containersSAP-C02DEA-C01DOP-C02

AWS App Runner: The Zero-Ops Container Launcher

Deploy containerized web apps and APIs at scale — no infrastructure management required.

Updated 2026-02-21

Overview

AWS App Runner is a fully managed service that lets developers deploy containerized web applications and APIs directly from source code or a container image, without managing servers, clusters, or load balancers. It automatically handles provisioning, scaling, load balancing, and TLS termination, making it ideal for teams that want container benefits without operational overhead. App Runner bridges the gap between raw container orchestration (ECS/EKS) and traditional PaaS (Elastic Beanstalk), offering automatic scale-to-zero cost optimization.

Rapidly deploy and auto-scale containerized web services and APIs without provisioning or managing any underlying infrastructure.

Use When

Deploying microservices or REST/GraphQL APIs from container images or source code with minimal operational overhead
Startups or small teams that need production-grade auto-scaling without a dedicated DevOps team
Workloads that need to scale to zero during off-hours to eliminate idle compute costs
CI/CD pipelines where automatic redeployment on new container image pushes (ECR) or code commits is required
Rapid prototyping and MVP deployments where time-to-production matters more than fine-grained infrastructure control

Avoid When

Workloads requiring persistent storage volumes or stateful applications — App Runner has no native persistent disk support; use ECS/EKS with EFS instead
Applications needing fine-grained VPC control, custom security groups on ingress, or complex multi-subnet networking topologies — ECS on Fargate provides deeper VPC integration
Batch processing, long-running background jobs, or non-HTTP workloads — App Runner is HTTP/HTTPS-only; use AWS Batch or ECS tasks instead
Cost-sensitive, highly predictable traffic workloads where Reserved pricing on EC2 or Savings Plans on Fargate would yield better economics than App Runner's per-vCPU/memory model

Key Features

Automatic scaling (horizontal)

Scales in/out based on concurrent requests per instance

Scale to zero

Minimum instances can be set to 0; cold starts apply

Automatic TLS/HTTPS

No ACM management required; custom domains supported

Source code deployment (GitHub/Bitbucket)

App Runner builds and deploys from source automatically

Container image deployment (ECR)

Public and private ECR repositories supported

Automatic deployment on image push

Triggers on new ECR image or code commit

VPC connector (outbound to private VPC)

Required to reach RDS, ElastiCache, etc.

AWS Secrets Manager integration

Secrets injected as environment variables at runtime

AWS Systems Manager Parameter Store integration

Parameters injected as environment variables

AWS X-Ray tracing

Built-in distributed tracing, no sidecar needed

Amazon CloudWatch logs and metrics

Automatic log streaming and service metrics

AWS WAF integration

Web application firewall for API protection

Custom domains

With automatic ACM certificate provisioning

Health checks (HTTP and TCP)

Configurable interval, threshold, and timeout

Persistent storage volumes

No EBS/EFS mounting — stateless workloads only

Reserved Instance pricing

Pay-as-you-go only; no reserved capacity pricing model

Multi-port services

Single port per service only

Spot/preemptible compute

No Spot pricing equivalent; use ECS Fargate Spot for that model

GPU instances

CPU-only compute; use ECS/EKS for GPU workloads

Windows containers

Linux containers only

IPv6

IPv4 only for App Runner endpoints as of current docs

Private endpoints (inbound VPC)

Inbound traffic is always via App Runner's public managed endpoint

Integration Patterns

Automated Container CD Pipeline

high freq

AWS App RunnerAmazon ECR

App Runner monitors a private ECR repository and automatically deploys new image versions when pushed. The App Runner access role must have ecr:GetDownloadUrlForLayer, ecr:BatchGetImage, and ecr:GetAuthorizationToken permissions. This eliminates the need for a separate CodePipeline trigger for simple deployments.

Secure Runtime Secret Injection

high freq

AWS App RunnerAWS Secrets Manager

App Runner retrieves secrets from Secrets Manager at container startup and injects them as environment variables. The instance IAM role must have secretsmanager:GetSecretValue permission. This avoids hardcoding credentials in container images or source code — a key security pattern for DOP-C02 and SAP-C02.

