AWS App Runner will no longer be open to new customers starting April 30, 2026. If you would like to use App Runner, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [AWS App Runner availability change](https://docs.aws.amazon.com/apprunner/latest/dg/apprunner-availability-change.html).
# Setting up networking configurations for incoming traffic
You can configure your service to receive incoming traffic from private or public endpoint.
A **Public Endpoint** is the default configuration. It opens your service to any incoming traffic from the public internet. It also provides you with the flexibility to choose between IPv4 or dual-stack (IPv4 and IPv6) address types for your service.
A **Private endpoint** only allows traffic from an Amazon VPC to access your App Runner service. This is achieved by setting up a VPC interface endpoint, an AWS PrivateLink resource, for your App Runner service. Thereby, creating a private connection between the Amazon VPC and your App Runner service. It also provides you with the flexibility to choose between IPv4 or dual-stack (IPv4 and IPv6) address types for your service.
The following are the topics that are covered as part of setting up your network configurations for incoming traffic:
+ How to configure your incoming traffic to make your service privately available only from within an Amazon VPC. For more information, see [Enabling Private endpoint for incoming traffic](network-pl.md).
+ How to configure your service to receive internet traffic from the dual-stack address type. For more information, see [Enabling dual stack for public incoming traffic](network-dual-stack.md).
## Headers
With App Runner you can access the original source IPv4 and IPv6 addresses of the traffic entering your application. The original source IP addresses are preserved by assigning the `X-Forwarded-For` request header to them. This enables your applications to fetch the original source IP addresses when needed.
**Note**
If your service is configured to use private endpoint, then `X-Forwarded-For` request header cannot be used to access original source IP addresses. If used, it retrieves false values.
# Enabling Private endpoint for incoming traffic
By default when you create an AWS App Runner service, the service is accessible over the internet. However, you can also make your App Runner service private and only accessible from within an Amazon Virtual Private Cloud (Amazon VPC).
With your App Runner service private, you have complete control over incoming traffic, adding an additional layer of security. This is helpful in a variety of use cases, including running internal APIs, corporate web applications, or applications that are still in development that require a greater level of privacy and security, or have the need to meet specific compliance requirements.
**Note**
If your App Runner application requires source IP/CIDR incoming traffic control rules, you must use security group rules for private endpoints instead of [WAF web ACLs](waf.md). This is because we currently don’t support forwarding request source IP data to App Runner private services associated with WAF. As a result, source IP rules for App Runner private services that are associated with WAF web ACLs do not adhere to IP based rules.
To learn more about infrastructure security and security groups, including best practices, see the following topics in the *Amazon VPC User Guide*: [Control network traffic](https://docs.aws.amazon.com/vpc/latest/userguide/infrastructure-security.html#control-network-traffic) and [Control traffic to your AWS resources using security groups](https://docs.aws.amazon.com//vpc/latest/userguide/vpc-security-groups.html).
When your App Runner service is private, you can access your service from within an Amazon VPC. An internet gateway, NAT device, or VPN connection isn’t required.
**Note**
App Runner supports IPv4 and dual-stack, (both IPv4 and IPv6), for both incoming traffic and outgoing traffic.
## Considerations
+ Before you set up a VPC interface endpoint for App Runner, review [Considerations](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html#considerations-interface-endpoints) in the *AWS PrivateLink Guide*.
+ VPC endpoint policies are not supported for App Runner. By default, full access to App Runner is allowed through the VPC interface endpoint. Alternatively, you can associate a security group with the endpoint network interfaces to control traffic to App Runner through the VPC interface endpoint.
+ If your App Runner application requires source IP/CIDR incoming traffic control rules, you must use security group rules for private endpoints instead of [WAF web ACLs](waf.md). This is because we currently don’t support forwarding request source IP data to App Runner private services associated with WAF. As a result, source IP rules for App Runner private services that are associated with WAF web ACLs do not adhere to IP based rules.
+ After you enable a Private endpoint, your service is only accessible from your VPC, and can’t be accessed from the internet.
+ For higher availability, it's recommended that you select at least two subnets across Availability Zone different for the VPC interface endpoint. We don’t recommend using only one subnet.
+ If you're choosing the dual stack option for the IP address type, ensure your subnets can support dual-stack traffic.
+ You can use the same VPC interface endpoint to access multiple App Runner services in a VPC.
For information on the terms used in this section, see [Terminology](network-terms.md).
