You just learned how to use Docker, and you can build and push Docker images to a Docker registry (this could be Docker registry, Quay.io, Harbour, or Amazon ECR). You also know how to use Docker-compose, which is an awesome tool for orchestrating Docker containers locally.

The next step is to get this Docker-packaged application into the hands of users. Doing some googling, you find out that there are so many tools out there for deploying Docker-based applications. The challenge here is not only choosing the right tool or service to deploy the Docker image, it has to be a tool that adequately has the features desired in a standard environment.

There are several key features that a standard application environment should have for efficient application management. These features should align with the six pillars of the AWS well-architected framework. These six pillars provide a solid foundation for the design and deployment of any infrastructure. The six pillars of the well-architected framework are summarized below:

Cost Pillar: Your infrastructure should be cost-effective and optimally provisioned, avoiding both over-provisioning and under-provisioning.
Security Pillar: explains how to architect a highly secure environment by deploying different security processes and tools.
Operational Excellence Pillar: what processes are on the ground to ensure the environment is properly managed; updates, patches, improvements.
Performance Efficiency Pillar: observability implementations and ensuring your system performs adequately.
Sustainability Pillar: deployment of resource-efficient infrastructure to reduce the carbon footprint on the planet
Reliability Pillar: Build a resilient system that can scale up and down based on demand, and use serverless and managed services for more efficient infrastructure.

These six tenets should guide how any infrastructure should be deployed and managed. The next step is choosing the right service.

Why App Runner fits the bill

The knowledge of the principles for deploying an efficient Docker application has been explained in the previous paragraph. Other things that were not mentioned earlier are as follows:

Easy to manage (with an intuitive interface)
Serverless (no servers to manage, scale, or patch).
No need for a DevOps Engineer
No knowledge of CI/CD is required.
Turn-key option to scale a single instance to multiple instances.
Full Observability Stack.
Security on VPC and WAF (Web Application Firewall).

Many tools are in AWS that have some of these features, but one of them that stands out is AWS AppRunner. According to the AWS Product page;

AWS App Runner builds and deploys web applications automatically, load balances traffic with encryption, scales to meet your traffic needs, and allows for the configuration of how services are accessed and communicate with other AWS applications in a private Amazon VPC.

This makes AppRunner a full-stack infrastructure service for all Docker-based application needs. The following are the features of App Runner:

Automated CI/CD ((Well-Architected Operational Excellence and Reliability)
Autoscaling/Easy to Scale (Well-Architected Performance Efficiency, Sustainability)
Environment Variables Management (with Parameter Store and Secrets Manager Integration) (Well-Architected Operational Excellence)
Networking Configuration. (Well-Architected Security Pillar)
Observability (Logs, Metrics, Traces). (Well-Architected Operational Excellence).
Custom Domain.
WAF (Web Application Firewall). (Well-Architected Security Pillar)

Features of App Runner

Automated CI/CD
App Runner has an automated CI/CD feature built into it that enables it to build and deploy code into your environment. App Runner can connect to your code repository on Github. The CI/CD supports the following languages: Python, NodeJs/JavaScript, Java, .NET, PHP, Ruby, and Golang.

To enable CI/CD and deployment in App Runner, add the following script to your repository code.

version: 1.0
service:
  name: my-flask-app-service
  sourceConfiguration:
    authenticationConfiguration:
      connectionArn: arn:aws:apprunner:region:account-id:connection/connection-id # Optional, if using private repository
    autoDeploymentsEnabled: true
    imageRepository:
      imageIdentifier: <your-dockerhub-username>/my-flask-app:latest
      imageRepositoryType: ECR_PUBLIC # Can be ECR or ECR_PUBLIC
  instanceConfiguration:
    cpu: 1 vCPU
    memory: 2 GB
  healthCheckConfiguration:
    path: /
    interval: 10
    timeout: 5
    healthyThreshold: 3
    unhealthyThreshold: 3
  environment:
    - name: FLASK_ENV
      value: production
    - name: PORT
      value: 8080
  tags:
    - key: environment
      value: production
  encryptionConfiguration:
    kmsKey: arn:aws:kms:region:account-id:key/key-id # Optional, for specifying a custom KMS key

buildConfiguration:
  runtime: python3
  buildCommand: pip install -r requirements.txt
  startCommand: python app.py

The example above is for building a python3 application for an image stored in the ECR Public registry.

