This topic describes the mechanism for Function Compute to access databases in a virtual private cloud (VPC).

Access mechanism

Function Compute dynamically allocates instances to run functions, so the IP addresses of these instances change and cannot be added to a database whitelist. In other words, you cannot control the access of Function Compute to a database by using a whitelist alone. In addition, based on the principle of least privilege, we recommend that you do not add the IP address 0.0.0.0/0 to the whitelist of your database in a production environment, because that entry allows connections from any address.

To resolve the preceding problem, you can create a VPC and grant Function Compute the permissions to access resources in the specified VPC. You can deploy your database in a secure VPC and enable the service to which the function belongs to access the VPC.

The following figure shows the process for Function Compute to access a database. (Figure: Working process for access to an ApsaraDB RDS for MySQL database)
  1. The client sends a request to Function Compute.
  2. Function Compute accesses the database in the specified VPC when the service to which the target function belongs is enabled to access VPC resources.
    A VPC is an isolated cloud network built for private use. Function Compute and the database reside in different VPCs, so Function Compute must use an elastic network interface (ENI) to access the database across VPCs. You must authorize an ENI to access the specified VPC and bind the ENI to the function instance. For more information, see VPC access.
    Note: VSwitches in the same VPC can communicate with each other. If the VSwitch of the VPC where the database resides is not in a zone supported by Function Compute, create a VSwitch in a zone that Function Compute supports in the same VPC, and configure the ID of the new VSwitch in the VPC configuration of Function Compute. The two VSwitches then interconnect across zones within the VPC.
  3. Function Compute returns the obtained data to the client.
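The access mechanism above replaces a per-instance whitelist with a whitelist entry for the VSwitch CIDR that the ENI is attached to. The following Python check, added here as an example and not part of the Function Compute documentation or product, audits a database whitelist against that model: it flags 0.0.0.0/0, flags entries that are far wider than the VSwitch, and reports when no entry covers the VSwitch at all. The VSwitch CIDR and the sample whitelist entries are constructed values; take the real CIDR from your VPC configuration.

```python
import ipaddress

# Constructed sample value: the CIDR block of the VSwitch that the Function
# Compute ENI is bound to. Replace with the real VSwitch CIDR from your VPC.
FC_VSWITCH_CIDR = "192.168.10.0/24"


def audit_whitelist(entries, vswitch_cidr=FC_VSWITCH_CIDR, max_prefix_gap=8):
    """Audit a database IP whitelist against the VSwitch used by Function Compute.

    entries: whitelist entries as entered in the database console, each an IP
             address or a CIDR block (strings).
    Returns a list of (finding, entry) tuples:
      - ("open_to_world", entry): the entry is 0.0.0.0/0 (or ::/0)
      - ("too_broad", entry):     the entry covers the VSwitch but is wider than
                                  the VSwitch by more than max_prefix_gap bits
      - ("missing_vswitch", vswitch_cidr): no entry covers the VSwitch CIDR, so
                                  functions in the VPC would still be rejected
    An empty list means the whitelist follows the least-privilege setup.
    """
    findings = []
    vswitch = ipaddress.ip_network(vswitch_cidr, strict=False)
    covered = False

    for raw in entries:
        # strict=False accepts host bits set, e.g. "192.168.10.5/24"
        net = ipaddress.ip_network(raw.strip(), strict=False)

        if net.prefixlen == 0:
            # 0.0.0.0/0 or ::/0 admits every address on the Internet
            findings.append(("open_to_world", raw))
        if net.version != vswitch.version:
            # IPv4/IPv6 mismatch; cannot cover the VSwitch, nothing more to say
            continue
        if vswitch.subnet_of(net):
            covered = True
            if net.prefixlen > 0 and vswitch.prefixlen - net.prefixlen > max_prefix_gap:
                # e.g. a /8 entry for a /24 VSwitch admits far more than needed
                findings.append(("too_broad", raw))

    if not covered:
        findings.append(("missing_vswitch", vswitch_cidr))
    return findings


if __name__ == "__main__":
    # Constructed sample whitelists, one permissive and one least-privilege.
    permissive = ["0.0.0.0/0", "10.0.0.5"]
    tightened = ["192.168.10.0/24", "10.0.0.5"]
    print("permissive:", audit_whitelist(permissive))
    print("tightened: ", audit_whitelist(tightened))
```

The `too_broad` threshold is a judgement call: a whitelist entry for the whole VPC CIDR (for example a /16 over a /24 VSwitch) is often acceptable, while a /8 is not, so the default gap of 8 bits separates those two cases. Adjust it to match the CIDR plan of your VPC.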

References