AWS App Runner will no longer be open to new customers starting April 30, 2026. If you would like to use App Runner, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [AWS App Runner availability change](https://docs.aws.amazon.com/apprunner/latest/dg/apprunner-availability-change.html). # Networking with App Runner Networking This chapter describes networking configurations for your AWS App Runner services. From this chapter you will learn the following: + How to configure your incoming traffic for private and public endpoints. For more information, see [Setting up networking configurations for incoming traffic](network-incoming.md). + How to configure your outgoing traffic to access to other applications running in an Amazon VPC. For more information, see [Enabling VPC access for outgoing traffic](network-vpc.md). **Topics** + [ # Terminology ](network-terms.md) + [ # Setting up networking configurations for incoming traffic ](network-incoming.md) + [ # Enabling VPC access for outgoing traffic ](network-vpc.md) # Terminology Terminology In order to know how to customize your network traffic to suit your needs, let’s understand the following terms that are used in this chapter. ## General Terms To know what is needed to associate with an Amazon Virtual Private Cloud (VPC), let’s understand the following terms: + *VPC*: An *Amazon VPC* is a logically isolated virtual network that gives you complete control over your virtual networking environment, including resource placement, connectivity, and security. It is a virtual network that closely resembles a traditional network that you'd operate in your own data center. + *VPC interface endpoint*: *VPC interface endpoint*, an AWS PrivateLink resource, connects a VPC to an endpoint service. Create a VPC interface endpoint to send traffic to endpoint services that use a Network Load Balancer to distribute traffic. Traffic destined for the endpoint service is resolved using DNS. + *Regions*: Each *Region* is a separate geographic area where you can host an App Runner service. + *Availability Zones*: An *Availability Zone* is an isolated location within an AWS Region. It is one or more discrete data centers with redundant power, networking, and connectivity. Availability Zones help you to make production applications highly available, fault tolerant, and scalable. + *Subnets*: A *subnet* is a range of IP addresses in your VPC. A subnet must reside in a single Availability Zone. You can launch an AWS resource into a specified subnet. Use a public subnet for resources that must be connected to the internet, and a private subnet for resources that won't be connected to the internet. + *Security groups*: A *security group* controls the traffic that is allowed to reach and leave the resources that it is associated with. Security groups provide an additional layer of security to protect the AWS resources in each subnet, giving you more control over your network traffic. When you create a VPC, it comes with a default security group. You can create additional security groups for each VPC. You can associate a security group only with resources within the VPC for which it is created. + *Dual-stack*: A *dual-stack* is an address type that supports network traffic from both IPv4 and IPv6 endpoints. ## Term specific to configuring outgoing traffic VPC Connector A *VPC Connector* is an App Runner resource that enables App Runner service to access applications that run in a private Amazon VPC. ## Terms specific to configuring incoming traffic To know how you can make your services privately accessible only from within an Amazon VPC, let’s understand the following terms: + *VPC Ingress Connection*: *VPC Ingress Connection* is an App Runner resource that provides an App Runner endpoint for incoming traffic. App Runner assigns the VPC Ingress Connection resource behind the scenes when you choose **Private endpoint** on the App Runner console for your incoming traffic. The VPC Ingress Connection resource connects your App Runner service to the VPC interface endpoint of the Amazon VPC. **Note** If you are using App Runner API, the VPC Ingress Connection resource is not automatically created. + *Private endpoint*: *Private endpoint* is an App Runner console option that you select to configure the incoming network traffic to be accessible from only within an Amazon VPC. # Setting up networking configurations for incoming traffic Incoming traffic You can configure your service to receive incoming traffic from private or public endpoint. A **Public Endpoint** is the default configuration. It opens your service to any incoming traffic from the public internet. It also provides you with the flexibility to choose between IPv4 or dual-stack (IPv4 and IPv6) address types for your service. A **Private endpoint** only allows traffic from an Amazon VPC to access your App Runner service. This is achieved by setting up a VPC interface endpoint, an AWS PrivateLink resource, for your App Runner service. Thereby, creating a private connection between the Amazon VPC and your App Runner service. It also provides you with the flexibility to choose between IPv4 or dual-stack (IPv4 and IPv6) address types for your service. The following are the topics that are covered as part of setting up your network configurations for incoming traffic: + How to configure your incoming traffic to make your service privately available only from within an Amazon VPC. For more information, see [Enabling Private endpoint for incoming traffic](network-pl.md). + How to configure your service to receive internet traffic from the dual-stack address type. For more information, see [Enabling dual stack for public incoming traffic](network-dual-stack.md). ## Headers Headers With App Runner you can access the original source IPv4 and