Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment
Tell us about your request
In our setup we use a central "network account" which contains networking infrastructure for all the company's accounts, such as Direct Connect, TGW and a shared VPC with subnets and interface endpoints. These subnets are then shared via Resource Access Manager to all other accounts. A new AWS account is created for each application (or sometimes for a specific devops team) and we wanted to run private App Runner instances in some of those accounts. Unfortunately, in this architecture App Runner is not able to create a service with private VPC ingress, as it does not "see" the interface endpoint in the shared VPCs / subnets.
Describe alternatives you've considered
I think the alternative would be to build a new VPC dedicated to App Runner services, with its own subnets and App Runner interface endpoint, and connect it via a TGW attachment to the existing VPC. But I suspect this approach brings up new issues, mainly with security and controlling access to App Runner instances, as there would now be many users/teams accessing this account and we would need to prevent them from modifying/destroying each other's instances. Also there is a fixed cost for the TGW attachment, regardless of whether the instances are idle, etc.