deployment.xml is placed in the root of the application package
and specifies which environments and regions the application is deployed to during
automated application deployment, as which application instances.
Deployment progresses through the
environments to the
prod environments listed in
<deployment version="1.0"> <prod> <region>aws-us-east-1c</region> <region>aws-us-west-2a</region> </prod> </deployment>
More complex example:
<deployment version="1.0"> <instance id="beta"> <prod> <region>aws-us-east-1c</region> </prod> </instance> <instance id="default"> <block-change revision="false" days="mon,wed-fri" hours="16-23" time-zone="UTC" /> <prod> <region>aws-us-east-1c</region> ... <delay hours="3" minutes="7" seconds="13" /> <parallel> <region>aws-us-west-1c</region> <steps> <region>aws-eu-west-1a</region> <delay hours="3" /> <test>aws-us-west-2a</test> </steps> ... </parallel> </prod> <endpoints> <endpoint container-id="my-container-service"> <region>aws-us-east-1c</region> ... </endpoint> </endpoints> </instance> <endpoints> <endpoint id="my-weighted-endpoint" container-id="my-container-service" region="aws-us-east-1c"> <instance weight="1">beta</instance> ... </endpoint> </endpoints> </deployment>
Some of the elements can be declared either under the
or, if one or more
<instance> tags are listed, under these. These
have a bold or when listing where they may be present.
deployment.xml is not used for
as these are deployed manually.
The root element.
|major-version||No||The major version number this application is valid for.|
<parallel> (which must be a direct descendant of the root).
An instance of the application; several of these may be simultaneously deployed in the same zone.
<instance> is specified, all children of the root are implicitly children of
id="default", as in the simple example at the top.
|id||Yes||The unique name of the instance.|
|tags||No||Space-separated tags which can be referenced to make deployment variants.|
This blocks changes from being deployed to production in the matching time interval.
Changes are nevertheless tested while blocked.
By default, both application revision changes and Vespa platform changes
(upgrades) are blocked. It is possible to block just one kind of change using
Any combination of the attributes below can be specified. Changes on a given
date will be blocked if all conditions are met.
<block-change> tags (i.e. that contains conditions
that never match an actual date) are rejected by the system.
This tag must be placed after any
<prod>. It can be declared multiple times.
|revision||No, default ||Set to |
|version||No, default ||Set to |
|days||No, default ||A spec of the days this block is effective - a comma-separated list of single days or day intervals where the start and end day are separated by a dash and are inclusive. Each day is identified by its english name or three-letter abbreviation.|
|hours||No, default ||A spec of the hours this block is effective - a comma-separated list of single hours or hour intervals where the start and end hour are separated by a dash and are inclusive. Each hour is identified by a number in the range 0 to 23.|
|time-zone||No, default UTC||The name of the time zone used to interpret the hours attribute. Time zones are full names or short forms, when the latter is unambiguous. See ZoneId.of for the full spec of acceptable values.|
|from-date||No||The inclusive starting date of this block (ISO-8601, |
|to-date||No||The inclusive ending date of this block (ISO-8601, |
The below example blocks all changes on weekends, and blocks revisions outside working hours, in the PST time zone:
<block-change days="sat-sun" hours="0-23" time-zone="America/Los_Angeles"/> <block-change revision="false" days="mon-fri,sat,sun" hours="0-8,16-23" time-zone="America/Los_Angeles"/>
The below example blocks:
<block-change days="sun" from-date="2022-03-01" time-zone="America/Los_Angeles"/> <block-change hours="16-23" from-date="2022-02-10" to-date="2022-02-15" time-zone="America/Los_Angeles"/> <block-change to-date="2022-01-05" time-zone="America/Los_Angeles"/>
Determines the strategy for upgrading the application, or one of its instances.
By default, application revision changes and Vespa platform changes are deployed separately.
The exception is when an upgrade fails; then, the latest application revision is deployed
together with the upgrade, as these may be necessary to fix the upgrade failure.
May only be used with
Must be less than or equal to the configured
May only be used when
Meaning depends on where it is located:
||If present, the application is deployed to the
If present in an
||If present, production tests are run against the production region with id contained in this element. A test must be after a corresponding region element. When specified, production tests must be preset in the application test package. See guides for getting to production.|
If present, the application is deployed to the
and tested there, even if no prod zones are deployed to.
If present in an
<instance> element, staging tests are run for that specific instance before any
production deployments of the instance may proceed — otherwise, previous staging tests for any instance are acceptable.
When specified, staging tests must be preset in the application test package.
See guides for getting to production.
<deployment>, or in
If present, the application is deployed to the production regions listed inside this element, under the specified instance,
after deployments and tests in the
The application is deployed to the production region with id contained in this element.
|fraction||No||Only when this region is inside a group: The fractional membership in the group.|
Introduces a delay which must pass after completion of all previous steps, before subsequent steps may proceed.
This may be useful to allow some grace time to discover errors before deploying a change in additional zones,
or to gather higher-level metrics for a production deployment for a while, before evaluating these in a production test.
The maximum total delay for the whole deployment spec is 48 hours.
The delay is specified by any combination of the
Runs the contained steps in parallel: instances if in
or primitive steps (deployments, tests or delays) or a series of these (see steps) otherwise.
<parallel> elements are permitted. The following example will deploy
us-west-1 first, then to
simultaneously, and, finally to
eu-west-1, once both parallel deployments
<region>us-west-1</region> <parallel> <region>us-east-3</region> <region>us-central-1</region> </parallel> <region>eu-west-1</region>
Runs the contained parallel or primitive steps (deployments, tests or delays) serially.