IPv6 addresses of the traffic entering your application. The original source IP addresses are preserved by assigning the `X-Forwarded-For` request header to them. This enables your applications to fetch the original source IP addresses when needed. **Note** If your service is configured to use private endpoint, then `X-Forwarded-For` request header cannot be used to access original source IP addresses. If used, it retrieves false values. # Enabling Private endpoint for incoming traffic Enable Private endpoint By default when you create an AWS App Runner service, the service is accessible over the internet. However, you can also make your App Runner service private and only accessible from within an Amazon Virtual Private Cloud (Amazon VPC). With your App Runner service private, you have complete control over incoming traffic, adding an additional layer of security. This is helpful in a variety of use cases, including running internal APIs, corporate web applications, or applications that are still in development that require a greater level of privacy and security, or have the need to meet specific compliance requirements. **Note** If your App Runner application requires source IP/CIDR incoming traffic control rules, you must use security group rules for private endpoints instead of [WAF web ACLs](waf.md). This is because we currently don’t support forwarding request source IP data to App Runner private services associated with WAF. As a result, source IP rules for App Runner private services that are associated with WAF web ACLs do not adhere to IP based rules. To learn more about infrastructure security and security groups, including best practices, see the following topics in the *Amazon VPC User Guide*: [Control network traffic](https://docs.aws.amazon.com/vpc/latest/userguide/infrastructure-security.html#control-network-traffic) and [Control traffic to your AWS resources using security groups](https://docs.aws.amazon.com//vpc/latest/userguide/vpc-security-groups.html). When your App Runner service is private, you can access your service from within an Amazon VPC. An internet gateway, NAT device, or VPN connection isn’t required. **Note** App Runner supports IPv4 and dual-stack, (both IPv4 and IPv6), for both incoming traffic and outgoing traffic. ## Considerations + Before you set up a VPC interface endpoint for App Runner, review [Considerations](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html#considerations-interface-endpoints) in the *AWS PrivateLink Guide*. + VPC endpoint policies are not supported for App Runner. By default, full access to App Runner is allowed through the VPC interface endpoint. Alternatively, you can associate a security group with the endpoint network interfaces to control traffic to App Runner through the VPC interface endpoint. + If your App Runner application requires source IP/CIDR incoming traffic control rules, you must use security group rules for private endpoints instead of [WAF web ACLs](waf.md). This is because we currently don’t support forwarding request source IP data to App Runner private services associated with WAF. As a result, source IP rules for App Runner private services that are associated with WAF web ACLs do not adhere to IP based rules. + After you enable a Private endpoint, your service is only accessible from your VPC, and can’t be accessed from the internet. + For higher availability, it's recommended that you select at least two subnets across Availability Zone different for the VPC interface endpoint. We don’t recommend using only one subnet. + If you're choosing the dual stack option for the IP address type, ensure your subnets can support dual-stack traffic. + You can use the same VPC interface endpoint to access multiple App Runner services in a VPC. For information on the terms used in this section, see [Terminology](network-terms.md). ## Permissions The following is the list of permissions required to enable **Private endpoint**: + ec2:CreateTags + ec2:CreateVpcEndpoint + ec2:ModifyVpcEndpoint + ec2:DeleteVpcEndpoints + ec2:DescribeSubnets + ec2:DescribeVpcEndpoints + ec2:DescribeVpcs ## VPC interface endpoint A VPC interface endpoint is an *AWS PrivateLink* resource that connects an Amazon VPC to an endpoint service. You can specify which Amazon VPC you would like your App Runner service to be accessible in by passing a VPC interface endpoint. To create a VPC interface endpoint specify the following: + The Amazon VPC to enable the connectivity. + Add Security groups. By default, a security group is assigned to VPC interface endpoint. You can choose to associate a custom security group to bring further control to incoming network traffic. + Add subnets. To ensure higher availability, it is recommended to select at least two subnets for each Availability Zone from which you’ll access the App Runner service. A network interface endpoint is created in each subnet that you enable for the VPC interface endpoint. These are requester-managed network interfaces that serve as the entry point for traffic destined for App Runner. A requester-managed network interface is a network interface that an AWS service creates in your VPC on your behalf. + If you are using the API, add the App Runner VPC interface endpoint `Servicename`. For example, ``` com.amazonaws.region.apprunner.requests ``` You can create a VPC interface endpoint using one of the following AWS services: + App Runner console. For more information, see [Manage Private endpoint](network-pl-manage.md). + Amazon VPC console or API, and AWS Command Line Interface (AWS CLI). For more information, see [Access AWS services through AWS PrivateLink](https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-access-aws-services.html) in the *AWS PrivateLink Guide*. **Note** You’re charged for