Why am I unable to connect Function Compute to a VPC for debugging?
If you have set a virtual private cloud (VPC) configuration for a service in Function Compute but the service fails to connect to the specified VPC, the failure may occur due to the following causes:
- An error may have occurred with the subnet with which the vSwitch associates, or IP addresses are insufficient. We recommend that you specify multiple vSwitch IDs. This allows your functions to correctly run in other zones if an error occurs with the current one.
- The security group is incorrectly configured. The following requirements must be met
when you configure the security group. For more information about how to configure
a security group, see Add security group rules.
- In the security group with which the specified VPC is associated, a rule is configured to allow access from the security group with which Function Compute is associated.
- The outbound traffic of the security group must support Internet Control Message Protocol (ICMP). Function Compute checks the VPC network connectivity based on ICMP.
Why does a network connection error occur when I invoke a function to access cloud resources?
To allow Function Compute to access resources that are deployed in a VPC, the execution environment has been migrated from the classic network to the VPC. Therefore, a network connection error may occur when you invoke a function to access cloud services, such as Elastic Compute Service (ECS). You can troubleshoot the error based on the following solutions in different scenarios:
- A network connection error occurs when you invoke a function to access the internal
endpoint of a cloud service. You must use the VPC endpoint of the cloud service to
access the cloud service. If the destination cloud service does not provide a VPC
endpoint, set the InternetAccess field for the service where the function is created
to true and then access the destination cloud service by using a public endpoint that
is provided by the destination cloud service.
Notice You are charged for the network traffic that is generated when you access the destination cloud service by using a public endpoint.
- A network connection error occurs when you invoke a function to access self-managed
ECS resources, such as web services and file systems, that are deployed in the classic
network, or ApsaraDB RDS databases that are connected to the classic network.
- If you need to use ECS resources or ApsaraDB RDS databases that are connected to the classic network, access them by using a public IP address or a public network. You are charged for the network traffic that is generated by using these access methods.
- If you are able to migrate resources to a VPC, you can access the resources in the VPC by using Function Compute. For more information, see Configure functions to access VPC resources.
- A network connection error occurs when you invoke a function to access an ApsaraDB
After you create an RDS instance, you must configure a whitelist to access the instance. For more information, see Switch an ApsaraDB RDS for MySQL instance to the enhanced whitelist mode.Note No security risk is incurred when you allow all IP addresses to access the RDS instance in the VPC.
If you have set a VPC configuration for a service in Function Compute, Function Compute cannot verify access permissions when the service accesses the specified VPC. Permissions are verified only when a function is executed. Therefore, new errors may occur when you call the InvokeFunction operation to invoke a function. The following table describes specific common errors that occur when a service in Function Compute accesses a VPC so that you can troubleshoot the errors with efficiency.
|Error code||HTTP status code||Cause||Solution|
|InvalidArgument||400||Function Compute does not support the zone of the specified vSwitch.||Specify another vSwitch ID.|
|The resources specified by the
||Check whether the VPC configuration is correctly set.|
|The vSwitch and security group are not associated with the specified VPC.||Check whether the VPC configuration is correctly set. Make sure that the resources
specified by the
|AccessDenied||403||You have not granted operation permissions on elastic network interfaces (ENIs) to the service in Function Compute.||Check the operation permissions of the service. For more information, see Configure functions to access VPC resources.|
|ResourceExhausted||429||All ENIs in the specified VPC have been used and Function Compute cannot create ENIs.||Provide more ENIs for the specified VPC.|