feat(apprunner): support vpc ingress connection

packages/@aws-cdk/aws-apprunner-alpha/README.md

@@ -201,6 +201,43 @@ new apprunner.Service(this, 'Service', {
 });
 ```
 
+## VPC Ingress Connection
+
+To make your App Runner service private and only accessible from within a VPC use the `isPubliclyAccessible` property and associate it to a `VpcIngressConnection` resource.
+
+To set up a `VpcIngressConnection`, specify a VPC, a VPC Interface Endpoint, and the App Runner service.
+Also you must set `isPubliclyAccessible` property in ther `Service` to `false`.
+
+For more information, see [Enabling Private endpoint for incoming traffic](https://docs.aws.amazon.com/apprunner/latest/dg/network-pl.html).
+
+```typescript
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+
+declare const vpc: ec2.Vpc;
+
+const interfaceVpcEndpoint = new ec2.InterfaceVpcEndpoint(this, 'MyVpcEndpoint', {
+  vpc,
+  service: ec2.InterfaceVpcEndpointAwsService.APP_RUNNER_REQUESTS,
+  privateDnsEnabled: false,
+});
+
+const service = new apprunner.Service(this, 'Service', {
+  source: apprunner.Source.fromEcrPublic({
+    imageConfiguration: {
+      port: 8000,
+    },
+    imageIdentifier: 'public.ecr.aws/aws-containers/hello-app-runner:latest',
+  }),
+  isPubliclyAccessible: false, // set false
+});
+
+new apprunner.VpcIngressConnection(this, 'VpcIngressConnection', {
+  vpc,
+  interfaceVpcEndpoint,
+  service,
+});
+```
+
 ## Dual Stack
 
 To use dual stack (IPv4 and IPv6) for your incoming public network configuration, set `ipAddressType` to `IpAddressType.DUAL_STACK`.

packages/@aws-cdk/aws-apprunner-alpha/lib/index.ts

@@ -3,3 +3,4 @@ export * from './auto-scaling-configuration';
 export * from './observability-configuration';
 export * from './service';
 export * from './vpc-connector';
+export * from './vpc-ingress-connection';

packages/@aws-cdk/aws-apprunner-alpha/lib/service.ts

@@ -732,6 +732,15 @@ export interface ServiceProps {
    */
   readonly vpcConnector?: IVpcConnector;
 
+  /**
+   * Specifies whether your App Runner service is publicly accessible.
+   *
+   * If you use `VpcIngressConnection`, you must set this property to `false`.
+   *
+   * @default true
+   */
+  readonly isPubliclyAccessible?: boolean;
+
   /**
    * Settings for the health check that AWS App Runner performs to monitor the health of a service.
    *
@@ -1310,6 +1319,7 @@ export class Service extends cdk.Resource implements iam.IGrantable {
           egressType: this.props.vpcConnector ? 'VPC' : 'DEFAULT',
           vpcConnectorArn: this.props.vpcConnector?.vpcConnectorArn,
         },
+        ingressConfiguration: props.isPubliclyAccessible !== undefined ? { isPubliclyAccessible: props.isPubliclyAccessible } : undefined,
         ipAddressType: this.props.ipAddressType,
       },
       healthCheckConfiguration: this.props.healthCheck ?

packages/@aws-cdk/aws-apprunner-alpha/lib/vpc-ingress-connection.ts

@@ -0,0 +1,168 @@
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as cdk from 'aws-cdk-lib/core';
+import { Construct } from 'constructs';
+import { IService } from './service';
+import { CfnVpcIngressConnection } from 'aws-cdk-lib/aws-apprunner';
+
+/**
+ * Properties of the AppRunner VPC Ingress Connection
+ */
+export interface VpcIngressConnectionProps {
+  /**
+   * The name for the VPC Ingress Connection.
+   *
+   * @default - a name generated by CloudFormation
+   */
+  readonly vpcIngressConnectionName?: string;
+
+  /**
+   * The service to connect.
+   */
+  readonly service: IService;
+
+  /**
+   * The VPC for the VPC Ingress Connection.
+   */
+  readonly vpc: ec2.IVpc;
+
+  /**
+   * The VPC Interface Endpoint for the VPC Ingress Connection.
+   */
+  readonly interfaceVpcEndpoint: ec2.IInterfaceVpcEndpoint;
+}
+
+/**
+ * Attributes for the App Runner VPC Ingress Connection
+ */
+export interface VpcIngressConnectionAttributes {
+  /**
+   * The Amazon Resource Name (ARN) of the VPC Ingress Connection.