each VPC interface endpoint that you use based on [AWS PrivateLink Pricing](https://aws.amazon.com/privatelink/pricing/). Therefore, for better cost efficiency, you can use the same VPC interface endpoint to access multiple App Runner services within a VPC. However, for better isolation, consider associating a different VPC interface endpoint for each of your App Runner services. ## VPC Ingress Connection A *VPC Ingress Connection* is an App Runner resource that specifies an App Runner endpoint for incoming traffic. App Runner assigns the VPC Ingress Connection resource behind the scenes when you choose **Private endpoint** on the App Runner console for your incoming traffic. Choose this option to only allow traffic from an Amazon VPC to access your App Runner service. The VPC Ingress Connection resource connects your App Runner service to the VPC interface endpoint of the Amazon VPC. You can create a VPC Ingress Connection resource only if you are using the API operations to configure the network settings for incoming traffic. For more information how to create VPC Ingress Connection resource, see [CreateVpcIngressConnection](https://docs.aws.amazon.com/apprunner/latest/api/API_CreateVpcIngressConnection.html.html) in the *AWS App Runner API Reference*. **Note** One VPC Ingress Connection resource of the App Runner can connect to one VPC interface endpoint of the Amazon VPC. Also, you can only create one VPC Ingress Connection resource for each App Runner service. ## Private endpoint Private endpoint is an App Runner console option that you can choose if you only want to receive incoming traffic from an Amazon VPC. Choosing the **Private endpoint** option on the App Runner console provides you with the option to connect your service to a VPC by configuring its *VPC interface endpoint*. Behind the scenes, App Runner assigns a VPC Ingress Connection resource to the VPC interface endpoint that you configure. ## Summary Make your service private by only allowing traffic from an Amazon VPC to access your App Runner service. To achieve this, you create a VPC interface endpoint for the selected Amazon VPC using either App Runner or Amazon VPC. On the App Runner console, you create a VPC interface endpoint when you enable the **Private endpoint** for the **Incoming traffic**. App Runner then automatically creates a *VPC Ingress Connection* resource and connects to the VPC interface endpoint and your App Runner service. This creates a private service connection that ensures that only traffic from the selected VPC can access your App Runner service. # Managing Private endpoints Manage Private endpoints Manage the Private endpoint for the incoming traffic using one of the following methods: + [App Runner console](#network-pl-manage.console) + [App Runner API or AWS CLI](#network-pl-manage.api) **Note** If your App Runner application requires source IP/CIDR incoming traffic control rules, you must use security group rules for private endpoints instead of [WAF web ACLs](waf.md). This is because we currently don’t support forwarding request source IP data to App Runner private services associated with WAF. As a result, source IP rules for App Runner private services that are associated with WAF web ACLs do not adhere to IP based rules. To learn more about infrastructure security and security groups, including best practices, see the following topics in the *Amazon VPC User Guide*: [Control network traffic](https://docs.aws.amazon.com/vpc/latest/userguide/infrastructure-security.html#control-network-traffic) and [Control traffic to your AWS resources using security groups](https://docs.aws.amazon.com//vpc/latest/userguide/vpc-security-groups.html). ## App Runner console When you [create a service](manage-create.md) using the App Runner console, or when you [update its configuration later](manage-configure.md), you can choose to configure the incoming traffic. To configure your incoming traffic, choose one of the following. + **Public endpoint**: To make your service accessible to all services over the internet. By default, **Public endpoint** is selected. + **Private endpoint**: To make your App Runner service accessible from only within an Amazon VPC. ### Enable Private endpoint Enable a **Private endpoint** by associating it with VPC interface endpoint of the Amazon VPC you want to access. You can either create a new VPC interface endpoint or choose an existing one. **To create a VPC interface endpoint** 1. Open the [App Runner console](https://console.aws.amazon.com/apprunner), and in the **Regions** list, select your AWS Region. 1. Go to **Networking** section under **Configure service**. 1. Choose **Private endpoint**, for **Incoming network traffic**. Options to connect to a VCP using VPC interface endpoint opens. 1. Choose **Create new endpoint**. The **Create new VPC interface endpoint** dialog-box opens. 1. Enter a name for VPC interface endpoint. 1. Choose the required VPC interface endpoint from the available drop-down list. 1. Choose security group from the drop-down list. Adding security groups provides an additional layer of security to the VPC interface endpoint. It’s recommended to choose two or more security groups. If you don’t choose a security group, App Runner assigns a default security group to the VPC interface endpoint. Ensure that the security group rules don't block the resources that want to communicate with your App Runner service. The security group rules must allow resources that will interact with your App Runner service. **Note** If your App Runner application requires source IP/CIDR incoming traffic control rules, you must use security group rules for private endpoints instead of [WAF web ACLs](waf.md). This is because we currently don’t support forwarding request source IP data to App Runner private services associated with WAF. As a result, source IP rules for App Runner private services that are associated with WAF web ACLs do not adhere to IP based rules. To learn more about infrastructure security and security groups, including best practices, see the following topics in the *Amazon VPC User Guide*: [Control network traffic](https://docs.aws.amazon.com/vpc/latest/userguide/infrastructure-security.html#control-network-traffic) and [Control traffic to your AWS resources using security groups](https://docs.aws.amazon.com//vpc/latest/userguide/vpc-security-groups.html). 