Configuration Parameter Injection

high freq

AWS App RunnerAWS Systems Manager Parameter Store

Non-sensitive configuration (feature flags, endpoints, non-secret config) stored in SSM Parameter Store is injected into App Runner containers at startup. Instance role needs ssm:GetParameters permission. Preferred over Secrets Manager for non-sensitive config due to lower cost.

Private Database Connectivity via VPC Connector

high freq

AWS App RunnerAmazon VPCAmazon RDS

App Runner uses a VPC Connector (attached to a VPC, subnets, and security groups) to establish outbound connectivity to RDS instances in a private subnet. Without a VPC connector, App Runner cannot reach private VPC resources. This is the standard pattern for App Runner + database architectures.

API Audit Trail for Compliance

high freq

AWS App RunnerAWS CloudTrail

All App Runner API calls (CreateService, UpdateService, DeleteService, etc.) are logged by CloudTrail. For compliance requirements (SOC2, PCI-DSS), CloudTrail provides the authoritative audit trail of who changed what and when. CloudTrail is for AUDITING API calls; GuardDuty is for THREAT DETECTION — do not confuse them.

Migration Path: Beanstalk to App Runner

high freq

AWS App RunnerAWS Elastic Beanstalk

Organizations migrating from Elastic Beanstalk to App Runner gain scale-to-zero capability and reduced operational overhead. Key difference: Beanstalk manages EC2 instances (cannot scale to zero), while App Runner is fully serverless. This migration pattern appears in SAP-C02 modernization scenarios.

Configuration Compliance Monitoring

medium freq

AWS App RunnerAWS Config

AWS Config tracks configuration changes to App Runner services (instance size, scaling config, VPC connector changes) and can trigger alerts or auto-remediation via Config Rules when services drift from desired state. Used in governance-heavy environments.

Static Asset and Object Storage Integration

medium freq

AWS App RunnerAmazon S3

App Runner applications access S3 buckets (for uploads, downloads, or static content) via the instance IAM role with appropriate S3 permissions. App Runner itself does not natively serve S3 content — CloudFront + S3 handles static assets while App Runner handles dynamic API traffic.

API Protection with Web Application Firewall

medium freq

AWS App RunnerAWS WAF

AWS WAF is associated directly with an App Runner service to protect against OWASP Top 10 threats (SQL injection, XSS, etc.). WAF rules are evaluated before traffic reaches the App Runner instances. This is the recommended pattern for publicly exposed APIs.

Distributed Tracing for Microservices

medium freq

AWS App RunnerAWS X-Ray

X-Ray tracing is enabled in the App Runner service configuration. The X-Ray daemon runs as a managed sidecar — developers only need to instrument their application code with the X-Ray SDK. Traces flow automatically to X-Ray for end-to-end latency analysis across microservices.

Service Limits & Quotas

LimitValueNote

Default maximum concurrent requests per instance

Configurable; default is 100 concurrent requests per instance requests

This is NOT the same as Lambda's per-function concurrency limit. App Runner scales horizontally across instances, not by spawning isolated execution environments.

vCPU options per instance

0.25, 0.5, 1, 2, or 4 vCPU vCPU

Unlike EC2 where you pick from hundreds of instance types, App Runner has a small, fixed set of compute options.

Memory options per instance

0.5 GB, 1 GB, 2 GB, 3 GB, 4 GB, 6 GB, 8 GB, or 12 GB GB

Memory and vCPU combinations are not freely mixed — valid pairings are enforced by the service. Exam questions may test whether you know App Runner has constrained sizing options vs. EC2's flexibility.

Minimum number of instances (scale-to-zero)

0 (scale to zero is supported; you can set minimum instances to 0) instances

Scale-to-zero means a cold start latency on first request after idle. This is a trade-off candidates must recognize in latency-sensitive scenarios.

Maximum number of instances per service

Configurable up to the service quota; default quota applies per account/region instances

The upper bound on instances is a soft quota adjustable via Service Quotas console — know that scaling limits are account-level, not just service-level.

Source types supported

Container image (Amazon ECR public/private) or source code repository (GitHub, Bitbucket via App Runner connections) N/A

Only HTTP/HTTPS-based web services are supported — not arbitrary container workloads.

Supported port

Single port per service; you configure which port your container listens on (default 8080) port

App Runner exposes a single HTTPS endpoint — it does not support multi-port services. If your architecture needs multiple ports, use ECS.

