Configuring Networks
This section describes how to configure functions to access the public network or resources in a VPC.
Scenarios
Table 1 describes the function network capabilities. You can configure them based on service requirements.
Parameter |
Description |
---|---|
You can configure functions to access the public network in either of the following ways:
|
|
You can configure functions to access a VPC in either of the following ways:
|
Notes and Constraints
- You can bind a maximum of four subnets to all functions of an account.
- If VPC access is enabled, the default NIC is disabled and the NIC bound to the VPC will be used instead. Whether public access is supported depends on the VPC.
After a function is created, Public Access is enabled by default, allowing the function to access the public network using the default NIC.
The public access bandwidth is shared among users, so it is suited to test scenarios. In the production environment, you are advised to configure a fixed VPC public IP address. For details, see Configuring a Fixed VPC Public IP Address.
To enable the function to access the public network in the production environment, or to give it a fixed public IP address (for whitelist verification), configure a public NAT gateway in the VPC and bind an EIP to the gateway. In this case, whether public access is supported depends on the VPC.
Prerequisites
- You have created a VPC and a subnet according to Creating a VPC.
- You have obtained an EIP according to Assigning an EIP.
- You have configured VPC access for the function. For details, see Configuring VPC Access.
Procedure for creating a public NAT gateway:
- In the left navigation pane of the management console, choose Network > NAT Gateway to go to the NAT Gateway console. Then click Buy Public NAT Gateway.
- On the displayed page, enter the required information by referring to Buying a Public NAT Gateway, and submit the configuration.
- Click the public NAT gateway name. On the details page that is displayed, click Add SNAT Rule, set the rule, and click OK.
Configuring VPC Access
FunctionGraph allows functions to access resources in created VPCs or shared VPC subnets. For details about the shared VPC, see Shared VPC.
On the FunctionGraph console, you can configure VPC access as follows:
- Accessing VPC resources: Functions can access resources in the selected VPC. By default, public access is disabled. To access the public network, enable this feature and then configure public network access by referring to Configuring a Fixed VPC Public IP Address.
- Invocation Only by Specific VPC: This option allows the function to be invoked only from the specified VPC instead of the public network. It is suitable for scenarios where you need to strictly control the invocation source.
Prerequisites
- Inbound rule: Set Action to Allow, Protocol & Port to ICMP, and the minimum range for Source to the VPC CIDR block selected for the function.
For example, if the VPC CIDR block of the function is 192.168.x.x/24, add an inbound rule with Allow for Action, ICMP for Protocol & Port, and 192.168.x.x/24 for Source as shown in Figure 1.
- Outbound rule: Set Action to Allow.
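The following check is an added example, not part of the original documentation. It tests an exported rule set against the two prerequisites above: an inbound Allow rule for ICMP whose Source covers the function's VPC CIDR block, and an outbound Allow rule. The rule field names and the 192.168.10.0/24 block are constructed for illustration and do not mirror the real VPC API schema.

```python
import ipaddress

# Constructed sample rules; field names are hypothetical, not the VPC API schema.
SAMPLE_RULES = [
    {"direction": "inbound", "action": "allow", "protocol": "tcp",
     "source": "10.0.0.0/8"},
    {"direction": "inbound", "action": "allow", "protocol": "icmp",
     "source": "192.168.10.0/24"},
    {"direction": "outbound", "action": "allow", "protocol": "all"},
]


def check_function_sg(rules, vpc_cidr):
    """Return (errors, warnings) for the security group prerequisites."""
    vpc = ipaddress.ip_network(vpc_cidr)  # raises ValueError on a malformed CIDR
    errors, warnings = [], []

    # Inbound Allow rules that admit ICMP ("all" includes ICMP).
    sources = [
        ipaddress.ip_network(r["source"], strict=False)
        for r in rules
        if r["direction"] == "inbound" and r["action"] == "allow"
        and r["protocol"] in ("icmp", "all")
    ]
    # Merge adjacent or overlapping sources so that, for example, two /25
    # rules that jointly span the VPC /24 are treated as covering it.
    merged = list(ipaddress.collapse_addresses(
        s for s in sources if s.version == vpc.version))
    covering = [s for s in merged if vpc.subnet_of(s)]

    if not covering:
        errors.append(f"no inbound Allow ICMP rule covers {vpc}")
    elif covering[0] != vpc:
        # The prerequisite is met, but Source is wider than the minimum range.
        warnings.append(f"inbound ICMP source {covering[0]} is wider than {vpc}")

    if not any(r["direction"] == "outbound" and r["action"] == "allow"
               for r in rules):
        errors.append("no outbound Allow rule")
    return errors, warnings


if __name__ == "__main__":
    print(check_function_sg(SAMPLE_RULES, "192.168.10.0/24"))
```

A warning does not block VPC access; it marks a Source that is broader than the minimum range the prerequisite asks for.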
Configuring agency permissions
To enable VPC access, configure an agency with VPC permissions. For details, see Configuring Agency Permissions. The following agency permissions are involved:
- VPC Administrator: To use VPC, configure the VPC Administrator permission or grant the minimum permissions for VPC access by referring to Table 2.
- DNS ReadOnlyAccess: If a private domain name is configured in a VPC, assign the DNS ReadOnlyAccess permission to the function to resolve it.
Enabling VPC access
- Log in to the FunctionGraph console. In the navigation pane, choose Functions > Function List.
- Click the name of the function to be configured. The function details page is displayed.
- Choose Configuration > Network, enable VPC Access and set the parameters according to Table 3, as shown in Figure 2.
The function uses the NIC bound to the configured VPC for network access and disables the default FunctionGraph NIC.
Table 3 Network configuration parameters

| Parameter | Description |
|---|---|
| VPC | Mandatory. Select the VPC to be accessed. For details on how to create a VPC and a subnet, see Creating a VPC. |
| Subnet | Mandatory. Select a subnet of the VPC. |
| Domain Name | Optional. This parameter is not supported in the AF-Johannesburg region. You can configure one or more private domain names of the VPC so that the function can use them to access resources in this VPC. The following operations are related to domain name configuration. Use them as required. For details about how to create a private domain name, see Creating a Private Zone. For details about how to configure a function to implement domain name resolution, see . Functions can resolve only domain names of the A record set type. For details about how to add a record set, see Record Set Types and Configuration Rules. For details about how to access Redis in a VPC, see . |
| VPC CIDR block | Optional. You can enter the VPC CIDR block used in the code to check whether it conflicts with FunctionGraph's VPC CIDR block. |
| IPv6 | Optional. When you create the VPC, ensure that IPv6 is enabled for the default subnet. IPv6 will be automatically enabled here. For details, see Creating a VPC with a Subnet. After the IPv6 function is enabled, the system automatically assigns an IPv6 CIDR block to the created subnet. Currently, the IPv6 CIDR block cannot be customized. Once enabled, this function cannot be disabled. For more information, see IPv6 Network. |
Shared VPC
Shared VPC is a mechanism based on Resource Access Manager (RAM). The owner of a VPC can share subnets in the VPC with other accounts to implement cross-tenant network resource sharing. For details, see Shared VPC in the Virtual Private Cloud User Guide.
You can configure a shared subnet in a function to access its resources. First you need to ensure that the subnet owner has configured subnet sharing for the function. For details, see Sharing a Subnet with Other Accounts. Then configure the shared subnet by referring to Configuring VPC Access. If the subnet owner cancels the sharing, the subnet cannot be accessed in the function.