## Permissions
The following is the list of permissions required to enable **Private endpoint**:
+ ec2:CreateTags
+ ec2:CreateVpcEndpoint
+ ec2:ModifyVpcEndpoint
+ ec2:DeleteVpcEndpoints
+ ec2:DescribeSubnets
+ ec2:DescribeVpcEndpoints
+ ec2:DescribeVpcs
## VPC interface endpoint
A VPC interface endpoint is an *AWS PrivateLink* resource that connects an Amazon VPC to an endpoint service. You can specify which Amazon VPC you would like your App Runner service to be accessible in by passing a VPC interface endpoint. To create a VPC interface endpoint specify the following:
+ The Amazon VPC to enable the connectivity.
+ Add Security groups. By default, a security group is assigned to VPC interface endpoint. You can choose to associate a custom security group to bring further control to incoming network traffic.
+ Add subnets. To ensure higher availability, it is recommended to select at least two subnets for each Availability Zone from which you’ll access the App Runner service. A network interface endpoint is created in each subnet that you enable for the VPC interface endpoint. These are requester-managed network interfaces that serve as the entry point for traffic destined for App Runner. A requester-managed network interface is a network interface that an AWS service creates in your VPC on your behalf.
+ If you are using the API, add the App Runner VPC interface endpoint `Servicename`. For example,
```
com.amazonaws.region.apprunner.requests
```
You can create a VPC interface endpoint using one of the following AWS services:
+ App Runner console. For more information, see [Manage Private endpoint](network-pl-manage.md).
+ Amazon VPC console or API, and AWS Command Line Interface (AWS CLI). For more information, see [Access AWS services through AWS PrivateLink](https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-access-aws-services.html) in the *AWS PrivateLink Guide*.
**Note**
You’re charged for each VPC interface endpoint that you use based on [AWS PrivateLink Pricing](https://aws.amazon.com/privatelink/pricing/). Therefore, for better cost efficiency, you can use the same VPC interface endpoint to access multiple App Runner services within a VPC. However, for better isolation, consider associating a different VPC interface endpoint for each of your App Runner services.
## VPC Ingress Connection
A *VPC Ingress Connection* is an App Runner resource that specifies an App Runner endpoint for incoming traffic. App Runner assigns the VPC Ingress Connection resource behind the scenes when you choose **Private endpoint** on the App Runner console for your incoming traffic. Choose this option to only allow traffic from an Amazon VPC to access your App Runner service. The VPC Ingress Connection resource connects your App Runner service to the VPC interface endpoint of the Amazon VPC. You can create a VPC Ingress Connection resource only if you are using the API operations to configure the network settings for incoming traffic. For more information how to create VPC Ingress Connection resource, see [CreateVpcIngressConnection](https://docs.aws.amazon.com/apprunner/latest/api/API_CreateVpcIngressConnection.html.html) in the *AWS App Runner API Reference*.
**Note**
One VPC Ingress Connection resource of the App Runner can connect to one VPC interface endpoint of the Amazon VPC. Also, you can only create one VPC Ingress Connection resource for each App Runner service.
## Private endpoint
Private endpoint is an App Runner console option that you can choose if you only want to receive incoming traffic from an Amazon VPC. Choosing the **Private endpoint** option on the App Runner console provides you with the option to connect your service to a VPC by configuring its *VPC interface endpoint*. Behind the scenes, App Runner assigns a VPC Ingress Connection resource to the VPC interface endpoint that you configure.
## Summary
Make your service private by only allowing traffic from an Amazon VPC to access your App Runner service. To achieve this, you create a VPC interface endpoint for the selected Amazon VPC using either App Runner or Amazon VPC. On the App Runner console, you create a VPC interface endpoint when you enable the **Private endpoint** for the **Incoming traffic**. App Runner then automatically creates a *VPC Ingress Connection* resource and connects to the VPC interface endpoint and your App Runner service. This creates a private service connection that ensures that only traffic from the selected VPC can access your App Runner service.
# Managing Private endpoints
Manage the Private endpoint for the incoming traffic using one of the following methods:
+ [App Runner console](#network-pl-manage.console)
+ [App Runner API or AWS CLI](#network-pl-manage.api)
**Note**
If your App Runner application requires source IP/CIDR incoming traffic control rules, you must use security group rules for private endpoints instead of [WAF web ACLs](waf.md). This is because we currently don’t support forwarding request source IP data to App Runner private services associated with WAF. As a result, source IP rules for App Runner private services that are associated with WAF web ACLs do not adhere to IP based rules.
