504 problem handling method
Last updated: 2020-02-14 13:00:18PDF
What if "504 Gateway Time-out" appears in the log when the API gateway service is called?
When a user invokes the API gateway service, if "504 Gateway Time-out" appears in the log, you can troubleshoot the problem from the following angles:
Check whether the backend service of the direct Access API gateway is normal.
- When the backend service is of HTTP type and is not in any VPC, check directly through the public network Access to see if it has timed out.
- When the user's backend service is a Cloud Load Balancer resource in VPC, use another CVM in the same VPC, Access Cloud Load Balancer's private network IP, to check whether it times out.
- When the user's back-end service is TSF, Access the timeout instance through the service instance of the same namespace under TSF to check whether the timeout occurs.
In the above cases, if the test still times out, there is a problem with the backend service. It is recommended to check whether the backend service is normal.
Check the timeout of API gateways and backend service settings
When configuring the API of the API gateway, you need to add a timeout in the backend configuration. If the backend service does not return a result within the timeout, the gateway will return a 504 error.
Check whether the security group is set correctly
- When the user's backend address is CLB in VPC, check whether the CVM security group bound by Associate's CLB has Open to Internet the IP of the API gateway. If no security group is set, check to see if there are other port network restrictions on the back-end address.
Open to Internet security group method: the backend CVM security group bound by CLB requires Private IP IP range of Open to Internet API gateway. Please refer to the list of Intra-region, Private IP and IP range. Private network, IP range of each region of API gateway and VIP of public network . The port requires the port of the service deployed by Open to Internet on CVM. For more information on how to set security groups, please refer to Security group operation .
- When the user's API is microservice API, and the service is deployed on CVM, Open to Internet client IP, port Open to Internet service port is required on the security group on CVM.
- When the user's API is microservice API, and the service is deployed in the container, since the pod of the container is not necessarily fixed on a CVM, it is recommended that all the machines in the cluster have the same security group as Open to Internet, and the port of Open to Internet client IP, Open to Internet container.
- When the back-end address of a user is a general public network but Access HTTP address, you also need to check whether a firewall, security group, etc., and the public network VIP of Open to Internet gateway is required.
Since the API gateway cannot guarantee that the public network VIP and private network and IP range remain unchanged, it is recommended that users use key pair authentication to ensure the security of the request.