This chapter covers AWS App Runner, a fully managed service for deploying containerized web applications and APIs with minimal configuration. For the DVA-C02 exam, App Runner is a key topic under Domain 3: Deployment, Objective 3.1 (Deploy container-based applications). Approximately 10-15% of exam questions touch on container deployment services, and App Runner appears in at least 2-3 questions. Understanding App Runner's architecture, scaling, networking, and integration with CI/CD pipelines is essential for choosing the right deployment strategy.
Jump to a section
Imagine you run a food delivery business. You need to cook meals (run containerized applications) and deliver them to customers (handle HTTP requests). AWS App Runner is like a fully managed restaurant kitchen with a drive-through window. You provide the recipe (your container image) and the ingredients (source code or image registry), and App Runner handles everything else: it preheats the ovens (provisions the compute environment), cooks your meal (builds and deploys the container), packages it (scales instances), and serves customers (routes traffic via an automatically assigned URL). You don't worry about gas lines (networking), cleanliness (patching), or hiring chefs (infrastructure management). The kitchen automatically scales: if a lunch rush hits (traffic spike), it fires up more stoves (provisions additional instances) and balances orders across them (load balancing). When the rush ends, it turns off extra stoves (scales down to zero). You only pay for the time the stoves are actually cooking (compute time per request or per instance). The kitchen also handles health checks: if a stove malfunctions (instance fails), it immediately replaces it and redirects orders elsewhere. You never see the back-of-house complexity—just your recipe and the satisfied customers.
What is AWS App Runner?
AWS App Runner is a fully managed service that enables developers to quickly deploy containerized web applications and APIs without managing infrastructure. It automatically builds, deploys, scales, and load balances applications from source code (stored in GitHub or AWS CodeCommit) or from an existing container image in Amazon ECR (Elastic Container Registry) or Docker Hub.
App Runner is designed for applications that are:
Stateless (no persistent local storage)
HTTP-based (web apps, REST APIs, microservices)
Containerized (Docker) or can be built from source (e.g., Node.js, Python, Java, Go, .NET Core, Ruby, PHP)
How App Runner Works Internally
When you create an App Runner service, the following steps occur:
1. Source Configuration: You specify the source of your application. Options: - Source code from a repository: Provide a connection to GitHub or AWS CodeCommit. App Runner uses a build configuration file (apprunner.yaml) or detects the runtime automatically. - Container image from a registry: Provide the image URI from Amazon ECR (public or private) or Docker Hub.
Build and Deploy: If using source code, App Runner clones the repository, builds the container image using the Dockerfile or build command, and pushes it to an internal ECR repository. If using an existing image, it pulls the image directly.
Provisioning: App Runner provisions the underlying compute resources (AWS Fargate containers) in a managed VPC. You do not manage EC2 instances or clusters.
Networking: App Runner assigns a default domain name (e.g., abcdef123456.us-east-1.awsapprunner.com) with an automatic TLS certificate (HTTPS). You can optionally configure a custom domain and bring your own certificate via AWS Certificate Manager (ACM).
Health Checks: App Runner performs periodic health checks (configurable: path, interval, timeout, healthy/unhealthy thresholds) on the application. If an instance fails health checks, it is replaced.
6. Scaling: App Runner automatically scales the number of instances based on request traffic. You can configure: - Min instances: Minimum number of instances running (default 1, can be 0 for cost savings). - Max instances: Maximum number of instances (default 10, max 200). - Concurrency: Maximum number of concurrent requests per instance (default 100).
Load Balancing: An internal Application Load Balancer (ALB) distributes incoming traffic across healthy instances.
Key Components and Defaults
Service: The top-level resource representing your application. It has a unique ARN.
Auto Scaling Configuration: Defines min/max instances and concurrency.
Health Check Configuration: Path (default /), interval (default 10 seconds), timeout (default 5 seconds), healthy threshold (default 1), unhealthy threshold (default 5).
Instance Configuration: CPU (default 1 vCPU) and memory (default 2 GB). Supported sizes: 0.25 vCPU/0.5 GB, 0.5 vCPU/1 GB, 1 vCPU/2 GB, 2 vCPU/4 GB, 4 vCPU/8 GB.
Networking: App Runner services run in a managed VPC. For access to resources in your own VPC (e.g., RDS, ElastiCache), you can enable VPC ingress using VPC Connector (creates an elastic network interface in your VPC).
Observability: CloudWatch metrics (request count, latency, 4xx/5xx errors, instance count) and logs (application logs, access logs).
CI/CD: Automatic deployments when source code or image is updated. You can configure a deployment trigger (automatic or manual).
Configuration and Verification Commands
Using AWS CLI:
# Create a service from source code
aws apprunner create-service --service-name my-service \
--source-configuration '{"AuthenticationConfiguration":{},"CodeRepository":{"RepositoryUrl":"https://github.com/user/repo","SourceCodeVersion":{"Type":"BRANCH","Value":"main"},"CodeConfiguration":{"ConfigurationSource":"API","CodeConfigurationValues":{"Runtime":"NODEJS_16","BuildCommand":"npm install && npm run build","StartCommand":"npm start"}}}}' \
--instance-configuration '{"Cpu":"1 vCPU","Memory":"2 GB"}'
# Create a service from an image in ECR
aws apprunner create-service --service-name my-image-service \
--source-configuration '{"AuthenticationConfiguration":{},"ImageRepository":{"ImageIdentifier":"123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app:latest","ImageRepositoryType":"ECR"}}'
# List services
aws apprunner list-services
# Describe service
aws apprunner describe-service --service-arn arn:aws:apprunner:us-east-1:123456789012:service/my-service/abc123
# Start deployment
aws apprunner start-deployment --service-arn arn:aws:apprunner:us-east-1:123456789012:service/my-service/abc123Interactions with Related Technologies
AWS Fargate: App Runner uses Fargate as the underlying compute engine but abstracts it completely. You cannot see or manage Fargate tasks directly.
AWS CodePipeline/CodeBuild: App Runner can integrate with CodePipeline for more complex CI/CD pipelines, but its native integration is simpler.
AWS CloudFormation: App Runner services can be defined in CloudFormation templates (resource type AWS::AppRunner::Service).
AWS WAF: You can associate a web ACL with App Runner for web application firewall protection.
AWS X-Ray: Tracing can be enabled for request tracing.
AWS PrivateLink: VPC Connector uses PrivateLink to connect to your VPC.
Limitations and Exam Traps
App Runner does not support Windows containers.
App Runner does not support custom networking (e.g., assigning specific subnets). The VPC Connector is for egress traffic only (your app accessing resources in your VPC). Ingress traffic always goes through the public endpoint.
App Runner does not support WebSocket connections (though HTTP/2 is supported).
The default domain is always HTTPS. Custom domains require a certificate in ACM in the same region.
App Runner does not support attaching an ALB directly; the internal ALB is not customer-managed.
App Runner services are regional. For disaster recovery, you must deploy in multiple regions and use Route 53 routing.
App Runner does not support blue/green deployments natively. However, you can create two services and switch traffic using a custom domain or Route 53.
The minimum instance count can be set to 0 (scale to zero) to save costs when idle. However, there may be a cold start delay (typically a few seconds) when traffic arrives.
Define Source Configuration
Choose between source code from a repository (GitHub or CodeCommit) or a container image from ECR/Docker Hub. For source code, you must provide a repository URL, branch, and build configuration (runtime, build command, start command). App Runner will clone the repo and build the image. For container images, you provide the image URI and repository type (ECR or Docker Hub). If using a private ECR repository, you must grant App Runner permissions via a service role. If using Docker Hub, you can provide credentials for private images. Exam tip: The exam often tests the distinction between source code and image deployment, and the required permissions.
Configure Build and Deploy Settings
If using source code, App Runner needs to build the container. You can specify build commands inline or use an `apprunner.yaml` file in the repository. The build environment supports common runtimes: Python 3.7-3.11, Node.js 12-18, Java 8/11/17, .NET Core 3.1/6, Go 1.x, Ruby 2.7/3.0, PHP 8.0/8.1. If no build command is specified, App Runner uses a default based on the runtime. The deployment is automatic when changes are pushed to the branch. For container images, App Runner pulls the image and deploys it. You can configure manual or automatic deployment triggers. Exam tip: Know that automatic deployments from ECR require image tag immutability or a specific tag (e.g., `latest`).