To learn more about infrastructure security and security groups, including best practices, see the following topics in the *Amazon VPC User Guide*: [Control network traffic](https://docs.aws.amazon.com/vpc/latest/userguide/infrastructure-security.html#control-network-traffic) and [Control traffic to your AWS resources using security groups](https://docs.aws.amazon.com//vpc/latest/userguide/vpc-security-groups.html).
## App Runner console
When you [create a service](manage-create.md) using the App Runner console, or when you [update its configuration later](manage-configure.md), you can choose to configure the incoming traffic.
To configure your incoming traffic, choose one of the following.
+ **Public endpoint**: To make your service accessible to all services over the internet. By default, **Public endpoint** is selected.
+ **Private endpoint**: To make your App Runner service accessible from only within an Amazon VPC.
### Enable Private endpoint
Enable a **Private endpoint** by associating it with VPC interface endpoint of the Amazon VPC you want to access. You can either create a new VPC interface endpoint or choose an existing one.
**To create a VPC interface endpoint**
1. Open the [App Runner console](https://console.aws.amazon.com/apprunner), and in the **Regions** list, select your AWS Region.
1. Go to **Networking** section under **Configure service**.
1. Choose **Private endpoint**, for **Incoming network traffic**. Options to connect to a VCP using VPC interface endpoint opens.
1. Choose **Create new endpoint**. The **Create new VPC interface endpoint** dialog-box opens.
1. Enter a name for VPC interface endpoint.
1. Choose the required VPC interface endpoint from the available drop-down list.
1. Choose security group from the drop-down list. Adding security groups provides an additional layer of security to the VPC interface endpoint. It’s recommended to choose two or more security groups. If you don’t choose a security group, App Runner assigns a default security group to the VPC interface endpoint. Ensure that the security group rules don't block the resources that want to communicate with your App Runner service. The security group rules must allow resources that will interact with your App Runner service.
**Note**
If your App Runner application requires source IP/CIDR incoming traffic control rules, you must use security group rules for private endpoints instead of [WAF web ACLs](waf.md). This is because we currently don’t support forwarding request source IP data to App Runner private services associated with WAF. As a result, source IP rules for App Runner private services that are associated with WAF web ACLs do not adhere to IP based rules.
To learn more about infrastructure security and security groups, including best practices, see the following topics in the *Amazon VPC User Guide*: [Control network traffic](https://docs.aws.amazon.com/vpc/latest/userguide/infrastructure-security.html#control-network-traffic) and [Control traffic to your AWS resources using security groups](https://docs.aws.amazon.com//vpc/latest/userguide/vpc-security-groups.html).
1. Choose the required subnets from the drop-down list. It is recommended to select at least two subnets for each Availability Zone from which you’ll access the App Runner service.
**Note**
If you're configuring the endpoint for dual stack make sure that your infrastructure and VPC endpoint supports dual-stack traffic.
1. (Optional) Choose **Add new tag** and enter the tag key and the tag value.
1. Choose **Create**. The **Configure service** page opens showing the message of successful creation of VPC interface endpoint on the top bar.
**To choose an existing VPC interface endpoint**
1. Open the [App Runner console](https://console.aws.amazon.com/apprunner), and in the **Regions** list, select your AWS Region.
1. Go to **Networking** section under **Configure service**.
1. Choose **Private endpoint**, for **Incoming network traffic**. Options to connect to a VPC using VPC interface endpoint opens. A list of available VPC interface endpoints is shown.
1. Choose the required VPC interface endpoint listed under **VPC interface endpoints**.
1. Choose **Next** to create your service. App Runner enables the Private endpoint.
**Note**
After your service is created you can choose to edit the Security groups and Subnets associated with the VPC interface endpoint, if required.
To check the details of the **Private endpoint**, go to your service and expand the **Networking** section under **Configuration** tab. It shows details of the VPC and the VPC interface endpoint associated with the **Private endpoint**.
### Update VPC interface endpoint
After your App Runner service is created, you can edit the VPC interface endpoint associated with the Private endpoint.
**Note**
You cannot update the **Endpoint name** and the **VPC** fields.
**To update VPC interface endpoint**
1. Open the [App Runner console](https://console.aws.amazon.com/apprunner), and in the **Regions** list, select your AWS Region.
1. Go to your service and choose **Networking configurations** on the left panel.
1. Choose **Incoming traffic** to view the VPC interface endpoints associated with the respective services.
1. Choose the VPC interface endpoint you want to edit.
1. Choose **Edit**. The dialog-box to edit the VPC interface endpoint opens.
1. Choose the required **Security groups** and **Subnets** and click **Update**. The page showing the VPC interface endpoint details opens with the message of successful update of the VPC interface endpoint on the top bar.
