
Serverless App Engine: Deploy applications using ACR images across accounts

Last Updated: Nov 10, 2025

When SAE and ACR belong to different accounts, first ensure network connectivity between the SAE application and the ACR instance. Next, configure the authorization credentials required to access the ACR instance. Finally, specify the image repository address to deploy the application.

Before you start

Ensure network connectivity between the SAE application and ACR instance

You need to establish cross-VPC network connectivity, or enable a public NAT Gateway for the VPC where the application resides. For ACR Enterprise Edition instances, you also need to add the VPC CIDR block of the SAE application, or the Elastic IP Address bound to the NAT Gateway, to the whitelist of the ACR instance.

How to view the VPC where the SAE applications reside

Before deploying an application, decide on its region and namespace, which determine the VPC.

  1. Log on to the SAE console, select a region at the top, and choose Namespace in the left-side navigation pane.

  2. Click the target namespace in the list, choose Basic Information in the left-side navigation pane, and click the link for Virtual Private Cloud VPC to view information such as the VPC ID.

Configure authorization information to access the ACR instance

You can use either Static Username And Password or RAM Role for authorization.

Static username and password

Create a Secret to store the username and password of the image repository: On the Namespace page, select the target region, click the target namespace, choose Secret in the left-side navigation pane, and click Create.

  • For Type, select Private Image Repository Logon Key.

  • In Image Repository Address, enter the public domain name of ACR, for example, ACR Personal Edition: registry.cn-xx.aliyuncs.com; ACR Enterprise Edition: xx-registry.cn-xx.cr.aliyuncs.com. Enter the Username and Password required to log on to the image repository.

How to view the username and password required to log on to the image repository

RAM role

SAE can pull Alibaba Cloud images across accounts through RAM role assumption, which means user A (the account deploying the SAE application) assumes the role of user B (the account owning the ACR image) to pull user B's private images.

  1. Create a RAM role: Use user B's Alibaba Cloud account to create a RAM role for user A. For specific operations, see Create a RAM role for a trusted Alibaba Cloud account.

  2. Configure access policy: Create a custom policy or modify an existing custom policy, and add the following policy content to allow operations related to private images.

    {
      "Version": "1",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "cr:GetAuthorizationToken",
                  "cr:ListInstanceEndpoint",
                  "cr:PullRepository",
                  "cr:GetRepository",
                  "cr:ListRepositoryTag"
              ],
              "Resource": "*"
          }
      ]
    }
  3. Grant the policy to the RAM role: Grant the policy configured in step 2 to the RAM role created in step 1. For specific operations, see Grant permissions to a RAM role.

  4. Modify the trusted entity of the RAM role: Change the trusted entity of the RAM role created in step 1 to the SAE service account by modifying the following trust policy. For specific operations, see Modify the trust policy of a RAM role.

    Before modification

    {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                    "RAM": [
                        "acs:ram::123456789012****:root"
                    ]
                }
            }
        ],
        "Version": "1"
    }

    This RAM role can be assumed by any authorized RAM user or RAM role under the Alibaba Cloud account (AccountID=123456789012****).

    After modification

    {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "123456789012****@sae.aliyuncs.com"
            ]
          }
        }
      ],
      "Version": "1"
    }

    This RAM role can only be assumed by the SAE service account (123456789012****@sae.aliyuncs.com) corresponding to the Alibaba Cloud account (AccountID=123456789012****).

    Note

    In this example, Service is the service that needs to pull images across accounts.

  5. Copy the ARN: On the Basic Information page of the RAM role, copy the ARN with one click. This is the acrAssumeRoleArn that you need to fill in when deploying the application later.

Procedure

  1. Log on to the SAE console, choose Applications > Applications in the left-side navigation pane, select a deployment region at the top, and then click Create Application.

    If Applications > Applications is not in the navigation bar, choose Applications > Microservice Applications.
  2. Select an application version.

    Important

    Lightweight Edition and Professional Edition are currently in the invitation-only testing phase. For users who are not participating in invitation-only testing, the created application is Standard Edition, and you do not need to select an application version.

    • Lightweight Edition: Provides the minimum set of functions required for application operation and does not support the Application Monitoring and Microservice Governance functions.

    • Standard Edition: Comes with Basic Application Monitoring functions. Advanced Application Monitoring and Microservice Governance functions require additional activation and purchase.

