premises networks.
For more details on AWS App Runner features you can find on the AWS App Runner public roadmap on GitHub.