**Note**
If your App Runner application requires source IP/CIDR incoming traffic control rules, you must use security group rules for private endpoints instead of [WAF web ACLs](waf.md). This is because we currently don’t support forwarding request source IP data to App Runner private services associated with WAF. As a result, source IP rules for App Runner private services that are associated with WAF web ACLs do not adhere to IP based rules.
To learn more about infrastructure security and security groups, including best practices, see the following topics in the *Amazon VPC User Guide*: [Control network traffic](https://docs.aws.amazon.com/vpc/latest/userguide/infrastructure-security.html#control-network-traffic) and [Control traffic to your AWS resources using security groups](https://docs.aws.amazon.com//vpc/latest/userguide/vpc-security-groups.html).
### Delete VPC interface endpoint
If you don’t want your App Runner service to be privately accessible, you can set your incoming traffic to **Public**. Changing to **Public** removes the Private endpoint, but it doesn’t delete the VPC interface endpoint
**To delete VPC interface endpoint**
1. Open the [App Runner console](https://console.aws.amazon.com/apprunner), and in the **Regions** list, select your AWS Region.
1. Go to your service and choose **Networking configurations** on the left panel.
1. Choose **Incoming traffic** to view the VPC interface endpoints associated with the respective services.
**Note**
Before deleting a VPC interface endpoint, remove it from all the services its connected to by updating your service.
1. Choose **Delete**.
If there are services connected to VPC interface endpoint, then you receive a **Cannot delete VPC interface endpoint** message. If there are no services connected to the VPC interface endpoint, you receive a message to confirm the deletion.
1. Choose **Delete**. The **Network configurations** page opens for the **Incoming traffic** with the message of successful deletion of the VPC interface endpoint on the top bar.
## App Runner API or AWS CLI
You can deploy an application on App Runner that is only accessible from within an Amazon VPC.
For information on permissions required to make your service private, see [Permissions](network-pl.md#network-pl.permissions).
**To create a private service connection to Amazon VPC**
1. Create a VPC interface endpoint, an AWS PrivateLink resource, to connect to App Runner. To do this, specify subnets and security groups to associate with the application. The following is an example of creating a VPC interface endpoint.
**Note**
If your App Runner application requires source IP/CIDR incoming traffic control rules, you must use security group rules for private endpoints instead of [WAF web ACLs](waf.md). This is because we currently don’t support forwarding request source IP data to App Runner private services associated with WAF. As a result, source IP rules for App Runner private services that are associated with WAF web ACLs do not adhere to IP based rules.
To learn more about infrastructure security and security groups, including best practices, see the following topics in the *Amazon VPC User Guide*: [Control network traffic](https://docs.aws.amazon.com/vpc/latest/userguide/infrastructure-security.html#control-network-traffic) and [Control traffic to your AWS resources using security groups](https://docs.aws.amazon.com//vpc/latest/userguide/vpc-security-groups.html).
**Example**
```
aws ec2 create-vpc-endpoint
--vpc-endpoint-type: Interface
--service-name: com.amazonaws.us-east-1.apprunner.requests
--subnets: subnet1, subnet2
--security-groups: sg1
```
1. Reference the VPC interface endpoint by using the [CreateService](https://docs.aws.amazon.com/apprunner/latest/api/API_CreateService.html) or [UpdateService](https://docs.aws.amazon.com/apprunner/latest/api/API_UpdateService.html) App Runner API actions through the CLI. Configure your service to not be publicly accessible. Set `IsPubliclyAccessible` to `False` in the `IngressConfiguration` member of the `NetworkConfiguration` parameter. Optionally you can set the `IpAddressType` field to `IPV4` or `DUAL_STACK`. If not set, this value defaults to IPV4. The following example references the VPC interface endpoint.
**Example**
```
aws apprunner create-service
--network-configuration:
{
"IngressConfiguration":
{
"IsPubliclyAccessible": False
},
"IpAddressType": "IPV4"
}
--service-name: com.amazonaws.us-east-1.apprunner.requests
--source-configuration:
```
1. Call the `create-vpc-ingress-connection` API action to create the VPC Ingress Connection resource for App Runner and associate it with the VPC interface endpoint you created in the previous step. It returns a domain name that is used to access your service in the specified VPC. The following is an example of creating a VPC Ingress Connection resource.
