By default, a function can be invoked through the public and private endpoints after it is created. For security purposes, if you want to allow functions to be invoked only over a specified Virtual Private Cloud (VPC), and not over the public and private networks, you must bind the VPC to the service. This topic describes how to bind a specified VPC so that functions can be invoked from that VPC.
- One service can be bound to a maximum of 20 VPCs.
- If you allow only the specified VPC to invoke functions, function invocations based on triggers are not affected.
- After a VPC is bound to a service, all versions and aliases of the service apply to the VPC.
- After you allow a specified VPC to invoke functions, function invocation requests from the public network and other VPCs are denied with AccessDenied and the error message "Resource access is bound by VPC: VPCID".
Bind a VPC
- Log on to the Function Compute console.
- In the top navigation bar, select a region.
- In the left-side navigation pane, click Service/Function. In the Services pane, click the required service.
- On the Service/Function page, click Service Configurations. On the Service Configurations tab, click Modify Configurations.
- In the Network Config area, select Allow Specified VPCs to Invoke Functions, and select a VPC.
- Optional: Click Bind to select more VPCs.
- If your service already has a role, select an existing role from the System Policies drop-down list, select AliyunVPCReadOnlyAccess in the system template authorization, and click Authorize.
- Click Submit. All functions of this service can be accessed through the specified VPC only.
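
After the binding is submitted, it is worth confirming that it is enforced from each network position. The following is an added example, not part of the original topic or of Function Compute's own tooling: it classifies test-invocation responses collected from different origins and reports any that contradict the binding. The JSON field names `ErrorCode` and `ErrorMessage`, the HTTP status values, and all VPC IDs and sample responses are assumptions constructed for illustration; only the `AccessDenied` code and the message text come from this topic.

```python
import json
import re

# Message text is taken from this topic; JSON field names are an assumption.
BOUND_RE = re.compile(r"Resource access is bound by VPC:\s*(\S+)")

def classify(status, body):
    """Return (verdict, vpc_id) for one invocation response."""
    if 200 <= status < 300:
        return ("allowed", None)
    try:
        err = json.loads(body)
    except (ValueError, TypeError):
        return ("other_error", None)
    if not isinstance(err, dict) or err.get("ErrorCode") != "AccessDenied":
        return ("other_error", None)
    match = BOUND_RE.search(str(err.get("ErrorMessage", "")))
    if match:
        return ("denied_by_vpc_binding", match.group(1).rstrip("."))
    return ("denied_other", None)

def audit(probes, bound_vpcs):
    """probes: (origin, status, body) tuples; origin is 'public' or a VPC ID.
    Returns findings where observed behaviour contradicts the binding."""
    findings = []
    for origin, status, body in probes:
        verdict, _ = classify(status, body)
        if origin in bound_vpcs:
            if verdict != "allowed":
                findings.append((origin, "bound VPC was rejected", verdict))
        elif verdict == "allowed":
            findings.append((origin, "unbound origin was allowed", verdict))
        elif verdict != "denied_by_vpc_binding":
            findings.append((origin, "rejected, but not by the VPC binding", verdict))
    return findings

# Constructed sample data: IDs and responses are made up for this example.
BOUND = {"vpc-example-a"}
PROBES = [
    ("vpc-example-a", 200, "hello"),
    ("public", 403, '{"ErrorCode": "AccessDenied", "ErrorMessage": '
                    '"Resource access is bound by VPC: vpc-example-a"}'),
    ("vpc-example-b", 200, "hello"),  # unbound VPC still reaches the function
    ("public", 403, '{"ErrorCode": "AccessDenied", "ErrorMessage": "other"}'),
]

if __name__ == "__main__":
    for finding in audit(PROBES, BOUND):
        print(finding)
```

A rejection that does not carry the VPC-binding message is reported separately, because it may come from authentication or another control and does not prove that the binding itself is in effect.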