By default, Function Compute cannot access resources that you have created in a virtual private cloud (VPC). You must manually set the VPC configuration for Function Compute to authorize Function Compute to access resources deployed in the VPC.

Background information

Determine whether the VPC configuration is required

Additional fees are charged for VPC. We recommend that you use Resource Access Management (RAM) rather than the VPC configuration to grant access permissions on a service such as Tablestore. Therefore, before you configure a VPC, you must determine whether the VPC configuration is required.


The VPC configuration is set on the service level. When you grant access permissions to a service in Function Compute, all functions in the service are authorized to access the specified VPC.

Note If your resources are not deployed in a zone where Function Compute is available, create a vSwitch in your VPC. The vSwitch must be in the same zone as Function Compute. In addition, you must specify the vSwitch ID in the configuration of the specified service in Function Compute. vSwitches in the same VPC can communicate with each other. Therefore, Function Compute can use the vSwitch to access resources that are deployed in the VPC and reside in other zones.

Fields defined in the VPC configuration

The VPC configuration is a vpcConfig object with three fields: vpcId, vSwitchIds, and securityGroupId. All three fields must be specified.

    "vpcConfig": {
        "vpcId": "string",
        "vSwitchIds": [ "string" ],
        "securityGroupId": "string"
    }

  • vpcId: the ID of the VPC to be accessed.
  • vSwitchIds: the vSwitches. You must specify at least one vSwitch ID.

    The vSwitchIds field specifies the subnets that Function Compute can access. We recommend that you specify two or more vSwitches in the vSwitchIds field so that your functions can still be executed in another subnet when a zone fails or a subnet runs out of IP addresses. If multiple vSwitch IDs are specified in the vSwitchIds field, Function Compute selects one of them when it creates an elastic network interface (ENI).

  • securityGroupId: the ID of the security group that is associated with the ENI.

    The securityGroupId field specifies the security group with which the ENI, and therefore Function Compute, is associated. A security group defines the inbound and outbound rules for Function Compute in the specified VPC. The security group rules must allow access from the security group with which Function Compute is associated. Otherwise, Function Compute cannot access resources that are deployed in the specified VPC.

Access to the Internet

Function Compute services contain a Boolean field, internetAccess, that indicates whether a service is allowed to access the Internet. The default value is true, which means that the service can access the Internet. If you set internetAccess to false, none of the functions in the service can access the Internet.

How it works

A VPC is a custom private network created on Alibaba Cloud. VPCs are logically isolated from each other. You can create and manage your Alibaba Cloud service instances in your VPC, such as Elastic Compute Service (ECS) instances, Server Load Balancer (SLB) instances, and ApsaraDB RDS instances. This prevents these resources from being accessed over the Internet.

The following describes how Function Compute accesses resources in a VPC:

A VPC is a private network dedicated for your use. You must authorize an ENI to access the VPC and attach this ENI to the instance that executes your functions. This allows the functions to access the resources in your VPC. For more information about ENIs, see ENI overview.

When you create an ENI, you must provide configuration information such as the VPC ID, security group ID, and vSwitch ID. Function Compute configures the ENI based on this information. This allows your functions to access resources in the specified VPC by using the ENI.

For more information about how Function Compute accesses resources in a VPC, see Overview.

Usage notes

  • If you cannot use Alibaba Cloud VPC in the China (Hangzhou), China (Shanghai), China (Beijing), and China (Shenzhen) regions, you must activate it as prompted in the console.
  • The following table describes the regions where Function Compute is available. If the region where your resources reside is not in the following table, see How can I resolve the "VSwitch is in unsupported zone" error?
    Region | Region ID | Zones where Function Compute is available
    China (Hangzhou) | cn-hangzhou | cn-hangzhou-f, cn-hangzhou-g, cn-hangzhou-h
    China (Shanghai) | cn-shanghai | cn-shanghai-b, cn-shanghai-e, cn-shanghai-g, cn-shanghai-f
    China (Qingdao) | cn-qingdao | cn-qingdao-c
    China (Beijing) | cn-beijing | cn-beijing-h, cn-beijing-c, cn-beijing-e, cn-beijing-f
    China (Zhangjiakou) | cn-zhangjiakou | cn-zhangjiakou-b, cn-zhangjiakou-a
    China (Hohhot) | cn-huhehaote | cn-huhehaote-a, cn-huhehaote-b
    China (Shenzhen) | cn-shenzhen | cn-shenzhen-e, cn-shenzhen-d
    China (Chengdu) | cn-chengdu | cn-chengdu-a, cn-chengdu-b
    China (Hong Kong) | cn-hongkong | cn-hongkong-c
    Singapore (Singapore) | ap-southeast-1 | ap-southeast-1a, ap-southeast-1b
    Australia (Sydney) | ap-southeast-2 | ap-southeast-2a, ap-southeast-2b
    Malaysia (Kuala Lumpur) | ap-southeast-3 | ap-southeast-3a
    Indonesia (Jakarta) | ap-southeast-5 | ap-southeast-5a, ap-southeast-5b
    Japan (Tokyo) | ap-northeast-1 | ap-northeast-1b, ap-northeast-1a
    UK (London) | eu-west-1 | eu-west-1a
    Germany (Frankfurt) | eu-central-1 | eu-central-a, eu-central-1a, eu-central-1b
    US (Silicon Valley) | us-west-1 | us-west-1a, us-west-1b
    US (Virginia) | us-east-1 | us-east-1b, us-east-1a
    India (Mumbai) | ap-south-1 | ap-south-1a, ap-south-1b

Network access modes

Depending on the two network settings of a service, functions run in one of four network access modes. Set the networks for your functions as needed.

Allow functions to access the Internet | Allow functions to access VPC resources | Network access mode
Yes | Yes | Functions can access the Internet and the specified VPC.
Yes | No | Functions can access only the Internet.
No | Yes | Functions can access only the specified VPC.
No | No | Functions cannot access the Internet or the specified VPC.
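The following is an added example, not code from Alibaba Cloud or the Function Compute documentation. It checks a service's vpcConfig against the rules given in the field descriptions above (all three fields set, at least one vSwitch, two or more recommended, vSwitches in a zone where Function Compute is available) and maps the internetAccess flag plus the presence of a vpcConfig to one of the four network access modes in the table. The zone table covers two regions only, the vSwitch-to-zone mapping is supplied by the caller, and all IDs are constructed.

```python
# Added example: validate a Function Compute vpcConfig and name the resulting
# network access mode. Not Alibaba Cloud code; all sample values are constructed.

# Zones where Function Compute is available, copied from the regions table
# above for two regions only; extend this dict for the regions you use.
FC_ZONES = {
    "cn-hangzhou": {"cn-hangzhou-f", "cn-hangzhou-g", "cn-hangzhou-h"},
    "cn-beijing": {"cn-beijing-h", "cn-beijing-c", "cn-beijing-e", "cn-beijing-f"},
}

REQUIRED_FIELDS = ("vpcId", "vSwitchIds", "securityGroupId")


def check_vpc_config(vpc_config, region, vswitch_zones):
    """Return a list of problems found in a vpcConfig object.

    vswitch_zones maps each vSwitch ID to its zone ID. In practice you would
    look the zones up (e.g. via DescribeVSwitchAttributes); here the caller
    supplies the mapping so the check runs offline.
    """
    problems = []
    for field in REQUIRED_FIELDS:
        if not vpc_config.get(field):
            problems.append(f"{field} is missing or empty")
    vswitches = vpc_config.get("vSwitchIds") or []
    if len(vswitches) == 1:
        problems.append("only one vSwitch configured; two or more are recommended")
    for vsw in vswitches:
        zone = vswitch_zones.get(vsw)
        if zone not in FC_ZONES.get(region, set()):
            problems.append(f"{vsw} is in unsupported zone {zone}")
    return problems


def network_access_mode(internet_access, vpc_config):
    """Name the network access mode for the two service-level switches."""
    has_vpc = bool(vpc_config)
    if internet_access and has_vpc:
        return "Internet and VPC"
    if internet_access:
        return "Internet only"
    if has_vpc:
        return "VPC only"
    return "no network access"


if __name__ == "__main__":
    # Constructed sample: one vSwitch in a supported zone, one in an unsupported zone.
    sample = {"vpcId": "vpc-example", "vSwitchIds": ["vsw-a", "vsw-b"],
              "securityGroupId": "sg-example"}
    zones = {"vsw-a": "cn-hangzhou-f", "vsw-b": "cn-hangzhou-a"}
    print(check_vpc_config(sample, "cn-hangzhou", zones))
    print(network_access_mode(False, sample))
```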

Configure networks and permissions

The VPC and permissions are configured on the service level. When you grant access permissions to a service in Function Compute, all functions in the service are authorized to access the specified VPC.

  1. Log on to the Function Compute console.
  2. In the top navigation bar, select a region.
  3. In the left-side navigation pane, click Services and Functions. In the Services pane, click the service that you require.
  4. On the Services and Functions page, click the service that you require. Then, click the Service Configurations tab. On the Service Configurations tab, click Modify Configuration.
  5. In the Network Config section, modify the network configurations as needed.
     • Allow Functions to Access the Internet: specifies whether to allow functions to access the Internet.
       • On: Functions can access the Internet.
       • Off: Functions cannot access the Internet.
     • Allow Functions to Access VPC Resources: specifies whether to allow functions to access VPC resources.
       • On: Functions can access VPC resources. If you turn on the switch, you must set the following parameters:
         • VPC: Select a VPC.
         • Vswitches: Select one or more vSwitches.
         • Security Group: Select the security group with which your ENI is associated.
       • Off: Functions cannot access VPC resources.
     • Allow Specified VPCs to Invoke Functions: specifies whether to allow functions to be invoked only from specified VPCs. For more information, see Allow functions to be invoked only in specified VPCs.
  6. In the Role Config section, set the parameters.

    Function Compute accesses resources deployed in a VPC by using an ENI. Therefore, you must grant the service that needs to access the specified VPC permissions to create, describe, and delete ENIs. For more information, see Permission management.

     • Select Role: Select an existing role from the drop-down list or click Create Role.
     • Select Policy Template: Select AliyunECSNetworkInterfaceManagementAccess from the drop-down list. This policy contains the following permissions:
       • vpc:DescribeVSwitchAttributes
       • ecs:CreateNetworkInterface
       • ecs:DeleteNetworkInterface
       • ecs:DescribeNetworkInterfaces
       • ecs:CreateNetworkInterfacePermission
       • ecs:DescribeNetworkInterfacePermissions
  7. Click Submit.