Amazon announced App Runner private services, allowing AWS App Runner services to be privately accessible within an Amazon VPC. AWS App Runner simplifies deploying and operating containerized web applications by handling many operational tasks. This release builds upon the previously released App Runner VPC support, which allows communication between App Runner services and applications running within a VPC.
Previously, connecting an App Runner service to a service running within an Amazon Virtual Private Cloud (VPC) required that the VPC service have a public endpoint. Earlier this year, the ability to create VPC connectors for App Runner services was added. With a VPC connector, it is possible to specify which VPC, subnets, and security groups to use for private networking. A single VPC connector can be used with one or more App Runner services.
When in use, all outbound traffic from the App Runner service will be based on the VPC routing rules. This means that services will not have public access, including to AWS APIs, unless allowed by a route to a NAT gateway or via VPC endpoints.
The latest release adds support for App Runner private services, allowing for services to be privately accessible within a VPC. This feature makes use of AWS PrivateLink for the interface VPC endpoint. It is possible to specify from which VPC access should be allowed, by passing an interface VPC endpoint to the App Runner service. These private endpoints ensure that the App Runner service is only accessible via one or more defined VPCs and not from the public internet.
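The two paragraphs above describe two independent settings: egress through a VPC connector (outbound traffic follows the VPC's routing rules) and private ingress through an interface VPC endpoint (the service is not reachable from the public internet). A service can have one without the other, so an inventory check should look at both. The following script is an added example, not code from the article, AWS, or Copilot; it assumes the `NetworkConfiguration` shape of the App Runner DescribeService API response (`IngressConfiguration.IsPubliclyAccessible`, `EgressConfiguration.EgressType` and `VpcConnectorArn`), and the sample service records are constructed.

```python
# Added example (not from the article or AWS): audit App Runner services for
# private ingress and VPC egress. Assumes the DescribeService response shape
# documented for the App Runner API; the sample records below are constructed.
from dataclasses import dataclass, field


@dataclass
class NetworkPosture:
    service_name: str
    public_ingress: bool
    vpc_egress: bool
    findings: list[str] = field(default_factory=list)

    @property
    def is_private(self) -> bool:
        """True only when both ingress and egress stay inside the VPC."""
        return not self.public_ingress and self.vpc_egress


def assess(service: dict) -> NetworkPosture:
    """Evaluate one 'Service' object (e.g. apprunner.describe_service(...)["Service"])."""
    net = service.get("NetworkConfiguration", {})
    ingress = net.get("IngressConfiguration", {})
    egress = net.get("EgressConfiguration", {})

    # App Runner services are public unless IsPubliclyAccessible is explicitly
    # false, so a missing key is treated as public (conservative choice here).
    public_ingress = ingress.get("IsPubliclyAccessible", True)
    egress_type = egress.get("EgressType", "DEFAULT")
    vpc_egress = egress_type == "VPC"

    posture = NetworkPosture(service["ServiceName"], public_ingress, vpc_egress)
    if public_ingress:
        posture.findings.append(
            "public ingress: reachable from the internet, not only through a VPC interface endpoint")
    if not vpc_egress:
        posture.findings.append(
            "DEFAULT egress: outbound traffic bypasses the VPC's route tables and security groups")
    elif not egress.get("VpcConnectorArn"):
        posture.findings.append("VPC egress configured without a VpcConnectorArn")
    return posture


def audit(services: list[dict]) -> dict[str, NetworkPosture]:
    """Assess every service and index the results by service name."""
    return {p.service_name: p for p in map(assess, services)}


# Constructed sample records mirroring the documented response shape.
SAMPLE_SERVICES = [
    {
        "ServiceName": "internal-api",
        "NetworkConfiguration": {
            "IngressConfiguration": {"IsPubliclyAccessible": False},
            "EgressConfiguration": {
                "EgressType": "VPC",
                # placeholder ARN, not a real connector
                "VpcConnectorArn": "arn:aws:apprunner:us-east-1:123456789012:vpcconnector/example",
            },
        },
    },
    {
        "ServiceName": "marketing-site",
        "NetworkConfiguration": {
            "IngressConfiguration": {"IsPubliclyAccessible": True},
            "EgressConfiguration": {"EgressType": "DEFAULT"},
        },
    },
    {
        # Private ingress but default egress: callers are restricted, yet the
        # service's own outbound calls still leave via App Runner's public path.
        "ServiceName": "half-private",
        "NetworkConfiguration": {
            "IngressConfiguration": {"IsPubliclyAccessible": False},
            "EgressConfiguration": {"EgressType": "DEFAULT"},
        },
    },
]

if __name__ == "__main__":
    for name, posture in audit(SAMPLE_SERVICES).items():
        status = "PRIVATE" if posture.is_private else "REVIEW"
        print(f"{name}: {status}", *posture.findings, sep="\n  ")
```

In a real account the `SAMPLE_SERVICES` list would be replaced by the `Service` objects returned from `describe_service` for each ARN listed by `list_services`; the assessment logic is unchanged. The "half-private" case is the one worth watching for: private ingress alone does not put the service's outbound traffic under VPC routing, which is why the article treats the VPC connector and private services as separate features.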
AWS Copilot was also updated to support creating App Runner private services. AWS Copilot is a command-line interface tool for developing, releasing, and operating containerized applications on AWS. It supports Amazon Elastic Container Service (ECS), AWS Fargate, and AWS App Runner.
Private services can be enabled via Copilot by updating the Request-Driven Web Service manifest with:

http:
  private: true
This will restrict the service to be reachable only by other services within the Copilot environment. This setting automatically creates a VPC endpoint to App Runner that is shared across all private services within that environment. An existing App Runner VPC endpoint can be imported using the endpoint key:

http:
  private:
    endpoint: vpce-12345
App Runner private services are currently available in the following regions: US East (N. Virginia), US West (Oregon), US East (Ohio), Asia Pacific (Tokyo), and Europe (Ireland). The feature can be used via the AWS Management Console and from the AWS Copilot CLI. App Runner VPC support is available in all regions in which App Runner is available, at no additional cost beyond the costs of the allocated resources and the associated data transfer.