Updated on 2025-08-25 GMT+08:00

FunctionGraph Functions Are Allowed to Access Resources in a Specified VPC Only

Rule Details

Table 1 Rule details

| Parameter | Description |
| --- | --- |
| Rule Name | function-graph-inside-vpc |
| Identifier | FunctionGraph Functions Are Allowed to Access Resources in a Specified VPC Only |
| Description | If a specified accessible VPC is not configured for a FunctionGraph function, this function is non-compliant. |
| Tag | fgs |
| Trigger Type | Configuration change |
| Filter Type | fgs.functions |
| Rule Parameters | vpcId: ID of the VPC where resources can be used by the function |

Application Scenarios

You can control network access of a function as follows:

  • Public Access (not recommended): By default, functions can access services on public networks. The default NIC is used to access the public network, and the access bandwidth is shared among users.
  • VPC Access: This option disables the default NIC and uses the NIC bound to the VPC instead. Whether public access is supported depends on the VPC.
  • Invocation Only by Specific VPC: This option allows the function to be invoked only from the specified VPC instead of the public network.

If VPC Access is enabled, the function no longer has the default public network access permission. If the function needs to access the public network, you can configure a public NAT gateway in the VPC and bind an EIP to the NAT gateway. For details, see Configuring the Network.

If VPC Access is disabled, the function runs on the public network, which may increase security risks and network latency.

Solution

Enable VPC Access and configure the VPC and subnet. For details, see Network Restrictions.

Rule Logic

  • If VPC Access is not enabled in the function's network configuration, the function is non-compliant.
  • If VPC Access is enabled for the function but the function does not use the specified VPC, the function is non-compliant.
  • If VPC Access is enabled for the function and the function uses the specified VPC, the function is compliant.
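
The three rule-logic cases can be reproduced offline against an exported function inventory, for example to preview findings before enabling the rule. The evaluator below is an added example, not code from Config or FunctionGraph; the record layout (`name`, `vpc`, `vpc_id`), the function names and the VPC IDs are constructed assumptions.

```python
from dataclasses import dataclass

COMPLIANT = "Compliant"
NON_COMPLIANT = "NonCompliant"


@dataclass
class Finding:
    function: str
    status: str
    reason: str


def evaluate_function(record: dict, vpc_id: str) -> Finding:
    """Apply the rule logic to one function record.

    Assumed layout (hypothetical, not from the page):
    {"name": ..., "vpc": {"vpc_id": ...}}; a missing, null or empty
    "vpc" entry means VPC Access is not enabled for the function.
    """
    expected = (vpc_id or "").strip()
    if not expected:
        # Without the vpcId rule parameter every function would fail silently.
        raise ValueError("rule parameter vpcId must be set")
    name = record.get("name", "<unnamed>")
    bound = ((record.get("vpc") or {}).get("vpc_id") or "").strip()
    if not bound:
        return Finding(name, NON_COMPLIANT, "VPC Access is not enabled")
    if bound != expected:
        return Finding(name, NON_COMPLIANT,
                       f"uses VPC {bound}, expected {expected}")
    return Finding(name, COMPLIANT, "uses the specified VPC")


def evaluate_all(records: list, vpc_id: str) -> list:
    """Evaluate every record and return one Finding per function."""
    return [evaluate_function(r, vpc_id) for r in records]


# Constructed sample inventory; IDs and names are placeholders.
SAMPLE_FUNCTIONS = [
    {"name": "fn-public"},                                 # default public access
    {"name": "fn-null-vpc", "vpc": None},                  # VPC block present but empty
    {"name": "fn-other-vpc", "vpc": {"vpc_id": "vpc-bbbb"}},
    {"name": "fn-ok", "vpc": {"vpc_id": "vpc-aaaa"}},
]

if __name__ == "__main__":
    for f in evaluate_all(SAMPLE_FUNCTIONS, "vpc-aaaa"):
        print(f"{f.function:14} {f.status:13} {f.reason}")
```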