In some Function Compute usage scenarios, your functions need to call third-party services to obtain data or trigger other workflows. These services may use a whitelist to control access, in which case you must add the IP address of the instance that executes the function to the whitelist.
However, an instance assigned by Function Compute to process your request has a random Internet IP address, which cannot be obtained before the function is executed. As a result, you cannot add the IP address to the whitelist to grant access to the third-party services. This tutorial describes how to use a proxy to resolve this issue.
In this tutorial, service A is built by using Function Compute. When service A runs, it needs to access the resources that are provided by service B, such as MySQL. To protect the resources, service B uses a whitelist to authenticate visitors. Because the instance is randomly selected, you cannot add the IP address of the instance to the whitelist.
To resolve this issue, build an NGINX proxy and add the IP address of the proxy to the whitelist. The proxy forwards requests from service A to service B and returns the protected resources. To prevent attackers from attacking or scanning the proxy to obtain the data stored in service B, configure identity authentication, such as tokens, for the proxy or service B.
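One way to set up the token check on the proxy, as an added example that is not part of the original tutorial: an NGINX configuration for the case where service B is reached over HTTPS. The header name `X-Proxy-Token`, the token value, the host names and the certificate paths are placeholders chosen for illustration.

```nginx
# Added example. Host names, paths, the header name and the token are placeholders.
events {}

http {
    # Map the shared-secret header sent by service A to an allow flag.
    # Keep the real token out of version control.
    map $http_x_proxy_token $token_ok {
        default                          0;
        "REPLACE_WITH_LONG_RANDOM_TOKEN" 1;
    }

    # Throttle scanners and token guessing per client address.
    limit_req_zone $binary_remote_addr zone=proxy_rl:10m rate=10r/s;

    server {
        # TLS, so the token never crosses the Internet in cleartext.
        listen 443 ssl;
        server_name proxy.example.com;

        ssl_certificate     /etc/nginx/tls/proxy.crt;
        ssl_certificate_key /etc/nginx/tls/proxy.key;
        ssl_protocols       TLSv1.2 TLSv1.3;

        location / {
            limit_req zone=proxy_rl burst=20 nodelay;

            # Reject requests that do not carry the expected token.
            if ($token_ok = 0) {
                return 403;
            }

            # Do not forward the proxy token to service B.
            proxy_set_header X-Proxy-Token "";

            # Service B sees the proxy's fixed IP, which is on its whitelist.
            proxy_pass https://service-b.example.com;
            proxy_ssl_server_name on;
            proxy_ssl_verify on;
            proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        }
    }
}
```

For a TCP service such as MySQL, NGINX would forward connections with its stream module instead, where an HTTP header token cannot be checked, so authentication has to stay with service B.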
The following shows an example procedure of this solution:
Note: If you use Relational Database Service (RDS) to store the resources, see the VPC access sample for RDS to access the resources from VPCs, which provides more secure access control.