**Example Request**
```
aws apprunner create-vpc-ingress-connection
--service-arn:
--ingress-vpc-configuration: {"VpcId":, "VpceId": }
--vpc-ingress-connection-name:
```
**Example Response**
```
{
"VpcIngressConnectionArn": ,
"VpcIngressConnectionName": ,
"ServiceArn": ,
"Status": "PENDING_CREATION",
"AccountId": ,
"DomainName": ,
"IngressVpcConfiguration": {"VpcId":, "VpceId":},
"CreatedAt":
}
```
### Update VPC Ingress Connection
You can update the VPC Ingress Connection resource. The VPC Ingress Connection must be in one of the following states to be updated:
+ AVAILABLE
+ FAILED\$1CREATION
+ FAILED\$1UPDATE
The following is an example of updating a VPC Ingress Connection resource.
**Example Request**
```
aws apprunner update-vpc-ingress-connection
--vpc-ingress-connection-arn:
```
**Example Response**
```
{
"VpcIngressConnectionArn": ,
"VpcIngressConnectionName": ,
"ServiceArn": ,
"Status": "FAILED_UPDATE",
"AccountId": ,
"DomainName": ,
"IngressVpcConfiguration": {"VpcId":, "VpceId":},
"CreatedAt":
}
```
### Delete VPC Ingress Connection
You can delete the VPC Ingress Connection resource if you no longer need the private connection to the Amazon VPC.
The VPC Ingress Connection must be in one of the following states to be deleted:
+ AVAILABLE
+ FAILED CREATION
+ FAILED UPDATE
+ FAILED DELETION
The following is an example of deleting a VPC Ingress Connection
**Example Request**
```
aws apprunner delete-vpc-ingress-connection
--vpc-ingress-connection-arn:
```
**Example Response**
```
{
"VpcIngressConnectionArn": ,
"VpcIngressConnectionName": ,
"ServiceArn": ,
"Status": "PENDING_DELETION",
"AccountId": ,
"DomainName": ,
"IngressVpcConfiguration": {"VpcId":, "VpceId":},
"CreatedAt": ,
"DeletedAt":
}
```
Use the following App Runner API actions to manage the private inbound traffic for your service.
+ [CreateVpcIngressConnection](https://docs.aws.amazon.com/apprunner/latest/api/API_CreateVpcIngressConnection.html) – Create a new VPC Ingress Connection resource. App Runner requires this resource when you want to associate your App Runner service to an Amazon VPC endpoint.
+ [ListVpcIngressConnections](https://docs.aws.amazon.com/apprunner/latest/api/API_ListVpcIngressConnections.html) – Return a list of AWS App Runner VPC Ingress Connection endpoints that are associated with your AWS account.
+ [DescribeVpcIngressConnection](https://docs.aws.amazon.com/apprunner/latest/api/API_DescribeVpcIngressConnection.html) – Return a full description of AWS App Runner VPC Ingress Connection resource.
+ [UpdateVpcIngressConnection](https://docs.aws.amazon.com/apprunner/latest/api/API_UpdateVpcIngressConnection.html) – Update the AWS App Runner VPC Ingress Connection resource.
+ [DeleteVpcIngressConnection](https://docs.aws.amazon.com/apprunner/latest/api/API_DeleteVpcIngressConnection.html) – Delete an App Runner VPC Ingress Connection resource that’s associated with the App Runner service.
For more information on using App Runner API, see [App Runner API Reference guide](https://docs.aws.amazon.com/apprunner/latest/api/).
# Enabling IPv6 for incoming traffic
If you want your service to receive incoming network traffic from IPv6 addresses, or from both IPv4 and IPv6 addresses, choose the **Dual-stack** address type for the endpoint. When you’re creating a new application, you can find this setting under **Configure service** > **Networking** section. The following procedures explain how to enable IPv4 or dual-stack (IPv6 and IPv4) using the App Runner console or the App Runner API.
## Managing dual stack for incoming traffic
Manage the dual-stack address type for incoming traffic using one of the following methods:
+ [App Runner console](#network-dual-stack-manage.console)
+ [App Runner API or AWS CLI](#network-dual-stack-manage.api)
**Note**
The following procedures explain how to manage the network address type for **public** incoming traffic. For information about managing dual-stack or IPv4 address types for **private** endpoints, see [Managing Private endpoints](network-pl-manage.md).
### App Runner console
You can choose dual-stack address type for the incoming internet traffic, when you create a service using the App Runner console, or when you update its configuration later.
