AgentSkillsCN

app-platform-networking

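Configure domains, routing, CORS, VPC, static IPs, and inter-service communication for DigitalOcean App Platform. Use when setting up custom domains, subdomain routing, cross-origin API access, or securing database connections.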

SKILL.md
--- frontmatter
name: app-platform-networking
version: 1.0.0
min_doctl_version: "1.82.0"
description: Configure domains, routing, CORS, VPC, static IPs, and inter-service communication for DigitalOcean App Platform. Use when setting up custom domains, subdomain routing, cross-origin API access, or secure database connectivity.
related_skills: [designer, postgres, managed-db-services]
deprecated: false

App Platform Networking Skill

Configure domains, routing, CORS, VPC, static IPs, and inter-service communication.

Quick Decision

code
What networking do you need?
├── Custom domain?
│   └── YES → See domains-dns.md
│
├── Multiple services on one domain?
│   ├── Different paths (/api, /app) → Path-based routing
│   └── Different subdomains (api.*, app.*) → Subdomain routing
│
├── Frontend calling API across origins?
│   └── YES → CORS configuration
│
├── Secure database connectivity?
│   └── YES → VPC + trusted sources
│
└── Need static outbound IP?
    └── YES → Dedicated egress

When to Use

| Scenario | Need This Skill |
|---|---|
| Starter domain only | No |
| Custom domain | Yes |
| Multiple services, different paths | Yes |
| Multiple subdomains | Yes |
| Cross-subdomain API calls (CORS) | Yes |
| Secure database access via VPC | Yes |
| Firewall allowlisting (egress IP) | Yes |

Quick Reference

| Feature | App Spec Field | Example |
|---|---|---|
| Custom domain | domains[].domain | example.com |
| Wildcard | domains[].wildcard | true |
| Path routing | ingress.rules[].match.path.prefix | /api |
| Subdomain routing | ingress.rules[].match.authority.exact | api.example.com |
| CORS | ingress.rules[].cors | See reference |
| VPC | vpc.id | UUID |
| Dedicated egress | egress.type | DEDICATED_IP |

Path-Based Routing (Quick Start)

yaml
ingress:
  rules:
    - component: { name: api }
      match: { path: { prefix: /api } }

    - component: { name: frontend }
      match: { path: { prefix: / } }

Rule order matters: list specific rules before general ones.

Full guide: See ingress-routing.md


Subdomain Routing (Quick Start)

yaml
domains:
  - domain: example.com
    type: PRIMARY
    wildcard: true
    zone: example.com

ingress:
  rules:
    - component: { name: api }
      match:
        authority: { exact: api.example.com }
        path: { prefix: / }

    - component: { name: app }
      match:
        authority: { exact: app.example.com }
        path: { prefix: / }

Full guide: See domains-dns.md


CORS (Quick Start)

yaml
ingress:
  rules:
    - component: { name: api }
      match: { path: { prefix: /api } }
      cors:
        allow_origins:
          - exact: https://app.example.com
        allow_methods: [GET, POST, PUT, DELETE, OPTIONS]
        allow_headers: [Content-Type, Authorization]
        allow_credentials: true

Note: With allow_credentials: true, use exact origins only (no regex).

Full guide: See cors-configuration.md
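
An added check, not part of the original skill, that lints a parsed app spec for the two mistakes called out above: a broad ingress rule listed before a more specific one, and allow_credentials: true combined with a non-exact origin. It assumes rules are evaluated top to bottom with the first match winning and that path prefixes match as plain string prefixes; the function names and the sample spec are constructed for illustration.

```python
# Added example: lint an App Platform spec that has already been parsed into a dict.
# Assumptions: first matching ingress rule wins; prefixes are plain string prefixes.

def _authority(rule):
    return rule.get("match", {}).get("authority", {}).get("exact")

def _prefix(rule):
    return rule.get("match", {}).get("path", {}).get("prefix", "/")

def shadowed_rules(spec):
    """Return (earlier, later) component pairs where the later rule can never match."""
    rules = spec.get("ingress", {}).get("rules", [])
    hits = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            # An earlier rule with no authority matches every host.
            same_host = _authority(earlier) in (None, _authority(later))
            if same_host and _prefix(later).startswith(_prefix(earlier)):
                hits.append((earlier["component"]["name"], later["component"]["name"]))
                break
    return hits

def credentialed_cors_issues(spec):
    """Return component names whose CORS allows credentials with a non-exact origin."""
    bad = []
    for rule in spec.get("ingress", {}).get("rules", []):
        cors = rule.get("cors") or {}
        origins = cors.get("allow_origins", [])
        # Each origin entry must use only the `exact` matcher when credentials are on.
        if cors.get("allow_credentials") and any(set(o) != {"exact"} for o in origins):
            bad.append(rule["component"]["name"])
    return bad

# Constructed sample spec: catch-all listed first, regex origin with credentials.
BAD_SPEC = {"ingress": {"rules": [
    {"component": {"name": "frontend"}, "match": {"path": {"prefix": "/"}}},
    {"component": {"name": "api"}, "match": {"path": {"prefix": "/api"}},
     "cors": {"allow_origins": [{"regex": r"https://.*\.example\.com"}],
              "allow_credentials": True}},
]}}

if __name__ == "__main__":
    print("shadowed:", shadowed_rules(BAD_SPEC))
    print("credentialed CORS with non-exact origin:", credentialed_cors_issues(BAD_SPEC))
```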


VPC + Trusted Sources (Quick Start)

yaml
vpc:
  id: your-vpc-uuid

VPC CIDR whitelisting (recommended):

bash
doctl vpcs get $VPC_ID --format IPRange  # e.g., 10.126.0.0/20
doctl databases firewalls append $CLUSTER_ID --rule ip_addr:10.126.0.0/20

| Setup | Trusted Source Rule |
|---|---|
| Public only | app:$APP_ID |
| VPC enabled | ip_addr:<vpc-cidr> |

Critical: Bindable variables return PUBLIC hostnames even with VPC. Use private URLs:

bash
doctl databases connection --private <cluster-id> --format URI

Full guide: See vpc-trusted-sources.md


Reference Files


Common Issues

| Issue | Fix |
|---|---|
| Domain not resolving | Check DNS records, allow 72h propagation |
| SSL certificate error | Add CAA records for letsencrypt.org + pki.goog |
| CORS preflight fails | Add OPTIONS to allow_methods |
| VPC connection refused | Use VPC CIDR whitelisting, not app-based rules |
| Wrong component serves | Reorder rules (specific first) |

Integration with Other Skills

  • → designer: Add domains/ingress to app spec
  • → troubleshooting: Debug DNS, CORS, VPC issues
  • → postgres: VPC connectivity for managed databases
  • → deployment: Deploy networking changes