    • Professional Edition: Comes with Advanced Application Monitoring and Microservice Governance functions. No additional activation or purchase is required.

  3. On the Create Application page, customize the Application Name, and configure the following parameters.

    1. Select the Namespace to which the application belongs. Namespace is equivalent to K8s Namespace and can be used for resource isolation in different environments. After an application is created, you cannot change its namespace.

      • System Created: Use the default namespace, vSwitch, and security group created by the system in the current region.

      • Existing Namespace: Select the namespace, vSwitch, and security group that you created in advance.

    2. Set Application Deployment Method to Select Image To Deploy, and click Set Image on the right. On the Private Images From Other Alibaba Cloud Accounts tab, configure the following information.

      • Select your ACR image service version, then choose one of the following authorization methods. For ACR Enterprise Edition, you also need to enter the Enterprise Edition Instance ID.

        • Static Username And Password: You need to select the previously created Secret That Stores The Image Repository Username And Password.

        • RAM Role: You need to enter the previously copied acrAssumeRoleArn.

      • Enter the Complete Image Repository Address, which is in the format <Image repository address>:<Image Tag>, for example: ACR Personal Edition: registry.cn-xx.aliyuncs.com/xx/xx:1.0; ACR Enterprise Edition: xx-registry.cn-xx.cr.aliyuncs.com/xx/xx:1.0. Note: You need to decide whether to use the public or private image repository address based on your actual network configuration.

      • For ACR Enterprise Edition, you can enable the image acceleration feature to improve application startup speed.

    3. In the Capacity Settings section, configure Single Instance Type and Instances.

  4. (Optional) Click Next: Advanced Settings to configure the required features.

    • Startup Command

      The application's startup command depends on the CMD or ENTRYPOINT set in the image. No additional configuration is required in SAE. You can customize startup commands to overwrite the pre-set startup command in the image.

    • Runtime environment and lifecycle management

    • Network access and service invocation

    • Data persistence

      Store application data in NAS, OSS, or database to prevent data loss due to application changes or shutdowns. Note that NAS, OSS, and databases require additional fees.

    • Logs and monitoring

      • After deploying an application, you can view real-time logs and view resource usage and payload without additional configuration. In addition, you can output logs to SLS or Kafka for unified management and analysis. Note that SLS and Kafka require additional fees.

      • ARMS Monitoring helps you get the application running status, quickly pinpoint error interfaces and slow interfaces, gain insight into performance bottlenecks, and reproduce call parameters, thereby greatly improving the efficiency of online problem diagnosis.

        • For Standard Edition applications, you can view ARMS Basic Edition monitoring data after deployment without additional configuration. You can also activate and purchase ARMS Pro monitoring.

        • For Professional Edition applications, enable Application Monitoring in Advanced Settings and complete application deployment. You can then View ARMS Pro Monitoring Data. No additional fees are required.

    • Other features

      • Microservice Governance enables Lossless Online And Offline, Traffic Protection, End-to-end Grayscale, and Same-zone Routing Priority for Java applications.

        • For Standard Edition applications, go to the application details page after completing application deployment to activate and purchase MSE Microservice Governance features.

        • For Professional Edition applications, enable Microservice Governance in Advanced Settings. You can then configure Lossless Online And Offline. To configure more features, go to the application details page after completing application deployment. No additional fees are required.

      • Enable the CPU Burst feature to avoid the resource waste caused when the startup loading phase requires more CPU than usual (only applicable to Standard Edition and Professional Edition).

      • Add Sidecar containers to decouple non-business functions from the main container and standardize them.

  5. Click Create Application.

    • Creating an application takes about 1-2 minutes. You can determine whether the application is deployed successfully by viewing the change records. If the deployment fails, no application instance will be generated. Troubleshoot faults based on the error information in Change History.

    • You can view the created applications in Applications > Applications. If you need to change the application configuration after deployment, click the target application to enter its details page, and then click Deploy Application. Note that the application will automatically restart to make the new configuration take effect. Perform operations during off-peak hours to minimize impacts on your business.

    • You can log on to application instances through Webshell to interact with application instances through console commands.

    • After creating an application, you can manually adjust the number of instances and instance specifications, or automatically adjust the number of instances by configuring Auto Scaling policies. You can also reduce costs by enabling idle mode.