By default, you can invoke the functions that you create in Function Compute only over the Internet. If you want a function to access resources in a virtual private cloud (VPC) or allow requests from a specific VPC to invoke a function, you must manually configure the network and permissions for the service to which the function belongs. The network settings take effect at the service level and apply to all functions in the service. This topic describes how to configure the network for a service in the Function Compute console.
Usage notes
- When you bind VPC resources to a service, make sure that the role configured for the service is granted with the
vpc:DescribeVSwitchAttributesandvpc:DescribeVpcAttributepermissions. - For a custom container function that is created by using a container image of a Container Registry Enterprise Edition instance, you must select a VPC and a vSwitch based on the following rules when you configure the ability to access resources in a VPC for the service in which the function resides:
- If the Default Resolution identifier exists in the Visit IP column on the Access Control page of the Container Registry Enterprise Edition instance, you must set the VPC and vSwitch to the VPC and vSwitch that correspond to the default resolved IP address.
- If the Default Resolution identifier does not exist in the Visit IP column on the Access Control page of the Container Registry Enterprise Edition instance, you can use any VPC and vSwitch that are bound to the instance.
- If the Default Resolution identifier exists in the Visit IP column on the Access Control page of the Container Registry Enterprise Edition instance, you must set the VPC and vSwitch to the VPC and vSwitch that correspond to the default resolved IP address.
Network access modes
The VPC feature reduces the efficiency of cold start of Function Compute. We recommend that you do not configure the feature unless necessary. You can authorize RAM users to access resources such as What is Tablestore?.
- Internet traffic: the traffic that is generated when you access Internet addresses, such as Alibaba Cloud official websites, Taobao websites, and the public endpoints of Alibaba Cloud services.
- VPC traffic: the traffic that is generated when you access addresses in VPCs, such as RDS addresses, Apsara File Storage NAS addresses, and the VPC endpoint of Elastic Compute Service (ECS).
You can configure a network based on your business requirements to obtain the following network access capabilities of functions:
- Function outbound traffic: Specify whether to allow functions to access resources over the Internet or in a VPC. The configuration items include Access to VPC and Access to Internet.
Table 1. Function outbound traffic Network setting Description Allow functions to access resources only over the Internet. The functions can access public and internal network resources by using the function logic but not a VPC. Configure the following items: - Set Access to VPC to No.
- Set Access to Internet to Yes.
Allow functions to access resources only in a VPC. The functions can access the public and internal network resources by using a VPC. This setting is applicable to scenarios such as PrivateZone, NAT Gateway, and VPC binding. Configure the following items: - Set Access to VPC to Yes and specify the VPC that can be accessed by the functions.
- Set Access to Internet to No.
Allow functions to access resources over the Internet and in a VPC. The functions can access public network resources by using the function logic and internal network resources by using a VPC. Configure the following items: - Set Access to VPC to Yes and specify the VPC that can be accessed by the functions.
- Set Access to Internet to Yes.
Prohibit functions from accessing resources over the Internet or in a VPC. The functions can access only the internal network resources by using the function logic. Configure the following items: - Set Access to VPC to No.
- Set Access to Internet to No.
- Function inbound traffic settings: specifies whether to allow invocation requests from the Internet or VPCs. The configuration item is Function Invocation only by Specified VPCs.
Table 2. Function inbound traffic Network setting Description Allow you to access functions over the Internet and a specified VPC at the same time. By default, you can invoke the functions over the Internet and a specified VPC. The default network configurations are: - Set Function Invocation only by Specified VPCs to No.
Allow you to access functions only over specified VPCs. Functions can be invoked over the specified VPCs but cannot be invoked over the Internet. Configure the following items: - Set Function Invocation only by Specified VPCs to Yes and specify the VPC over which functions can be invoked.