**To enable dual-stack address type**
1. When [creating](manage-create.md) or [updating](manage-configure.md) a service, expand the **Networking** section under **Configure service**.
1. Choose **Public endpoint** for **Incoming network traffic**. If you select **Public endpoint**, the **Endpoint IP address type** option opens.
See [Managing Private endpoints](network-pl-manage.md) for a procedure to manage dual-stack or IPv4 address types for private endpoints.
1. Expand **Endpoint IP address type** to view the following IP address types.
+ **IPv4**
+ **Dual-stack (IPv4 and IPv6)**
**Note**
If you do not expand **Endpoint IP address type** to make a selection, then App Runner assigns IPv4 as the default configuration.
1. Choose **Dual-stack (IPv4 and IPv6)**.
1. Choose **Next** and then **Create & Deploy** if you are creating a service. Else, choose **Save changes** if you are updating a service.
When the service is deployed, your application starts receiving network traffic from both IPv4 and IPv6 endpoints.
**To change the address type**
1. Follow the steps to [update](manage-configure.md) a service and navigate to Networking.
1. Navigate to **Endpoint IP address type** under **Incoming network traffic** and select the required address type.
1. Choose **Save changes.** Your service is updated with your selection.
### App Runner API or AWS CLI
When you call the [CreateService](https://docs.aws.amazon.com/apprunner/latest/api/API_CreateService.html) or [UpdateService](https://docs.aws.amazon.com/apprunner/latest/api/API_UpdateService.html) App Runner API actions, use the `IpAddressType` member of the `NetworkConfiguration` parameter to specify the address type. The supported values that you can specify are `IPv4` and `DUAL_STACK`. Specify `DUAL_STACK` if you want your service to receive internet traffic from IPv4 and IPv6 endpoints. If you do not specify any value for `IpAddressType`, by default IPv4 is applied.
**Note**
For private endpoint examples, see [App Runner API or AWS CLI](network-pl-manage.md#network-pl-manage.api).
The following is the example to create a service with the dual stack as IP address. This example calls an `input.json` file.
**Example Request to create a service with dual stack support**
```
aws apprunner create-service \
--cli-input-json file://input.json
```
**Example Contents of `input.json`**
```
{
"ServiceName": "example-service",
"SourceConfiguration": {
"ImageRepository": {
"ImageIdentifier": "public.ecr.aws/aws-containers/hello-app-runner:latest",
"ImageConfiguration": {
"Port": "8000"
},
"ImageRepositoryType": "ECR_PUBLIC"
},
"NetworkConfiguration": {
"IpAddressType": "DUAL_STACK"
}
}
}
```
**Example Response**
```
{
"Service": {
"ServiceName": "example-service",
"ServiceId": "",
"ServiceArn": "arn:aws:apprunner:us-east-2:123456789012:service/example-service/",
"ServiceUrl": "1234567890.us-east-2.awsapprunner.com",
"CreatedAt": "2023-10-16T12:30:51.724000-04:00",
"UpdatedAt": "2023-10-16T12:30:51.724000-04:00",
"Status": "OPERATION_IN_PROGRESS",
"SourceConfiguration": {
"ImageRepository": {
"ImageIdentifier": "public.ecr.aws/aws-containers/hello-app-runner:latest",
"ImageConfiguration": {
"Port": "8000"
},
"ImageRepositoryType": "ECR_PUBLIC"
},
"AutoDeploymentsEnabled": false
},
"InstanceConfiguration": {
"Cpu": "1024",
"Memory": "2048"
},
"HealthCheckConfiguration": {
"Protocol": "TCP",
"Path": "/",
"Interval": 5,
"Timeout": 2,
"HealthyThreshold": 1,
"UnhealthyThreshold": 5
},
"AutoScalingConfigurationSummary": {
"AutoScalingConfigurationArn": "arn:aws:apprunner:us-east-2:123456789012:autoscalingconfiguration/DefaultConfiguration/1/00000000000000000000000000000001",
"AutoScalingConfigurationName": "DefaultConfiguration",
"AutoScalingConfigurationRevision": 1
},
"NetworkConfiguration": {
"IpAddressType": "DUAL_STACK",
"EgressConfiguration": {
"EgressType": "DEFAULT"
},
"IngressConfiguration": {
"IsPubliclyAccessible": true
}
}
},
"OperationId": "24bd100b1e111ae1a1f0e1115c4f11de"
}
```
For more information on the API parameter, see [NetworkConfiguration](https://docs.aws.amazon.com/apprunner/latest/api/API_NetworkConfiguration.html).