Set Instance and Scaling Configuration
Configure CPU and memory per instance (0.25 vCPU/0.5 GB to 4 vCPU/8 GB). Set minimum instances (default 1, can be 0) and maximum instances (default 10, max 200). Set concurrency (default 100 requests per instance). App Runner automatically scales based on request load. If minimum is 0, the service scales to zero when idle, causing cold starts. Exam tip: The exam may ask about scaling behavior—e.g., if concurrency is 100 and max instances is 10, the service can handle up to 1000 concurrent requests. Also, scaling to zero is a cost-saving feature but introduces latency.
Configure Health Checks and Observability
Set health check path (default `/`), interval (default 10 seconds), timeout (default 5 seconds), healthy threshold (default 1), unhealthy threshold (default 5). App Runner uses these to determine instance health. Unhealthy instances are replaced. Enable CloudWatch logs and metrics. You can also enable tracing with AWS X-Ray. Exam tip: Health check configuration is a common exam point—know the defaults and that the unhealthy threshold is 5 consecutive failures.
Configure Networking and Custom Domain
App Runner assigns a default domain with HTTPS. Optionally, add a custom domain and validate ownership via DNS (CNAME record). The custom domain must have a TLS certificate in ACM (same region). For egress traffic to your VPC resources, create a VPC Connector. The VPC Connector attaches an ENI in your VPC subnets. App Runner does not support inbound traffic to a private VPC endpoint—all traffic goes through the public endpoint. Exam tip: VPC Connector is for egress only; inbound traffic is always public. Custom domain validation requires a CNAME record.
Deploy and Monitor
App Runner builds (if needed) and deploys the service. The service status transitions from `OPERATION_IN_PROGRESS` to `RUNNING`. If deployment fails, App Runner provides logs in CloudWatch. Monitor metrics like request count, latency, error rates, and instance count. Use CloudWatch alarms for scaling or error thresholds. Exam tip: The exam tests the ability to troubleshoot deployment failures by checking logs and IAM permissions. Also, know that App Runner automatically updates the service when a new image tag is pushed if automatic deployment is enabled.
Enterprise Scenario 1: Microservice API for a SaaS Platform
A SaaS company needs to deploy a stateless REST API microservice that handles authentication and user management. The team uses App Runner because it abstracts infrastructure and integrates with their GitHub repository. They configure automatic deployments from the main branch. The service uses Node.js 18 with a build command npm install && npm run build and start command npm start. They set minimum instances to 2 for high availability and maximum to 20 to handle traffic spikes during peak hours. Concurrency is set to 200 requests per instance. They enable VPC Connector to access an RDS database in their VPC. In production, they observe that cold starts occur when scaling from 2 to 3 instances during a spike, but the auto-scaling handles it within seconds. They use CloudWatch alarms to notify if error rates exceed 1%. The main challenge was configuring the VPC Connector correctly—the ENI must be in a subnet with a route to a NAT gateway for internet access (App Runner instances need internet to pull images). Misconfiguring security groups caused connectivity issues. They also learned that App Runner does not support sticky sessions, so their stateless design was appropriate.
Enterprise Scenario 2: Containerized Web App with Custom Domain
A marketing agency hosts a customer-facing web application built with Python Flask and served via uWSGI. They containerize the app and push the image to Amazon ECR. They create an App Runner service pointing to the image, set minimum instances to 1, and maximum to 10. They configure a custom domain app.example.com with a TLS certificate from ACM. They set health check path to /health and interval to 5 seconds. During a campaign launch, traffic surges and the service scales to 10 instances. The application handles the load without issues. However, they notice that the default health check path / was returning a 302 redirect, causing health checks to fail. They fixed it by setting the health check path to /health. They also enabled access logs to analyze traffic patterns. The main performance consideration is that App Runner's scaling is based on requests per instance, not CPU/memory, so they monitor concurrency to avoid overwhelming instances.