Zones where Function Compute is available
| Region | Region ID | Zone where Function Compute is available |
|---|---|---|
| China (Hangzhou) | cn-hangzhou | cn-hangzhou-f, cn-hangzhou-g, and cn-hangzhou-h |
| China (Shanghai) | cn-shanghai | cn-shanghai-b, cn-shanghai-e, cn-shanghai-g, and cn-shanghai-f |
| China (Qingdao) | cn-qingdao | cn-qingdao-c |
| China (Beijing) | cn-beijing | cn-beijing-h, cn-beijing-c, cn-beijing-e, and cn-beijing-f |
| China (Zhangjiakou) | cn-zhangjiakou | cn-zhangjiakou-b and cn-zhangjiakou-a |
| China (Hohhot) | cn-huhehaote | cn-huhehaote-a and cn-huhehaote-b |
| China (Shenzhen) | cn-shenzhen | cn-shenzhen-e and cn-shenzhen-d |
| China (Chengdu) | cn-chengdu | cn-chengdu-a and cn-chengdu-b |
| China (Hong Kong) | cn-hongkong | cn-hongkong-c |
| Singapore | ap-southeast-1 | ap-southeast-1a and ap-southeast-1b |
| Australia (Sydney) | ap-southeast-2 | ap-southeast-2a and ap-southeast-2b |
| Malaysia (Kuala Lumpur) | ap-southeast-3 | ap-southeast-3a |
| Indonesia (Jakarta) | ap-southeast-5 | ap-southeast-5a and ap-southeast-5b |
| Japan (Tokyo) | ap-northeast-1 | ap-northeast-1b and ap-northeast-1a |
| UK (London) | eu-west-1 | eu-west-1a |
| Germany (Frankfurt) | eu-central-1 | eu-central-a, eu-central-1a, and eu-central-1b |
| US (Silicon Valley) | us-west-1 | us-west-1a and us-west-1b |
| US (Virginia) | us-east-1 | us-east-1b and us-east-1a |
| India (Mumbai) | ap-south-1 | ap-south-1a and ap-south-1b |
If your resources are not deployed in a zone listed in the preceding table, create a vSwitch in a zone where Function Compute is available in your VPC. Then, specify the vSwitch ID in the VPC settings of the service in Function Compute. vSwitches in the same VPC can communicate with each other. Therefore, Function Compute can use the vSwitch to access resources that reside in another zone in the VPC. For more information, see How can I resolve the "vSwitch is in unsupported zone" error?.
Before you begin
- Create a service
- (Optional) Create network resources
If you have not created resources, select Automatic Configuration when you configure the parameters. Otherwise, you must create resources as described in the following topics:
Configure the network settings and the role
VPCs and permissions are configured at the service level. If you allow a service in Function Compute to access a VPC, all functions in the service are authorized to access the VPC.
- Log on to the Function Compute console. In the left-side navigation pane, click Services & Functions.
- In the top navigation bar, select a region. On the Services page, find the desired service and click Configure in the Actions column.
- In the Role Settings section of the Modify Service page, set the Service Role parameter to grant the service the permissions to access resources in a VPC.
We recommend that you grant permissions to the role based on the principle of least privilege. For information about fine-grained permission control, see Policies and sample policies.
- In the Network Config section, modify the network configurations based on your business requirements.
- Access to VPC: specifies whether to allow functions to access resources in a VPC. Valid values:
- Yes: The functions can access resources in a VPC. If you select Yes, you must also configure the Configuration Mode parameter. Valid values:
- Automatic Configuration: Function Compute creates network resources such as a VPC, a vSwitch, and a security group. We recommend that you use this value. After network resources are created, you can modify the network resources based on your business requirements. Note The names of network resources that are automatically created by Function Compute are prefixed with fc.auto.create.
- Custom Configuration: You must select resources from the existing network resources. Make sure that resources are created.
- VPC: Select a VPC ID from the drop-down list.
- vSwitch: Select at least one vSwitch ID from the drop-down list.
This parameter defines the subnets that can be accessed by Function Compute. We recommend that you specify two or more vSwitch IDs. If a zone becomes unavailable or IP addresses are insufficient, your functions can run on another subnet.
- Security Group: Select a security group ID from the drop-down list.
This parameter specifies the security group with which Function Compute is associated. This security group defines the inbound and outbound traffic rules of Function Compute in the specified VPC. In the security group that is associated with the VPC, configure a rule to allow access from the security group with which Function Compute is associated. Otherwise, Function Compute cannot access resources that are deployed in the specified VPC.
