By default, Function Compute cannot access resources that you have created in a virtual private cloud (VPC). You must manually set the VPC configuration for Function Compute to authorize Function Compute to access resources deployed in the VPC.

Prerequisites

Background information

Determine whether to configure VPC resource access

The use of a VPC incurs additional fees. Where a service such as Tablestore can be authorized through RAM, we recommend that you grant access permissions with RAM rather than with a VPC configuration. Therefore, before you configure a VPC, determine whether the VPC configuration is actually required.

The VPC configuration is set on the service level. When you grant access permissions to a service, all functions of the service are allowed to access the specified VPC.

Note If your resources are not deployed in a zone that hosts Function Compute, create a vSwitch in your VPC in a zone that Function Compute supports, and specify the ID of that vSwitch in the VPC configuration of the service in Function Compute. vSwitches within the same VPC can communicate with each other, so Function Compute can reach resources in the other zone of the VPC through that vSwitch.

vpcConfig properties

The vpcConfig configuration contains the vpcId, vSwitchIds, and securityGroupId fields. All three fields must be specified.

    "vpcConfig": {
        "vpcId": "string",
        "vSwitchIds": [ "string" ],
        "securityGroupId": "string"
    }

  • vpcId: The ID of the VPC that your service needs to access.
  • vSwitchIds: The list of vSwitches. You must provide at least one vSwitch ID.

    The vSwitchIds field specifies the subnets that Function Compute can access. We recommend that you specify two or more vSwitches in the vSwitchIds field, so that your functions can still be executed in another subnet when a zone fails or runs out of IP addresses. If multiple vSwitch IDs are specified in the vSwitchIds field, Function Compute selects one of them when it creates an Elastic Network Interface (ENI).

  • securityGroupId: The ID of the security group that is associated with the ENI.

    The securityGroupId field specifies the security group that the ENI, and therefore Function Compute, is associated with. A security group defines the inbound and outbound rules for Function Compute in the specified VPC. Make sure that the security group rules allow access from the security group that Function Compute is associated with; otherwise, Function Compute cannot access resources that are deployed in the specified VPC.

Access to the Internet

Function Compute services contain a Boolean field internetAccess that indicates whether a service is allowed to access the Internet. The default value is true, which means that the service can access the Internet. If you set the internetAccess field to false, none of the functions in the service can access the Internet.

How it works

A VPC is a custom private network created on Alibaba Cloud. VPCs are logically isolated from each other. You can create and manage your cloud instances, such as Elastic Compute Service (ECS) instances, Server Load Balancer (SLB) instances, and ApsaraDB for RDS (RDS) instances in your VPC. This prevents these resources from being accessed on the Internet.

Function Compute accesses resources in a VPC in the following way:

A VPC is a private network dedicated for your use. You must authorize an ENI to access the VPC, and this ENI is attached to the instance where your functions are executed. This allows the functions to access the resources in your VPC. For more information about ENIs, see ENI overview.

When you create an ENI, you must provide configuration information such as the VPC ID, security group ID, and vSwitch ID. Function Compute configures the ENI based on this information. This allows your functions to access resources in the specified VPC by using the ENI.

For more information about how to use Function Compute to access resources in a VPC, see Overview.

Notes

  • If you cannot activate Alibaba Cloud VPC in the China (Hangzhou), China (Shanghai), China (Beijing), and China (Shenzhen) regions, you must activate it as prompted in the console.
  • The following table lists the regions where Function Compute can be activated. If the region of your resource is not in the table, see t1881181.html#section_6bd_qsk_npz.
    Region                                        Region ID        Supported VPC zones
    China (Hangzhou)                              cn-hangzhou      cn-hangzhou-g
    China (Shanghai)                              cn-shanghai      cn-shanghai-e, cn-shanghai-f
    China (Qingdao)                               cn-qingdao       cn-qingdao-c
    China (Beijing)                               cn-beijing       cn-beijing-c, cn-beijing-f
    China (Zhangjiakou-Beijing Winter Olympics)   cn-zhangjiakou   cn-zhangjiakou-b, cn-zhangjiakou-a
    China (Hohhot)                                cn-huhehaote     cn-huhehaote-a, cn-huhehaote-b
    China (Shenzhen)                              cn-shenzhen      cn-shenzhen-d
    China (Hong Kong)                             cn-hongkong      cn-hongkong-c
    Singapore (Singapore)                         ap-southeast-1   ap-southeast-1a, ap-southeast-1b
    Australia (Sydney)                            ap-southeast-2   ap-southeast-2a, ap-southeast-2b
    Indonesia (Jakarta)                           ap-southeast-5   ap-southeast-5a, ap-southeast-5b
    Japan (Tokyo)                                 ap-northeast-1   ap-northeast-1b, ap-northeast-1a
    Germany (Frankfurt)                           eu-central-a     eu-central-a, eu-central-1a, eu-central-1b
    US (Silicon Valley)                           us-west-1        us-west-1a, us-west-1b
    US (Virginia)                                 us-east-1        us-east-1a
    India (Mumbai)                                ap-south-1       ap-south-1a, ap-south-1b

Network access modes

Functions run in one of four network access modes, depending on the network settings of their service. Set the network settings for your functions as needed.

    Allow functions to access the Internet   Allow functions to access VPC resources   Network access mode
    Yes                                      Yes                                       Allows functions to access the Internet and a specified VPC.
    Yes                                      No                                        Allows functions to access the Internet only.
    No                                       Yes                                       Allows functions to access a specified VPC only.
    No                                       No                                        Does not allow functions to access the Internet or a specified VPC.
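As an added example (not Alibaba Cloud's code), the following script checks a service configuration against the vpcConfig rules given above and derives which of the four network access modes the service is in. The service dictionaries and resource IDs are constructed placeholders; the field names are the ones this page documents.

```python
"""Validate a Function Compute service's network settings (added example)."""
from typing import Any, Dict, List, Optional

# The four modes from the table above, keyed by (internetAccess, VPC access).
MODES = {
    (True, True): "Internet and VPC",
    (True, False): "Internet only",
    (False, True): "VPC only",
    (False, False): "No network access",
}


def has_vpc_access(vpc_config: Optional[Dict[str, Any]]) -> bool:
    """VPC access exists only when vpcId, vSwitchIds and securityGroupId are all set."""
    if not vpc_config:
        return False
    return all(bool(vpc_config.get(f)) for f in ("vpcId", "vSwitchIds", "securityGroupId"))


def validate_vpc_config(vpc_config: Dict[str, Any]) -> List[str]:
    """Return findings for a vpcConfig block; an empty list means it follows the guidance above."""
    findings = []
    for field in ("vpcId", "securityGroupId"):
        if not isinstance(vpc_config.get(field), str) or not vpc_config[field]:
            findings.append(f"{field} must be a non-empty string")
    vswitches = vpc_config.get("vSwitchIds")
    if not isinstance(vswitches, list) or not vswitches:
        findings.append("vSwitchIds must list at least one vSwitch ID")
    elif len(vswitches) < 2:
        # Single-zone configuration: no fallback when the zone fails or runs out of IPs.
        findings.append("only one vSwitch: add a second in another zone for failover and spare IPs")
    return findings


def network_mode(service: Dict[str, Any]) -> str:
    """Map internetAccess (default true) plus vpcConfig to the mode names in the table above."""
    internet = service.get("internetAccess", True)
    return MODES[(bool(internet), has_vpc_access(service.get("vpcConfig")))]


# Constructed sample service; the IDs are placeholders, not real resources.
SAMPLE_SERVICE = {
    "internetAccess": False,
    "vpcConfig": {"vpcId": "vpc-EXAMPLE", "vSwitchIds": ["vsw-EXAMPLE-a"], "securityGroupId": "sg-EXAMPLE"},
}

if __name__ == "__main__":
    print(network_mode(SAMPLE_SERVICE), validate_vpc_config(SAMPLE_SERVICE["vpcConfig"]))
```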

Configure networks and permissions

The VPC and permissions are configured on the service level. When you grant access permissions to a service, all functions of the service are allowed to access the specified VPC.

Note If your resources are not deployed in a zone that hosts Function Compute, create a vSwitch in your VPC in a zone that Function Compute supports, and specify the ID of that vSwitch in the VPC configuration of the service in Function Compute. vSwitches within the same VPC can communicate with each other, so Function Compute can reach resources in other zones of the VPC through that vSwitch.
  1. Log on to the Function Compute console.
  2. In the top navigation bar, select your region.
  3. In the left-side navigation pane, click Service/Function.
  4. In the service list, click the name of the target service.
  5. Click the Service Configurations tab and click Update.
  6. In the Network Config section, modify the network configuration as needed.
    • Allow Functions to Access the Internet: Specifies whether to allow functions to access the Internet.
      • On: Functions can access the Internet.
      • Off: Functions cannot access the Internet.
    • Allow Functions to Access VPC Resources: Specifies whether to allow functions to access VPC resources.
      • On: Functions can access VPC resources. After you turn on the switch, you must set the following parameters:
        • VPC: Select a VPC.
        • Vswitches: Select one or more vSwitches.
        • Security Group: Select the security group that your ENI is associated with.
      • Off: Functions cannot access VPC resources.
    • Allow Specified VPCs to Invoke Functions: Specifies whether to allow a specified VPC to call functions. For more information, see Allow a specified VPC to invoke functions.
  7. In the Role Config section, set parameters and click Submit.

    Function Compute accesses resources deployed in a VPC by using an ENI. Therefore, you must grant ENI permissions such as create, describe, and delete to the service that needs to access the specified VPC. For more information, see t1881210.html#concept_2260124.

    • Role Operation: Select the role creation method. Valid values:
      • Select an existing role: Select this option if you have already created a role.
      • Create new role: Select this option if you have not created a role.
    • Existing Role: Select an existing role from the drop-down list. This parameter must be set when Role Operation is set to Select an existing role.
    • System Policies: Select AliyunECSNetworkInterfaceManagementAccess. This system policy contains the following permissions:
      • vpc:DescribeVSwitchAttributes
      • ecs:CreateNetworkInterface
      • ecs:DeleteNetworkInterface
      • ecs:DescribeNetworkInterfaces
      • ecs:CreateNetworkInterfacePermission
      • ecs:DescribeNetworkInterfacePermissions
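As an added example (not Alibaba Cloud's code), the following script checks a RAM policy document attached to the service role against the six ENI actions listed above: it reports any required action the policy does not grant, and flags wildcard grants that cover more than that minimum. The policy document is constructed for the example; its structure follows the Version/Statement/Effect/Action/Resource layout of RAM policies, and the wildcard matching uses plain glob semantics as an assumption.

```python
"""Check a service role's RAM policy against the ENI actions Function Compute needs (added example)."""
from fnmatch import fnmatchcase
from typing import Any, Dict, List

# The actions listed under the AliyunECSNetworkInterfaceManagementAccess system policy above.
REQUIRED_ACTIONS = (
    "vpc:DescribeVSwitchAttributes",
    "ecs:CreateNetworkInterface",
    "ecs:DeleteNetworkInterface",
    "ecs:DescribeNetworkInterfaces",
    "ecs:CreateNetworkInterfacePermission",
    "ecs:DescribeNetworkInterfacePermissions",
)


def allowed_actions(policy: Dict[str, Any]) -> List[str]:
    """Collect Action patterns from Allow statements (Action may be a string or a list)."""
    patterns: List[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        patterns.extend([action] if isinstance(action, str) else action)
    return patterns


def check_policy(policy: Dict[str, Any]) -> Dict[str, List[str]]:
    """Return required actions that are not granted and grant patterns broader than needed."""
    patterns = allowed_actions(policy)
    # Assumption: "*" in an action pattern matches any run of characters (glob semantics).
    missing = [a for a in REQUIRED_ACTIONS if not any(fnmatchcase(a, p) for p in patterns)]
    # The six required actions are exact names, so any wildcard grant exceeds least privilege
    # (for example "ecs:*" also allows instance management, which Function Compute does not need).
    over_broad = [p for p in patterns if "*" in p]
    return {"missing": missing, "over_broad": over_broad}


# Constructed sample: a custom policy that grants all of ECS instead of the four exact ecs actions
# and forgets the vpc action entirely.
SAMPLE_POLICY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": ["ecs:*"], "Resource": "*"}],
}

if __name__ == "__main__":
    print(check_policy(SAMPLE_POLICY))
```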