1. Choose the required subnets from the drop-down list. It is recommended to select at least two subnets for each Availability Zone from which you’ll access the App Runner service. **Note** If you're configuring the endpoint for dual stack make sure that your infrastructure and VPC endpoint supports dual-stack traffic. 1. (Optional) Choose **Add new tag** and enter the tag key and the tag value. 1. Choose **Create**. The **Configure service** page opens showing the message of successful creation of VPC interface endpoint on the top bar. **To choose an existing VPC interface endpoint** 1. Open the [App Runner console](https://console.aws.amazon.com/apprunner), and in the **Regions** list, select your AWS Region. 1. Go to **Networking** section under **Configure service**. 1. Choose **Private endpoint**, for **Incoming network traffic**. Options to connect to a VPC using VPC interface endpoint opens. A list of available VPC interface endpoints is shown. 1. Choose the required VPC interface endpoint listed under **VPC interface endpoints**. 1. Choose **Next** to create your service. App Runner enables the Private endpoint. **Note** After your service is created you can choose to edit the Security groups and Subnets associated with the VPC interface endpoint, if required. To check the details of the **Private endpoint**, go to your service and expand the **Networking** section under **Configuration** tab. It shows details of the VPC and the VPC interface endpoint associated with the **Private endpoint**. ### Update VPC interface endpoint After your App Runner service is created, you can edit the VPC interface endpoint associated with the Private endpoint. **Note** You cannot update the **Endpoint name** and the **VPC** fields. **To update VPC interface endpoint** 1. Open the [App Runner console](https://console.aws.amazon.com/apprunner), and in the **Regions** list, select your AWS Region. 1. Go to your service and choose **Networking configurations** on the left panel. 1. Choose **Incoming traffic** to view the VPC interface endpoints associated with the respective services. 1. Choose the VPC interface endpoint you want to edit. 1. Choose **Edit**. The dialog-box to edit the VPC interface endpoint opens. 1. Choose the required **Security groups** and **Subnets** and click **Update**. The page showing the VPC interface endpoint details opens with the message of successful update of the VPC interface endpoint on the top bar. **Note** If your App Runner application requires source IP/CIDR incoming traffic control rules, you must use security group rules for private endpoints instead of [WAF web ACLs](waf.md). This is because we currently don’t support forwarding request source IP data to App Runner private services associated with WAF. As a result, source IP rules for App Runner private services that are associated with WAF web ACLs do not adhere to IP based rules. To learn more about infrastructure security and security groups, including best practices, see the following topics in the *Amazon VPC User Guide*: [Control network traffic](https://docs.aws.amazon.com/vpc/latest/userguide/infrastructure-security.html#control-network-traffic) and [Control traffic to your AWS resources using security groups](https://docs.aws.amazon.com//vpc/latest/userguide/vpc-security-groups.html). ### Delete VPC interface endpoint If you don’t want your App Runner service to be privately accessible, you can set your incoming traffic to **Public**. Changing to **Public** removes the Private endpoint, but it doesn’t delete the VPC interface endpoint **To delete VPC interface endpoint** 1. Open the [App Runner console](https://console.aws.amazon.com/apprunner), and in the **Regions** list, select your AWS Region. 1. Go to your service and choose **Networking configurations** on the left panel. 1. Choose **Incoming traffic** to view the VPC interface endpoints associated with the respective services. **Note** Before deleting a VPC interface endpoint, remove it from all the services its connected to by updating your service. 1. Choose **Delete**. If there are services connected to VPC interface endpoint, then you receive a **Cannot delete VPC interface endpoint** message. If there are no services connected to the VPC interface endpoint, you receive a message to confirm the deletion. 1. Choose **Delete**. The **Network configurations** page opens for the **Incoming traffic** with the message of successful deletion of the VPC interface endpoint on the top bar. ## App Runner API or AWS CLI You can deploy an application on App Runner that is only accessible from within an Amazon VPC. For information on permissions required to make your service private, see [Permissions](network-pl.md#network-pl.permissions). **To create a private service connection to Amazon VPC** 1. Create a VPC interface endpoint, an AWS PrivateLink resource, to connect to App Runner. To do this, specify subnets and security groups to associate with the application. The following is an example of creating a VPC interface endpoint. **Note** If your App Runner application requires source IP/CIDR incoming traffic control rules, you must use security group rules for private endpoints instead of [WAF web ACLs](waf.md). This is because we currently don’t support forwarding request source IP data to App Runner private services associated with WAF. As a result, source IP rules for App Runner private services that are associated with WAF web ACLs do not adhere to IP based rules. To learn more about infrastructure security and security groups, including best practices, see the following topics in the *Amazon VPC User Guide*: [Control network traffic](https://docs.aws.amazon.com/vpc/latest/userguide/infrastructure-security.html#control-network-traffic) and [Control traffic to your AWS resources using security groups](https://docs.aws.amazon.com//vpc/latest/userguide/vpc-security-groups.html). **Example** ``` aws ec2 create-vpc-endpoint --vpc-endpoint-type: Interface --service-name: com.amazonaws.us-east-1.apprunner.requests --subnets: subnet1, subnet2 --security-groups: sg1 ``` 1. Reference the VPC interface endpoint by using the [CreateService](https://docs.aws.amazon.com/apprunner/latest/api/API_CreateService.html) or [UpdateService](https://docs.aws.amazon.com/apprunner/latest/api/API_UpdateService.html) App Runner API actions through the CLI. Configure your service to not be publicly accessible. Set `IsPubliclyAccessible` to `False` in the `IngressConfiguration` member of the `NetworkConfiguration` parameter. Optionally you can set the `IpAddressType` field to `IPV4` or `DUAL_STACK`. If not set, this value defaults to IPV4. The following example references the VPC interface endpoint. **Example** ``` aws apprunner create-service --network-configuration: { "IngressConfiguration": { "IsPubliclyAccessible": False }, "IpAddressType": "IPV4" } --service-name: com.amazonaws.us-east-1.apprunner.requests --source-configuration: ``` 1. Call the `create-vpc-ingress-connection` API action to create the VPC Ingress Connection resource for App Runner and associate it with the VPC interface endpoint you created in the previous step. It returns a domain name that is used to access your service in the specified VPC. The following is an example of creating a VPC Ingress Connection resource. **Example Request** ``` aws apprunner create-vpc-ingress-connection --service-arn: --ingress-vpc-configuration: {"VpcId":, "VpceId": } --vpc-ingress-connection-name: ``` **Example Response** ``` { "VpcIngressConnectionArn": , "VpcIngressConnectionName": , "ServiceArn": , "Status": "PENDING_CREATION", "AccountId": , "DomainName": , "IngressVpcConfiguration": {"VpcId":, "VpceId":}, "CreatedAt": } ``` ### Update VPC Ingress Connection You can update the VPC Ingress Connection resource. The VPC Ingress Connection must be in one of the following states to be updated: + AVAILABLE + FAILED\$1CREATION + FAILED\$1UPDATE The following is an example of updating a VPC Ingress Connection resource. **Example Request** ``` aws apprunner update-vpc-ingress-connection --vpc-ingress-connection-arn: ``` **Example Response** ``` { "VpcIngressConnectionArn": , "VpcIngressConnectionName": , "ServiceArn": , "Status": "FAILED_UPDATE", "AccountId": , "DomainName": , "IngressVpcConfiguration": {"VpcId":, "VpceId":}, "CreatedAt": } ``` ### Delete VPC Ingress Connection You can delete the VPC Ingress Connection resource if you no longer need the private connection to the Amazon VPC. The VPC Ingress Connection must be in one of the following states to be deleted: + AVAILABLE + FAILED CREATION + FAILED UPDATE + FAILED DELETION The following is an example of deleting a VPC Ingress Connection **Example Request** ``` aws apprunner delete-vpc-ingress-connection --vpc-ingress-connection-arn: ``` **Example Response** ``` { "VpcIngressConnectionArn": , "VpcIngressConnectionName": , "ServiceArn": , "Status": "PENDING_DELETION", "AccountId": , "DomainName": , "IngressVpcConfiguration": {"VpcId":, "VpceId":}, "CreatedAt": , "DeletedAt": } ``` Use the following App Runner API actions to manage the private inbound traffic for your service. + [CreateVpcIngressConnection](https://docs.aws.amazon.com/apprunner/latest/api/API_CreateVpcIngressConnection.html) – Create a new VPC Ingress Connection resource. App Runner requires this resource when you want to associate your App Runner service to an Amazon VPC endpoint. + [ListVpcIngressConnections](https://docs.aws.amazon.com/apprunner/latest/api/API_ListVpcIngressConnections.html) – Return a list of AWS App Runner VPC Ingress Connection endpoints that are associated with your AWS account. + [DescribeVpcIngressConnection](https://docs.aws.amazon.com/apprunner/latest/api/API_DescribeVpcIngressConnection.html) – Return a full description of AWS App Runner VPC Ingress Connection resource. + [UpdateVpcIngressConnection](https://docs.aws.amazon.com/apprunner/latest/api/API_UpdateVpcIngressConnection.html) – Update the AWS App Runner VPC Ingress Connection resource. + [DeleteVpcIngressConnection](https://docs.aws.amazon.com/apprunner/latest/api/API_DeleteVpcIngressConnection.html) – Delete an App Runner VPC Ingress Connection resource that’s associated with the App Runner service. For more information on using App Runner API, see [App Runner API Reference guide](https://docs.aws.amazon.com/apprunner/latest/api/). # Enabling IPv6 for incoming traffic Enable IPv6 for App Runner's endpoints If you want your service to receive incoming network traffic from IPv6 addresses, or from both IPv4 and IPv6 addresses, choose the **Dual-stack** address type for the endpoint. When you’re creating a new application, you can find this setting under **Configure service** > **Networking** section. The following procedures explain how to enable IPv4 or dual-stack (IPv6 and IPv4) using the App Runner console or the App Runner API. ## Managing dual stack for incoming traffic Manage dual stack for endpoint Manage the dual-stack address type for incoming traffic using one of the following methods: + [App Runner console](#network-dual-stack-manage.console) + [App Runner API or AWS CLI](#network-dual-stack-manage.api) **Note** The following procedures explain how to manage the network address type for **public** incoming traffic. For information about managing dual-stack or IPv4 address types for **private** endpoints, see [Managing Private endpoints](network-pl-manage.md). ### App Runner console You can choose dual-stack address type for the incoming internet traffic, when you create a service using the App Runner console, or when you update its configuration later. **To enable dual-stack address type** 1. When [creating](manage-create.md) or [updating](manage-configure.md) a service, expand the **Networking** section under **Configure service**. 