app-platform-networking

by @digitalocean-labs in AI & LLM

# Install this skill:

npx skills add digitalocean-labs/do-app-platform-skills --skill "app-platform-networking"

Install specific skill from multi-skill repository

# Description

Configure domains, routing, CORS, VPC, static IPs, and inter-service communication for DigitalOcean App Platform. Use when setting up custom domains, subdomain routing, cross-origin API access, or secure database connectivity.

# SKILL.md

name: app-platform-networking
version: 1.0.0
min_doctl_version: "1.82.0"
description: Configure domains, routing, CORS, VPC, static IPs, and inter-service communication for DigitalOcean App Platform. Use when setting up custom domains, subdomain routing, cross-origin API access, or secure database connectivity.
related_skills: [designer, postgres, managed-db-services]
deprecated: false

App Platform Networking Skill

Configure domains, routing, CORS, VPC, static IPs, and inter-service communication.

Quick Decision

What networking do you need?
├── Custom domain?
│   └── YES → See domains-dns.md
│
├── Multiple services on one domain?
│   ├── Different paths (/api, /app) → Path-based routing
│   └── Different subdomains (api.*, app.*) → Subdomain routing
│
├── Frontend calling API across origins?
│   └── YES → CORS configuration
│
├── Secure database connectivity?
│   └── YES → VPC + trusted sources
│
└── Need static outbound IP?
    └── YES → Dedicated egress

When to Use

Scenario	Need This Skill
Starter domain only	No
Custom domain	Yes
Multiple services, different paths	Yes
Multiple subdomains	Yes
Cross-subdomain API calls (CORS)	Yes
Secure database access via VPC	Yes
Firewall allowlisting (egress IP)	Yes

Quick Reference

Feature	App Spec Field	Example
Custom domain	`domains[].domain`	`example.com`
Wildcard	`domains[].wildcard`	`true`
Path routing	`ingress.rules[].match.path.prefix`	`/api`
Subdomain routing	`ingress.rules[].match.authority.exact`	`api.example.com`
CORS	`ingress.rules[].cors`	See reference
VPC	`vpc.id`	UUID
Dedicated egress	`egress.type`	`DEDICATED_IP`

Path-Based Routing (Quick Start)

ingress:
  rules:
    - component: { name: api }
      match: { path: { prefix: /api } }

    - component: { name: frontend }
      match: { path: { prefix: / } }

Rule order matters: Specific rules first.

Full guide: See ingress-routing.md

Subdomain Routing (Quick Start)

domains:
  - domain: example.com
    type: PRIMARY
    wildcard: true
    zone: example.com

ingress:
  rules:
    - component: { name: api }
      match:
        authority: { exact: api.example.com }
        path: { prefix: / }

    - component: { name: app }
      match:
        authority: { exact: app.example.com }
        path: { prefix: / }

Full guide: See domains-dns.md

CORS (Quick Start)

ingress:
  rules:
    - component: { name: api }
      match: { path: { prefix: /api } }
      cors:
        allow_origins:
          - exact: https://app.example.com
        allow_methods: [GET, POST, PUT, DELETE, OPTIONS]
        allow_headers: [Content-Type, Authorization]
        allow_credentials: true

Note: With allow_credentials: true, use exact origins only (no regex).

Full guide: See cors-configuration.md

VPC + Trusted Sources (Quick Start)

vpc:
  id: your-vpc-uuid

VPC CIDR whitelisting (recommended):

doctl vpcs get $VPC_ID --format IPRange  # e.g., 10.126.0.0/20
doctl databases firewalls append $CLUSTER_ID --rule ip_addr:10.126.0.0/20

Setup	Trusted Source Rule
Public only	`app:$APP_ID`
VPC enabled	`ip_addr:<vpc-cidr>`

Critical: Bindable variables return PUBLIC hostnames even with VPC. Use private URLs:

doctl databases connection --private <cluster-id> --format URI

Full guide: See vpc-trusted-sources.md

Reference Files

domains-dns.md — Domain types, DNS setup, wildcards, TLS, CAA
ingress-routing.md — Path routing, rewrites, redirects, authority matching
cors-configuration.md — CORS fields, patterns, credentials
vpc-trusted-sources.md — VPC setup, trusted sources matrix, private URLs
static-ips-egress.md — Ingress IPs, dedicated egress, HTTP/2, internal ports
complete-patterns.md — 5 complete architecture patterns

Common Issues

Issue	Fix
Domain not resolving	Check DNS records, allow 72h propagation
SSL certificate error	Add CAA records for letsencrypt.org + pki.goog
CORS preflight fails	Add OPTIONS to allow_methods
VPC connection refused	Use VPC CIDR whitelisting, not app-based rules
Wrong component serves	Reorder rules (specific first)

Integration with Other Skills

→ designer: Add domains/ingress to app spec
→ troubleshooting: Debug DNS, CORS, VPC issues
→ postgres: VPC connectivity for managed databases
→ deployment: Deploy networking changes

# Supported AI Coding Agents

This skill is compatible with the SKILL.md standard and works with all major AI coding agents:

⚡ Amp 🚀 Antigravity 🤖 Claude Code 🦀 Clawdbot 📝 Codex ▶️ Cursor 🤖 Droid 💎 Gemini CLI 🐙 GitHub Copilot 🪿 Goose 📊 Kilo Code 🔧 Kiro CLI 💻 OpenCode 🦘 Roo Code 🌲 Trae 🏄 Windsurf

Learn more about the SKILL.md standard and how to use these skills with your preferred AI coding agent.