After a function is created, it can be invoked through the public and private endpoints by default. For security purposes, if you want functions to be invocable only from a specified Virtual Private Cloud (VPC), and not from the public and private networks, you must bind that VPC to the service. This topic describes how to bind a specified VPC so that functions can be invoked from within this VPC.


You have completed the following operations:


  • One service can be bound to a maximum of 20 VPCs.
  • If you allow only the specified VPC to invoke functions, trigger-based function invocations are not affected.
  • After a VPC is bound to a service, all versions and aliases of the service apply to the VPC.
  • After you allow a specified VPC to invoke functions, function invocation requests from the public network and other VPCs are denied with StatusCode 403, ErrorCode AccessDenied, and the error message "Resource access is bound by VPC: VPCID".

Bind a VPC

  1. Log on to the Function Compute console.
  2. In the top menu bar, select a region.
  3. In the left-side navigation pane, click Service-Function.
  4. Locate the target service, and choose Service Configurations > Update.
  5. In the Network Config area, select allow access to services from only specified VPC, and then select the VPC ID.
  6. If your service already has a role, select an existing role from the System Policies drop-down list, select AliyunVPCReadOnlyAccess in the system template authorization, and click Authorize.
  7. Click Submit.
    All functions of this service can be accessed through the specified VPC only.
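
To confirm that the binding is in effect, send a test invocation from a host outside the bound VPC and compare the response with the denial described above. The following is an added example, not Function Compute code: it assumes the error arrives as a JSON body with ErrorCode and ErrorMessage keys, and the function name, sample responses and VPC IDs are constructed for illustration.

```python
import json
import re

# Message format taken from this page; the VPC ID follows the colon.
_BOUND_MSG = re.compile(r"Resource access is bound by VPC:\s*([A-Za-z0-9-]+)")


def classify_invoke_response(status_code, body, expected_vpc_id):
    """Classify one invocation response observed from OUTSIDE the bound VPC.

    Returns one of:
      "enforced"     - denied with the VPC-binding error for expected_vpc_id
      "wrong_vpc"    - denied by a VPC binding, but for a different VPC ID
      "not_enforced" - the call succeeded, so the restriction is not active
      "inconclusive" - any other failure; it says nothing about the binding
    """
    if 200 <= status_code < 300:
        return "not_enforced"
    if status_code != 403:
        return "inconclusive"
    try:
        err = json.loads(body)  # assumed JSON error body
    except (TypeError, ValueError):
        return "inconclusive"
    if not isinstance(err, dict) or err.get("ErrorCode") != "AccessDenied":
        return "inconclusive"
    match = _BOUND_MSG.search(str(err.get("ErrorMessage", "")))
    if match is None:
        # AccessDenied for a reason other than the VPC binding.
        return "inconclusive"
    return "enforced" if match.group(1) == expected_vpc_id else "wrong_vpc"


# Constructed sample responses (status code, body); not captured from a real service.
SAMPLES = {
    "public_denied": (403, '{"ErrorCode": "AccessDenied", "ErrorMessage": '
                           '"Resource access is bound by VPC: vpc-example0001"}'),
    "public_allowed": (200, "hello"),
    "other_binding": (403, '{"ErrorCode": "AccessDenied", "ErrorMessage": '
                           '"Resource access is bound by VPC: vpc-example0002"}'),
    "other_denial": (403, '{"ErrorCode": "AccessDenied", "ErrorMessage": "constructed"}'),
    "proxy_page": (403, "<html>Forbidden</html>"),
}


def classify_samples(expected_vpc_id="vpc-example0001"):
    return {name: classify_invoke_response(code, body, expected_vpc_id)
            for name, (code, body) in SAMPLES.items()}
```

A "not_enforced" result from a public-network test means the service still accepts invocations from outside the VPC and the network configuration should be rechecked.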