1. Choose **Public endpoint** for **Incoming network traffic**. If you select **Public endpoint**, the **Endpoint IP address type** option opens. See [Managing Private endpoints](network-pl-manage.md) for a procedure to manage dual-stack or IPv4 address types for private endpoints. 1. Expand **Endpoint IP address type** to view the following IP address types. + **IPv4** + **Dual-stack (IPv4 and IPv6)** **Note** If you do not expand **Endpoint IP address type** to make a selection, then App Runner assigns IPv4 as the default configuration. 1. Choose **Dual-stack (IPv4 and IPv6)**. 1. Choose **Next** and then **Create & Deploy** if you are creating a service. Else, choose **Save changes** if you are updating a service. When the service is deployed, your application starts receiving network traffic from both IPv4 and IPv6 endpoints. **To change the address type** 1. Follow the steps to [update](manage-configure.md) a service and navigate to Networking. 1. Navigate to **Endpoint IP address type** under **Incoming network traffic** and select the required address type. 1. Choose **Save changes.** Your service is updated with your selection. ### App Runner API or AWS CLI When you call the [CreateService](https://docs.aws.amazon.com/apprunner/latest/api/API_CreateService.html) or [UpdateService](https://docs.aws.amazon.com/apprunner/latest/api/API_UpdateService.html) App Runner API actions, use the `IpAddressType` member of the `NetworkConfiguration` parameter to specify the address type. The supported values that you can specify are `IPv4` and `DUAL_STACK`. Specify `DUAL_STACK` if you want your service to receive internet traffic from IPv4 and IPv6 endpoints. If you do not specify any value for `IpAddressType`, by default IPv4 is applied. **Note** For private endpoint examples, see [App Runner API or AWS CLI](network-pl-manage.md#network-pl-manage.api). The following is the example to create a service with the dual stack as IP address. This example calls an `input.json` file. **Example Request to create a service with dual stack support** ``` aws apprunner create-service \ --cli-input-json file://input.json ``` **Example Contents of `input.json`** ``` { "ServiceName": "example-service", "SourceConfiguration": { "ImageRepository": { "ImageIdentifier": "public.ecr.aws/aws-containers/hello-app-runner:latest", "ImageConfiguration": { "Port": "8000" }, "ImageRepositoryType": "ECR_PUBLIC" }, "NetworkConfiguration": { "IpAddressType": "DUAL_STACK" } } } ``` **Example Response** ``` { "Service": { "ServiceName": "example-service", "ServiceId": "", "ServiceArn": "arn:aws:apprunner:us-east-2:123456789012:service/example-service/", "ServiceUrl": "1234567890.us-east-2.awsapprunner.com", "CreatedAt": "2023-10-16T12:30:51.724000-04:00", "UpdatedAt": "2023-10-16T12:30:51.724000-04:00", "Status": "OPERATION_IN_PROGRESS", "SourceConfiguration": { "ImageRepository": { "ImageIdentifier": "public.ecr.aws/aws-containers/hello-app-runner:latest", "ImageConfiguration": { "Port": "8000" }, "ImageRepositoryType": "ECR_PUBLIC" }, "AutoDeploymentsEnabled": false }, "InstanceConfiguration": { "Cpu": "1024", "Memory": "2048" }, "HealthCheckConfiguration": { "Protocol": "TCP", "Path": "/", "Interval": 5, "Timeout": 2, "HealthyThreshold": 1, "UnhealthyThreshold": 5 }, "AutoScalingConfigurationSummary": { "AutoScalingConfigurationArn": "arn:aws:apprunner:us-east-2:123456789012:autoscalingconfiguration/DefaultConfiguration/1/00000000000000000000000000000001", "AutoScalingConfigurationName": "DefaultConfiguration", "AutoScalingConfigurationRevision": 1 }, "NetworkConfiguration": { "IpAddressType": "DUAL_STACK", "EgressConfiguration": { "EgressType": "DEFAULT" }, "IngressConfiguration": { "IsPubliclyAccessible": true } } }, "OperationId": "24bd100b1e111ae1a1f0e1115c4f11de" } ``` For more information on the API parameter, see [NetworkConfiguration](https://docs.aws.amazon.com/apprunner/latest/api/API_NetworkConfiguration.html). # Enabling VPC access for outgoing traffic Outgoing traffic By default, your AWS App Runner application can send messages to public endpoints. This includes your own solutions, AWS services, and any other public website or web service. Your application can even send messages to public endpoints of applications that run in a VPC from [Amazon Virtual Private Cloud](https://docs.aws.amazon.com/vpc/latest/userguide/) (Amazon VPC). If you don't configure a VPC when you launch your environment, App Runner uses the default VPC, which is public. You can choose to launch your environment in a custom VPC to customize networking and security settings for outgoing traffic. You can enable your AWS App Runner service to access applications that run in a private VPC from Amazon Virtual Private Cloud (Amazon VPC). After you do this, your application can connect with and send messages to other applications that are hosted in an [Amazon Virtual Private Cloud](https://docs.aws.amazon.com/vpc/latest/userguide/) (Amazon VPC). Examples are an Amazon RDS database, Amazon