Health check protocol

HTTP or TCP N/A

Health checks are configurable. Failed health checks cause instance replacement — this is part of App Runner's self-healing capability.

VPC connector support

Supported — App Runner services can connect to resources in a VPC (RDS, ElastiCache, etc.) via VPC connectors N/A

VPC connector enables OUTBOUND connectivity from App Runner to your VPC. Inbound traffic always comes through App Runner's managed public HTTPS endpoint — you cannot put App Runner behind your own ALB directly.

Secrets and environment variable injection

Supported via AWS Secrets Manager and AWS Systems Manager Parameter Store N/A

App Runner natively integrates with Secrets Manager and SSM Parameter Store for secure configuration injection at runtime — a critical security pattern tested on DOP-C02 and SAP-C02.

Observability integrations

Amazon CloudWatch (metrics and logs), AWS X-Ray (distributed tracing) N/A

X-Ray integration is built-in for distributed tracing — no sidecar required. CloudWatch receives application logs and App Runner service metrics automatically.

Deployment types

Manual or automatic (triggered by new ECR image push or source code commit) N/A

Automatic deployment on ECR push is a key differentiator from ECS, where you must build your own CI/CD pipeline trigger. This is tested in DevOps modernization scenarios.

TLS/HTTPS

Automatically provisioned and managed by App Runner — no ACM certificate management required N/A

Unlike ALB where you manually attach ACM certificates, App Runner handles TLS lifecycle automatically — this is a key operational simplicity differentiator.

Custom domain support

Supported — you can associate custom domains with automatic certificate management N/A

Custom domains require DNS validation via CNAME records. App Runner manages certificate renewal automatically.

WAF integration

AWS WAF can be associated with App Runner services for web application firewall protection N/A

WAF integration is available for App Runner — exam questions about protecting App Runner APIs from SQL injection or XSS attacks should include WAF as the answer.

IAM roles

Instance role (for your application to access AWS services) and Access role (for App Runner to access ECR) are separate and both configurable N/A

If your app needs to read from S3 or call DynamoDB, that permission goes on the INSTANCE role, not the access role.

Pricing Model

Pay-per-use: charged for compute (vCPU/memory) while instances are active, plus a reduced 'provisioned concurrency' charge for paused (scaled-to-zero) instances and a per-build charge for source-based deployments.

Compute charges: per vCPU-hour and per GB-memory-hour while instances are RUNNING and handling requests
Provisioned instance charges: a lower flat rate applies to instances in 'paused' state (scaled to zero but kept warm) — you pay less but not zero unless you set minimum instances to 0 with no warmup
Automatic build charges apply when using source code deployments (per build minute)
No upfront costs, no Reserved Instance pricing, no Savings Plans — pure pay-as-you-go
Custom domain and WAF association incur standard ACM and WAF charges respectively
Data transfer charges apply for outbound traffic beyond free tier thresholds
CRITICAL: There is NO Reserved Instance or Savings Plan pricing for App Runner — this is a frequent exam misconception trap

Exam Tips

criticalScale-to-zero, cost optimization

App Runner CAN scale to zero (minimum instances = 0); Elastic Beanstalk CANNOT scale to zero because it always maintains at least one EC2 instance. Any exam question asking how to eliminate overnight compute costs for a containerized web service should choose App Runner over Elastic Beanstalk.

criticalPricing model, cost optimization misconceptions

App Runner has NO Reserved Instance pricing, NO Savings Plans, and NO Spot pricing. It is pure pay-as-you-go. If an exam question asks about reducing App Runner costs via reserved capacity, that option is a DISTRACTOR — it does not exist.

criticalIAM roles, least privilege

There are TWO separate IAM roles in App Runner: (1) ACCESS ROLE — used by the App Runner SERVICE to pull images from ECR; (2) INSTANCE ROLE — used by your APPLICATION CODE to call AWS APIs (S3, DynamoDB, Secrets Manager, etc.). Exam questions that describe an app failing to read from S3 need the instance role fixed, not the access role.

criticalVPC integration, networking

VPC Connectors provide OUTBOUND connectivity from App Runner to private VPC resources (RDS, ElastiCache, internal services). Inbound traffic to App Runner always comes through App Runner's managed public HTTPS endpoint — you cannot route inbound traffic through your own VPC without using a proxy pattern.

