docs: add vpc connector for rdws (#3253)

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the Apache 2.0 License.

site/content/docs/concepts/services.en.md

@@ -29,7 +29,11 @@ If you want your service to serve internet traffic then you have two options:
   security groups, an ECS service on Fargate to run your service.
 
 #### Request-Driven Web Service
-An AWS App Runner service that autoscales your instances based on incoming traffic and scales down to a baseline instance when there's no traffic. This option is more cost effective for HTTP services with sudden bursts in request volumes or low request volumes.
+An AWS App Runner service that autoscales your instances based on incoming traffic and scales down to a baseline instance when there's no traffic. 
+This option is more cost effective for HTTP services with sudden bursts in request volumes or low request volumes.
+
+Unlike ECS, App Runner services are not connected by default to a VPC. In order to route egress traffic through a VPC, 
+you can configure the [`network`](../manifest/rd-web-service.en.md#network) field in the manifest.
 
 #### Load Balanced Web Service
 An ECS Service running tasks on Fargate with an Application Load Balancer, a Network Load Balancer or both, as ingress. 

site/content/docs/manifest/rd-web-service.en.md

@@ -5,7 +5,6 @@ List of all available properties for a `'Request-Driven Web Service'` manifest.
     ```yaml
     # Your service name will be used in naming your resources like log groups, App Runner services, etc.
     name: frontend
-    # The "architecture" of the service you're running.
     type: Request-Driven Web Service
 
     http:
@@ -21,10 +20,13 @@ List of all available properties for a `'Request-Driven Web Service'` manifest.
     image:
       build: ./frontend/Dockerfile
       port: 80
-
     cpu: 1024
     memory: 2048
 
+    network:
+      vpc:
+        placement: 'private'
+
     variables:
       LOG_LEVEL: info
 
@@ -137,6 +139,24 @@ Amount of memory in MiB reserved for each instance of your service. See the [AWS
 
 <div class="separator"></div>
 
+<a id="network" href="#network" class="field">`network`</a> <span class="type">Map</span>      
+The `network` section contains parameters for connecting the service to AWS resources in the environment's VPC.  
+By connecting the service to a VPC, you can use [service discovery](../developing/service-discovery.en.md) to communicate with other services
+in your environment, or connect to a database in your VPC such as Amazon Aurora with [`storage init`](../commands/storage-init.en.md).
+
+<span class="parent-field">network.</span><a id="network-vpc" href="#network-vpc" class="field">`vpc`</a> <span class="type">Map</span>    
+Subnets in the VPC to route egress traffic from the service.
+
+<span class="parent-field">network.vpc.</span><a id="network-vpc-placement" href="#network-vpc-placement" class="field">`placement`</a> <span class="type">String</span>  
+The only valid option today is `'private'`. If you prefer the service not to be connected to a VPC, you can remove the `network` field.
+
+When the placement is `'private'`, the App Runner service routes egress traffic through the private subnets of the VPC.  
+If you use a Copilot-generated VPC, Copilot will automatically add NAT Gateways to your environment for internet connectivity. (See [pricing](https://aws.amazon.com/vpc/pricing/).)
+Alternatively, when running `copilot env init`, you can import an existing VPC with NAT Gateways, or one with VPC endpoints 
+for isolated workloads. See our [custom environment resources](../developing/custom-environment-resources.en.md) page for more.
+
+<div class="separator"></div>
+
 <a id="command" href="#command" class="field">`command`</a> <span class="type">String</span>  
 Optional. Override the default command in the image.