Scenario 3: Internal Dashboard with Zero Scaling
An internal IT team deploys a dashboard that is used occasionally during business hours. They set minimum instances to 0 to save costs. When a user accesses the dashboard after idle time, there is a 5-10 second cold start delay as App Runner provisions a new instance. They find this acceptable. They use a private ECR repository and configure automatic deployment when a new image is pushed. The main challenge was ensuring that the IAM execution role had permissions to pull from ECR. They also learned that with min=0, the first request may timeout if the cold start takes too long, so they set a higher idle timeout in their application.
The DVA-C02 exam tests AWS App Runner under Domain 3: Deployment, Objective 3.1 (Deploy container-based applications). Specific subtopics include:
Understanding App Runner's source options (source code vs. container image)
Configuring build and deployment settings
Scaling configuration (min/max instances, concurrency)
Networking (default domain, custom domain, VPC Connector)
Health checks and monitoring
IAM roles and permissions
Integration with other services (ECR, GitHub, CloudWatch, ACM)
Common Wrong Answers and Why Candidates Choose Them:
Wrong: App Runner supports WebSockets. Candidates confuse App Runner with other services like API Gateway. Reality: App Runner only supports HTTP/1.1 and HTTP/2, not WebSockets.
Wrong: App Runner allows you to attach an ALB directly. Candidates think they can use their own load balancer. Reality: App Runner has an internal ALB that is not customer-managed. You cannot attach a custom ALB.
Wrong: VPC Connector allows inbound traffic from VPC. Candidates assume the connector works both ways. Reality: VPC Connector is only for egress traffic from App Runner to your VPC. Inbound traffic always comes through the public endpoint.
Wrong: App Runner supports Windows containers. Candidates may assume all container services support Windows. Reality: App Runner only supports Linux containers.
Specific Numbers and Values That Appear on the Exam: - Default min instances: 1, max instances: 10, concurrency: 100. - Max instances limit: 200. - Health check defaults: interval 10s, timeout 5s, healthy threshold 1, unhealthy threshold 5. - Supported CPU/Memory: 0.25 vCPU/0.5 GB, 0.5/1, 1/2, 2/4, 4/8. - Cold start time: typically a few seconds (varies).
Edge Cases and Exceptions:
- If you set min instances to 0, the service scales to zero. The first request after idle triggers a cold start. The exam may ask about this behavior.
- Automatic deployments from ECR: If the image tag is mutable (e.g., latest), App Runner does not automatically redeploy when the tag is updated unless you configure it to watch for changes. Best practice is to use immutable tags.
- Custom domain validation: You must add a CNAME record to your DNS. The certificate must be in the same region as the App Runner service.
How to Eliminate Wrong Answers: - If a question mentions WebSockets or Windows, eliminate App Runner immediately. - If the question requires a private endpoint (inbound from VPC), App Runner is not the right choice; consider ALB + ECS Fargate or API Gateway VPCLink. - If the question mentions blue/green deployments, App Runner does not natively support it; consider CodeDeploy with ECS. - Always check the networking requirements: App Runner is public-facing by default.
App Runner is a fully managed service for deploying containerized web apps and APIs from source code or container images.
It automatically builds, deploys, scales, and load balances applications with minimal configuration.
Default scaling: min instances 1, max instances 10, concurrency 100 requests per instance.
Health check defaults: interval 10s, timeout 5s, healthy threshold 1, unhealthy threshold 5.
App Runner does not support WebSockets, Windows containers, or inbound VPC private endpoints.
VPC Connector is for egress traffic only; inbound traffic is always public.
Custom domains require a TLS certificate in ACM in the same region and DNS validation via CNAME.
Minimum instances can be set to 0 for cost savings, but cold starts may occur on first request.
App Runner integrates with CloudWatch for logs and metrics, and with X-Ray for tracing.
Automatic deployments from ECR require configuration and work best with immutable image tags.
These come up on the exam all the time. Here's how to tell them apart.
AWS App Runner
Fully managed, no infrastructure visibility
Automatic HTTPS with default domain
Built-in auto scaling with concurrency control
Supports only containerized applications
No support for WebSockets or Windows
AWS Elastic Beanstalk (Docker)
Managed but provides more control (EC2 instances, load balancer)
Requires manual HTTPS setup via ELB or CloudFront
Auto scaling based on metrics (e.g., CPU)
Supports multiple platforms (Docker, Python, Node.js, etc.)
