
Function Compute (2.0): Configure networks

Last Updated:Feb 01, 2024

In Function Compute, you can invoke functions over the Internet by default. If you want your functions to access virtual private cloud (VPC) resources or invoke a function over a specified VPC, you must configure networks for the service in which the functions reside. Network settings are specific to services. That is, the network settings for a service take effect for all functions in the service. This topic describes how to configure networks for a service in the Function Compute console.

Usage notes

  • Before you bind VPC resources to a service, make sure that the role associated with the service is granted the vpc:DescribeVSwitchAttributes and vpc:DescribeVpcAttribute actions, for example by a policy attached to the role.

  • For a Custom Container function that is created from an image in a Container Registry Enterprise Edition instance, you must select a VPC and a vSwitch. When you configure VPC access for the service in which the function resides, follow these rules:

    • If the Default Resolution identifier appears next to a VPC in the Visit IP column on the Access Control page of the Container Registry Enterprise Edition instance, you must configure that VPC and a vSwitch in it, so that the function uses the default resolved IP address of the instance.

    • If the Default Resolution identifier does not appear, you can configure any VPC and vSwitch that are bound to the instance.

Network access capabilities

VPC access can increase the cold start time of functions in Function Compute. We recommend that you do not configure VPC access unless it is required. For resources such as Tablestore that can be reached without a VPC, you can instead authorize RAM users to access the resources. For more information, see What is Tablestore?

Traffic is generated when you access a function from a network address or access resources by using a function. The following types of traffic are generated:

  • Internet traffic: the traffic for access to Internet addresses, such as Alibaba Cloud official websites, Taobao websites, and the public endpoints of Alibaba Cloud services.

  • VPC traffic: the traffic that is generated when you access addresses in VPCs, such as ApsaraDB RDS addresses, Apsara File Storage NAS (NAS) addresses, and the VPC endpoints of Elastic Compute Service (ECS) instances.

You can configure a network based on your business requirements to obtain the following network access capabilities of functions:

  • Function outbound traffic: the traffic for functions to access resources over the Internet or in a VPC. The configuration items include Access to VPC and Access to Internet.

    Table 1 - Function outbound traffic

    Network setting: Allow functions to access only the Internet.
    Description: Functions can access the Internet and the internal network but cannot access resources in VPCs. Configure the following parameters:
      • Set the Access to VPC parameter to No.
      • Set the Access to Internet parameter to Yes.

    Network setting: Allow functions to access only a VPC.
    Description: All outbound traffic of the functions goes through the VPC. Functions reach resources in the VPC directly and reach the Internet only through egress that the VPC provides, such as a NAT Gateway. This setting applies to scenarios such as PrivateZone, NAT Gateway, and binding a VPC to functions. Configure the following parameters:
      • Set the Access to VPC parameter to Yes and specify the VPC that can be accessed by the functions.
      • Set the Access to Internet parameter to No.

    Network setting: Allow functions to access both the Internet and a VPC.
    Description: Functions reach Internet addresses directly from function code over the Function Compute Internet egress and reach internal resources through the configured VPC. Configure the following parameters:
      • Set the Access to VPC parameter to Yes and specify the VPC that can be accessed by the functions.
      • Set the Access to Internet parameter to Yes.

    Network setting: Do not allow functions to access the Internet or VPCs.
    Description: Functions can access only internal network resources directly from function code; they cannot reach the Internet or any VPC. Configure the following parameters:
      • Set the Access to VPC parameter to No.
      • Set the Access to Internet parameter to No.

  • Function inbound traffic: the traffic for requests to invoke functions from the Internet or VPCs. The configuration item is Function Invocation only by Specified VPCs.

    Table 2 - Function inbound traffic

    Network setting: Allow functions to be invoked over the Internet and over a VPC.
    Description: After you create the functions, you can invoke them over the Internet or over a VPC. This is the default setting:
      • Set the Function Invocation only by Specified VPCs parameter to No.

    Network setting: Allow functions to be invoked only over a VPC.
    Description: Functions can be invoked over the specified VPCs but not over the Internet. Configure the following parameter:
      • Set the Function Invocation only by Specified VPCs parameter to Yes and specify the VPCs over which functions can be invoked.

Zones

Zones available for Function Compute

Region                    Region ID        Zones
China (Hangzhou)          cn-hangzhou      cn-hangzhou-f, cn-hangzhou-g, cn-hangzhou-h, cn-hangzhou-i, cn-hangzhou-j, cn-hangzhou-k
China (Shanghai)          cn-shanghai      cn-shanghai-b, cn-shanghai-e, cn-shanghai-f, cn-shanghai-g, cn-shanghai-l, cn-shanghai-m, cn-shanghai-n
China (Qingdao)           cn-qingdao       cn-qingdao-c
China (Beijing)           cn-beijing       cn-beijing-c, cn-beijing-e, cn-beijing-f, cn-beijing-g, cn-beijing-h, cn-beijing-i, cn-beijing-j, cn-beijing-k, cn-beijing-l
China (Zhangjiakou)       cn-zhangjiakou   cn-zhangjiakou-a, cn-zhangjiakou-b, cn-zhangjiakou-c
China (Hohhot)            cn-huhehaote     cn-huhehaote-a, cn-huhehaote-b
China (Shenzhen)          cn-shenzhen      cn-shenzhen-d, cn-shenzhen-e, cn-shenzhen-f
China (Chengdu)           cn-chengdu       cn-chengdu-a, cn-chengdu-b
China (Hong Kong)         cn-hongkong      cn-hongkong-b, cn-hongkong-c, cn-hongkong-d
Singapore                 ap-southeast-1   ap-southeast-1a, ap-southeast-1b, ap-southeast-1c
Australia (Sydney)        ap-southeast-2   ap-southeast-2a, ap-southeast-2b
Malaysia (Kuala Lumpur)   ap-southeast-3   ap-southeast-3a
Indonesia (Jakarta)       ap-southeast-5   ap-southeast-5a, ap-southeast-5b
Japan (Tokyo)             ap-northeast-1   ap-northeast-1a, ap-northeast-1b, ap-northeast-1c
UK (London)               eu-west-1        eu-west-1a
Germany (Frankfurt)       eu-central-1     eu-central-a, eu-central-1a, eu-central-1b
US (Silicon Valley)       us-west-1        us-west-1a, us-west-1b
US (Virginia)             us-east-1        us-east-1a, us-east-1b
India (Mumbai)            ap-south-1       ap-south-1a, ap-south-1b

For more information about the latest zones in each region, you can call the GetAccountSettings operation in OpenAPI Explorer.

If your resources are deployed in an unavailable zone, create a vSwitch in an available zone in your VPC and specify the vSwitch ID in the VPC configuration of a Function Compute service. vSwitches in the same VPC can communicate with each other over private networks. Therefore, Function Compute can use the vSwitch to access VPC resources that are deployed in other zones. For more information, see How can I resolve the "vSwitch is in unsupported zone" error?

Prerequisites

  • A service is created. For more information, see Create a service.

  • (Optional) Network resources are created. If you have not created resources, select Automatic Configuration when you configure the service. Otherwise, create the VPC, vSwitch, and security group in advance.

Network settings and roles

Function Compute provides service-level configurations specific to VPCs and permissions. If you configure VPC access for a service, all functions in the service can access VPCs.

  1. Log on to the Function Compute console. In the left-side navigation pane, click Services & Functions.

  2. In the top navigation bar, select a region. On the Services page, find the desired service and click Configure in the Actions column.

  3. In the Role Configuration section of the Modify Service page, select a role from the Service Role drop-down list to grant Function Compute the permissions to access the VPC. Make sure that the actions listed in the Usage notes section are granted to the role.

    We recommend that you grant permissions to the role based on the principle of least privilege. For more information about fine-grained permission control, see Policies and sample policies.

  4. In the Network Settings section, modify the following parameters.

    • Access to VPC: specifies whether to allow functions to access resources in a VPC. Valid values:

      • Yes: Functions can access resources in a VPC. If you select Yes, you must also configure the Configuration Mode parameter. Valid values:

        • (Recommended) Automatic Configuration: Function Compute automatically creates resources such as a VPC, vSwitch, and security group. You can create multiple vSwitches in the VPC. After the network settings are complete, you can modify the settings based on your requirements.

          Note

          The names of network resources that are automatically created by Function Compute start with fc.auto.create.

        • Custom Configuration: You must manually select existing resources, including a VPC, vSwitch, and security group. Make sure that the resources are created in advance.

          • VPC: Select a VPC ID from the drop-down list.

          • vSwitch: Select at least one vSwitch ID from the drop-down list.

            This parameter defines the subnets that Function Compute can access. We recommend that you specify two or more vSwitch IDs. If a zone fails or IP addresses are insufficient, your functions can run on another subnet.

          • Security Group: Select a security group ID from the drop-down list.

            This parameter specifies the security group with which Function Compute is associated. This security group defines the inbound and outbound rules of Function Compute in the VPC. In the security group that protects the resources you want to access in the VPC, add a rule that allows access from the security group with which Function Compute is associated. Otherwise, Function Compute cannot access those resources.

      • No: Functions cannot access resources in VPCs.

    • Static Public IP Address: specifies whether to obtain a static public IP address by using NAT Gateway and Elastic IP Address (EIP). For more information, see Configure static public IP addresses.

    • Access to Internet: specifies whether to allow functions to access the Internet. Valid values:

      • Yes: Functions can access the Internet.

      • No: Functions cannot access the Internet.

    • Function Invocation only by Specified VPCs: specifies whether to allow invocation requests only over specified VPCs. Valid values:

      • Yes: Functions can be invoked only over specified VPCs. Take note of the following items:

        • You can associate a maximum of 20 VPCs with a service.

        • If you allow functions to be invoked only over specified VPCs, you can still invoke functions by using triggers.

        • After you associate one or more VPCs with a service, the VPC settings take effect for all versions and aliases of the service.

        • If you allow functions to be invoked only over specified VPCs, requests from the Internet and other VPCs are rejected. For requests from the Internet and other VPCs, the status code (StatusCode) 403, error code (ErrorCode) AccessDenied, and error message Resource access is bound by VPC: VPC ID are returned.

        • VPCs can be associated only with internal HTTP access points, but not with public access points and internal HTTPS access points.

      • No: No VPC restriction is applied. Functions can be invoked over the Internet and over VPCs, as described in Table 2.

  5. Click Save.
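The role check in step 3, as an added example that is not part of the Function Compute documentation: it writes the two vpc:* actions from the Usage notes into a least-privilege RAM policy document and checks a role's attached policy documents for them. The ecs:*NetworkInterface* action names stand in for the elastic network interface (ENI) permissions that the Troubleshooting section refers to; they are an assumption to verify against the RAM action reference, as is the case-insensitive wildcard matching used here.

```python
"""Added example (not Alibaba Cloud's code): least-privilege RAM policy for a
Function Compute service role that accesses a VPC, plus a checker for the
policy documents already attached to a role."""
import fnmatch

# Actions this page names as required on the service role (Usage notes).
VPC_READ_ACTIONS = ["vpc:DescribeVSwitchAttributes", "vpc:DescribeVpcAttribute"]
# Assumption: the ENI operations behind the AccessDenied row under Troubleshooting.
# Verify these names against the RAM action reference for ECS before relying on them.
ENI_ACTIONS = [
    "ecs:CreateNetworkInterface",
    "ecs:DeleteNetworkInterface",
    "ecs:DescribeNetworkInterfaces",
    "ecs:AttachNetworkInterface",
    "ecs:DetachNetworkInterface",
]
REQUIRED_ACTIONS = VPC_READ_ACTIONS + ENI_ACTIONS

# The least-privilege policy document: only the enumerated actions, no wildcards.
MINIMAL_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": REQUIRED_ACTIONS, "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _split(policy_docs):
    """Collect Allow and Deny action patterns across all attached policy documents."""
    allow, deny = [], []
    for doc in policy_docs:
        for statement in doc.get("Statement", []):
            target = allow if statement.get("Effect") == "Allow" else deny
            target.extend(_as_list(statement.get("Action", [])))
    return allow, deny


def _matches(action, patterns):
    # Assumption: RAM action names match case-insensitively and '*' is a wildcard.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def missing_actions(policy_docs):
    """Required actions the role cannot use: not allowed, or explicitly denied."""
    allow, deny = _split(policy_docs)
    return [a for a in REQUIRED_ACTIONS
            if not _matches(a, allow) or _matches(a, deny)]


def wildcard_grants(policy_docs):
    """Allow patterns that grant more than the enumerated minimum (heuristic: any '*')."""
    allow, _ = _split(policy_docs)
    return sorted({p for p in allow if "*" in p})


def role_is_ready(policy_docs):
    """True when every required action is granted; wildcard grants are reported separately."""
    return not missing_actions(policy_docs)


if __name__ == "__main__":
    # Constructed: a role that only carries a read-only VPC policy.
    vpc_only = [{"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": "vpc:Describe*", "Resource": "*"}]}]
    print("missing:", missing_actions(vpc_only))        # the five ENI actions
    print("ready:", role_is_ready([MINIMAL_POLICY]))    # True
    print("too broad:", wildcard_grants([{"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": ["ecs:*", "vpc:*"], "Resource": "*"}]}]))
```

Run missing_actions over the documents returned for the role by RAM before saving the service; an empty list means the role can at least pass the checks this page describes, and a non-empty wildcard_grants list is the place to start when trimming a role that was created with AliyunECSFullAccess-style policies.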

Common issues

  • Why am I unable to connect Function Compute to a VPC for debugging?

    If Function Compute fails to connect to a VPC after your service is configured to allow functions to access the VPC, check the following possible causes:

    • An error may have occurred on the subnet with which the vSwitch is associated, or IP addresses are insufficient. We recommend that you specify at least two vSwitch IDs. This allows your functions to run in another zone if an error occurs in the current zone.

    • The security group is invalid. You must configure the security group based on the following rules:

      • In the security group of the resources in the VPC that the functions access, a rule is configured to allow access from the security group with which Function Compute is associated.

      • The outbound traffic of the security group must support Internet Control Message Protocol (ICMP). Function Compute checks the VPC network connectivity based on ICMP.

      For more information about how to configure a security group, see Add a security group rule.

  • What do I do if resources are insufficient when I create network resources?

    A vSwitch with a /24 CIDR block provides 252 available IP addresses. If a service runs a large number of instances, these addresses can run out. In this case, create a vSwitch with a larger CIDR block and update the vSwitch configuration of the service; if the security group rules reference the old CIDR block, update them as well.
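The two security group conditions from the first question above, as an added example that is not code from the Function Compute documentation or SDK: it evaluates simplified rule records for the flows Function Compute needs and reports what is blocked. The group IDs, CIDR blocks, and rule sets are constructed; the record shape is a reduced form of what DescribeSecurityGroupAttribute returns, and the first-match-by-priority semantics (1 is the highest priority, no match means drop) are assumptions.

```python
"""Added example (not Alibaba Cloud's code): check that the target resource's
security group accepts traffic from the Function Compute security group and
that the Function Compute group allows the service port and ICMP outbound."""
import ipaddress

# Constructed identifiers: a service bound to FC_SG in vSwitch FC_VSWITCH_CIDR,
# reaching an RDS instance behind DB_SG in DB_VSWITCH_CIDR.
FC_SG = "sg-fc0000000000000001"
DB_SG = "sg-db0000000000000001"
FC_VSWITCH_CIDR = "192.168.10.0/24"
DB_VSWITCH_CIDR = "192.168.20.0/24"


def _port_matches(port_range, port):
    lo, hi = (int(p) for p in port_range.split("/"))
    return lo == -1 or lo <= port <= hi  # "-1/-1" means every port (used for ICMP)


def _peer_matches(rule, peer_group, peer_cidr):
    group = rule.get("SourceGroupId") or rule.get("DestGroupId")
    if group:
        return group == peer_group
    cidr = rule.get("SourceCidrIp") or rule.get("DestCidrIp")
    if cidr and peer_cidr:
        return ipaddress.ip_network(peer_cidr).subnet_of(ipaddress.ip_network(cidr))
    return False


def decide(rules, direction, protocol, port, peer_group=None, peer_cidr=None):
    """Outcome for one flow: the matching rule with the best (lowest) priority
    wins; with no matching rule the flow is dropped. Assumed semantics."""
    matching = [r for r in rules
                if r["Direction"] == direction
                and r["IpProtocol"].lower() in (protocol.lower(), "all")
                and _port_matches(r["PortRange"], port)
                and _peer_matches(r, peer_group, peer_cidr)]
    if not matching:
        return "drop"
    return min(matching, key=lambda r: int(r["Priority"]))["Policy"].lower()


def connectivity_problems(db_rules, fc_rules, port=3306):
    """The checks from 'Common issues': the target group must accept the service
    port from the Function Compute group, and the Function Compute group must
    allow that port and ICMP outbound. An empty list means the rules are OK."""
    problems = []
    if decide(db_rules, "ingress", "tcp", port,
              peer_group=FC_SG, peer_cidr=FC_VSWITCH_CIDR) != "accept":
        problems.append(f"{DB_SG}: no inbound rule accepts tcp/{port} from {FC_SG}")
    if decide(fc_rules, "egress", "tcp", port,
              peer_group=DB_SG, peer_cidr=DB_VSWITCH_CIDR) != "accept":
        problems.append(f"{FC_SG}: outbound tcp/{port} to the VPC is not allowed")
    if decide(fc_rules, "egress", "icmp", 0,
              peer_group=DB_SG, peer_cidr=DB_VSWITCH_CIDR) != "accept":
        problems.append(f"{FC_SG}: outbound ICMP is not allowed; the connectivity check will fail")
    return problems


def rule(direction, policy, proto, ports, priority=1, **peer):
    # Builds one record in the (simplified) shape of DescribeSecurityGroupAttribute.
    return {"Direction": direction, "Policy": policy, "IpProtocol": proto,
            "PortRange": ports, "Priority": priority, **peer}


# Constructed: the database group only trusts an on-premises range, and the
# Function Compute group allows TCP but not ICMP outbound.
DB_RULES_BROKEN = [rule("ingress", "Accept", "TCP", "3306/3306", SourceCidrIp="10.0.0.0/8")]
FC_RULES_BROKEN = [rule("egress", "Accept", "TCP", "1/65535", DestCidrIp="0.0.0.0/0")]

# Corrected: trust the Function Compute group by ID, and allow ICMP outbound.
DB_RULES_FIXED = DB_RULES_BROKEN + [rule("ingress", "Accept", "TCP", "3306/3306", SourceGroupId=FC_SG)]
FC_RULES_FIXED = FC_RULES_BROKEN + [rule("egress", "Accept", "ICMP", "-1/-1", DestCidrIp="0.0.0.0/0")]

if __name__ == "__main__":
    for line in connectivity_problems(DB_RULES_BROKEN, FC_RULES_BROKEN):
        print("broken:", line)
    print("fixed:", connectivity_problems(DB_RULES_FIXED, FC_RULES_FIXED))  # []
```

Referencing the Function Compute security group by ID (SourceGroupId) rather than by the vSwitch CIDR is the more robust choice: it keeps working if you later add vSwitches to the service, and it does not open the database to other workloads that happen to share the subnet.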

Troubleshooting

Function Compute does not verify VPC access permissions when you configure vpcConfig. The permissions are verified when a function runs. Therefore, invocations through the InvokeFunction operation can fail with new errors after vpcConfig is configured. The following table describes errors that frequently occur when a service in Function Compute accesses a VPC, to help you troubleshoot them.

Error code: InvalidArgument
Status code: 400
Causes and solutions:
  • Cause: Function Compute does not support the zone in which the specified vSwitch is deployed.
    Solution: Specify another vSwitch ID. For more information, see Zones.
  • Cause: The resources specified by the vpcId, vSwitchIds, or securityGroupId parameter in vpcConfig cannot be found.
    Solution: Check whether the settings in vpcConfig are valid.
  • Cause: The specified vSwitch or security group is not in the VPC.
    Solution: Check whether the VPC settings are valid. Make sure that the resources specified by the vSwitchIds and securityGroupId parameters are deployed in the VPC that is specified by the vpcId parameter.

Error code: AccessDenied
Status code: 403
Cause: The service role in Function Compute has not been granted permissions to operate elastic network interfaces (ENIs).
Solution: Check the ENI permissions of the role. For more information, see Grant Function Compute permissions to access other Alibaba Cloud services.

Error code: ResourceExhausted
Status code: 429
Cause: The available IP addresses in the CIDR block of the vSwitch are insufficient, so Function Compute cannot create more ENIs.
Solution: Create a vSwitch with a larger CIDR block and update the vSwitchIds parameter in vpcConfig.

Note

We recommend that you use a /24 or /16 CIDR block.
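A pre-flight check of a service's vpcConfig against the conditions in the table above and the vSwitch advice under Common issues, as an added example that is not Function Compute's own code. It consumes data in the shape of the relevant API responses (AvailableAZs from GetAccountSettings; VpcId, ZoneId, CidrBlock and AvailableIpAddressCount from DescribeVSwitchAttributes; VpcId of a security group), all constructed here; the zone list is the one this page's table gives for cn-hangzhou. The four reserved addresses per vSwitch and the one-address-per-instance capacity estimate are assumptions.

```python
"""Added example (not Alibaba Cloud's code): validate a vpcConfig before an
UpdateService call so that the InvalidArgument / ResourceExhausted cases in
the table surface here rather than at the first InvokeFunction."""
import ipaddress

# Zones the Zones table on this page lists for cn-hangzhou; confirm the
# current list with GetAccountSettings before relying on it.
AVAILABLE_ZONES = {"cn-hangzhou-f", "cn-hangzhou-g", "cn-hangzhou-h",
                   "cn-hangzhou-i", "cn-hangzhou-j", "cn-hangzhou-k"}

# Constructed inventory (only the fields this check needs).
VSWITCHES = {
    "vsw-hz-h":  {"VpcId": "vpc-app",   "ZoneId": "cn-hangzhou-h", "CidrBlock": "192.168.10.0/24", "AvailableIpAddressCount": 252},
    "vsw-hz-i":  {"VpcId": "vpc-app",   "ZoneId": "cn-hangzhou-i", "CidrBlock": "192.168.11.0/24", "AvailableIpAddressCount": 250},
    "vsw-hz-g":  {"VpcId": "vpc-app",   "ZoneId": "cn-hangzhou-g", "CidrBlock": "192.168.12.0/26", "AvailableIpAddressCount": 60},
    "vsw-hz-b":  {"VpcId": "vpc-app",   "ZoneId": "cn-hangzhou-b", "CidrBlock": "192.168.13.0/24", "AvailableIpAddressCount": 252},
    "vsw-other": {"VpcId": "vpc-other", "ZoneId": "cn-hangzhou-h", "CidrBlock": "10.0.0.0/24",     "AvailableIpAddressCount": 252},
}
SECURITY_GROUPS = {"sg-app": {"VpcId": "vpc-app"}, "sg-other": {"VpcId": "vpc-other"}}

RESERVED_PER_VSWITCH = 4     # assumption consistent with "252 usable in a /24"
RECOMMENDED_MAX_PREFIX = 24  # the page recommends /24 or /16


def preflight(vpc_config, expected_instances, vswitches=VSWITCHES,
              security_groups=SECURITY_GROUPS, zones=AVAILABLE_ZONES):
    """Return (code, message) findings. Codes mirror the error rows in the
    table, plus 'Advisory' for the page's recommendations. Empty list = OK."""
    findings = []
    vpc_id = vpc_config["vpcId"]
    usable = []
    for vsw_id in vpc_config["vSwitchIds"]:
        vsw = vswitches.get(vsw_id)
        if vsw is None:
            findings.append(("InvalidArgument", f"{vsw_id}: vSwitch not found"))
            continue
        if vsw["VpcId"] != vpc_id:
            findings.append(("InvalidArgument", f"{vsw_id}: not in {vpc_id}"))
            continue
        if vsw["ZoneId"] not in zones:
            findings.append(("InvalidArgument",
                             f"{vsw_id}: zone {vsw['ZoneId']} is not supported by Function Compute"))
            continue
        usable.append((vsw_id, vsw))

    sg_id = vpc_config["securityGroupId"]
    sg = security_groups.get(sg_id)
    if sg is None:
        findings.append(("InvalidArgument", f"{sg_id}: security group not found"))
    elif sg["VpcId"] != vpc_id:
        findings.append(("InvalidArgument", f"{sg_id}: not in {vpc_id}"))

    for vsw_id, vsw in usable:
        net = ipaddress.ip_network(vsw["CidrBlock"])
        if net.prefixlen > RECOMMENDED_MAX_PREFIX:
            findings.append(("Advisory", f"{vsw_id}: /{net.prefixlen} leaves only "
                             f"{net.num_addresses - RESERVED_PER_VSWITCH} addresses; use /24 or /16"))
    if len({v["ZoneId"] for _, v in usable}) < 2:
        findings.append(("Advisory", "specify two or more vSwitches in different zones"))
    # Assumption: one address per concurrently running instance is a safe upper bound.
    free = sum(v["AvailableIpAddressCount"] for _, v in usable)
    if free < expected_instances:
        findings.append(("ResourceExhausted",
                         f"{free} free addresses for {expected_instances} instances"))
    return findings


if __name__ == "__main__":
    good = {"vpcId": "vpc-app", "vSwitchIds": ["vsw-hz-h", "vsw-hz-i"], "securityGroupId": "sg-app"}
    bad = {"vpcId": "vpc-app", "vSwitchIds": ["vsw-hz-b", "vsw-other", "vsw-missing", "vsw-hz-g"],
           "securityGroupId": "sg-other"}
    print(preflight(good, expected_instances=100))   # []
    for code, message in preflight(bad, expected_instances=100):
        print(code, message)
```

A vSwitch in an unsupported zone is dropped from the capacity count rather than just flagged, because Function Compute cannot place ENIs there; the Advisory findings do not block the update but are exactly the conditions behind the "at least two vSwitch IDs" and "/24 or /16" recommendations on this page.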

References

  • If you want functions in a service to access a database that resides in the VPC of the service, we recommend that you add the CIDR block of the vSwitch that you configured for the service to the whitelist. For more information, see Access a database.

  • If functions must reach the Internet from fixed source IP addresses, for example so that the addresses can be added to the allowlist of a downstream service, configure static public IP addresses. For more information, see Configure static public IP addresses.