+   */
+  readonly vpcIngressConnectionArn: string;
+
+  /**
+   * The name of the VPC Ingress Connection.
+   */
+  readonly vpcIngressConnectionName: string;
+
+  /**
+   * The domain name associated with the VPC Ingress Connection resource.
+   */
+  readonly domainName: string;
+
+  /**
+   * The current status of the VPC Ingress Connection.
+   */
+  readonly status: string;
+}
+
+/**
+ * Represents the App Runner VPC Ingress Connection.
+ */
+export interface IVpcIngressConnection extends cdk.IResource {
+  /**
+   * The Amazon Resource Name (ARN) of the VPC Ingress Connection.
+   * @attribute
+   */
+  readonly vpcIngressConnectionArn: string;
+
+  /**
+    * The name of the VPC Ingress Connection.
+    * @attribute
+    */
+  readonly vpcIngressConnectionName: string;
+}
+
+/**
+ * The App Runner VPC Ingress Connection
+ *
+ * @resource AWS::AppRunner::VpcIngressConnection
+ */
+export class VpcIngressConnection extends cdk.Resource implements IVpcIngressConnection {
+  /**
+   * Import from VPC Ingress Connection from attributes.
+   */
+  public static fromVpcIngressConnectionAttributes(scope: Construct, id: string, attrs: VpcIngressConnectionAttributes): IVpcIngressConnection {
+    const vpcIngressConnectionArn = attrs.vpcIngressConnectionArn;
+    const domainName = attrs.domainName;
+    const status = attrs.status;
+    const vpcIngressConnectionName = attrs.vpcIngressConnectionName;
+
+    class Import extends cdk.Resource implements IVpcIngressConnection {
+      public readonly vpcIngressConnectionArn = vpcIngressConnectionArn;
+      public readonly domainName = domainName;
+      public readonly status = status;
+      public readonly vpcIngressConnectionName = vpcIngressConnectionName;
+    }
+
+    return new Import(scope, id);
+  }
+
+  /**
+   * Imports an App Runner VPC Ingress Connection from its ARN
+   */
+  public static fromArn(scope: Construct, id: string, vpcIngressConnectionArn: string): IVpcIngressConnection {
+    const resourceParts = cdk.Fn.split('/', vpcIngressConnectionArn);
+
+    const vpcIngressConnectionName = cdk.Fn.select(0, resourceParts);
+
+    class Import extends cdk.Resource implements IVpcIngressConnection {
+      public readonly vpcIngressConnectionName = vpcIngressConnectionName;
+      public readonly vpcIngressConnectionArn = vpcIngressConnectionArn;
+    }
+
+    return new Import(scope, id);
+  }
+
+  /**
+   * The ARN of the VPC Ingress Connection.
+   * @attribute
+   */
+  readonly vpcIngressConnectionArn: string;
+
+  /**
+   * The domain name associated with the VPC Ingress Connection resource.
+   * @attribute
+   */
+  readonly domainName: string;
+
+  /**
+   * The current status of the VPC Ingress Connection.
+   * @attribute
+   */
+  readonly status: string;
+
+  /**
+   * The name of the VPC Ingress Connection.
+   * @attribute
+   */
+  readonly vpcIngressConnectionName: string;
+
+  public constructor(scope: Construct, id: string, props: VpcIngressConnectionProps) {
+    super(scope, id, {
+      physicalName: props.vpcIngressConnectionName,
+    });
+
+    if (
+      props.vpcIngressConnectionName !== undefined &&
+      !cdk.Token.isUnresolved(props.vpcIngressConnectionName) &&
+      !/^[A-Za-z0-9][A-Za-z0-9\-_]{3,39}$/.test(props.vpcIngressConnectionName)
+    ) {
+      throw new Error(`vpcIngressConnectionName must match the \`^[A-Za-z0-9][A-Za-z0-9\-_]{3,39}\` pattern, got ${props.vpcIngressConnectionName}`);
+    }
+
+    const resource = new CfnVpcIngressConnection(this, 'Resource', {
+      ingressVpcConfiguration: {
+        vpcEndpointId: props.interfaceVpcEndpoint.vpcEndpointId,
+        vpcId: props.vpc.vpcId,
+      },
+      serviceArn: props.service.serviceArn,
+      vpcIngressConnectionName: this.physicalName,
+    });
+
+    this.vpcIngressConnectionArn = resource.attrVpcIngressConnectionArn;
+    this.vpcIngressConnectionName = resource.ref;
+    this.domainName = resource.attrDomainName;
+    this.status = resource.attrStatus;
+  }
+}