After a function is created, it can be invoked through the public and private endpoints by default. For security purposes, if you want to allow functions to be invoked only from a specified Virtual Private Cloud (VPC), and not over the public and private networks, you must bind the VPC to the service. This topic describes how to bind a VPC to a service so that functions can be invoked only from within that VPC.
- One service can be bound to a maximum of 20 VPCs.
- If you allow only the specified VPC to invoke functions, function invocations based on triggers are not affected.
- After a VPC is bound to a service, all versions and aliases of the service apply to the VPC.
- After you allow a specified VPC to invoke functions, function invocation requests from the public network and other VPCs are denied with the error code AccessDenied and the error message "Resource access is bound by VPC: VPCID".
Bind a VPC
- Log on to the Function Compute console.
- In the top menu bar, select a region.
- In the left-side navigation pane, click Service-Function.
- Locate the target service, and choose .
- In the Network Config area, select allow access to services from only specified VPC, and select the VPC ID.
- If your service already has a role, select an existing role from the System Policies drop-down list, select AliyunVPCReadOnlyAccess in the system template authorization, and click Authorize.
- Click Submit.
All functions of this service can be accessed through the specified VPC only.
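One way to confirm the binding is enforced after the steps above is to probe the function from each network path and compare the results with the behavior this topic describes. The script below is an added example, not Function Compute code. It assumes error bodies are JSON with ErrorCode and ErrorMessage fields, and the probe results, the 403 status and the vpc-EXAMPLE ID are constructed placeholders.

```python
import json

# Error code and message prefix this topic gives for requests denied by a VPC binding.
DENIED_CODE = "AccessDenied"
DENIED_PREFIX = "Resource access is bound by VPC:"

def classify(status, body):
    """Classify one probe response as 'allowed', 'vpc_denied' or 'other_error'."""
    if 200 <= status < 300:
        return "allowed"
    try:
        err = json.loads(body)
    except (TypeError, ValueError):
        return "other_error"
    if not isinstance(err, dict):
        return "other_error"
    # Assumption: the error body carries ErrorCode / ErrorMessage fields.
    message = str(err.get("ErrorMessage", ""))
    if err.get("ErrorCode") == DENIED_CODE and message.startswith(DENIED_PREFIX):
        return "vpc_denied"
    # AccessDenied for another reason (for example permissions) lands here.
    return "other_error"

# Expected outcome per vantage point once the binding is in place.
EXPECTED = {"bound_vpc": "allowed", "public": "vpc_denied", "other_vpc": "vpc_denied"}

def audit(probes):
    """Return (vantage, expected, got) for every probe that deviates."""
    findings = []
    for vantage, status, body in probes:
        got = classify(status, body)
        if got != EXPECTED[vantage]:
            findings.append((vantage, EXPECTED[vantage], got))
    return findings

# Constructed sample probe results (not real output).
SAMPLE = [
    ("bound_vpc", 200, "ok"),
    ("public", 403, json.dumps({"ErrorCode": "AccessDenied",
        "ErrorMessage": "Resource access is bound by VPC: vpc-EXAMPLE"})),
    ("other_vpc", 200, "ok"),  # this path is still open: a finding
]

if __name__ == "__main__":
    for vantage, expected, got in audit(SAMPLE):
        print(f"{vantage}: expected {expected}, got {got}")
```

A probe that returns AccessDenied without the VPC message is reported as other_error, so a denial caused by something other than the binding is not mistaken for proof that the binding works.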