criticalCompliance, audit trail, security

CloudTrail logs App Runner API calls for compliance auditing (who created/modified/deleted services). GuardDuty detects threats and anomalous behavior. These are DIFFERENT services with DIFFERENT purposes — exam questions about compliance audit trails for App Runner changes require CloudTrail, not GuardDuty.

critical

App Runner scales to ZERO (no traffic = no compute cost). Elastic Beanstalk CANNOT. Any scenario about eliminating idle compute costs for containerized HTTP services → choose App Runner.

critical

App Runner has NO Reserved Instance, Savings Plan, or Spot pricing. If an answer choice suggests 'purchase reserved capacity for App Runner,' it is WRONG — that option does not exist.

critical

Two IAM roles: ACCESS ROLE (App Runner service pulls ECR images) vs. INSTANCE ROLE (your app code calls AWS APIs). App can't read S3? Fix the INSTANCE role. Can't pull ECR image? Fix the ACCESS role.

importantAuto scaling, scaling triggers

App Runner auto-scales based on CONCURRENT REQUESTS per instance, not CPU or memory utilization. This is fundamentally different from ECS/EC2 Auto Scaling which uses CloudWatch metrics like CPU%. When an exam scenario describes traffic spikes causing latency, App Runner's scaling trigger is concurrent requests.

importantCI/CD, deployment automation

App Runner supports BOTH source code deployments (from GitHub/Bitbucket — App Runner builds the container) AND pre-built container image deployments (from ECR). Automatic deployment can be triggered by either a new code commit or a new ECR image push. This is a key CI/CD differentiator from ECS.

importantProtocol support, service selection

App Runner is HTTP/HTTPS ONLY. It cannot handle non-HTTP protocols (TCP arbitrary ports, UDP, WebSocket raw connections at the infrastructure level). If a workload needs arbitrary TCP or UDP, use ECS/EKS with NLB instead.

importantData engineering, ML inference, service selection

For the DEA-C01 (Data Engineer) exam context: App Runner can serve ML inference APIs and data processing microservices, but it does NOT support GPU compute or persistent storage. Data pipelines requiring GPU or stateful storage should use SageMaker endpoints or ECS with EFS.

importantCapacity planning, auto scaling

Overprovisioning is an anti-pattern for App Runner. Because it auto-scales horizontally, you should right-size your INSTANCE (vCPU/memory) for a SINGLE request, not for peak load. Peak load is handled by scaling OUT the number of instances. Setting max instances too low is the real scaling bottleneck.

Good to KnowTLS, ACM, security

App Runner automatically provisions and renews TLS certificates via ACM for both the default apprunner.com subdomain AND custom domains. You do NOT need to manually create ACM certificates or attach them to a load balancer — this is a key operational simplicity differentiator from ALB+ECS patterns.

Common Misconceptions & Traps

Common Mistake

App Runner supports Reserved Instance pricing, similar to EC2 or RDS, which can reduce costs for predictable workloads.

Correct

App Runner has NO Reserved Instance pricing, NO Savings Plans, and NO Spot instances. It is exclusively pay-as-you-go based on active compute time (vCPU-hours and GB-memory-hours). There is no way to pre-purchase capacity at a discount.

This is the #1 pricing misconception on certification exams. Candidates familiar with EC2 Reserved Instances assume all AWS compute services offer similar pricing tiers. For predictable, high-utilization workloads, ECS on Fargate with Compute Savings Plans may actually be more cost-effective than App Runner. The exam tests whether you know App Runner's pricing model is fundamentally different.

Common Mistake

ECS on Fargate Spot is always more cost-effective than App Runner for containerized APIs because Spot pricing offers up to 70% savings.

Correct

Fargate Spot CAN be cheaper per compute unit, but it introduces interruption risk — Spot tasks can be reclaimed by AWS with a 2-minute warning. For latency-sensitive APIs that cannot tolerate interruptions, App Runner's consistent pricing and scale-to-zero capability may deliver better total cost of ownership. The right answer depends on workload characteristics, not just the per-hour rate.

