By default, you can invoke the functions created in a service only over the Internet. You cannot invoke the functions in virtual private clouds (VPCs). To allow the functions to access resources in VPCs or allow requests from specified VPCs to invoke the functions, you must manually configure the network and permissions for the service. The network configurations take effect at the service level and apply to all functions of the service. This topic describes how to configure the network for a service in the Function Compute console.

Network access modes

Note: VPC access increases the cold start time of functions in Function Compute, so enable it only when your functions need it. Alternatively, you can authorize RAM users to access resources such as Tablestore.

You can configure the network based on your business requirements to obtain different network access capabilities for functions:

  • Function outbound traffic: specifies whether to allow functions to access the Internet or resources in a VPC. The configuration items include Access to VPC Resources and Access to Internet.
    Table 1. Function outbound traffic

    Allow functions to access only the Internet
      Functions can access only Internet addresses, such as the Alibaba Cloud website, Taobao, and other cloud service portals. Configure the following items:
      • Set the Access to VPC Resources parameter to No.
      • Set the Access to Internet parameter to Yes.

    Allow functions to access only a specified VPC
      Functions can access only resources in the VPC that you specify, such as ApsaraDB RDS, Apsara File Storage NAS, and Elastic Compute Service (ECS). Configure the following items:
      • Set the Access to VPC Resources parameter to Yes and specify the VPC that functions can access.
      • Set the Access to Internet parameter to No.

    Allow functions to access both the Internet and a specified VPC
      Functions can access both the Internet and resources in the specified VPC. Configure the following items:
      • Set the Access to VPC Resources parameter to Yes and specify the VPC that functions can access.
      • Set the Access to Internet parameter to Yes.

    Prohibit functions from accessing the Internet or VPCs
      Functions cannot access the Internet or resources in VPCs. Configure the following items:
      • Set the Access to VPC Resources parameter to No.
      • Set the Access to Internet parameter to No.
  • Function inbound traffic: specifies whether to allow invocation requests from the Internet or VPCs. The configuration item is Function Invocation only by Specified VPCs.
    Table 2. Function inbound traffic

    Allow invocation requests only from the Internet
      By default, created functions can be invoked only over the Internet and cannot be invoked from within VPCs. Configure the following item:
      • Set the Function Invocation only by Specified VPCs parameter to No.

    Allow invocation requests only from specified VPCs
      Functions can be invoked from the specified VPCs but cannot be invoked over the Internet. Configure the following item:
      • Set the Function Invocation only by Specified VPCs parameter to Yes and specify one or more VPCs from which functions can be invoked.

    Note: The preceding two configurations are mutually exclusive. You cannot allow invocation requests from the Internet and from VPCs at the same time.

Notes on resource deployment in zones

If your resources are not deployed in a zone listed in the following table, create a vSwitch in a supported zone of the VPC, and specify that vSwitch ID together with the VPC in the network configuration of your service in Function Compute. vSwitches in the same VPC can communicate with each other, so Function Compute can use the vSwitch in the supported zone to reach resources that are deployed in the same VPC but reside in other zones. For more information, see How can I resolve the "vSwitch is in unsupported zone" error?

Region                    Region ID        Zones where Function Compute is available
China (Hangzhou)          cn-hangzhou      cn-hangzhou-f, cn-hangzhou-g, and cn-hangzhou-h
China (Shanghai)          cn-shanghai      cn-shanghai-b, cn-shanghai-e, cn-shanghai-g, and cn-shanghai-f
China (Qingdao)           cn-qingdao       cn-qingdao-c
China (Beijing)           cn-beijing       cn-beijing-h, cn-beijing-c, cn-beijing-e, and cn-beijing-f
China (Zhangjiakou)       cn-zhangjiakou   cn-zhangjiakou-b and cn-zhangjiakou-a
China (Hohhot)            cn-huhehaote     cn-huhehaote-a and cn-huhehaote-b
China (Shenzhen)          cn-shenzhen      cn-shenzhen-e and cn-shenzhen-d
China (Chengdu)           cn-chengdu       cn-chengdu-a and cn-chengdu-b
China (Hong Kong)         cn-hongkong      cn-hongkong-c
Singapore (Singapore)     ap-southeast-1   ap-southeast-1a and ap-southeast-1b
Australia (Sydney)        ap-southeast-2   ap-southeast-2a and ap-southeast-2b
Malaysia (Kuala Lumpur)   ap-southeast-3   ap-southeast-3a
Indonesia (Jakarta)       ap-southeast-5   ap-southeast-5a and ap-southeast-5b
Japan (Tokyo)             ap-northeast-1   ap-northeast-1b and ap-northeast-1a
UK (London)               eu-west-1        eu-west-1a
Germany (Frankfurt)       eu-central-1     eu-central-a, eu-central-1a, and eu-central-1b
US (Silicon Valley)       us-west-1        us-west-1a and us-west-1b
US (Virginia)             us-east-1        us-east-1b and us-east-1a
India (Mumbai)            ap-south-1       ap-south-1a and ap-south-1b

Prerequisites

Configure the network and role

The network and permissions are configured at the service level. For example, if you allow a service in Function Compute to access a VPC, all functions in the service are authorized to access the specified VPC.

  1. Log on to the Function Compute console.
  2. In the top navigation bar, select the region where the service resides.
  3. In the Role Settings section of the Modify Service page, set the Service Role parameter to grant permissions to the service.

    We recommend that you use the AliyunFCDefaultRole role, which is provided by Function Compute based on the principle of least privilege. For information about fine-grained permission control, see Policies and sample custom policies.

  4. In the Network Settings section, modify the following network configurations as needed:
    • Access to VPC Resources: specifies whether to allow functions to access resources in a specified VPC. Valid values:
      • Yes: Functions can access resources in a specified VPC. If you select Yes, you must also set the Configuration Mode parameter. Valid values:
        • Automatic Configuration: recommended. Function Compute creates the network resources for you, including a VPC, a vSwitch, and a security group. After the resources are created, you can modify them based on your requirements.
          Note The names of network resources that are created by Function Compute start with fc.auto.create.
        • Custom Configuration: You select from existing network resources. Make sure that the resources have already been created.

          If you select Custom Configuration, set the following parameters:

          • VPC: Select a VPC ID from the drop-down list.
          • vSwitch: Select at least one vSwitch ID from the drop-down list.

            This parameter defines the subnets that Function Compute can access. We recommend that you specify two or more vSwitch IDs. If a zone fails or IP addresses are insufficient, your functions can run on another subnet.

          • Security Group: Select a security group ID from the drop-down list.

            This parameter specifies the security group with which Function Compute is associated. The security group defines the inbound and outbound rules of Function Compute in the specified VPC. In the security group that protects the target resources in the VPC, configure a rule that allows access from the security group with which Function Compute is associated. Otherwise, Function Compute cannot access resources that are deployed in the specified VPC.

      • No: Functions cannot access resources in VPCs.
    • Access to Internet: specifies whether to allow functions to access the Internet. Valid values:
      • Yes: Functions can access the Internet.
      • No: Functions cannot access the Internet.
    • Function Invocation only by Specified VPCs: specifies whether to allow invocation requests only from specified VPCs. Valid values:
      • Yes: Functions can be invoked only in specified VPCs. When you invoke functions, take note of the following items:
        • You can associate a maximum of 20 VPCs with a service.
        • If you allow functions to be invoked only in specified VPCs, functions invoked by triggers are not affected.
        • After one or more VPCs are associated with a service, the VPCs are associated with all versions and aliases of the service.
        • After you allow functions to be invoked only in specified VPCs, invocation requests from the Internet and other VPCs are denied. In this case, the HTTP status code is 403, the error code is AccessDenied, and the error message is Resource access is bound by VPC: VPCID.
        • VPCs can be associated only with internal HTTP access points, not with public access points or internal HTTPS access points.
      • No: Functions can be invoked only over the Internet. You cannot invoke functions in VPCs.
  5. Click Save.
    The Service Details page appears, on which you can view the saved configurations of the service.

FAQ

  • Why am I unable to connect Function Compute to a VPC for debugging?

    If Function Compute fails to connect to a VPC when your service is configured to allow functions to access the VPC, check the following possible causes:

    • An error may have occurred on the subnet with which the vSwitch is associated, or IP addresses are insufficient. We recommend that you specify multiple vSwitch IDs. This allows your functions to correctly run in other zones if an error occurs in the current zone.
    • The security group is incorrectly configured. Configure the security group based on the following requirements:
      • In the security group with which the specified VPC is associated, a rule is configured to allow access from the security group with which Function Compute is associated.
      • The outbound traffic of the security group must support Internet Control Message Protocol (ICMP). Function Compute checks the VPC network connectivity based on ICMP.

      For more information about how to configure a security group, see Add security group rules.

  • What do I do if I cannot create network resources due to insufficient resources?

    When Function Compute creates VPC resources for you, it provides 256 IP addresses. This limit can be exhausted if a large number of instances are created. In that case, you must manually modify the CIDR block of the vSwitch and the security group.

Troubleshooting

When you save a VPC configuration for a service in Function Compute, Function Compute does not verify at that time whether the service can access the specified VPC. The configuration and its permissions are verified only when a function is executed. Therefore, errors may surface only when you call the InvokeFunction operation to invoke a function. The following table describes common errors that occur when a service in Function Compute accesses a VPC, to help you troubleshoot them efficiently.

InvalidArgument (HTTP status code 400)
  Cause: Function Compute does not support the zone of the specified vSwitch.
  Solution: Specify another vSwitch ID. For more information, see Notes on resource deployment in zones.
  Cause: The resources specified by the vpcId, vSwitchIds, or securityGroupId parameter defined in the VPC configuration cannot be found.
  Solution: Check whether the VPC configuration is valid.
  Cause: The specified vSwitch or security group is not in the VPC.
  Solution: Check whether the VPC configuration is valid. Make sure that the resources specified by the vSwitchIds and securityGroupId parameters are deployed in the VPC that is specified by the vpcId parameter.

AccessDenied (HTTP status code 403)
  Cause: You have not granted operation permissions on elastic network interfaces (ENIs) to the service in Function Compute.
  Solution: Check the operation permissions of the service. For more information, see Grant Function Compute permissions to access other Alibaba Cloud services.

ResourceExhausted (HTTP status code 429)
  Cause: All ENIs in the specified VPC have been used, and Function Compute cannot create more ENIs.
  Solution: Provide more ENIs for the specified VPC.
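The Custom Configuration step above, the FAQ on security groups and the InvalidArgument rows of this table all describe the same pre-flight checks: each vSwitch must belong to the specified VPC and sit in a zone where Function Compute is available, the security group must belong to the VPC, the resource-side security group must allow the Function Compute security group as a source, and the Function Compute security group must allow outbound ICMP. The following Python check is an added example, not Function Compute's own code or SDK; the VSwitch and SecurityGroup classes, all IDs and the FC_ZONES subset are constructed, with the zones copied from the zone table in this topic.

```python
from dataclasses import dataclass, field

# Zones in which Function Compute is available, copied from the zone table (three regions suffice here)
FC_ZONES = {
    "cn-hangzhou": {"cn-hangzhou-f", "cn-hangzhou-g", "cn-hangzhou-h"},
    "cn-shanghai": {"cn-shanghai-b", "cn-shanghai-e", "cn-shanghai-g", "cn-shanghai-f"},
    "ap-southeast-1": {"ap-southeast-1a", "ap-southeast-1b"},
}

@dataclass
class VSwitch:  # constructed model: the VPC a vSwitch belongs to and its zone
    vpc_id: str
    zone_id: str

@dataclass
class SecurityGroup:  # constructed model of the rule properties this topic cares about
    vpc_id: str
    inbound_from_groups: set = field(default_factory=set)  # source group IDs allowed in
    outbound_icmp: bool = False  # Function Compute checks VPC connectivity with ICMP

def check_vpc_config(region, vpc_id, vswitch_ids, security_group_id,
                     vswitches, security_groups, resource_sg_id=None):
    """Pre-flight a service's VPC configuration before saving it.
    Returns (code, message) pairs; an empty list means every check passed."""
    findings = []
    for vsw_id in vswitch_ids:
        vsw = vswitches.get(vsw_id)
        if vsw is None:
            findings.append(("InvalidArgument", f"vSwitch {vsw_id} cannot be found"))
        elif vsw.vpc_id != vpc_id:
            findings.append(("InvalidArgument", f"vSwitch {vsw_id} is not in VPC {vpc_id}"))
        elif vsw.zone_id not in FC_ZONES.get(region, set()):
            findings.append(("InvalidArgument", f"vSwitch {vsw_id} is in unsupported zone"))
    if len(vswitch_ids) < 2:  # the topic recommends two or more vSwitches for zone failover
        findings.append(("Warning", "specify two or more vSwitch IDs"))
    sg = security_groups.get(security_group_id)
    if sg is None:
        findings.append(("InvalidArgument", f"security group {security_group_id} cannot be found"))
    elif sg.vpc_id != vpc_id:
        findings.append(("InvalidArgument", f"security group {security_group_id} is not in VPC {vpc_id}"))
    elif not sg.outbound_icmp:
        findings.append(("Warning", "Function Compute security group must allow outbound ICMP"))
    # FAQ: the group protecting the target resource must accept the Function Compute group as a source
    if resource_sg_id is not None:
        res_sg = security_groups.get(resource_sg_id)
        if res_sg is None or security_group_id not in res_sg.inbound_from_groups:
            findings.append(("Warning", f"{resource_sg_id} does not allow access from {security_group_id}"))
    return findings
```

Run it against the inventory you plan to reference before clicking Save; an InvalidArgument finding here corresponds to the 400 error the InvokeFunction call would otherwise return later.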

What to do next

For information about how to access a database in a VPC, see Access a database.