By default, after you create a function, you can invoke it over public and internal endpoints. For security, you can allow functions to be invoked only from a specified virtual private cloud (VPC), and not over the public and internal networks. To do this, you must bind the VPC to the service in which the functions reside. This topic describes how to bind a VPC so that functions can be invoked only from that VPC.

Prerequisites

Before you create an exchange, make sure that the following operations are complete:

Precautions

  • You can bind a maximum of 20 VPCs to a service.
  • If you allow functions to be invoked only in a specified VPC, functions invoked by triggers are not affected.
  • After a VPC is bound to a service, the VPC is bound to all versions and aliases of the service.
  • After you allow functions to be invoked only in a specified VPC, invocation requests from the Internet and other VPCs are denied. In this case, the HTTP status code is 403, the error code is AccessDenied, and the error message is "Resource access is bound by VPC: VPCID".
  • VPCs can be bound to only internal HTTP access points, but not public access points and internal HTTPS access points.

Bind a VPC

  1. On the Services and Functions page, click the service that you require. Then, click the Service Configurations tab. On the Service Configurations tab, click Modify Configuration.
  2. In the Network Config section on the Configure Service page, turn on Allow Specified VPCs to Invoke Functions and select the VPC to be bound.
  3. Optional: Click Bind. You can bind multiple VPCs to the service.
  4. In the Role Config section, set the parameters.
    • If you have not created a role:
      1. Click Create Role to go to the Role Templates page.
      2. On the Role Templates page, set the parameters and click Confirm Authorization Policy.
    • If you have created a role:
      1. In the Role Config section, select the role to be assigned from the Select Role drop-down list.
      2. In the Policy Details section, click + Add Policy.
      3. In the Add Policy dialog box, select one or more policies that you want to attach to the role from the Select Policy Template drop-down list.
      4. Click RAM Authorization.
      5. On the Role Templates page, set the Policy Name parameter and click Confirm Authorization Policy.
  5. Click Submit.
    After the operations are complete, all functions in the service can be invoked only in the specified VPC.
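
To confirm the binding, send direct invocation requests from outside the bound VPCs and check that each one returns the denial described under Precautions. The following Python sketch is an added example, not part of the original topic or of any SDK. It classifies recorded probe results against that denial signature. The probe records, the JSON layout of the sample bodies, the non-VPC error text, and the VPC ID are constructed for illustration.

```python
import re

# Denial signature stated in this topic: HTTP 403, error code AccessDenied,
# message "Resource access is bound by VPC: VPCID".
DENIAL_MSG = re.compile(r"Resource access is bound by VPC:\s*([\w-]+)")

def classify(status, body):
    """Classify one direct invocation attempt sent from outside the bound VPCs.

    The body is searched as plain text, so no response format is assumed.
    """
    match = DENIAL_MSG.search(body)
    if status == 403 and "AccessDenied" in body and match:
        return ("vpc-denied", match.group(1))
    if 200 <= status < 300:
        return ("exposed", None)       # request got through: binding not enforced
    if status == 403:
        return ("denied-other", None)  # blocked, but not by the VPC binding
    return ("inconclusive", None)      # timeout, 5xx, DNS failure, ...

def audit(probes):
    """Return (origin, verdict) for every probe that lacks the VPC denial."""
    findings = []
    for origin, status, body in probes:
        verdict, _vpc = classify(status, body)
        if verdict != "vpc-denied":
            findings.append((origin, verdict))
    return findings

# Constructed sample results: (origin label, HTTP status, response body).
# Invocations made by triggers are not restricted, so probe with direct calls only.
SAMPLE_PROBES = [
    ("internet", 403, '{"ErrorCode":"AccessDenied","ErrorMessage":'
                      '"Resource access is bound by VPC: vpc-example123"}'),
    ("other-vpc", 200, '{"result":"ok"}'),
    ("internet-2", 403, '{"ErrorCode":"AccessDenied","ErrorMessage":'
                        '"constructed non-VPC denial"}'),
    ("office", 504, ""),
]

if __name__ == "__main__":
    for origin, verdict in audit(SAMPLE_PROBES):
        print(f"{origin}: {verdict}")
```

An "exposed" verdict means the request was served from outside the bound VPCs, so review the Network Config setting of the service again.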