This topic describes the mechanism for Function Compute to access databases in a virtual private cloud (VPC).
Function Compute dynamically allocates instances for running functions. Therefore, you cannot add the dynamic IP addresses of these instances to the whitelist of a database. Specifically, you cannot control the access of Function Compute to a database by using a whitelist. In addition, based on the principle of least privilege, we recommend that you do not add the IP address 0.0.0.0/0 to the whitelist of your database in your production environment.
To resolve the preceding issue, you can grant Function Compute the permissions to access resources in a specified VPC. You can deploy your database in a secure VPC and enable the service to which the function belongs to access the VPC.
- The client sends a request to Function Compute.
- Function Compute accesses the database in the specified VPC when the service to which
the specified function belongs is enabled to access resources in the VPC.
A VPC is a private network. Function Compute and the database reside in different VPCs. Therefore, Function Compute must use an elastic network interface (ENI) to access the database across VPCs. You must authorize an ENI to access the specified VPC, and bind the ENI to the instance that executes functions. For more information, see Configure functions to access VPC resources.Note vSwitches in the same VPC can communicate with each other. Assume that the vSwitch in the VPC where the database resides is not in a zone supported by Function Compute. You can create a vSwitch in a zone supported by Function Compute in this VPC and configure the ID of the created vSwitch in the VPC configuration of the service in Function Compute. This way, you can use vSwitches in different zones to achieve interconnection.
- Function Compute returns the obtained data to the client.