This varies by language. In the case of Docker images; the image can be built by any other CI/CD tool, pushed to the ECR registry (public or private), and updated in the App Runner application. This will automatically deploy the newly updated image in the App Runner instance. That step does not require any additional CD process or flow on the App Runner side. App Runner handles the deployment internally and can roll back a deployment to the previous deployment if a deployment fails.

Another good feature is the environment variables feature in AWS App Runner.

Easy to Scale
Scaling an App Runner instance takes very few steps. You can increase the number of instances of a running service by increasing the minimum number of instances and setting a threshold for the maximum. There is also the option to increase the number of requests an instance can handle by increasing the concurrency number.

Simplified Docker Deployments with AWS App Runner: An Introduction to AWS AppRunner 5

Environment Variables

App Runner has different options for injecting environment variables into an app. The three options available are, plain, Secrets Manager, or Parameter Store. These three options give the user the flexibility to choose. The recommended approach to sensitive credentials is to either use Secrets Manager or Parameter Store and not to store plan credentials directly on the App Runner service or directly on your code base. For more information read the config section of the 12-factor app here. App Runner will need access to be able to retrieve credentials from either Secrets Manager or Parameter Store, where the sensitive credentials have been stored. This ensures the security of the credentials the app needs to run.

What is an app without its network configuration and integration with VPC? Next, let us talk about Networking in App Runner.

Networking Configuration
App Runner has a good integration with Amazon VPC. It has configurations to manage both Inbound and Outbound network configurations. App Runner service can run on the public internet or within a specific VPC via VPC Endpoints. The following screenshot shows the networking configuration for an App Runner service.

The screenshot above shows settings for Incoming and Outgoing network traffic. For Incoming traffic, selecting a Public Endpoint means the service will be accessible from the internet. Choosing a Private Endpoint means the service will operate within a VPC endpoint. Similar options are available for Outgoing traffic configuration.

When the application is deployed, it is important to know if the application is running smoothly, or if there are any bugs. The next section is on the observability of App Runner services.

Observability (Logs, Metrics, Traces)
AWS App Runner embodies the three core pillars of an observability stack. Logs, Metrics, and Traces. For the logs, App Runner has deployment logs to show if a deployment was successful or failed and what made the deployment fail in the scenario where it failed. It also has application logs, which show the logs generated by the application. These logs are stored in Amazon CloudWatch log groups. While App Runner has a summarized view of logs, more details can be filtered from Amazon CloudWatch by following the link View in Cloudwatch as shown in the screenshot below.

There is also the option to search through the logs, download the logs, and filter logs with different time ranges.

For Metrics, you can view the most common metrics needed to understand the status and behavior of an application right from the App Runner dashboard without going elsewhere. In the App Runner instance, click on the Metrics tab. This will show the metrics of the running instance, such as Request Count, CPU Utilization, Memory Utilization, HTTP 2xx Count, HTTP 4xx Count, HTTP 5xx Count, and Request Latency. A sample of the metrics dashboard is shown in the screenshot below

With this, you can effectively monitor the behavior of your application without the need to configure anything. The next feature is the Custom Domain, which is common to most services in the same jurisdiction.
The last pillar of the observability stack is Traces. App Runner integrates with Amazon X-Ray for traces. The code will need to be instrumented and configured with Amazon X-Ray. Then, X-Ray is enabled in the App Runner instance for it to start sending telemetry data to X-Ray for analysis.

Custom Domain
When a service is deployed to App Runner, it automatically generates a random URL for the app. This URL is owned by App Runner for the application. App Runner has the option that allows the configuration of a custom domain name different from what it generates. This option is under the Domain tab of a deploying/running application on App Runner.