Supports WebSockets and custom environment configurations
AWS App Runner
Simpler setup, no cluster or task definition complexity
Automatic scaling and load balancing built-in
Limited to HTTP traffic
No direct control over task placement or networking
Best for simple web apps and APIs
Amazon ECS with Fargate
Full control over task definitions, clusters, and networking
Requires manual configuration of scaling and load balancer
Supports any TCP/UDP traffic, WebSockets, and gRPC
Can run in private VPC with private IPs
Best for complex microservices and batch jobs
Mistake
App Runner requires you to manage EC2 instances or ECS clusters.
Correct
App Runner is fully managed; you do not see or manage any underlying compute. It uses AWS Fargate internally but abstracts it completely.
Mistake
App Runner can be deployed inside a VPC with a private IP address.
Correct
App Runner services are always public-facing. They have a public endpoint. VPC Connector only allows egress to your VPC, not ingress.
Mistake
App Runner supports Windows containers.
Correct
App Runner only supports Linux-based containers. Windows containers are not supported.
Mistake
You can use App Runner for long-running background tasks or WebSocket connections.
Correct
App Runner is designed for HTTP-based web applications and APIs. It does not support WebSockets or long-running background processes (max request timeout is 15 minutes).
Mistake
App Runner automatically deploys every time a new image tag is pushed to ECR.
Correct
Automatic deployment from ECR only works if you configure it to watch for updates. By default, App Runner deploys the specified image tag once. If the tag is mutable (e.g., `latest`), you need to manually trigger a deployment or use continuous deployment with a pipeline.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
No, App Runner services are always public-facing. They have a public endpoint that is accessible from the internet. To create a private API within a VPC, consider using an internal ALB with ECS Fargate, or API Gateway with a VPC link. App Runner's VPC Connector only allows egress traffic from your app to resources in your VPC, not inbound traffic from your VPC.
You can set the minimum number of instances to 0 in the auto-scaling configuration. When no requests are received for a period, App Runner scales down to zero instances. The next request triggers a cold start, during which a new instance is provisioned. This can take a few seconds. During that time, the request may timeout if the application's timeout is too low. Cold starts can be mitigated by setting a minimum of at least 1 instance, but that incurs cost.
You need to create an IAM execution role that grants App Runner permission to pull images from ECR. The role must have a trust policy allowing `apprunner.amazonaws.com` to assume it. The role should include the managed policy `AWSAppRunnerServicePolicyForECRAccess` or a custom policy with `ecr:GetDownloadUrlForLayer`, `ecr:BatchGetImage`, `ecr:BatchCheckLayerAvailability`, and `ecr:GetAuthorizationToken`. This role is specified when creating the service.
No, App Runner does not support WebSocket connections. It is designed for HTTP/1.1 and HTTP/2 traffic only. If you need WebSocket support, consider using Amazon ECS with an ALB that supports WebSockets, or API Gateway WebSocket APIs.
In the App Runner console, under the service's networking settings, you can add a custom domain. You must provide the domain name (e.g., `app.example.com`). App Runner will provide a CNAME target. You need to add a CNAME record in your DNS provider pointing your domain to that target. Additionally, you must have an SSL/TLS certificate in AWS Certificate Manager (ACM) in the same region. App Runner will use that certificate to serve HTTPS. Domain ownership is validated via the CNAME record.
App Runner does not natively support blue/green deployments. When you update a service, App Runner performs a rolling update, replacing instances gradually. For blue/green deployments, you would need to create two separate App Runner services (blue and green) and switch traffic between them using a custom domain or Route 53 weighted routing. Alternatively, consider using AWS CodeDeploy with ECS.
The maximum request timeout is 15 minutes. If your application requires longer processing, you should design it to offload work to a background job queue (e.g., SQS) and return a 202 Accepted response. App Runner is not designed for long-running connections.
You've just covered AWS App Runner for Container Deployments — now see how well it sticks with free DVA-C02 practice questions. Full explanations included, no account needed.
Done with this chapter?