Unable to Deploy Application to App Engine Flexible Environment with a Shared VPC

I am unable to deploy a Dockerized application to the App Engine flexible environment (AEF) in a Google Cloud Platform (GCP) project using a configured Shared Virtual Private Cloud (XPN).

In other words, my application has the following app.yaml:

automatic_scaling:
  max_num_instances: 1
  min_num_instances: 1
env: flex
network:
  instance_tag: incorrect-target-tag
  name: projects/$GCP_PROJECT_ID/global/networks/$XPN_NETWORK_NAME
service: $AEF_APPLICATION_NAME

and, having confirmed the Docker image name and tag in Google Container Registry (GCR):

gcloud container images list-tags \
us.gcr.io/$GCP_PROJECT_NAME/$AEF_APPLICATION_NAME \
--flatten=tags \
--format='value(format("us.gcr.io/$GCP_PROJECT_NAME/$AEF_APPLICATION_NAME:{0}", tags))' \
--project=$GCP_PROJECT_NAME

#=>

. . .
us.gcr.io/$GCP_PROJECT_NAME/$AEF_APPLICATION_NAME:$DOCKER_IMAGE_TAG
. . .

the deployment to AEF fails:

yes | gcloud app deploy \
--appyaml=./app.yaml \
--image-url=us.gcr.io/$GCP_PROJECT_NAME/$AEF_APPLICATION_NAME:$DOCKER_IMAGE_TAG

#=>

Services to deploy:

descriptor:                  [/. . ./app.yaml]
source:                      [/. . ./$AEF_APPLICATION_NAME]
target project:              [$GCP_PROJECT_NAME]
target service:              [$AEF_APPLICATION_NAME]
target version:              [$AEF_APPLICATION_VERSION]
target url:                  [. . .]
target service account:      [App Engine default service account]

Do you want to continue (Y/n)?
Beginning deployment of service [$AEF_APPLICATION_NAME]...
WARNING: Deployment of service [$AEF_APPLICATION_NAME] will ignore the skip_files field in the configuration file, because the image has already been built.
Updating service [$AEF_APPLICATION_NAME] (this may take several minutes)...
.............................................................failed.

ERROR: (gcloud.app.deploy) Error Response: [13] Flex operation projects/$GCP_PROJECT_NAME/regions/$AEF_APPLICATION_REGION/operations/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx error [INTERNAL]: An internal error occurred while processing task /app-engine-flex/insert_flex_deployment/flex_create_resources>1970-01-01T00:00:00.001Z000001.jc.2: <eye3 title='FAILED_PRECONDITION'/> generic::FAILED_PRECONDITION: Validation error: The App Engine flexible Environment Service Agent is unable to find a suitable Flex Firewall Rule in network '$XPN_NETWORK_NAME' in project '$GCP_PROJECT_ID'. Have the Shared VPC Admin create a Flex Firewall Rule as described in https://cloud.google.com/appengine/docs/flexible/python/using-shared-vpc

with the following Virtual Private Cloud (VPC) firewall rule in place to allow AEF communication over the XPN:

gcloud compute firewall-rules list \
--filter="allowed[].ports=(8443) AND allowed[].ports=(10402)" \
--project=$GCP_PROJECT_NAME

#=>

NAME          NETWORK            DIRECTION  PRIORITY  ALLOW               DENY  DISABLED
aef-instance  $XPN_NETWORK_NAME  INGRESS    1000      tcp:8443,tcp:10402        False

To show all fields of the firewall, please show in JSON format: --format=json
To show all fields in table format, please see the examples in --help.

gcloud compute firewall-rules describe \
aef-instance \
--format=yaml \
--project=$GCP_PROJECT_NAME

#=>

allowed:
- IPProtocol: tcp
  ports:
  - '8443'
  - '10402'
creationTimestamp: '1970-01-01T00:00:00.000-01:00'
description: allows traffic between aef and xpn
direction: INGRESS
disabled: false
id: 'xxxxxxxxxxxxxxxxxxx'
kind: compute#firewall
logConfig:
  enable: false
name: aef-instance
network: https://www.googleapis.com/compute/v1/projects/$GCP_PROJECT_NAME/global/networks/$XPN_NETWORK_NAME
priority: 1000
selfLink: https://www.googleapis.com/compute/v1/projects/$GCP_PROJECT_NAME/global/firewalls/aef-instance
sourceRanges:
- 35.191.0.0/16
- 130.211.0.0/22
targetTags:
- incorrect-target-tag

Note: this rule is required for any AEF application to work with an XPN, as described here.

Following the guide for connecting AEF and XPN here, the target tag of the VPC firewall rule aef-instance must be aef-instance. Update the VPC firewall rule aef-instance with the correct target tag:

gcloud compute firewall-rules update \
aef-instance \
--project=$GCP_PROJECT_NAME \
--target-tags=aef-instance

#=>

Updated [https://www.googleapis.com/compute/v1/projects/$GCP_PROJECT_NAME/global/firewalls/aef-instance].

and you will be able to redeploy to AEF without the validation error.

Note: changing the target tag in app.yaml is not required. The AEF application will be able to communicate over the configured XPN as long as a firewall rule exists that exactly meets these criteria, regardless of the tag specified in app.yaml.
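The validation error above only surfaces minutes into `gcloud app deploy`, so it is worth checking the Shared VPC host project's rule before deploying. The following is an added example, not code from the original post or from Google: a POSIX shell function that reads the YAML printed by `gcloud compute firewall-rules describe RULE --format=yaml` and reports which of the Flex Firewall Rule criteria shown in this post (INGRESS, enabled, tcp ports 8443 and 10402, source ranges 35.191.0.0/16 and 130.211.0.0/22, target tag aef-instance) the rule misses. The two sample rules embedded below are constructed from the `describe` output in the post; `HOST_PROJECT` in the comments is an assumed variable name for the Shared VPC host project.

```shell
#!/bin/sh
# Pre-flight check for the App Engine flexible environment "Flex Firewall Rule"
# in a Shared VPC (XPN) network. Added example, not from the original post.
#
# Usage (assumes gcloud is installed and authenticated, and HOST_PROJECT is the
# Shared VPC host project that owns the network):
#   gcloud compute firewall-rules describe aef-instance --format=yaml \
#       --project="$HOST_PROJECT" | check_flex_firewall_rule
#
# Reads the YAML on stdin, prints one FAIL line per missing criterion and exits 1,
# or prints OK and exits 0.
check_flex_firewall_rule() {
  awk '
    { gsub("\047", "") }                 # drop YAML quoting so the port list reads 8443, not "8443"
    /^[A-Za-z]/ { key = $1 }             # remember the current top-level key (allowed:, targetTags:, ...)
    key == "direction:"    && $2 == "INGRESS"                     { ingress = 1 }
    key == "disabled:"     && $2 == "false"                       { enabled = 1 }
    key == "allowed:"      && $2 == "IPProtocol:" && $3 == "tcp"  { tcp = 1 }
    key == "allowed:"      && $1 == "-" && $2 == "8443"           { p8443 = 1 }
    key == "allowed:"      && $1 == "-" && $2 == "10402"          { p10402 = 1 }
    key == "sourceRanges:" && $1 == "-" && $2 == "35.191.0.0/16"  { r1 = 1 }
    key == "sourceRanges:" && $1 == "-" && $2 == "130.211.0.0/22" { r2 = 1 }
    key == "targetTags:"   && $1 == "-" && $2 == "aef-instance"   { tag = 1 }
    END {
      if (!ingress) print "FAIL: direction must be INGRESS"
      if (!enabled) print "FAIL: rule is disabled"
      if (!tcp)     print "FAIL: allowed protocol must include tcp"
      if (!p8443)   print "FAIL: allowed tcp ports must include 8443"
      if (!p10402)  print "FAIL: allowed tcp ports must include 10402"
      if (!r1)      print "FAIL: sourceRanges must include 35.191.0.0/16"
      if (!r2)      print "FAIL: sourceRanges must include 130.211.0.0/22"
      if (!tag)     print "FAIL: targetTags must include aef-instance"
      ok = ingress && enabled && tcp && p8443 && p10402 && r1 && r2 && tag
      if (ok) print "OK: rule satisfies the Flex Firewall Rule criteria"
      if (ok) exit 0
      exit 1
    }'
}

# Constructed sample: the rule from the post as originally deployed. Everything is
# right except the target tag, which is why the service agent rejected it.
BROKEN_RULE=$(cat <<'EOF'
allowed:
- IPProtocol: tcp
  ports:
  - '8443'
  - '10402'
direction: INGRESS
disabled: false
logConfig:
  enable: false
name: aef-instance
sourceRanges:
- 35.191.0.0/16
- 130.211.0.0/22
targetTags:
- incorrect-target-tag
EOF
)

# Constructed sample: the same rule after
#   gcloud compute firewall-rules update aef-instance --target-tags=aef-instance
FIXED_RULE=$(printf '%s\n' "$BROKEN_RULE" | sed 's/^- incorrect-target-tag$/- aef-instance/')

echo "== rule as deployed (targetTags: incorrect-target-tag) =="
printf '%s\n' "$BROKEN_RULE" | check_flex_firewall_rule \
  || echo "=> gcloud app deploy would fail with FAILED_PRECONDITION"

echo "== rule after updating --target-tags=aef-instance =="
printf '%s\n' "$FIXED_RULE" | check_flex_firewall_rule
```

The check keys on the top-level YAML key it is currently inside, so `enable: false` under `logConfig` is not mistaken for `disabled: false`, and `aef-instance` is only accepted when it appears inside `targetTags`. Run it against the host project before `gcloud app deploy`; a FAIL line tells the Shared VPC Admin exactly which field to fix.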