この記事は公開されてから1年以上経過しています。情報が古い可能性がありますので、ご注意ください。
いわさです。
先日 App Runner でプライベートアクセスがサポートしましたね。
本日のアップデートで AWS Copilot でも App Runner のプライベートアクセスモードがサポートされました。
App Runner 自体はこれまでも AWS Copilot でサポートされていました。
導入方法としてマニフェストの変更が必要です。
Copilot も プライベートな App Runner も利用は初めてですが、先人たちの記事のおかげで簡単に導入・確認が出来ました。
Copilot から通常通り App Runner をデプロイ
まずは通常どおり App Runner をデプロイしてパブリックアクセスの確認を行ってみたいと思います。
冒頭の記事と同様に Nginx コンテナイメージを使って確認を行います。
% copilot init
Note: It's best to run this command in the root of your Git repository.
Welcome to the Copilot CLI! We're going to walk you through some questions
to help you get set up with a containerized application on AWS. An application is a collection of
containerized services that operate together.
Use existing application: No
Application name: hoge
Workload type: Request-Driven Web Service
Service name: nginx
Docker daemon is not responsive; Copilot won't build from a Dockerfile.
Image: public.ecr.aws/nginx/nginx:latest
Port: 80
Ok great, we'll set up a Request-Driven Web Service named nginx in application hoge listening on port 80.
✔ Proposing infrastructure changes for stack hoge-infrastructure-roles
- Creating the infrastructure for stack hoge-infrastructure-roles [create complete] [92.0s]
- A StackSet admin role assumed by CloudFormation to manage regional stacks [create complete] [41.2s]
- An IAM role assumed by the admin role to create ECR repositories, KMS keys, and S3 buckets [create complete] [41.5s]
✔ The directory copilot will hold service manifests for application hoge.
✔ Wrote the manifest for service nginx at copilot/nginx/manifest.yml
Your manifest contains configurations like your container size and port (:80).
- Update regional resources with stack set "hoge-infrastructure" [succeeded] [0.0s]
All right, you're all set for local development.
Deploy: Yes
✔ Wrote the manifest for environment test at copilot/environments/test/manifest.yml
- Update regional resources with stack set "hoge-infrastructure" [succeeded] [0.0s]
- Update regional resources with stack set "hoge-infrastructure" [succeeded] [132.4s]
- Update resources in region "ap-northeast-1" [create complete] [132.7s]
- ECR container image repository for "nginx" [create complete] [4.1s]
- KMS key to encrypt pipeline artifacts between stages [create complete] [120.8s]
- S3 Bucket to store local artifacts [create complete] [1.1s]
✔ Proposing infrastructure changes for the hoge-test environment.
- Creating the infrastructure for the hoge-test environment. [create complete] [87.6s]
- An IAM Role for AWS CloudFormation to manage resources [create complete] [42.3s]
- An IAM Role to describe resources in your environment [create complete] [37.5s]
✔ Provisioned bootstrap resources for environment test in region ap-northeast-1 under application hoge.
✔ Provisioned bootstrap resources for environment test.
✔ Proposing infrastructure changes for the hoge-test environment.
- Creating the infrastructure for the hoge-test environment. [update complete] [81.3s]
- An ECS cluster to group your services [create complete] [6.4s]
- A security group to allow your containers to talk to each other [create complete] [0.0s]
- An Internet Gateway to connect to the public internet [create complete] [16.8s]
- Private subnet 1 for resources with no internet access [create complete] [4.2s]
- Private subnet 2 for resources with no internet access [create complete] [2.3s]
- A custom route table that directs network traffic for the public subnets [create complete] [14.2s]
- Public subnet 1 for resources that can access the internet [create complete] [7.0s]
- Public subnet 2 for resources that can access the internet [create complete] [4.2s]
- A private DNS namespace for discovering services within the environment [create complete] [47.4s]
- A Virtual Private Cloud to control networking of your AWS resources [create complete] [14.4s]
✔ Proposing infrastructure changes for stack hoge-test-nginx
- Creating the infrastructure for stack hoge-test-nginx [create complete] [442.9s]
- An IAM role to control permissions for the containers in your service [create complete] [38.2s]
- An App Runner service to run and manage your containers [create complete] [394.6s]
✔ Deployed service nginx.
