By default, you can invoke the functions created in a service only over the Internet. You cannot invoke the functions in virtual private clouds (VPCs). To allow the functions to access resources in VPCs or allow requests from specified VPCs to invoke the functions, you must manually configure the network and permissions for the service. The network configurations take effect at the service level and apply to all functions of the service. This topic describes how to configure the network for a service in the Function Compute console.
Network access modes
The VPC feature slows down cold starts in Function Compute. Proceed with caution when you configure this feature. You can authorize RAM users to access resources such as Tablestore.
You can configure the network based on your business requirements to obtain different network access capabilities for functions:
- Function outbound traffic: specifies whether functions are allowed to access the Internet or resources in a VPC. The configuration items are Access to VPC Resources and Access to Internet.
Table 1. Function outbound traffic
Network configuration | Description | Settings |
---|---|---|
Allow functions to access only the Internet. | Functions can access only Internet addresses, such as the Alibaba Cloud website, Taobao, and other cloud service portals. | Set the Access to VPC Resources parameter to No. Set the Access to Internet parameter to Yes. |
Allow functions to access only a specified VPC. | Functions can access only resources in the specified VPC, such as ApsaraDB RDS, Apsara File Storage NAS, and Elastic Compute Service (ECS). | Set the Access to VPC Resources parameter to Yes and specify the VPC that functions can access. Set the Access to Internet parameter to No. |
Allow functions to access both the Internet and a specified VPC. | Functions can access both the Internet and resources in the specified VPC. | Set the Access to VPC Resources parameter to Yes and specify the VPC that functions can access. Set the Access to Internet parameter to Yes. |
Prohibit functions from accessing the Internet or VPCs. | Functions cannot access the Internet or resources in any VPC. | Set the Access to VPC Resources parameter to No. Set the Access to Internet parameter to No. |
- Function inbound traffic: specifies whether invocation requests are accepted from the Internet or from VPCs. The configuration item is Function Invocation only by Specified VPCs.
Table 2. Function inbound traffic
Network configuration | Description | Settings |
---|---|---|
Allow invocation requests only from the Internet. | By default, created functions can be invoked only over the Internet and cannot be invoked from within VPCs. | Set the Function Invocation only by Specified VPCs parameter to No. |
Allow invocation requests only from specified VPCs. | Functions can be invoked from the specified VPCs but cannot be invoked over the Internet. | Set the Function Invocation only by Specified VPCs parameter to Yes and specify one or more VPCs from which functions can be invoked. |
Note The preceding two configurations are mutually exclusive. You cannot allow invocation requests from both the Internet and VPCs at the same time.
Notes on resource deployment in zones
If your resources are not deployed in a zone listed in the following table, create a vSwitch in a supported zone of the same VPC, and specify that vSwitch ID when you configure the VPC for your service in Function Compute. vSwitches in the same VPC can communicate with each other, so Function Compute can use the vSwitch in the supported zone to reach resources that are deployed in the VPC but reside in other zones. For more information, see How can I resolve the "vSwitch is in unsupported zone" error?.
Region | Region ID | Zone where Function Compute is available |
---|---|---|
China (Hangzhou) | cn-hangzhou | cn-hangzhou-f, cn-hangzhou-g, and cn-hangzhou-h |
China (Shanghai) | cn-shanghai | cn-shanghai-b, cn-shanghai-e, cn-shanghai-g, and cn-shanghai-f |
China (Qingdao) | cn-qingdao | cn-qingdao-c |
China (Beijing) | cn-beijing | cn-beijing-h, cn-beijing-c, cn-beijing-e, and cn-beijing-f |
China (Zhangjiakou) | cn-zhangjiakou | cn-zhangjiakou-b and cn-zhangjiakou-a |
China (Hohhot) | cn-huhehaote | cn-huhehaote-a and cn-huhehaote-b |
China (Shenzhen) | cn-shenzhen | cn-shenzhen-e and cn-shenzhen-d |
China (Chengdu) | cn-chengdu | cn-chengdu-a and cn-chengdu-b |
China (Hong Kong) | cn-hongkong | cn-hongkong-c |
Singapore (Singapore) | ap-southeast-1 | ap-southeast-1a and ap-southeast-1b |
Australia (Sydney) | ap-southeast-2 | ap-southeast-2a and ap-southeast-2b |
Malaysia (Kuala Lumpur) | ap-southeast-3 | ap-southeast-3a |
Indonesia (Jakarta) | ap-southeast-5 | ap-southeast-5a and ap-southeast-5b |
Japan (Tokyo) | ap-northeast-1 | ap-northeast-1b and ap-northeast-1a |
UK (London) | eu-west-1 | eu-west-1a |
Germany (Frankfurt) | eu-central-1 | eu-central-a, eu-central-1a, and eu-central-1b |
US (Silicon Valley) | us-west-1 | us-west-1a and us-west-1b |
US (Virginia) | us-east-1 | us-east-1b and us-east-1a |
India (Mumbai) | ap-south-1 | ap-south-1a and ap-south-1b |
Prerequisites
- A service is created.
- Optional. Network resources are created.
If you have not created resources, select Automatic Configuration when you set the parameters. Otherwise, you must create resources as described in the following references:
Configure the network and role
The network and permissions are configured at the service level. For example, if you allow a service in Function Compute to access a VPC, all functions in the service are authorized to access the specified VPC.
FAQ
- Why am I unable to connect Function Compute to a VPC for debugging?
If Function Compute fails to connect to a VPC when your service is configured to allow functions to access the VPC, check the following possible causes:
- The subnet associated with the vSwitch may have failed, or it may have run out of available IP addresses. We recommend that you specify multiple vSwitch IDs in different zones, so that your functions continue to run in another zone if the current zone fails.
- The security group is incorrectly configured. Configure the security group based on the following requirements:
- The security group of the resources in the specified VPC must contain a rule that allows access from the security group that is associated with Function Compute.
- The outbound rules of the security group must allow Internet Control Message Protocol (ICMP) traffic, because Function Compute checks VPC network connectivity by using ICMP.
For more information about how to configure a security group, see Add security group rules.
- What do I do if I cannot create network resources due to insufficient resources?
When Function Compute creates VPC resources for you, it provides 256 IP addresses. If a large number of function instances are created, this upper limit may be exceeded. In this case, you must manually expand the CIDR block of the vSwitch and update the security group accordingly.
Troubleshooting
When you specify a VPC configuration for a service, Function Compute does not verify the access permissions for the specified VPC at configuration time. Permissions are verified only when a function is executed. Therefore, errors that did not occur before may appear when you call the InvokeFunction operation to invoke a function. The following table describes the common errors that occur when a service in Function Compute accesses a VPC, so that you can troubleshoot them quickly.
Error code | HTTP status code | Cause | Solution |
---|---|---|---|
InvalidArgument | 400 | Function Compute does not support the zone of the specified vSwitch. | Specify another vSwitch ID. For more information, see Notes on resource deployment in zones. |
InvalidArgument | 400 | The resources specified by the vpcId, vSwitchIds, or securityGroupId parameter in the VPC configuration cannot be found. | Check whether the VPC configuration is valid. |
InvalidArgument | 400 | The specified vSwitch or security group is not in the VPC. | Check whether the VPC configuration is valid. Make sure that the resources specified by the vSwitchId and securityGroupId parameters are deployed in the VPC that is specified by the vpcId parameter. |
AccessDenied | 403 | You have not granted operation permissions on elastic network interfaces (ENIs) to the service in Function Compute. | Check the operation permissions of the service. For more information, see Grant Function Compute permissions to access other Alibaba Cloud services. |
ResourceExhausted | 429 | All ENIs in the specified VPC have been used, and Function Compute cannot create more ENIs. | Provide more ENIs for the specified VPC. |
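As an added example (not Function Compute's own code or API), the following Python script performs the pre-flight checks a practitioner would want before saving a VPC configuration. It validates a vpcId, vSwitchIds and securityGroupId triple against the supported-zone table in "Notes on resource deployment in zones", flags the InvalidArgument causes listed in the table above (resource not found, resource outside the VPC, vSwitch in an unsupported zone), and warns when only one zone is covered, following the FAQ advice to specify multiple vSwitch IDs. The resource inventory, every ID, and the region subset are constructed placeholders that stand in for what you would read from the VPC API.

```python
"""Pre-flight validation of a Function Compute service VPC configuration.

Added example; not Function Compute's own code or API. It checks a
vpcId / vSwitchIds / securityGroupId triple (the parameter names used in
the troubleshooting table) against the supported-zone table on this page
and against a constructed inventory of VPC resources that stands in for
what you would read from the VPC API. All resource IDs are placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Subset of the "Zone where Function Compute is available" table on this page.
SUPPORTED_ZONES: Dict[str, Set[str]] = {
    "cn-hangzhou": {"cn-hangzhou-f", "cn-hangzhou-g", "cn-hangzhou-h"},
    "cn-shanghai": {"cn-shanghai-b", "cn-shanghai-e", "cn-shanghai-g", "cn-shanghai-f"},
    "ap-southeast-1": {"ap-southeast-1a", "ap-southeast-1b"},
}

# Constructed inventory (assumption): vSwitch ID -> (owning VPC, zone).
VSWITCHES: Dict[str, Tuple[str, str]] = {
    "vsw-example-hz-f": ("vpc-example-hz", "cn-hangzhou-f"),
    "vsw-example-hz-g": ("vpc-example-hz", "cn-hangzhou-g"),
    "vsw-example-hz-b": ("vpc-example-hz", "cn-hangzhou-b"),      # zone not supported
    "vsw-example-other": ("vpc-example-other", "cn-hangzhou-f"),  # wrong VPC
}
# Constructed inventory (assumption): security group ID -> owning VPC.
SECURITY_GROUPS: Dict[str, str] = {
    "sg-example-hz": "vpc-example-hz",
    "sg-example-other": "vpc-example-other",
}


@dataclass
class VpcConfig:
    region: str
    vpcId: str
    vSwitchIds: List[str]
    securityGroupId: str


def check_vpc_config(cfg: VpcConfig) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings).

    Errors mirror the InvalidArgument causes in the troubleshooting table:
    a resource that cannot be found, a resource outside the VPC, or a
    vSwitch in a zone Function Compute does not support. The single
    warning follows the FAQ advice to spread vSwitches over several zones.
    """
    errors: List[str] = []
    warnings: List[str] = []

    supported = SUPPORTED_ZONES.get(cfg.region)
    if supported is None:
        return [f"region {cfg.region} is not in the supported-zone table"], warnings

    if not cfg.vSwitchIds:
        errors.append("vSwitchIds must list at least one vSwitch")

    usable_zones: Set[str] = set()  # zones that will actually carry traffic
    for vsw in cfg.vSwitchIds:
        entry = VSWITCHES.get(vsw)
        if entry is None:
            errors.append(f"vSwitch {vsw} cannot be found")
            continue
        vpc, zone = entry
        if vpc != cfg.vpcId:
            errors.append(f"vSwitch {vsw} belongs to {vpc}, not {cfg.vpcId}")
        if zone not in supported:
            errors.append(f"vSwitch {vsw} is in unsupported zone {zone}")
        elif vpc == cfg.vpcId:
            usable_zones.add(zone)

    sg_vpc = SECURITY_GROUPS.get(cfg.securityGroupId)
    if sg_vpc is None:
        errors.append(f"security group {cfg.securityGroupId} cannot be found")
    elif sg_vpc != cfg.vpcId:
        errors.append(f"security group {cfg.securityGroupId} belongs to {sg_vpc}, not {cfg.vpcId}")

    if len(usable_zones) == 1:
        warnings.append("only one zone is covered; add a vSwitch in a second supported "
                        "zone so functions keep running if that zone fails")
    return errors, warnings


if __name__ == "__main__":
    cfg = VpcConfig("cn-hangzhou", "vpc-example-hz",
                    ["vsw-example-hz-f", "vsw-example-hz-b"], "sg-example-hz")
    errs, warns = check_vpc_config(cfg)
    print("errors:", errs)      # one error: vsw-example-hz-b is in an unsupported zone
    print("warnings:", warns)   # one warning: only cn-hangzhou-f is usable
```

Run the checks before you save the service configuration; the errors are the ones InvokeFunction would otherwise report only at execution time, and the warning catches the single-zone setup that the FAQ identifies as a cause of connectivity failures.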
What to do next
For information about how to access a database in a VPC, see Access a database.