ElastiCache, and other private services that are hosted in a private VPC. ## VPC Connector You can associate your service with a VPC by creating a VPC endpoint from the App Runner console, called VPC Connector. To create a VPC Connector, specify the VPC, one or more subnets, and optionally one or more security groups. After you configure a VPC Connector, you can use it with one or more App Runner services. ### One-time latency If you configure your App Runner service with a custom VPC connector for outbound traffic, it may experience a one-time startup latency of two to five minutes. The startup process waits until the VPC Connector is ready to connect to other resources before it sets the service status to *Running*. You can configure a service with a custom VPC connector when you first create it, or you can do so afterward by doing a service update. Note that if you reuse the *same* VPC connector configuration for another service there wont be any latency. The VPC connector configuration is based on the security group and subnet combination. For a given VPC connector configuration, the latency only happens once, during the initial creation of the VPC Connector Hyperplane ENIs (elastic network interfaces). ### More about Custom VPC connectors and AWS Hyperplane The VPC connectors in App Runner are based on AWS Hyperplane, the internal Amazon network system that's behind several AWS resources, such as [Network Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html), [NAT Gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html), and [AWS PrivateLink](https://docs.aws.amazon.com/vpc/latest/privatelink/). The AWS Hyperplane technology provides high throughput and low latency capabilities, along with a higher degree of sharing. A Hyperplane ENI is created in your subnets when you create a VPC connector and associate it with your service. A VPC connector configuration is based on a security group and subnet combination, and you can reference the same VPC Connector across multiple App Runner services. As a result, the underlying Hyperplane ENIs are shared across your App Runner services. This sharing is feasible, even as you scale up the number of tasks required to handle the request load, and results in more efficient utilization of the IP space in your VPC. For more information, see [Deep Dive on AWS App Runner VPC Networking](https://aws.amazon.com/blogs/containers/deep-dive-on-aws-app-runner-vpc-networking/) in the *AWS Container Blog*. ## Subnet Each subnet is in a specific Availability Zone. For high availability, we recommend that you select subnets across at least three Availability Zones. If the Region has less than three Availability Zones, we recommend you select your subnets across all the supported Availability Zones. When selecting a subnet for your VPC, ensure that you choose a private subnet, not a public subnet. This is because, when you create a VPC Connector, the App Runner service creates a Hyperplane ENI in each of the subnets. Each Hyperplane ENI is assigned a private IP address only and is tagged with a tag of the *AWSAppRunnerManaged* key. If you choose a public subnet, errors will occur when running your App Runner service. However, if your service needs to access some services that are on the internet or other public AWS services, see [Considerations when selecting a subnet](#network-vpc.considerations-subnet). ### Considerations when selecting a subnet + When you connect your service to a VPC, the outbound traffic doesn't have access to the public internet. All outbound traffic from your application is directed through the VPC that your service is connected to. All networking rules for the VPC apply to the outbound traffic of your application. This means that your services can't access the public internet and AWS APIs. To gain access, do one of the following: + Connect the subnets to the internet through a [NAT Gateway.](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html) + Set up [VPC endpoints](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html) for the AWS services that you want to access. Your service stays within the Amazon VPC by using AWS PrivateLink. + Some Availability Zones in some AWS Regions don't support the subnets that can be used with App Runner services. If you choose subnets in these Availability Zones, your service fails to be created or updated. For these situations, App Runner provides a detailed error message pointing to the unsupported subnets and Availability Zones. When this occurs, troubleshoot by removing the unsupported subnets from your request, and then try again. + The subnets you select must all have the same IP address type, either IPv4 or dual-stack. ## Security group You can optionally specify the security groups that App Runner uses to access AWS under the specified subnets. If you don't specify security groups, App Runner uses the default security group of the VPC. The default security group allows all outbound traffic. Adding a security group provides an additional layer of security to the VPC Connectors, giving you more control over the network traffic. The VPC Connector is only used for outbound communication from your application. You use outbound rules to allow communication to the desired destination endpoints. You must also ensure that any security groups that are associated with the destination resource have the appropriate inbound rules. Otherwise, these resources can't accept traffic that comes from the VPC Connector security groups. **Note** When you associate your service with a VPC, the following traffic isn't affected: **Inbound traffic** – Incoming messages that your application receives are unaffected by an associated VPC. The messages are routed through the public domain name that's associated with your service