By default, Function Compute has dynamic egress IP addresses that do not belong to a fixed CIDR block. If Function Compute needs to access a database, a WeChat mini program, or another third-party service, you must add its IP address to a whitelist. To do this, you can use the static public IP address feature of Function Compute to assign a static public IP address and add it to the whitelist. This topic describes how to configure a static public IP address for function egress traffic in the Function Compute console.
Precautions
The static IP address feature requires an Internet NAT gateway in a virtual private cloud (VPC). You must create an Internet NAT gateway, attach an Elastic IP Address (EIP) to it, and add an SNAT entry. This configuration allows instances in the VPC to access the public network through the EIP. The source IP address that the public service receives is the EIP of the NAT Gateway.
NAT Gateways and Elastic IP Addresses (EIPs) can be purchased only in specific zones within a region. If the NAT Gateway and EIP are in a different zone from your Function Compute service, you must configure a vSwitch to enable cross-zone public network communication. For more information, see Zones where Function Compute is available.
Elastic IP Addresses are shared across all services within the same region.
To allow a Resource Access Management (RAM) user to use the static IP address feature, log on to the Resource Access Management console and grant the user the
AliyunECSFullAccess,AliyunVPCFullAccess,AliyunEIPFullAccess, andAliyunNATGatewayFullAccesspermissions.
Billing
Configuring a static public IP address may require creating a NAT Gateway and an Elastic IP Address (EIP). These items are billable. For more information, see Internet NAT gateway billing and Elastic IP Address billing.
Configure a static public IP address for the first time
Prerequisites
The function has the required permissions and network configurations to access VPC resources. For more information, see Configure network and role settings.
Allow Access to VPC is set to Yes. For more information, see Configure network settings.
Procedure
Log on to the Function Compute console. In the left-side navigation pane, click Services & Functions.
In the top navigation bar, select a region. On the Services page, find the desired service and click Configure in the Actions column.
In the Network Settings section, set the Static Public IP Address parameter to Yes and the Access the Internet parameter to No.
NoteTo ensure that the function can properly access external networks, you can first set Allow Function to Access Public Network to Yes. After the static IP address takes effect, set Allow Function to Access Public Network to No to smoothly migrate traffic.
Click Save. In the Static Public IP Address Configurations dialog box, read the message, select the check box, and then click OK.
After 1 to 2 minutes, the page redirects to the Service Details page, where you can view the saved network configurations. You can also go to the VPC console to view the associated or automatically created Internet NAT gateway resources.
Verify the result
Log on to the Function Compute console. In the left-side navigation pane, click Services & Functions.
In the top navigation bar, select a region. On the Services page, click the desired service.
On the Functions page, click the name of the desired function. On the Function Details page that appears, click the Code tab.
In the code editor on the Code tab, enter the function code.
This topic uses Python code as an example.
# -*- coding: utf-8 -*- import logging import requests def handler(event, context): logger = logging.getLogger() try: r = requests.get('https://myip.ipip.net') clientIP = r.content.split()[1] logger.info('Client IP: ' + clientIP) except: r = requests.get('http://ipinfo.io') clientIP = r.json()['ip'] logger.info('Client IP: ' + clientIP) return clientIPAfter you enter the function code, click Deploy and then click Test Function.
After the execution is successful, check the client IP address in the returned result. The address is the static IP address that you configured.
Add a static public IP address
To add other static IP addresses, perform the following steps.
In the Network Settings section, click Create New Elastic IP Address under the Static Public IP Address configuration item.
The page automatically redirects to the VPC console.
In the VPC console, create an Elastic IP Address and attach it to the corresponding NAT Gateway. For more information, see Apply for an EIP.
After the EIP is attached, return to the Service Details page. You can then view the updated service configuration.
Related operations
To disable the static public IP address feature or delete assigned static public IP addresses, first set the Access to Internet parameter to Yes. Then, go to the VPC console and delete the NAT Gateway that is associated with the VPC.
FAQ
How do I configure a whitelist when I access a database from Function Compute?