After a function is created, it can be invoked through the public and private endpoints by default. For security purposes, if you want to allow functions to be invoked over a specified Virtual Private Cloud (VPC) only, but not the public and private networks, you must bind a specified VPC to the service. This topic describes how to bind a specified VPC to allow functions invoked in this VPC.


You have completed the following operations:


  • One service can be bound to a maximum of 20 VPCs.
  • However, if you allow only the specified VPC to invoke functions, function invokes based on triggers are not affected.
  • After a VPC is bound to a service, all versions and aliases of the service apply to the VPC.
  • After you allow a specified VPC to invoke functions, function invocation requests from the public network and other VPCs are denied with StatusCode 403, ErrorCodeAccessDenied, and error message Resource access is bound by VPC: VPCID.

Bind a VPC

  1. Log on to the Function Compute console.
  2. In the top navigation bar, select a region.
  3. In the left-side navigation pane, click Service/Function. In the Services pane, click the required service.
  4. On the Service/Function page, click Service Configurations. On the Service Configurations tab, click Modify Configurations.
    Modify configuration
  5. In Network Config area, select Allow Specified VPCs to Invoke Functions, and select VPC.
    Allow Specified VPCs to Invoke Functions
  6. Optional:Click Bind to select more VPCs.
  7. If your service already has a role, select an existing role from the System Policies drop-down list, select AliyunVPCReadOnlyAccess in the system template authorization, and click Authorize.
  8. Click Submit.
    All functions of this service can be accessed through the specified VPC only.