After configuring the custom domain on App Runner, the next step is to profile it on the DNS provider. On the DNS management tool, create a new entry for the subdomain, and the value will be the original DNS address of the App Runner service. The record will be a CNAME record because the value of the App Runner URL is usually a subdomain, in the pattern of abcxyz.region.awsapprunner.com. It does not matter where the domain is registered; App Runner is able to work with any domain registrar, as shown in the following screenshot.

Simplified Docker Deployments with AWS App Runner: An Introduction to AWS AppRunner 9

The screenshot above shows you can use any Domain registrar with AWS App Runner, so the Custom Domain linking is not tied to Amazon Route 53.

In addition to network security, App Runner enhances web application security with AWS WAF support. The following section addresses this feature.

WAF (Web Application Firewall)

No AWS service provides a Firewall attachment out of the box. Most times, you need to attach a CloudFront Edge or Application Load Balancer to be able to use the AWS WAF service. AWS AppRunner supports WAF. It can be attached to the App Runner service. See the screenshot below for the configuration on how to attach the AWS WAF AWS App.

You must first create the WAF rules in the AWS WAF console before it can be attached to the App Runner service.

One more……
AWS App Runner includes a feature that allows you to pause a service. When a service is paused, AWS does not charge for CPU and memory, leading to potential cost savings. This is beneficial for scenarios where the service does not need to run 24/7, allowing you to pause it temporarily to save costs and resume it when needed.

With these wonderful features listed above, other limitations are available in the AWS App Runner that need to be mentioned. They are:

Important Notes/Limitations

1. App Runner does not allow you to listen/bind your application on port 80.

2. When Configuring Environment variables from the UI Console, AWS App Runner has a maximum of 50 environment variables from the CLI, it can be more than 50.

3. It provides an Ephemeral storage of 3GB. So your Docker image should be less than 2GB. To allow space for the image and storage. See more in the documentation here.

4. The Docker image must be from Amazon ECR, either a Private or Public ECR registry.

5. Apprunner does not support Websockets and GRPC protocol.

6. It does not support stateful apps.

Alongside these features, understanding the cost of running a single application in AWS App Runner is important. The following section provides a detailed breakdown of the costs for running an App Runner instance with 1 vCPU and 2 GB RAM.

Pricing

The AWS App Runner pricing is simple and very clear. It does not have any hidden charges that will break the bank. The service is serverless, meaning that the cost is more predictable. Charges still apply for Outbound traffic. According to the official AWS App Runner page, these are the pricing details.

Based on the diagram above, let us calculate an example cost for an App Runner service;

running continuously for a month (30 days) with the following configuration:

vCPU: 1 vCPU
Memory: 2 GB
Outbound Data Transfer: 100 GB per month

1. Compute and Memory Costs
Assume the following (hypothetical) pricing:

vCPU: $0.064 per vCPU-hour
Memory: $0.007 per GB-hour

Calculation:

Compute: 1 vCPU * 24 hours/day * 30 days * $0.064/vCPU-hour = $46.08
Memory: 2 GB * 24 hours/day * 30 days * $0.007/GB-hour = $10.08

Total Compute and Memory Cost: $46.08 + $10.08 = $56.16

2. Data Transfer Costs
Assume the following (hypothetical) pricing:

Outbound Data Transfer: $0.09 per GB

Calculation:

Outbound Data Transfer: 100 GB * $0.09/GB = $9.00

Total Monthly Cost
Total Cost = Compute and Memory Costs + Data Transfer Costs Total Cost = $56.16 + $9.00 = $65.16

The total cost of running a 1vCPU and 2GB RAM service with 100GB of Outbound data transfer is $65.16 in one month.

in conclusion…..

Conclusion

This article explains the features of AWS Apprunner and how it aligns with the six Pillars of the AWS Well-Architected Framework. It also explains the main features of AWS App Runner and how it is a full-stack serverless infrastructure service. It also explains the security features that come with App Runner which are VPC Private Endpoint and AWS WAF which integrates easily into the service. Finally, it explained the cost of running the service for a 1vCPU and 2GB of RAM for a month.

References / Further Reading

AWS AppRunner Product Page: https://aws.amazon.com/apprunner/

AWS Web Application Firewall: https://aws.amazon.com/waf/