and don't interact with the VPC. **App Runner traffic** – App Runner manages several actions on your behalf, such as pulling source code and images, pushing logs, and retrieving secrets. The traffic that these actions generate isn't routed through your VPC. To know more about how AWS App Runner integrates with Amazon VPC, see [AWS App Runner VPC Networking](https://aws.amazon.com/blogs/containers/deep-dive-on-aws-app-runner-vpc-networking/). ## Manage VPC access **Note** If you create an outbound traffic VPC connector for a service, the service startup process that follows will experience a one-time latency. You can set this configuration for a new service when you create it, or afterward, with a service update. For more information, see [One-time latency](#network-vpc.VPC-connector.latency) in the *Networking with App Runner* chapter of this guide. Manage VPC access for your App Runner services using one of the following methods: ------ #### [ App Runner console ] When you [create a service](manage-create.md) using the App Runner console, or when you [update its configuration later](manage-configure.md), you can choose to configure your outgoing traffic. Look for the **Networking** configuration section on the console page. For **Outgoing network traffic**, choose in the following: + **Public access**: To associate your service with public endpoints of other AWS services. + **Custom VPC**: To associate your service with a VPC from Amazon VPC. Your application can connect with and send messages to other applications that are hosted in an Amazon VPC. **To enable Custom VPC** 1. Open the [App Runner console](https://console.aws.amazon.com/apprunner), and in the **Regions** list, select your AWS Region. 1. Go to **Networking** section under **Configure service**. ![\[App Runner console configuration page showing networking options\]](http://docs.aws.amazon.com/apprunner/latest/dg/images/network-vpc-config-network.png) 1. Choose **Custom VPC**, for **Outgoing network traffic**. 1. In the navigation pane, choose **VPC connector**. If you created the VPC connectors, the console displays a list of VPC connectors in your account. You can choose an existing VPC connector and choose **Next** to review your configuration. Then, move to the last step. Alternatively, you can add a new VPC connector using the following steps. 1. Choose **Add new** to create a new VPC connector for your service. Then, the **Add new VPC connector** dialog box opens. ![\[App Runner console showing Add new VPC connector dialog\]](http://docs.aws.amazon.com/apprunner/latest/dg/images/network-vpc-add-new.png) 1. Enter a name for your VPC connector and select the required VPC from the available list. 1. For **Subnets** select one subnet for each Availability Zone that you plan to access the App Runner service from. For better availability, choose three subnets. Or, if there are less than three subnets, choose all available subnets. **Note** Make sure you assign *private* subnets to the VPC connector. If you assign public subnets to VPC connector, your service fails to create or rolls back automatically during an update. If your outgoing traffic is dual-stack, make sure that all of the subnets that you select are configured for dual-stack in the VPC Console. 1. (Optional) For **Security group**, select the security groups to associate with the endpoint network interfaces. 1. (Optional) To add a tag, choose **Add new tag** and enter the tag key and the tag value. 1. Choose **Add**. The details of the VPC connector you created appear under **VPC connector**. 1. Choose **Next** to review your configuration, and then choose **Create and deploy**. App Runner creates a VPC connector resource for you, and then associates it with your service. If the service is successfully created, the console shows the service dashboard, with a **Service overview** of the new service. ------ #### [ App Runner API or AWS CLI ] When you call the [CreateService](https://docs.aws.amazon.com/apprunner/latest/api/API_CreateService.html) or [UpdateService](https://docs.aws.amazon.com/apprunner/latest/api/API_UpdateService.html) App Runner API actions, use the `EgressConfiguration` member of the `NetworkConfiguration` parameter to specify a VPC connector resource for your service. Use the following App Runner API actions to manage your VPC Connector resources. + [CreateVpcConnector](https://docs.aws.amazon.com/apprunner/latest/api/API_CreateVpcConnector.html) – Creates a new VPC connector. + [ListVpcConnectors](https://docs.aws.amazon.com/apprunner/latest/api/API_ListVpcConnectors.html) – Returns a list of the VPC connectors that are associated with your AWS account. The list includes full descriptions. + [DescribeVpcConnector](https://docs.aws.amazon.com/apprunner/latest/api/API_DescribeVpcConnector.html) – Returns a full description of a VPC connector. + [DeleteVpcConnector](https://docs.aws.amazon.com/apprunner/latest/api/API_DeleteVpcConnector.html) – Deletes a VPC connector. If you reach the VPC connector quota for your AWS account, you might need to delete unnecessary VPC connectors. To deploy an application on App Runner that has outbound access to a VPC, you must first create a VPC Connector. You can do this by specifying one or more subnets and security groups to associate with the application. You can then reference the VPC Connector in the **Create** or **UpdateService** through the CLI, as illustrated in the following example: ``` cat > vpc-connector.json < service.json < ", "ImageConfiguration": { "Port": "8000" }, "ImageRepositoryType": "ECR" } }, "NetworkConfiguration": { "EgressConfiguration": { "EgressType": "VPC", "VpcConnectorArn": "arn:aws:apprunner:..../my-vpc-connector" } } } EOF aws apprunner create-service \ --cli-input-json file:///service.js ``` ------