Recommended follow-up action:
- You can access your service at https://qnvwsmqmpe.ap-northeast-1.awsapprunner.com over the internet.
- Be a part of the Copilot ✨community✨!
Ask or answer a question, submit a feature request...
Visit ? https://aws.github.io/copilot-cli/community/get-involved/ to see how!デプロイ完了後アクセスしてみましょう。
問題なく外部からアクセスが出来ました。
デプロイされた App Runner の設定を見てみると以下のようにパブリックとなっていますね。
マニフェスト修正とデプロイ
先程の init と deploy でマニフェストファイルが生成されているはずです。
こちらを修正することでプライベートアクセスを有効化します。
copilot/nginx/manifest.yml
# The manifest for the "nginx" service.
# Read the full specification for the "Request-Driven Web Service" type at:
# https://aws.github.io/copilot-cli/docs/manifest/rd-web-service/
# Your service name will be used in naming your resources like log groups, App Runner services, etc.
name: nginx
# The "architecture" of the service you're running.
type: Request-Driven Web Service
image:
# The name of the Docker image.
location: public.ecr.aws/nginx/nginx:latest
# Port exposed through your container to route traffic to it.
port: 80
http:
private: true
# private:
# endpoint: vpce-12345
# http:
# healthcheck:
# path: /
# healthy_threshold: 3
# unhealthy_threshold: 5
# interval: 10s
# timeout: 5s
# Number of CPU units for the task.
cpu: 1024
# Amount of memory in MiB used by the task.
memory: 2048上記ハイライト部分が設定箇所でその中のコメントアウトしている部分のように既存の VPC エンドポイントを指定することも可能です。
上記のように変更をデプロイしてみます。
前提として、この機能が実装されているのは AWS Copilot の v1.23.0 からです。
% copilot --version
copilot version: v1.23.0
% copilot svc deploy
Only found one service, defaulting to: nginx
Only found one environment, defaulting to: test
✔ Proposing infrastructure changes for stack hoge-test-nginx
- Updating the infrastructure for stack hoge-test-nginx [update complete] [261.8s]
- The ingress connection from your environment to this service [create complete] [24.1s]
- Update your environment's shared resources [update complete] [145.6s]
- A security group for App Runner private services [create complete] [6.0s]
- VPC Endpoint to connect environment to App Runner for private services [create complete] [122.0s]
- An IAM role to update your environment stack [create complete] [40.7s]
- An App Runner service to run and manage your containers [update complete] [23.9s]
✔ Deployed service nginx.
Recommended follow-up action:
- You can access your service at https://qnvwsmqmpe.ap-northeast-1.awsapprunner.com from your internal network.先程と同じクライアント環境からアクセスができなくなりました。
名前解決の結果もプライベート IP アドレスになっていますね。
% nslookup qnvwsmqmpe.ap-northeast-1.awsapprunner.com
Server: 127.0.2.2
Address: 127.0.2.2#53
Non-authoritative answer:
Name: qnvwsmqmpe.ap-northeast-1.awsapprunner.com
Address: 10.0.2.181
Name: qnvwsmqmpe.ap-northeast-1.awsapprunner.com
Address: 10.0.3.162これは Copilot によってデプロイされた VPC のプライベートサブネット内の IP アドレスですね。
プライベートネットワーク上から
では今度はプライベートネットワーク上から App Runner にアクセスしてみましょう。
まずは App Runner の VPC エンドポイントに使われているセキュリティグループを確認します。
このセキュリティグループは以下の xxx-test-EnvironmentSecurityGroup-XXX からの全てのトラフィックがデフォルトで許可されています。
VPC 内に EC2 インスタンスを作成しこちらのセキュリティグループをアタッチします。
SSM セッションマネージャーでリモートアクセスし、App Runner の URL へ HTTP リクエストを送信してみます。
sh-4.2$ curl https://qnvwsmqmpe.ap-northeast-1.awsapprunner.com
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>Nginx のデフォルトページを表示することが出来ました。
さいごに
本日は AWS Copilot でプライベートエンドポイントモードの AWS App Runner がサポートされましたので試してみました。
設定としてとてもシンプルでマニフェスト上でプライベート用のフラグを有効化するだけでした。
他にも今回の Copilot のアップデートでは Amazon Aurora Serverless v2 がストレージオプションとしてサポートされていました。このあたりも今度試してみたいと思います。
5
