Function Compute: Configure network settings

Last Updated: Sep 29, 2025

By default, functions that you create in Function Compute can access the Internet but cannot access resources in a virtual private cloud (VPC). If you need a function to access resources in a VPC or want to allow a specific VPC to invoke the function, you must manually configure network settings and permissions for the function. This topic describes how to configure network settings for a function in the Function Compute console.

Usage notes

When you configure VPC access for a GPU function that uses a container image from an ACR Enterprise Edition instance, you must select a VPC and a vSwitch based on the following rules.

  • If the Access Control page for an ACR Enterprise Edition instance shows that an Access IP is set to Default Resolution, you must set the function's VPC and vSwitch to match those of the default resolution IP address.

  • If the Access Control page for an ACR Enterprise Edition instance does not show a Default Resolution identifier for an Access IP, you can set the function's VPC and vSwitch to any pair bound to the instance.

Network access capabilities

Enabling VPC access slows down function cold starts in Function Compute. Do not configure this feature unless it is necessary. We recommend that you use RAM authorization to access resources. For more information, see Use a function role to grant Function Compute permissions to access other Alibaba Cloud services.

Traffic is generated when a function is accessed from a network address or when a function accesses a network address. This traffic is classified into the following types.

  • Internet traffic: traffic generated when you access Internet addresses, such as the official Alibaba Cloud website, Taobao, and public endpoints of Alibaba Cloud services.

  • VPC traffic: traffic generated when you access addresses in your VPC, such as ApsaraDB RDS addresses, NAS addresses, and the private IP addresses of ECS instances in the VPC.

A function has different network access capabilities based on its network settings. You can configure them as needed.

  • Function outbound traffic: Specifies whether a function is allowed to send outbound traffic to the Internet or to resources in a VPC. The available configurations are Allow Access To VPC and Allow Function To Access Internet.

    Table 1. Function outbound traffic

    | Network configuration | Description |
    | --- | --- |
    | Allow the function to access only the Internet | The function accesses the public and internal networks through the function network. Access through your VPC is prohibited. The required network configurations are as follows: Set Allow Access To VPC to Disable. Set Allow Function To Access Internet to Enable. |
    | Allow the function to access only a VPC | The function accesses the public and internal networks only through your VPC. This is applicable to scenarios such as PrivateZone, NAT Gateway, and function-VPC binding. The required network configurations are as follows: Set Allow Access To VPC to Enable, and configure the VPC access permissions for the function. Set Allow Function To Access Internet to Disable. |
    | Allow the function to access both the Internet and a VPC | The function accesses the Internet through the function network and the internal network through your VPC. The required network configurations are as follows: Set Allow Access To VPC to Enable, and then configure the VPC that the function can access. Set Allow Function To Access Internet to Enable. |
    | Prohibit the function from accessing both the Internet and a VPC | The function accesses the internal network through the function network. Access to the Internet and access through your VPC are prohibited. The required network configurations are as follows: Set Allow Access To VPC to Disable. Set Allow Function To Access Internet to Disable. |

  • Function inbound traffic: Determines whether a function can be accessed from a public IP address or a VPC address. This setting corresponds to the Allow Function Invocation Only From Specified VPCs configuration.

    Table 2. Function inbound traffic

    | Network configuration | Description |
    | --- | --- |
    | Allow access to the function from both the Internet and a VPC | After a function is created, it can be invoked from the Internet and a VPC by default. The default network configuration is as follows: Set Allow Function Invocation Only From Specified VPCs to Disable. |
    | Allow access to the function only from a VPC | The function can be invoked from specified VPCs, but cannot be invoked from the Internet. The required network configuration is as follows: Set Allow Function Invocation Only From Specified VPCs to Enable, and then configure the VPCs that can invoke the function. |

Zones supported by Function Compute

| Region | Region ID | Zones supported by Function Compute |
| --- | --- | --- |
| China (Hangzhou) | cn-hangzhou | cn-hangzhou-h, cn-hangzhou-i, cn-hangzhou-j, cn-hangzhou-k, cn-hangzhou-f, cn-hangzhou-g |
| China (Shanghai) | cn-shanghai | cn-shanghai-m, cn-shanghai-l, cn-shanghai-n, cn-shanghai-b, cn-shanghai-e, cn-shanghai-g, cn-shanghai-f |
| China (Qingdao) | cn-qingdao | cn-qingdao-c |
| China (Beijing) | cn-beijing | cn-beijing-i, cn-beijing-h, cn-beijing-k, cn-beijing-j, cn-beijing-l, cn-beijing-c, cn-beijing-e, cn-beijing-g, cn-beijing-f |
| China (Zhangjiakou) | cn-zhangjiakou | cn-zhangjiakou-b, cn-zhangjiakou-c, cn-zhangjiakou-a |
| China (Hohhot) | cn-huhehaote | cn-huhehaote-a, cn-huhehaote-b |
| China (Shenzhen) | cn-shenzhen | cn-shenzhen-e, cn-shenzhen-d, cn-shenzhen-f |
| China (Chengdu) | cn-chengdu | cn-chengdu-a, cn-chengdu-b |
| China (Hong Kong) | cn-hongkong | cn-hongkong-d, cn-hongkong-c, cn-hongkong-b |
| Singapore | ap-southeast-1 | ap-southeast-1a, ap-southeast-1c, ap-southeast-1b |
| Malaysia (Kuala Lumpur) | ap-southeast-3 | ap-southeast-3a |
| Indonesia (Jakarta) | ap-southeast-5 | ap-southeast-5a, ap-southeast-5b |
| Japan (Tokyo) | ap-northeast-1 | ap-northeast-1c, ap-northeast-1b, ap-northeast-1a |
| UK (London) | eu-west-1 | eu-west-1a |
| Germany (Frankfurt) | eu-central-1 | eu-central-a, eu-central-1a, eu-central-1b |
| US (Silicon Valley) | us-west-1 | us-west-1a, us-west-1b |
| US (Virginia) | us-east-1 | us-east-1b, us-east-1a |

If your resources are in a zone that is unsupported by Function Compute, you can create a vSwitch in a zone supported by Function Compute within your VPC. Then, set this vSwitch ID in the VPC configuration for the Function Compute function. Because vSwitches within the same VPC can communicate over the private network, Function Compute can use this vSwitch to access VPC resources in other zones. For more information, see What do I do if the "vSwitch is in unsupported zone" error occurs?.

Prerequisites

Configure network settings and roles

  1. Log on to the Function Compute console. In the left navigation pane, choose Functions > Function List.

  2. In the top navigation bar, select a region. On the Function List page, click the target function.

  3. On the function details page, on the Configuration tab, click Edit to the right of Advanced Configuration.

  4. In the Advanced Configuration panel, find the Network section, modify the following configuration items as needed, and click Deploy.

    • Allow Access to VPC: Specifies whether the function can access resources in a VPC. Valid values:

      • Enable: Allows the function to access resources in a VPC. If you select Enable, you must also select a Configuration Mode. Valid values:

        • (Recommended) Automatic Configuration: Function Compute automatically creates resources, such as a VPC, vSwitches, and a security group. You do not need to create these resources manually. If the resources already exist in the current region, they will not be created again.

        • Custom Configuration: Requires you to manually select existing network resources. Ensure that you have created these resources in advance.

          • VPC: You can select the VPC to access from the list.

            Important

            You can create a maximum of 10 vSwitches for the selected VPC.

          • vSwitch: Select one or more vSwitches from the list.

            This field defines the subnets that Function Compute can access. We recommend that you specify two or more vSwitches to improve fault tolerance. This allows your function to run on another subnet if a zone becomes unavailable or if the IP addresses in a subnet are exhausted.

          • Security Group: You can select a security group from the list.

            This security group associates an elastic network interface (ENI) with the function and controls how the function accesses resources in the VPC through the ENI. By default, the outbound rules of the security group allow all traffic. You can also configure outbound rules to implement fine-grained control over the scope of function access to VPC resources.

            Note

            The outbound rules of the security group must allow the ICMP protocol. Function Compute uses the ICMP protocol to check VPC network connectivity.

      • Disable: The function does not have access to resources in a VPC.

    • Static Public IP Address: Specifies whether to assign a static public IP address through a NAT Gateway and an Elastic IP Address (EIP). For more information, see Configure a static public IP address.

    • Allow Default NIC To Access Internet: Specifies whether to allow Internet access for the function. Valid values:

      • Enable: Allows the function to access the Internet.

      • Disable: Prevents the function from accessing the Internet.

    • Allow Function Invocation Only From Specified VPCs: Specifies whether the function can be invoked only from specified VPCs. Valid values:

      • Enable: Enables the function to be invoked only from specified VPCs. Note the following:

        • You can associate a maximum of 20 VPCs with a function.

        • If you allow a function to be invoked only from specified VPCs, function invocation by triggers is not affected.

        • After one or more VPCs are associated with a function, the VPCs are associated with all versions and aliases of the function.

        • If you allow only requests from specified VPCs to invoke the function, requests from the Internet and other VPCs are rejected. For these requests, a StatusCode of 403, an ErrorCode of AccessDenied, and the error message Resource access is bound by VPC: VPC ID are returned.

        • You can bind VPCs only to private HTTP endpoints. You cannot bind VPCs to public endpoints or private HTTPS endpoints.

      • Disable: Allows the function to be invoked from the Internet and all VPCs.
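The Security Group item above states that outbound rules allow all traffic by default, can be tightened, and must still allow ICMP. The following Python check is an added example, not part of the original documentation: it evaluates constructed egress rule sets and reports when a tightened set blocks ICMP or when an allow-all rule remains. The field names and values, the probe address, and the evaluation order (lowest priority number first, drop wins a tie, allow when nothing matches) are assumptions modelled on ECS security group rules.

```python
import ipaddress

# Constructed rule sets; field names and values are assumptions (see lead-in).
DEFAULT = [{"IpProtocol": "all", "PortRange": "-1/-1", "DestCidrIp": "0.0.0.0/0",
            "Policy": "accept", "Priority": 1}]
TIGHT_BROKEN = [
    {"IpProtocol": "tcp", "PortRange": "3306/3306", "DestCidrIp": "10.0.1.0/24",
     "Policy": "accept", "Priority": 1},
    {"IpProtocol": "all", "PortRange": "-1/-1", "DestCidrIp": "0.0.0.0/0",
     "Policy": "drop", "Priority": 100},
]
TIGHT_OK = TIGHT_BROKEN + [
    {"IpProtocol": "icmp", "PortRange": "-1/-1", "DestCidrIp": "10.0.0.0/16",
     "Policy": "accept", "Priority": 1},
]


def _matches(rule, protocol, dest_ip, port):
    if rule["IpProtocol"] not in ("all", protocol):
        return False
    if ipaddress.ip_address(dest_ip) not in ipaddress.ip_network(rule["DestCidrIp"]):
        return False
    lo, hi = (int(p) for p in rule["PortRange"].split("/"))
    return port is None or lo == -1 or lo <= port <= hi


def egress_allows(rules, protocol, dest_ip, port=None, default_allow=True):
    """Assumed order: lowest Priority number wins; drop beats accept on a tie."""
    hits = [r for r in rules if _matches(r, protocol, dest_ip, port)]
    if not hits:
        return default_allow
    best = min(hits, key=lambda r: (r["Priority"], r["Policy"] != "drop"))
    return best["Policy"] == "accept"


def audit_egress(rules, probe_ip):
    """Return findings for one security group's egress rules."""
    findings = []
    if not egress_allows(rules, "icmp", probe_ip):
        findings.append("ICMP egress blocked: VPC connectivity check may fail")
    for r in rules:
        if (r["Policy"], r["IpProtocol"], r["DestCidrIp"]) == ("accept", "all", "0.0.0.0/0"):
            findings.append("allow-all egress rule: access scope is not restricted")
    return findings
```

With these samples, `TIGHT_BROKEN` restricts the function to the database port but drops ICMP, while `TIGHT_OK` keeps the restriction and restores ICMP inside the VPC CIDR block.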

FAQ

  • Why does Function Compute fail to connect to a VPC for debugging?

    If Function Compute fails to connect to a VPC after you enable VPC access for the function, the issue may be caused by one of the following reasons:

    • The subnet where the vSwitch resides is faulty, or the IP addresses in the subnet are exhausted. To improve fault tolerance, provide two or more vSwitch IDs when you configure the VPC. This allows your function to run in another zone if one zone becomes unavailable.

    • The security group is incorrectly configured. Configure the security group based on the following requirements:

      • The inbound rules of the security group in the VPC must allow access from the security group to which Function Compute belongs.

      • The outbound rules of the security group must allow the ICMP protocol. Function Compute uses the ICMP protocol to check VPC network connectivity.

      For more information about how to configure a security group, see Add a security group rule.

  • What do I do if resources are insufficient when I add network resources?

    When you use automatic configuration to create VPC network resources, the network prefix length is 24, which provides 252 available IP addresses. If the number of instances is too large, this limit may be exceeded. In this case, you must manually adjust the IP address range of the vSwitch and the corresponding security group.

Troubleshooting

Function Compute cannot check the permissions to access a VPC when you configure vpcConfig. The permissions are checked only when a function is executed. Therefore, errors may occur when you call the InvokeFunction API operation. The following table describes common errors that may occur when you access a VPC. You can use this information to quickly troubleshoot issues.

| Error code | Status code | Cause | Solution |
| --- | --- | --- | --- |
| InvalidArgument | 400 | Function Compute does not support the zone where the specified vSwitchId is located. | Reset the vSwitchId. For more information, see Zones supported by Function Compute. |
| InvalidArgument | 400 | The resources corresponding to vpcConfig, vpcId, vSwitchIds, or securityGroupId are not found. | Check the settings of the vpcConfig parameter. |
| InvalidArgument | 400 | The specified vSwitch or security group is not in the corresponding VPC. | Check the settings of the vpcConfig parameter to make sure that the resources corresponding to vSwitchId and securityGroupId are in the VPC that corresponds to vpcId. |
| AccessDenied | 403 | The permissions to perform operations on ENIs are not granted. | Check the permissions of the function. For more information, see Use a function role to grant Function Compute permissions to access other Alibaba Cloud services. |
| ResourceExhausted | 429 | The number of available IP addresses in the CIDR block of the vSwitch is insufficient. Function Compute cannot create more ENIs. | Create a vSwitch with a larger CIDR block and update the vSwitchId parameter of vpcConfig. Note: We recommend that you use a /24 or /16 CIDR block. |
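Because the errors in the table above surface only when the function is invoked, a vpcConfig can be checked before deployment. The following Python check is an added example, not part of the original documentation or of any Alibaba Cloud SDK: it validates a vpcConfig against a constructed inventory and labels each finding with the matching error code from the table. The inventory layout, all resource IDs, the `used` counter and the one-address-per-instance estimate are assumptions; the 4 reserved addresses follow from the 252 available addresses of a /24 stated in the FAQ.

```python
import ipaddress

# Hangzhou zones copied from the "Zones supported by Function Compute" table.
SUPPORTED_ZONES = {"cn-hangzhou-h", "cn-hangzhou-i", "cn-hangzhou-j",
                   "cn-hangzhou-k", "cn-hangzhou-f", "cn-hangzhou-g"}
RESERVED_PER_VSWITCH = 4  # a /24 has 256 addresses, of which 252 are available

# Constructed inventory; every ID below is a placeholder, not a real resource.
VSWITCHES = {
    "vsw-a": {"vpc": "vpc-app", "zone": "cn-hangzhou-h", "cidr": "10.0.1.0/24", "used": 250},
    "vsw-b": {"vpc": "vpc-app", "zone": "cn-hangzhou-b", "cidr": "10.0.2.0/24", "used": 3},
    "vsw-c": {"vpc": "vpc-other", "zone": "cn-hangzhou-i", "cidr": "10.9.0.0/28", "used": 0},
}
SECURITY_GROUPS = {"sg-fc": "vpc-app"}  # security group ID -> VPC ID


def free_ips(vsw):
    """Addresses still available in a vSwitch CIDR block."""
    total = ipaddress.ip_network(vsw["cidr"]).num_addresses
    return max(total - RESERVED_PER_VSWITCH - vsw["used"], 0)


def preflight(vpc_config, expected_instances):
    """Return (error_code, message) findings; an empty list means none found."""
    findings = []
    vpc, sg = vpc_config["vpcId"], vpc_config["securityGroupId"]
    if sg not in SECURITY_GROUPS:
        findings.append(("InvalidArgument", f"{sg}: security group not found"))
    elif SECURITY_GROUPS[sg] != vpc:
        findings.append(("InvalidArgument", f"{sg}: not in {vpc}"))
    capacity = 0
    for vsw_id in vpc_config["vSwitchIds"]:
        vsw = VSWITCHES.get(vsw_id)
        if vsw is None:
            findings.append(("InvalidArgument", f"{vsw_id}: vSwitch not found"))
        elif vsw["vpc"] != vpc:
            findings.append(("InvalidArgument", f"{vsw_id}: not in {vpc}"))
        elif vsw["zone"] not in SUPPORTED_ZONES:
            findings.append(("InvalidArgument", f"{vsw_id}: zone {vsw['zone']} unsupported"))
        else:
            capacity += free_ips(vsw)
    # Assumption: one address per instance, used as a conservative estimate.
    if capacity < expected_instances:
        findings.append(("ResourceExhausted", f"{capacity} free IPs for {expected_instances} instances"))
    if len(vpc_config["vSwitchIds"]) < 2:
        findings.append(("Advisory", "fewer than two vSwitches configured"))
    return findings
```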

References

  • To access a database in a VPC, we recommend that you configure an IP address whitelist for the database. In the whitelist, add the CIDR block of the vSwitch that you configured on this page. For more information, see Access a database.

  • To restrict the outbound Internet traffic of a function, you must use a static IP address. For more information, see Configure a static public IP address.