google-cloud-platform google-cloud-compute-engine

health check not accessible GCP


I have a managed instance group in Google Cloud with one instance. I use a container image for my app. I have HTTP(S) traffic disallowed. A load balancer is pointing to it. I have set up a health check; when I SSH into the instance and do curl localhost:80/health I get a response, so the container boots up correctly. However, the load balancer shows the instance to be unhealthy. I have also set up an ingress firewall rule for the appropriate IP ranges (130.211.0.0/22, 35.191.0.0/16) and port (tcp:80). I create the instance from a template that is created with this command:

    gcloud compute instance-templates create-with-container magnificent-monolith-try4 \
      --project=my-proj \
      --machine-type=e2-micro \
      --network-interface=network=default,network-tier=PREMIUM \
      --region=europe-west1 \
      --maintenance-policy=MIGRATE \
      --service-account=XXXXX-compute@developer.gserviceaccount.com \
      --scopes=https://www.googleapis.com/auth/cloud-platform \
      --tags=lb-health-check,allow-health-check \
      --container-image=europe-west1-docker.pkg.dev/my-proj/docker-repository/magnificent-monolith:010c59f2ad7a3a6ff86339cc320785bd9cc41615 \
      --container-restart-policy=always \
      --container-env=end=dev \
      --no-shielded-secure-boot \
      --boot-disk-auto-delete \
      --boot-disk-size=10 \
      --create-disk=auto-delete=yes,mode=rw,name=try-disk,image=projects/cos-cloud/global/images/cos-stable-109-17800-147-60 \
      --shielded-vtpm \
      --shielded-integrity-monitoring

For whatever reason, when I create an instance template manually it seems to work. The only difference is under "image": for the manually created template it shows cos-stable-109-17800-147-60 and for the CLI-created template it shows cos-stable-113-18244-1-37, but I don't understand how that can make a difference for the health check accessibility.

Edit: My actual goal is to deploy a new docker-image when my app updates. Is the recommended way to achieve this to:

  1. create a new instance template with the new docker-image
  2. use rolling update in the instance groups to the new template

So my question in that case would be: how does a minimal command look to create an appropriate instance template?


Solution

  • To answer your actual question: your instance template create script seems reasonable and relatively minimal. You can also use the gcloud compute instance-groups managed set-instance-template command to perform the rollout from the command line once the instance template is created.

    As for your question about the container version, there is an issue with the specific version you listed, cos-stable-113-18244-1-37. You can search for that specific version online to find various threads complaining about it. I would recommend manually setting the image to a cos-stable-109 version, since if you do not set a version Google may push you another broken container version.
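
The two steps discussed above (create a template with the boot image pinned, then roll the group over to it), as an added example that is not part of the original question or answer. It assumes a regional managed instance group named magnificent-monolith-mig (a hypothetical name), leaves the service account and scopes at their defaults, and only prints the gcloud commands unless DRY_RUN=0 is set.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Project, region, repository and
# tags are the ones shown in the question; the group name and the choice of a
# regional group are assumptions.
PROJECT="my-proj"
REGION="europe-west1"
MIG="magnificent-monolith-mig"            # hypothetical group name
APP="magnificent-monolith"
REPO="europe-west1-docker.pkg.dev/${PROJECT}/docker-repository/${APP}"
COS_IMAGE="cos-stable-109-17800-147-60"   # boot image pinned, per the answer

# Print the command when DRY_RUN=1 (the default); execute it when DRY_RUN=0.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Template names allow lowercase letters, digits and hyphens, so a short
# commit SHA works as a unique suffix.
template_name() {
  printf '%s-%s' "$APP" "$(printf '%s' "$1" | cut -c1-12)"
}

# $1 = container image tag (for example the git commit SHA of the build).
# --image/--image-project select the boot disk image of the VM.
create_template() {
  run gcloud compute instance-templates create-with-container "$(template_name "$1")" \
    --project="$PROJECT" \
    --machine-type=e2-micro \
    --network-interface=network=default,network-tier=PREMIUM \
    --tags=lb-health-check,allow-health-check \
    --image-project=cos-cloud \
    --image="$COS_IMAGE" \
    --container-image="${REPO}:$1" \
    --container-restart-policy=always
}

# Roll the managed instance group over to the template built for tag $1.
rolling_update() {
  run gcloud compute instance-groups managed rolling-action start-update "$MIG" \
    --project="$PROJECT" \
    --region="$REGION" \
    --version=template="$(template_name "$1")"
}

deploy() { create_template "$1" && rolling_update "$1"; }

if [ "$#" -gt 0 ]; then deploy "$1"; fi
```

Run it as `./deploy.sh <image-tag>` to review the two commands, then again with `DRY_RUN=0` to apply them.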