By default, Function Compute cannot access resources that you have created in a virtual private cloud (VPC). You must manually set the VPC configuration for Function Compute to authorize Function Compute to access the resources deployed in the VPC.
Prerequisites
Background information
Determine whether the VPC configuration is required
Additional fees are required for VPC. We recommend that you use Resource Access Management (RAM) rather than the VPC configuration to grant access permissions on a service such as Tablestore. Therefore, before you configure a VPC, you must determine whether the VPC configuration is required.
The VPC configuration is set on the service level. When you grant access permissions to a service in Function Compute, all functions in the service are authorized to access the specified VPC.
Fields defined in the VPC configuration
- vpcId: the ID of the VPC to be accessed.
- vSwitchIds: the vSwitches. You must specify at least one vSwitch ID.
The vSwitchIds field specifies the subnets that Function Compute can access. We recommend that you specify two or more vSwitches in the vSwitchIds field. This allows your functions to be executed in other subnets when an error occurs or IP addresses are insufficient in a zone. If multiple vSwitch IDs are specified in the vSwitchIds field, Function Compute randomly selects one when it creates an elastic network interface (ENI).
- securityGroupId: the ID of the security group that is associated with the ENI.
"vpcConfig": { "vpcId": "string", "vSwitchIds": [ "string" ], "securityGroupId": "string" }The securityGroupId field specifies the security group with which the ENI and Function Compute are associated. A security group defines the inbound and outbound rules for Function Compute in the specified VPC. In this security group, configure a rule to allow access from the security group with which Function Compute is associated. Otherwise, Function Compute cannot access resources that are deployed in the specified VPC.
Access to the Internet
Services in Function Compute contain a Boolean field internetAccess that indicates whether a service is allowed to access the Internet. By default, this
field is set to true, which indicates that the service is allowed to access the Internet. You can set
the internetAccess field to false, which disallows all functions in the service to access the Internet.
How it works
A VPC is a custom private network created on Alibaba Cloud. VPCs are logically isolated from each other. You can create and manage your Alibaba Cloud service instances in your VPC, such as Elastic Compute Service (ECS) instances, Server Load Balancer (SLB) instances, and ApsaraDB RDS instances. This prevents these resources from being accessed over the Internet.
The following part describes how Function Compute accesses resources in a VPC:
When you create an ENI, you must provide configuration information such as the VPC ID, security group ID, and vSwitch ID. Function Compute configures the ENI based on this information. This allows your functions to access resources in the specified VPC by using the ENI.
For more information about how Function Compute accesses resources in a VPC, see Overview.
Usage notes
- If you cannot use Alibaba Cloud VPC in the China (Hangzhou), China (Shanghai), China (Beijing), and China (Shenzhen) regions, you must activate it as prompted in the console.
- The following table describes the regions where Function Compute is available. If
the region where your resources reside is not in the following table, see How can I resolve the "vSwitch is in unsupported zone" error?.
Region Region ID VPC China (Hangzhou) cn-hangzhou cn-hangzhou-f,cn-hangzhou-g,cn-hangzhou-h China (Shanghai) cn-shanghai cn-shanghai-b,cn-shanghai-e,cn-shanghai-g,cn-shanghai-f China (Qingdao) cn-qingdao cn-qingdao-c China (Beijing) cn-beijing cn-beijing-h,cn-beijing-c,cn-beijing-e,cn-beijing-f China (Zhangjiakou) cn-zhangjiakou cn-zhangjiakou-b,cn-zhangjiakou-a China (Hohhot) cn-huhehaote cn-huhehaote-a,cn-huhehaote-b China (Shenzhen) cn-shenzhen cn-shenzhen-e,cn-shenzhen-d China (Chengdu) cn-chengdu cn-chengdu-a, cn-chengdu-b China (Hong Kong) cn-hongkong cn-hongkong-c Singapore (Singapore) ap-southeast-1 ap-southeast-1a,ap-southeast-1b Australia (Sydney) ap-southeast-2 ap-southeast-2a,ap-southeast-2b Malaysia (Kuala Lumpur) ap-southeast-3 ap-southeast-3a Indonesia (Jakarta) ap-southeast-5 ap-southeast-5a,ap-southeast-5b Japan (Tokyo) ap-northeast-1 ap-northeast-1b,ap-northeast-1a UK (London) eu-west-1 eu-west-1a Germany (Frankfurt) eu-central-1 eu-central-a,eu-central-1a,eu-central-1b US (Silicon Valley) us-west-1 us-west-1a,us-west-1b US (Virginia) us-east-1 us-east-1b, us-east-1a India (Mumbai) ap-south-1 ap-south-1a,ap-south-1b
Network access modes
Functions can access resources in four network access modes based on network settings. You can set networks for your functions as needed.
| Allow functions to access the Internet | Allow functions to access VPC resources | Network access mode |
|---|---|---|
| Yes | Yes | Functions can access the Internet, private networks, and a specified VPC.
|
| Yes | No | Functions can access the Internet but cannot access VPCs.
|
| No | Yes | Functions can access the Internet, private networks, and VPC resources by using VPCs. This is applicable to VPC binding for Alibaba Cloud DNS PrivateZone, NAT Gateway, and Function Compute. |
| No | No | Functions cannot access the Internet or a specified VPC.
|
- Internet traffic: the traffic for the access to Internet addresses, such as Alibaba Cloud official websites, the website of Taobao, and the public endpoints of Alibaba Cloud services.
- Private network traffic: the traffic for the access to the internal endpoints of Alibaba Cloud services, such as the internal endpoint of Object Storage Service (OSS) and the default Domain Name System (DNS) address of ECS.
- VPC traffic: the traffic for the access to addresses in VPCs, such as RDS addresses, Apsara File Storage NAS addresses, and the VPC endpoint of ECS.
Configure networks and permissions
The VPC and permissions are configured on the service level. When you grant access permissions to a service in Function Compute, all functions in the service are authorized to access the specified VPC.
- On the Services and Functions page, click the service that you require. Then, click the Service Configurations tab. On the Service Configurations tab, click Modify Configuration.
- In the Network Config section, modify the network configurations as needed.
Parameter Description Allow Functions to Access the Internet Specifies whether to allow functions to access the Internet. - On: Functions can access the Internet.
- Off: Functions cannot access the Internet.
Allow Functions to Access VPC Resources Specifies whether to allow functions to access VPC resources. - On: Functions can access VPC resources.
If you turn on the switch, you must set the following parameters:
- VPC: Select a VPC.
- Vswitches: Select one or more vSwitches.
- Security Group: Select the security group with which your ENI is associated.
- Off: Functions cannot access VPC resources.
Allow Specified VPCs to Invoke Functions Specifies whether to allow functions to be invoked only in specified VPCs. For more information, see Allow functions to be invoked only in specified VPCs. - In the Role Config section, set the parameters.
Function Compute accesses resources deployed in a VPC by using an ENI. Therefore, you must grant the service that needs to access the specified VPC permissions to create, describe, and delete ENIs. For more information, see Grant Function Compute permissions to access other Alibaba Cloud services.
Parameter Description Select Role Select an existing role from the drop-down list or click Create Role. Select Policy Template Select AliyunECSNetworkInterfaceManagementAccess from the drop-down list. This policy contains the following permissions:- vpc:DescribeVSwitchAttributes
- ecs:CreateNetworkInterface
- ecs:DeleteNetworkInterface
- ecs:DescribeNetworkInterfaces
- ecs:CreateNetworkInterfacePermission
- ecs:DescribeNetworkInterfacePermissions