Function Compute: Configure network

Last Updated: May 27, 2026

By default, functions created in Function Compute can access the public network but not resources within a Virtual Private Cloud (VPC). To enable function access to VPC resources or to restrict function invocation to specific VPCs, you must manually configure its network settings and permissions. This topic describes how to configure network settings for a function in the Function Compute console.

Usage notes

When you configure VPC access for a GPU-accelerated function created from an Alibaba Cloud Container Registry (ACR) Enterprise Edition instance image, the selection of the VPC and vSwitch must follow these principles.

  • If the Access Control page of the ACR Enterprise Edition instance shows an Access IP with the Default Resolution tag, the VPC and vSwitch for the function must be set to the VPC and vSwitch that correspond to the default resolution IP address.

  • If the Access Control page of the ACR Enterprise Edition instance shows an Access IP without the Default Resolution tag, the VPC and vSwitch for the function can be set to any pair that is bound to the instance.

Network access capabilities

Enabling VPC access can increase the Function Compute cold start latency. We recommend using this configuration only when necessary. As an alternative, consider using RAM authorization to access resources. For more information, see Use a function role to access other cloud services.

When a function is invoked or when it accesses a network address, traffic is generated. This traffic falls into the following categories.

  • Public network traffic: Traffic generated from accessing Internet addresses, such as the official Alibaba Cloud website, Taobao, or public endpoints of cloud services.

  • VPC traffic: Traffic generated from accessing resources within your VPC, such as RDS endpoints, NAS endpoints, or the private IP addresses of ECS instances.

A function's network access capabilities depend on its settings. You can configure them as needed.

  • Function egress traffic: This pertains to whether a function can send egress traffic to the public network or to resources in a VPC. The corresponding settings are Allow VPC Access and Allow function to access public network.

    Table 1. Function egress traffic

    Configuration: Allow the function to access only the public network

    Description: The function accesses the public network and the internal network of Function Compute. Access through your VPC is disabled.

    Required network configuration:

    • Set Allow VPC Access to No.

    • Set Allow function to access public network to Yes.

    Configuration: Allow the function to access only a VPC

    Description: The function accesses the public network and internal resources only through your VPC. This is suitable for scenarios that involve PrivateZone, a NAT Gateway, or functions bound to a VPC.

    Required network configuration:

    • Set Allow VPC Access to Yes and configure the VPC information that the function can access.

    • Set Allow function to access public network to No.

    Configuration: Allow the function to access both the public network and a VPC

    Description:

    • For non-GPU functions:

      • Access the public network through the function's network.

      • Access the internal network through your VPC. PrivateZone is supported for private domain name resolution.

    • For GPU functions:

      • Access the public network and the internal network in the 100.0.0.0/8 CIDR block through the function's network.

      • Access the internal network outside the 100.0.0.0/8 CIDR block through your VPC. PrivateZone is not supported for private domain name resolution. To enable this feature, you can submit a ticket.

    Required network configuration:

    • Set Allow VPC Access to Yes and configure the VPC information that the function can access.

    • Set Allow function to access public network to Yes.

    Configuration: Prohibit the function from accessing both the public network and a VPC

    Description: The function can access the internal network of Function Compute. Access to the public network and your VPC is disabled.

    Required network configuration:

    • Set Allow VPC Access to No.

    • Set Allow function to access public network to No.

  • Function ingress traffic: This pertains to whether a function can receive ingress traffic from the public network or a VPC. The corresponding setting is Allow Only Specified VPCs to Invoke the Function.

    Table 2. Function ingress traffic

    Configuration: Allow the function to be invoked from both the public network and VPCs

    Description: By default, a new function can be invoked from the public network and from within VPCs.

    Default network configuration:

    • Set Allow Only Specified VPCs to Invoke the Function to No.

    Configuration: Allow the function to be invoked only from specified VPCs

    Description: This setting allows function invocations only from specified VPCs and denies requests from the public network.

    Required network configuration:

    • Set Allow Only Specified VPCs to Invoke the Function to Yes and configure the VPCs from which the function can be invoked.

Supported availability zones

| Region | Region ID | Supported availability zones |
| --- | --- | --- |
| China (Hangzhou) | cn-hangzhou | cn-hangzhou-h, cn-hangzhou-i, cn-hangzhou-j, cn-hangzhou-k, cn-hangzhou-f, cn-hangzhou-g |
| China (Shanghai) | cn-shanghai | cn-shanghai-m, cn-shanghai-l, cn-shanghai-n, cn-shanghai-b, cn-shanghai-e, cn-shanghai-g, cn-shanghai-f |
| China (Qingdao) | cn-qingdao | cn-qingdao-c |
| China (Beijing) | cn-beijing | cn-beijing-i, cn-beijing-h, cn-beijing-k, cn-beijing-j, cn-beijing-l, cn-beijing-c, cn-beijing-e, cn-beijing-g, cn-beijing-f |
| China (Zhangjiakou) | cn-zhangjiakou | cn-zhangjiakou-b, cn-zhangjiakou-c, cn-zhangjiakou-a |
| China (Hohhot) | cn-huhehaote | cn-huhehaote-a, cn-huhehaote-b |
| China (Shenzhen) | cn-shenzhen | cn-shenzhen-e, cn-shenzhen-d, cn-shenzhen-f |
| China (Chengdu) | cn-chengdu | cn-chengdu-a, cn-chengdu-b |
| Hong Kong (China) | cn-hongkong | cn-hongkong-d, cn-hongkong-c, cn-hongkong-b |
| Singapore | ap-southeast-1 | ap-southeast-1a, ap-southeast-1c, ap-southeast-1b |
| Malaysia (Kuala Lumpur) | ap-southeast-3 | ap-southeast-3a |
| Indonesia (Jakarta) | ap-southeast-5 | ap-southeast-5a, ap-southeast-5b |
| Japan (Tokyo) | ap-northeast-1 | ap-northeast-1c, ap-northeast-1b, ap-northeast-1a |
| UK (London) | eu-west-1 | eu-west-1a |
| Germany (Frankfurt) | eu-central-1 | eu-central-a, eu-central-1a, eu-central-1b |
| US (Silicon Valley) | us-west-1 | us-west-1a, us-west-1b |
| US (Virginia) | us-east-1 | us-east-1b, us-east-1a |

To get the latest list of supported availability zones for each region, you can call the Get Availability Zones API operation in OpenAPI Explorer.

If your resources are in an availability zone that Function Compute does not support, create a vSwitch in the same VPC in an availability zone that Function Compute supports, and then specify that vSwitch ID in the VPC configuration of the function. Because vSwitches within the same VPC can communicate with each other over the private network, Function Compute can use the vSwitch to access resources in other availability zones within the same VPC. For more information, see What do I do if I encounter the 'vSwitch is in unsupported zone' error?

Prerequisites

Configure network and roles

  1. Log on to the Function Compute console. In the left-side navigation pane, choose Function Management > Functions.

  2. In the top navigation bar, select a region. On the Functions page, click the target function.

  3. On the function details page, click the Configuration tab, and then click Modify in the Advanced Settings section.

  4. In the Advanced Settings panel, find the Network section, configure the settings as needed, and then click Deploy.

    • Allow VPC Access: Controls whether the function can access resources in a VPC. Valid values:

      • Enable: Allows the function to access resources in a VPC. After you select Enable, you must select a Configuration Method. Valid values:

        • (Recommended) Automatic Configuration: Function Compute automatically creates resources such as a VPC, vSwitch, and security group. The system reuses existing resources in the current region instead of creating new ones.

        • Custom Configuration: You must manually select existing network resources. Ensure that you have created the required resources in advance.

          • VPC: Select the VPC that you want to access from the list.

            Important: You can create a maximum of 10 vSwitches in the selected VPC.

          • vSwitch: Select at least one vSwitch from the list.

            This field specifies the subnets that Function Compute can access. We recommend that you specify two or more vSwitches. This allows your function to run in other subnets if an availability zone fails or the IP addresses in a subnet are exhausted.

          • Security Group: Select a security group from the list.

            This security group associates an elastic network interface (ENI) with the function, which controls access to resources within the VPC. By default, the outbound rules of the security group allow all traffic. You can also configure outbound rules to define fine-grained access control policies for the function.

            Note: The outbound rules of the security group must allow the ICMP protocol. Function Compute uses ICMP to check the network connectivity of the VPC.

      • Disable: Prevents the function from accessing resources in a VPC.

    • Static Public IP: Specifies whether to obtain a static public IP address for internet access by using a NAT Gateway and an Elastic IP Address. For more information, see Configure a static public IP address.

    • Allow Default ENI to Access the Internet: Specifies whether to allow the function to access the public network. Valid values:

      • Enable: Allows the function to access the public network.

      • Disable: Prevents the function from accessing the public network.

    • Allow Only Specified VPCs to Invoke the Function: Specifies whether to allow the function to be invoked only from specified VPCs. Valid values:

      • Enable: Allows the function to be invoked only from specified VPCs. Note the following points:

        • A function can be bound to a maximum of 20 VPCs.

        • Function invocations by a trigger are unaffected.

        • The VPC binding applies to all versions and aliases of the function.

        • After you enable this setting, invocation requests from the public network and other VPCs are denied. The system returns a StatusCode of 403, an ErrorCode of AccessDenied, and the error message Resource access is bound by VPC: VPC ID.

        • VPC binding is only supported on private HTTP endpoints. Public endpoints and private HTTPS endpoints are not supported.

      • Disable: Allows the function to be invoked from the public network and all VPCs.
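
The egress, ingress and VPC rules from this topic, turned into an offline configuration check. This is an added example, not Alibaba Cloud code: the `internetAccess` and `vpcBindings` keys, the vSwitch and security group inventory, and the `cn-hangzhou-b` zone are constructed for illustration; only `vpcConfig`, `vpcId`, `vSwitchIds` and `securityGroupId` come from this page.

```python
import ipaddress

# Constructed inventory (not from the page): zone and CIDR per vSwitch, and the
# protocols each security group's outbound rules allow.
VSWITCHES = {"vsw-a": ("cn-hangzhou-h", "10.0.1.0/24"),
             "vsw-b": ("cn-hangzhou-b", "10.0.2.0/28"),
             "vsw-c": ("cn-hangzhou-i", "10.0.3.0/24")}
SG_OUTBOUND = {"sg-scoped": {"tcp", "icmp"}, "sg-tcp-only": {"tcp"}}
SUPPORTED_ZONES = {f"cn-hangzhou-{z}" for z in "fghijk"}  # Hangzhou zones from the table above

def egress_mode(fn):
    """Map the two egress switches onto the four rows of Table 1."""
    vpc = bool(fn.get("vpcConfig", {}).get("vpcId"))
    public = fn.get("internetAccess", True)  # assumed key for the public-network switch
    return {(False, True): "public only", (True, False): "VPC only",
            (True, True): "public and VPC", (False, False): "neither"}[(vpc, public)]

def audit(fn, expected_instances=100):
    """Return findings for one function's ingress and VPC settings."""
    findings = []
    bindings = fn.get("vpcBindings", [])  # assumed key: VPCs allowed to invoke
    if not bindings:
        findings.append("ingress: invocable from the public network and all VPCs")
    elif len(bindings) > 20:
        findings.append("ingress: more than 20 bound VPCs")
    cfg = fn.get("vpcConfig", {})
    if not cfg.get("vpcId"):
        return findings
    switches = cfg.get("vSwitchIds", [])
    if len(switches) < 2:
        findings.append("vpc: fewer than two vSwitches, no fallback subnet")
    usable = 0
    for vsw in switches:
        zone, cidr = VSWITCHES[vsw]
        if zone not in SUPPORTED_ZONES:
            findings.append(f"vpc: {vsw} is in unsupported zone {zone}")
        # The FAQ's 252 usable IPs per /24 implies 4 reserved (assumed for other sizes).
        usable += max(ipaddress.ip_network(cidr).num_addresses - 4, 0)
    if usable < expected_instances:
        findings.append(f"vpc: {usable} usable IPs for {expected_instances} instances")
    if "icmp" not in SG_OUTBOUND[cfg["securityGroupId"]]:
        findings.append("vpc: security group outbound rules do not allow ICMP")
    return findings

# Constructed configurations: a weak one and a corrected one.
WEAK = {"internetAccess": True, "vpcBindings": [], "vpcConfig": {
    "vpcId": "vpc-1", "vSwitchIds": ["vsw-b"], "securityGroupId": "sg-tcp-only"}}
FIXED = {"internetAccess": False, "vpcBindings": ["vpc-1"], "vpcConfig": {
    "vpcId": "vpc-1", "vSwitchIds": ["vsw-a", "vsw-c"], "securityGroupId": "sg-scoped"}}
```

`audit(WEAK)` reports the public ingress, the single vSwitch, the unsupported zone, the undersized subnet and the missing ICMP rule; `audit(FIXED)` returns no findings.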

FAQ

  • Why does Function Compute fail to connect to a VPC for debugging?

    If you have enabled VPC access for your function but the connection fails, the possible causes are as follows:

    • The subnet that hosts the vSwitch is faulty, or the IP addresses in the subnet are exhausted. You can provide two or more vSwitch IDs when you configure the VPC. This configuration improves fault tolerance by allowing your function to run in other availability zones if one fails.

    • The security group is configured incorrectly. Configure the security group as follows:

      • You must set the inbound rules of the security group in the VPC to allow access from the security group of Function Compute.

      • The outbound rules of the security group must allow the ICMP protocol. Function Compute uses ICMP to check the network connectivity of the VPC.

      For detailed steps on how to configure a security group, see Add a security group rule.

  • What do I do if network resources are insufficient?

    When you create VPC network resources, the automatic configuration provides a /24 network prefix, which offers 252 available IP addresses. If you have too many instances, you may exceed this limit. In this case, you must manually adjust the CIDR block of the vSwitch and the corresponding security group.

Troubleshooting

Function Compute cannot check VPC access permissions when you configure vpcConfig. These permissions are checked only during function execution. Therefore, new types of errors may occur when you invoke a function by using the InvokeFunction API. The following table describes common errors that occur when you access a VPC to help you quickly troubleshoot issues.

| Error code | HTTP status code | Cause | Solution |
| --- | --- | --- | --- |
| InvalidArgument | 400 | Function Compute does not support the availability zone of the vSwitch specified by vSwitchId. | Update the vSwitchId. For more information, see Supported availability zones. |
| InvalidArgument | 400 | The resources corresponding to vpcId, vSwitchIds, or securityGroupId in vpcConfig are not found. | Check the settings of the vpcConfig parameter. |
| InvalidArgument | 400 | The specified vSwitch or security group is not in the corresponding VPC. | Check the settings of the vpcConfig parameter to ensure that the resources corresponding to vSwitchId and securityGroupId are in the VPC that corresponds to vpcId. |
| AccessDenied | 403 | The permissions to perform operations on the ENI are not granted. | Check the permissions of the function. For more information, see Use a function role to access other cloud services. |
| ResourceExhausted | 429 | The vSwitch's CIDR block has insufficient IP addresses, preventing Function Compute from creating more ENIs. | Create a vSwitch with a larger CIDR block and update the vSwitchId parameter of vpcConfig. Note: We recommend that you use a /24 or /16 CIDR block. |

Related documents

  • To access a database in a VPC, we recommend that you configure an IP address allowlist for the database. In the allowlist, specify the CIDR block of the vSwitch that you configured on this page. For more information, see Access a database.

  • To control the egress traffic of a function to the public network, you must use a static IP address. For more information, see Configure a static public IP address.