- Automatic Configuration: Function Compute creates network resources such as a VPC, a vSwitch, and a security group. We recommend that you use this value. After network resources are created, you can modify the network resources based on your business requirements.
- No: The functions cannot access resources in a VPC.
- Yes: The functions can access resources in a VPC. If you select Yes, you must also configure the Configuration Mode parameter. Valid values:
- Static Public IP Address: specifies whether to obtain a static public IP address by using NAT Gateway and Elastic IP Address (EIP). For more information, see Configure static public IP addresses.
- Access to Internet: specifies whether to allow functions to access the Internet. Valid values:
- Yes: The functions can access the Internet.
- No: The functions cannot access the Internet.
- Function Invocation only by Specified VPCs: specifies whether to allow invocation requests only from specified VPCs. Valid values:
- Yes: The functions can be invoked only in specified VPCs. Take note of the following items:
- You can associate a maximum of 20 VPCs with a service.
- If you allow functions to be invoked only in specified VPCs, functions invoked by triggers are not affected.
- After one or more VPCs are associated with a service, the VPCs are associated with all versions and aliases of the service.
- After you allow functions to be invoked only over specified VPCs, invocation requests from the Internet and other VPCs are denied. In this case, the HTTP status code is 403, the error code is
AccessDenied, and the error message isResource access is bound by VPC: VPC ID. - VPCs can be associated only with private HTTP endpoints.
- No: The functions can be invoked only over the Internet.
- Yes: The functions can be invoked only in specified VPCs. Take note of the following items:
- Access to VPC: specifies whether to allow functions to access resources in a VPC. Valid values:
- Click save.
FAQ
- Why am I unable to connect Function Compute to a VPC for debugging?
If Function Compute fails to connect to a VPC after your service is configured to allow functions to access the VPC, check the following possible causes:
- An error may have occurred on the subnet with which the vSwitch is associated, or IP addresses are insufficient. We recommend that you specify at least two vSwitch IDs. This allows your functions to run in another zone if an error occurs in the current zone.
- The security group is invalid. Configure the security group based on the following rules:
- In the security group with which the specified VPC is associated, a rule is configured to allow access from the security group with which Function Compute is associated.
- The outbound traffic of the security group must support Internet Control Message Protocol (ICMP). Function Compute checks the VPC network connectivity based on ICMP.
For information about how to configure a security group, see Add a security group rule.
- What do I do if the resources are insufficient when I create network resources?
When you create VPC resources, the prefix length of the CIDR block is 24 and the number of available IP addresses is 252. If the number of instances is too large, the limit may be exceeded. In this case, you must manually modify the CIDR block of the vSwitch and the security group.
Troubleshooting
Function Compute cannot verify the permissions to access a VPC when vpcConfig is being configured. Permissions are verified only when a function is executed. Therefore, new errors may occur when you call the InvokeFunction operation to invoke a function. The following table describes common errors that occur when a service in Function Compute accesses a VPC. This helps you troubleshoot the errors with efficiency.
| Error | HTTP status code | Cause | Solution |
|---|---|---|---|
| InvalidArgument | 400 | Function Compute does not support the zone where the vSwitch specified by vSwitchId resides. | Specify a valid vSwitch ID in vSwitchId. For more information, see Zones where Function Compute is available. |
| The resource specified by the vpcId, vSwitchIds, or securityGroupId parameter defined in vpcConfig cannot be found. | Check whether the settings of vpcConfig are valid. | ||
| The specified vSwitch or security group is not in the VPC. | Check whether the settings of vpcConfig are valid. Make sure that the resources specified by vSwitchId and securityGroupId are deployed in the VPC that is specified by vpcId. | ||
| AccessDenied | 403 | You have not granted operation permissions on elastic network interfaces (ENIs) to the service in Function Compute. | Check the operation permissions of the service. For more information, see Grant Function Compute permissions to access other Alibaba Cloud services. |
| ResourceExhausted | 429 | The available IP addresses in the CIDR block of the vSwitch are insufficient and Function Compute failed to create more ENIs. | Create a vSwitch with a larger CIDR block and update the vSwitchId parameter in vpcConfig. Note We recommend that you use the /24 or /16 CIDR block. |
What to do next
For information about how to access a database in a VPC, see Access a database.