The following example will in parallel:
us-west-1, then delay 1 hour, and run tests for
Thus, the parallel block is complete when both deployments are complete, tests are successful for the second deployment, and at least two hours have passed since the block began executing.
<parallel> <region>us-east-3</region> <steps> <region>us-west-1</region> <delay hours="1" / > <test>us-west-1</test> </steps> <delay hours="2" / > </parallel>
<deployment>, without any
declared or in
<instance>: This declares
an global endpoint. Contains one or
Specifies a global endpoint for this application.
Each endpoint will point to the regions that are declared in the endpoint.
If no regions are specified,
the endpoint defaults to the regions declared in the
The following example creates a default endpoint to all regions,
and a us endpoint pointing only to US regions.
<endpoints> <endpoint container-id="my-container-service"/> <endpoint id="us" container-id="my-container-service"> <region>aws-us-east-1c</region> <region>aws-us-west-2a</region> </endpoint> </endpoints>
|id||No||The identifier for the endpoint. This will be part of the endpoint name that is generated. If not specified, the endpoint will be the default global endpoint for the application.|
|container-id||Yes||The id of the container cluster to which requests to the global endpoint is forwarded.|
Used to disable public zone endpoints. Non-public endpoints can not be used in
global endpoints, which require that all constituent endpoints are public.
The example disables the public zone endpoint for the
container cluster in all regions, except where it is explicitly enabled, in
Changing endpoint visibility will make the service unavailable for a short period of time.
<endpoints> <endpoint type='zone' container-id='my-container' enabled='false' /> <endpoint type='zone' container-id='my-container' enabled='true'> <region>region-1</region> </endpoint> </endpoints>
Private endpoints are specified with
|container-id||Yes||The id of the container cluster to disable public endpoints for.|
Whether a public endpoint for this container cluster should be enabled; default
Specifies a private endpoint service for this application.
Each service will be launched in the regions that are declared in the endpoint.
If no regions are specified, the service is launched in all regions declared in the
<prod> element, that support any of the declared access types.
The following example creates a private endpoint in two specific regions.
<endpoints> <endpoint type='private' container-id='my-container'> <region>aws-us-east-1c</region> <allow with='aws-private-link' arn='arn:aws:iam::123123123123:root' /> </endpoint> <endpoint type='private' container-id='my-container'> <region>gcp-us-central1-f</region> <allow with='gcp-service-connect' project='user-project' /> </endpoint> </endpoints>
Private endpoints are specified with
|container-id||Yes||The id of the container cluster to which requests to the private endpoint service is forwarded.|
Allows a prinicipal identified by the URN to set up a connection to the declared private endpoint service.
This element must be repeated for each additional URN.
An endpoint service will only consider allowed URNs of a compatible type, and will only be created if
at least one compatible access type-and-URN is given:
aws-private-link, and an ARN.
gcp-service-connect, and a project ID
<endpoint type='private' container-id="my-container"> <allow with='aws-private-link' arn='arn:aws:iam::123123123123:root' /> <allow with='aws-private-link' arn='arn:aws:iam::321321321321:role/my-role' /> <allow with='aws-private-link' arn='arn:aws:iam::321321321321:user/my-user' /> <allow with='gcp-service-connect' project='my-project' /> </endpoint>
The private endpoint access type; must be
Must be specified with
Must be specified with
Defines the BCP structure of this instance: Which zones should take over for which others
during the outage of a zone and how fast they must have the capacity ready.
Autoscaling uses this information to decide the ideal cpu load of a zone.
If this element is not defined, it is assumed that all regions covers
for an equal share of the traffic of all other regions and must have that capacity ready at all times.
If a bcp element is specified at the root, and explicit instances are used, that bcp element becomes the default for all instances that does not contain a bcp element themselves. If a BCP element contains no group elements it will implicitly define a single group of all the regions of the instance in which it is used.
The max time after a region becomes unreachable until the other regions in its BCP group must be able to handle the traffic of it, given as a number of minutes followed by 'm', 'h' or 'd' (for minutes, hours or days). The default deadline is 0: Regions must at all times have capacity to handle BCP traffic immediately.
By providing a deadline, autoscaling can avoid the cost of provisioning additional resources for BCP capacity if it predicts that it can grow to handle the traffic faster than the deadline in a given cluster.
This is the default deadline to be used for all groups that don't specify one themselves.
<bcp> <group deadline="15m"> <endpoint id="foo" container-id="bar"/> <region>us-east1</region> <region>us-east2</region> <region fraction="0.5">us-central1</region> </group> <group> <region>us-west1</region> <region>us-west2</region> <region fraction="0.5">us-central1</region> </group> </bcp>
<bcp>. Defines a bcp group:
A set of regions whose members cover for each other during a regional outage.
Each region in a group will (as allowed, when autoscaling ranges are configured) provision resources sufficient to handle that any other single region in the group goes down. The traffic of the region is assumed to be rerouted in equal amount to the remaining regions in the group. That is, if a group has one member, no resources will be provisioned to handle an outage in that member. If a group has two members, each will aim to provision sufficient resources to handle the actual traffic of the other. If a group has three members, each will provision to handle half of the traffic observed in the region among the two others which receives the most traffic.
A region may have fractional membership in multiple groups, meaning it will handle just that fraction of the traffic of the remaining members, and vice versa. A regions total membership among groups must always sum to exactly 1.
A group may also define global endpoints for the region members in the group. This is exactly the same as defining the endpoint separately and repeating the regions of the group under the endpoint. Endpoints under a group cannot contain explicit region sub-elements.
The deadline of this BCP group. See deadline on the BCP element.