Exam scenarios often present Fargate Spot as the obvious cost winner. The trap is ignoring interruption risk and the operational complexity of handling Spot terminations. App Runner's scale-to-zero is the actual cost optimization lever — idle App Runner services cost nothing, while Fargate Spot tasks still cost money when running.

Common Mistake

Elastic Beanstalk can scale to zero instances to eliminate overnight costs, just like App Runner.

Correct

Elastic Beanstalk CANNOT scale to zero. It always maintains at least one EC2 instance running (the web tier), which incurs continuous compute costs. App Runner is unique among AWS application deployment services in supporting true scale-to-zero for HTTP workloads.

This misconception causes candidates to choose Elastic Beanstalk for cost-optimization scenarios when App Runner is the correct answer. The key differentiator: if the exam question mentions 'eliminate costs when no traffic' or 'scale to zero,' App Runner is the answer, not Beanstalk.

Common Mistake

You should provision App Runner instances to handle peak traffic load, just like sizing EC2 instances for maximum expected demand.

Correct

App Runner instances should be sized for a SINGLE concurrent request, not peak load. Peak load is handled automatically by scaling OUT (adding more instances) based on concurrent requests per instance. Overprovisioning instance size wastes money without improving throughput — the correct lever is adjusting the maximum instance count and the concurrent requests per instance threshold.

Candidates with EC2 background think 'bigger instance = more capacity.' In App Runner's horizontal scaling model, a fleet of smaller right-sized instances is more cost-effective and resilient than a few over-provisioned large instances. This is tested in cost optimization and architecture design scenarios.

Common Mistake

GuardDuty provides the audit trail for App Runner API changes needed for compliance requirements.

Correct

AWS CloudTrail provides the API audit trail for App Runner (and all AWS services) — it logs who called which API, when, and from where. GuardDuty is a threat detection service that identifies anomalous behavior and potential security threats. For compliance audit requirements (SOC2, PCI-DSS), you need CloudTrail, not GuardDuty.

GuardDuty vs. CloudTrail confusion appears frequently across multiple exam domains. Remember: CloudTrail = 'who did what' (audit log); GuardDuty = 'something suspicious is happening' (threat detection). A compliance auditor asking 'who deleted the App Runner service?' needs CloudTrail. A security team asking 'is someone trying to exfiltrate data?' needs GuardDuty.

Common Mistake

App Runner's VPC connector allows external users to access App Runner services through a private VPC endpoint.

Correct

VPC connectors provide OUTBOUND connectivity FROM App Runner TO private VPC resources (like RDS, ElastiCache, or internal services). Inbound traffic to App Runner services ALWAYS flows through App Runner's managed public HTTPS endpoint — VPC connectors do not create private inbound access paths.

This architectural misconception leads to incorrect network designs. If you need truly private inbound access to App Runner (no public internet exposure), you would need to architect a proxy layer in your VPC. For most use cases, App Runner's public HTTPS endpoint with WAF is the correct and simpler approach.

Memory Tricks

🧠

SCALE mnemonic for App Runner advantages: S=Scale-to-zero, C=Container or Code source, A=Automatic TLS, L=Load balancing managed, E=Elastic horizontal scaling — all without touching infrastructure.

🧠

TWO ROLES rule: 'A for Access = App Runner pulls from ECR; I for Instance = your app Instance calls AWS APIs.' If the app can't reach S3, fix the Instance role. If App Runner can't pull the image, fix the Access role.

🧠

App Runner vs Beanstalk cost: 'Runner runs away from cost (scales to zero); Beanstalk always has a stalk standing (minimum 1 EC2 always running).'

🧠

CloudTrail vs GuardDuty: 'Trail = tracks footprints (audit log of API calls); Guard = guards the door (detects threats).' Compliance audit = Trail. Security anomaly = Guard.

CertAI Tutor · SAP-C02, DEA-C01, DOP-C02 · 2026-02-21

Ready to test your knowledge?

Practice SAP-C02, DEA-C01, DOP-C02 exam questions with AI-powered explanations — free to start.

AWS App Runner: The Zero-Ops Container Launcher

Overview

Key Features

Integration Patterns

Service Limits & Quotas

Pricing Model

Exam Tips

Common Misconceptions & Traps

Memory Tricks

Ready to test your knowledge?

Related Cheat Sheets