By default, Function Compute cannot access resources that you have created in a virtual private cloud (VPC). You must manually set the VPC configuration for Function Compute to authorize Function Compute to access resources deployed in the VPC.
Prerequisites
- Create a service
- Create a function
- You have created a VPC and a vSwitch. For more information, see Step 1: Create a VPC network and a vSwitch.
- Create a security group
Background information
Determine whether to configure VPC resource access
The use of a VPC will incur additional fees. We recommend that you use RAM rather than VPC configuration to grant access permissions to a service, such as Tablestore. Therefore, before you configure a VPC, you must determine whether the VPC configuration is required.
The VPC configuration is set on the service level. When you grant access permissions to a service, all functions of the service are allowed to access the specified VPC.
vpcConfig properties
- vpcId: The ID of the VPC that your service needs to access.
- vSwitchIds: The list of vSwitches. You must provide at least one vSwitch ID.
The vSwitchIds field specifies the subnets that Function Compute can access. We recommend that you specify two or more vSwitches in the vSwitchIds field. This allows your functions to be executed in other subnets when an error occurs in the zone or IP addresses are insufficient. If multiple vSwitch IDs are specified in the vSwitchIds field, Function Compute selects one when it creates an Elastic Network Interface (ENI).
- securityGroupId: The ID of the security group that is associated with the ENI.
"vpcConfig": { "vpcId": "string", "vSwitchIds": [ "string" ], "securityGroupId": "string" }The securityGroupId field specifies the security group that the ENI and Function Compute are associated with. A security group defines the inbound and outbound rules for Function Compute in the specified VPC. In this security group, set a rule to allow access from the security group that Function Compute is associated with. Otherwise, Function Compute cannot access resources that are deployed in the specified VPC.
Access to the Internet
Function Compute services contain a Boolean field internetAccess that indicates whether a service is allowed to access the Internet. The default value is true, which indicates that the service can access the Internet. You can set the internetAccess field to false, which disallows any functions of the service to access the Internet.
How it works
A VPC is a custom private network created on Alibaba Cloud. VPCs are logically isolated from each other. You can create and manage your cloud instances, such as Elastic Compute Service (ECS) instances, Server Load Balancer (SLB) instances, and ApsaraDB for RDS (RDS) instances in your VPC. This prevents these resources from being accessed on the Internet.
Function Compute accesses resources in a VPC network in the following steps:
When you create an ENI, you must provide configuration information such as the VPC ID, security group ID, and vSwitch ID. Function Compute configures the ENI based on this information. This allows your functions to access resources in the specified VPC by using the ENI.
For more information about how to use Function Compute to access resources in a VPC, see Overview.
Precautions
- If you cannot activate Alibaba Cloud VPC in the China (Hangzhou), China (Shanghai), China (Beijing), and China (Shenzhen) regions, you must activate it as prompted in the console.
- The following table lists the regions where Function Compute can be activated. If
the region of your resource is not in the table, see How can I resolve the "VSwitch is in unsupported zone" error?.
Region Region ID VPC China (Hangzhou) cn-hangzhou cn-hangzhou-f,cn-hangzhou-g,cn-hangzhou-h China (Shanghai) cn-shanghai cn-shanghai-b,cn-shanghai-e,cn-shanghai-g,cn-shanghai-f China (Qingdao) cn-qingdao cn-qingdao-c China (Beijing) cn-beijing cn-beijing-h,cn-beijing-c,cn-beijing-e,cn-beijing-f China (Zhangjiakou) cn-zhangjiakou cn-zhangjiakou-b,cn-zhangjiakou-a China (Hohhot) cn-huhehaote cn-huhehaote-a,cn-huhehaote-b China (Shenzhen) cn-shenzhen cn-shenzhen-e,cn-shenzhen-d China (Chengdu) cn-chengdu cn-chengdu-a, cn-chengdu-b China (Hong Kong) cn-hongkong cn-hongkong-c Singapore (Singapore) ap-southeast-1 ap-southeast-1a,ap-southeast-1b Australia (Sydney) ap-southeast-2 ap-southeast-2a,ap-southeast-2b Malaysia (Kuala Lumpur) ap-southeast-3 ap-southeast-3a Indonesia (Jakarta) ap-southeast-5 ap-southeast-5a,ap-southeast-5b Japan (Tokyo) ap-northeast-1 ap-northeast-1b,ap-northeast-1a UK (London) eu-west-1 eu-west-1a Germany (Frankfurt) eu-central-1 eu-central-a,eu-central-1a,eu-central-1b US (Silicon Valley) us-west-1 us-west-1a,us-west-1b US (Virginia) us-east-1 us-east-1b, us-east-1a India (Mumbai) ap-south-1 ap-south-1a,ap-south-1b
Network access modes
Functions can access resources in four network access modes based on network settings. You can set networks for your functions.
| Allow functions to access the Internet | Allow functions to access VPC resources | Network access mode |
|---|---|---|
| Yes | Yes | Allows functions to access the Internet and a specified VPC. |
| Yes | No | Allows functions to access the Internet only. |
| No | Yes | Allows functions to access a specified VPC only. |
| No | No | Does not allow functions to access the Internet or a specified VPC. |
Configure networks and permissions
The VPC and permissions are configured on the service level. When you grant access permissions to a service, all functions of the service are allowed to access the specified VPC.
- On the Service/Function page, click Service Configurations. On the Service Configurations tab, click Modify Configurations.
- In the Network Config section, modify the network configurations.
Parameter Description Allow Functions to Access the Internet Specifies whether to allow functions to access the Internet. - On: Functions can access the Internet.
- Off: Functions cannot access the Internet.
Allow Functions to Access VPC Resources Specifies whether to allow functions to access VPC resources. - On: Functions can access VPC resources.
After you turn on the switch, you must set the following parameters:
- VPC: Select a VPC.
- Vswitches: Select one or more vSwitches.
- Security Group: Select the security group that your ENI is associated with.
- Off: Functions cannot access VPC resources.
Allow Specified VPCs to Invoke Functions Specifies whether to allow a specified VPC to call functions. For more information, see Allow a specified VPC to invoke functions. - In the Role Config section, configure the parameters and click Authorize.
Function Compute accesses resources deployed in a VPC by using an ENI. Therefore, you must grant ENI permissions such as create, describe, and delete to the service that needs to access the specified VPC. For more information, see t1881210.html#concept_2260124.
Parameter Description Role Operation Select an existing role from the list or click Create Role. System Policies Select AliyunECSNetworkInterfaceManagementAccess. This system policy contains the following permissions:- vpc:DescribeVSwitchAttributes
- ecs:CreateNetworkInterface
- ecs:DeleteNetworkInterface
- ecs:DescribeNetworkInterfaces
- ecs:CreateNetworkInterfacePermission
- ecs:DescribeNetworkInterfacePermissions