Serverless App Engine (SAE) allows you to deploy applications by using images. However, if you use a Container Registry Enterprise Edition instance to deploy applications by using images, you must take note of the limits. This topic describes the process and usage notes for deploying SAE applications by using Container Registry Enterprise Edition.
Background information
Container Registry Enterprise Edition can help enterprises host and distribute Open Container Initiative (OCI)-compliant artifacts such as container images, Helm charts, and Operators in a secure and efficient manner. Container Registry Enterprise Edition enhances the efficiency of large-scale distribution in production environments, global multi-region distribution, and cloud-native DevSecOps workflows. Before you use Container Registry Enterprise Edition to host and distribute your cloud-native assets, you must create a Container Registry Enterprise Edition instance. For more information, see What is Container Registry?
SAE allows you to deploy applications by using images, including images from your Alibaba Cloud account, private images from other Alibaba Cloud accounts, demo images, and public images. For more information, see Images.
Workflow
The first time you use Container Registry Enterprise Edition to deploy an SAE application, you must first create an Enterprise Edition instance in the Container Registry console. For more information, see Create a Container Registry Enterprise Edition instance. After you create the instance, you must bind the Virtual Private Cloud (VPC) and vSwitch of the SAE application to it.
To address the limits on using Container Registry Enterprise Edition, we recommend that you perform the following steps to create or deploy an SAE application to prevent multiple redirects to each console. For more information, see Usage notes.
Usage notes
When you create or deploy an SAE application by using Container Registry Enterprise Edition in the SAE console, the configuration may fail due to the following issues. You can refer to the note in the Configure Image section of the Deployment Configurations page to configure Container Registry Enterprise Edition for the application.
The Resource Access Management (RAM) user lacks access permissions on Container Registry Enterprise Edition.
To resolve this issue, grant the required permissions to the RAM user. For more information, see RAM authentication rules.
VPC matching issues
No VPC is bound to the SAE application or the application uses a system-configured VPC.
Only custom VPCs are supported. You must allow access to the Container Registry Enterprise Edition instance over VPCs. For more information, see Configure a VPC ACL. After you configure a VPC in the Container Registry console, bind the VPC when you create or deploy an SAE application.
Create an application: In the Basic Information step, set the VPC parameter to Custom Configuration.
Deploy an application: On the Basic Information tab of the Namespace Details page, change the VPC. For more information, see Change the VPC of a namespace.
A VPC is bound to the SAE application.
The VPC differs from the one bound to the Container Registry Enterprise Edition instance.
You can change the VPC bound to the SAE application or the Container Registry Enterprise Edition instance to ensure that they use the same VPC. For more information, see Configure a VPC for a Container Registry Enterprise Edition instance and Configure a VPC for an SAE application.
The VPC is also bound to the Container Registry Enterprise Edition instance. However, the vSwitch of the SAE application does not reside in the zone recommended by SAE.
NoteA vSwitch corresponds to a recommended zone. Before you create or deploy an application, we recommend that you call the DescribeRegions operation to query the recommended zones for the vSwitch in a region. For more information, see Change a vSwitch.
The SAE application and Container Registry Enterprise Edition instance use different VPCs.
For example, you use a cloud service, such as Cloud Enterprise Network (CEN), to connect VPC A of SAE to VPC B of the Container Registry Enterprise Edition instance in the same region or across regions. VPC A and VPC B belong to the same Alibaba Cloud account. In this case, you can use one of the following methods to deploy the SAE application:
Call the DeployApplication operation to set the AcrInstanceId parameter to deploy the SAE application across VPCs. For more information, see DeployApplication.
Test VPC access to the image repository
You can select an application in the same VPC, log on to the instance by using a web shell, and run the ping or curl https command to check whether the VPC can access the image repository. For more information, see Display the webshell window in full screen.
Deploy an SAE application across Alibaba Cloud accounts
For information, see Pull Alibaba Cloud images across accounts.
Deploy an SAE application
After you complete the preceding preparations, you can select a programming language and host the application in SAE. For more information, see the following topics: