AWS App Runner service cannot access Internet when added to a VPC


I've set up an AWS App Runner service, which works fine. Currently for networking it's configured as public access, but I'd like to change this to a VPC so that I can connect the service to an RDS instance without having to open the database up to the world.

When I change the networking config to use my default security group, the service is unable to access the Internet. Cloning a git repo from Bitbucket brings up the error: ssh: Could not resolve hostname bitbucket.org: Try again

... and trying to run npm install brings up: npm ERR! network request to https://registry.npmjs.org/gulp failed, reason: connect ETIMEDOUT 104.16.24.35:443

My security group has an outgoing rule allowing all traffic out to any destination. My RDS instance is in the same VPC/security group and I'm able to connect to this without issue (currently I've opened up port 3306 to the world). Everything else I've read from a bunch of Googling seems fine: route tables, internet gateways, firewall rules, etc.

Any help would be much appreciated!


Probably too late to be really helpful, but moving the App Runner service to a VPC sends all outgoing traffic to the VPC. The two options given in the docs are:

  1. Adding NAT gateways to each VPC

  2. Setting up VPC endpoints

Documented in the first bullet point of the "Considerations when selecting a subnet" section: https://docs.aws.amazon.com/apprunner/latest/dg/network-vpc.html
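As an added illustration of the answer above (example code, not from the question, the answer or AWS), the check below takes a route table and a security group in the shape returned by the AWS CLI and reports whether a subnet used by an App Runner VPC connector gives the service Internet egress. It assumes, per the AWS docs, that the connector's network interfaces get no public IP, so a default route through an Internet gateway is not enough and only a NAT gateway route (or VPC endpoints for AWS services) works; all ids and sample data are constructed placeholders.

```python
# Added example, not code from the question, the answer or AWS. Input dicts
# follow the JSON shape of `aws ec2 describe-route-tables` and
# `aws ec2 describe-security-groups`. Sample data below is constructed.

def default_route_target(route_table):
    """Target of the active 0.0.0.0/0 route, or None if the subnet has none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0" or route.get("State", "active") != "active":
            continue
        for key in ("NatGatewayId", "GatewayId", "TransitGatewayId", "NetworkInterfaceId"):
            if key in route:
                return route[key]
    return None

def allows_all_egress(security_group):
    """True if the group has an allow-all outbound rule to 0.0.0.0/0 (the setup in the question)."""
    for perm in security_group.get("IpPermissionsEgress", []):
        if perm.get("IpProtocol") == "-1" and any(
            r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", [])
        ):
            return True
    return False

def app_runner_egress_status(route_table, security_group):
    """Explain why the connector's subnet does or does not reach the Internet."""
    if not allows_all_egress(security_group):
        return "blocked: security group has no outbound allow to 0.0.0.0/0"
    target = default_route_target(route_table)
    if target is None:
        return "blocked: no default route; add a NAT gateway route or use VPC endpoints"
    if target.startswith("nat-"):
        return "ok: default route via NAT gateway"
    if target.startswith("igw-"):
        # Assumption from the AWS docs: connector ENIs have no public IP, so an
        # Internet gateway route alone gives no egress (the symptom in the question).
        return "blocked: default route via Internet gateway; App Runner ENIs have no public IP, use a NAT gateway"
    return f"unknown: default route target {target}, check manually"

# Constructed samples with placeholder ids.
SG_ALLOW_ALL = {"IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
RT_PUBLIC = {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]}
RT_PRIVATE_NAT = {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                             {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]}
RT_ISOLATED = {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]}

if __name__ == "__main__":
    for name, rt in [("public", RT_PUBLIC), ("private+nat", RT_PRIVATE_NAT), ("isolated", RT_ISOLATED)]:
        print(f"{name}: {app_runner_egress_status(rt, SG_ALLOW_ALL)}")
```

Run it against the output of the two `describe-*` commands for the subnet and security group chosen in the VPC connector to see which of the two documented fixes applies.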