The question is the same as

Security group outbound rule allowing all traffic

Route table routing outbound traffic to internet gateway

Route table association with all subnets (non-explicit. Default, didn't change)

How I know that my service has no outbound Internet access:

• I'm making a request google.com
• I've made a log before, after, and in catch of the request.
• Log happens before, but then nothing happens. And my API that invokes this request keeps loading forever (until it Gateway Timeouts after 5 minutes).

So, what is wrong in my configuration above/How can I give outbound Internet access to the service?
And btw, I can access the service itself (i.e., inbound traffic) through the domain generated by App Runner.

A related discussion: https://github.com/aws/apprunner-roadmap/issues/109

CodePudding user response：

According to the official App Runner documentation, you must use a NAT Gateway to provide Internet access to App Runner applications running in a VPC.

You mentioned you already tried to use a NAT Gateway in your question, but I think you configured it incorrectly. Please bear in mind the following:

• Your VPC needs both public and private subnets configured in order to properly use a NAT Gateway. Public subnets are subnets that have a route to the Internet Gateway. Private subnets are subnets that have a route to the NAT Gateway.
• The NAT Gateway itself must reside in a public subnet.
• The App Runner application must be configured to run only in private subnets.