Virtual Private Cloud (VPC) is an isolated cloud network built for private use. It allows you to logically isolate your cloud resources in a virtual network environment. All Function Compute (FC) functions run in an FC-owned VPC. By default, a function cannot reach resources in your own VPC, because VPCs are isolated from one another at the network level.
Function Compute now integrates seamlessly with VPC. You grant Function Compute permission to manage elastic network interfaces (ENIs) and supply the VPC-specific configuration: the VPC ID, one or more VSwitch IDs and a security group ID. Function Compute then uses those ENIs to connect the function execution environment to the specified VPC. Once the VPC configuration is enabled, your function runs as if it were inside that VPC.
To enable VPC access you must grant Function Compute ENI permissions. Function Compute obtains these permissions from the service role you provide: either create a new service role with the AliyunECSNetworkInterfaceManagementAccess policy, or attach that policy to an existing service role.
You must also provide the VPC-specific information (the VPC ID, at least one VSwitch ID and a security group ID) to complete the setup. Function Compute creates an ENI in a randomly chosen one of the provided VSwitches and uses it to reach your VPC. We recommend providing at least one VSwitch from each availability zone, so that your functions keep running if an availability zone goes down or a VSwitch runs out of IP addresses.
Once VPC access is enabled, your function runs as if it were inside your VPC, where internet access may not be available. If your function needs both VPC access and internet access, you can set up a NAT to provide internet access for your VPC, or, more simply, enable internet access for your functions: Function Compute then sets up a NAT and peers it with your function's execution environment. With both VPC access and internet access enabled, your functions reach your VPC through the ENIs and reach the internet through the FC NAT.
The security group's egress (outbound) rules must allow the ICMP protocol, because Function Compute checks VPC network connectivity using ICMP.
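As an added example (not code from the original documentation), the Python script below assembles the vpcConfig object in the shape the Function Compute service API expects (vpcId, vSwitchIds, securityGroupId) together with the role and internetAccess settings, and runs the two pre-flight checks the guidance above implies: the VSwitches span more than one availability zone, and the security group egress rules permit ICMP. The VSwitch-to-zone map and the egress rule list are constructed sample data standing in for what you would fetch from the VPC and ECS APIs.

```python
from typing import Dict, List

# Constructed sample data: availability zone of each vSwitch. In practice this
# would be fetched from the VPC API; it is inlined so the check runs offline.
VSWITCH_ZONES = {
    "vsw-aaaa": "cn-hangzhou-f",
    "vsw-bbbb": "cn-hangzhou-g",
    "vsw-cccc": "cn-hangzhou-f",
}

# Constructed sample data: egress rules of the security group (field names
# mirror the ECS security-group rule attributes; values are made up).
SG_EGRESS_RULES = [
    {"IpProtocol": "TCP", "Policy": "Accept", "PortRange": "443/443"},
    {"IpProtocol": "ICMP", "Policy": "Accept", "PortRange": "-1/-1"},
]


def build_vpc_config(vpc_id: str, vswitch_ids: List[str], sg_id: str) -> Dict:
    """Assemble the vpcConfig object: vpcId, vSwitchIds and securityGroupId."""
    if not vswitch_ids:
        raise ValueError("at least one vSwitch ID is required for VPC access")
    return {"vpcId": vpc_id, "vSwitchIds": list(vswitch_ids), "securityGroupId": sg_id}


def check_vpc_config(cfg: Dict, vswitch_zones: Dict[str, str] = VSWITCH_ZONES,
                     egress_rules: List[Dict] = SG_EGRESS_RULES) -> List[str]:
    """Return warnings for a vpcConfig; an empty list means it follows the guidance."""
    warnings: List[str] = []
    # FC places the ENI in a randomly chosen vSwitch, so covering only one zone
    # means a zone outage or an exhausted vSwitch takes every function down.
    zones = {vswitch_zones[v] for v in cfg["vSwitchIds"] if v in vswitch_zones}
    if len(zones) < 2:
        warnings.append("vSwitches cover a single availability zone; add one from another zone")
    # FC verifies VPC connectivity with ICMP, so egress must permit it.
    icmp_allowed = any(r["IpProtocol"].upper() == "ICMP" and r["Policy"] == "Accept"
                       for r in egress_rules)
    if not icmp_allowed:
        warnings.append("security group egress does not allow ICMP; FC connectivity check will fail")
    return warnings


def build_service_payload(name: str, role_arn: str, cfg: Dict, internet: bool) -> Dict:
    """Service settings that accompany the VPC config: the service role (which must
    carry the ENI policy) and internetAccess (FC NAT) for functions needing both."""
    return {"serviceName": name, "role": role_arn, "vpcConfig": cfg, "internetAccess": internet}
```

Run check_vpc_config on the assembled config before calling CreateService or UpdateService; any returned warning corresponds to one of the recommendations above.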