Configuring VPC Access
Functions can be configured to access resources in your Virtual Private Clouds (VPCs) or to access the Internet using elastic IP addresses bound through source network address translation (SNAT).
Prerequisites
Specify an agency with VPC administrator permissions for the function. For details, see Creating an Agency.
Configuring VPC Access
To configure VPC access for a function, perform the following steps:
- Log in to the FunctionGraph console, and choose Functions > Function List in the navigation pane.
- Create a function based on Creating and Initializing a Function.
- Click the name of the created function.
- Choose Configuration > Network, enable VPC Access, and configure VPC by referring to Table 1.
Table 1 Configuring VPC access Parameter
Description
VPC
Mandatory.
Select the VPC to be accessed by the function.
For details on how to create a VPC and subnet, see Creating a VPC.
Subnet
Mandatory.
Select the subnet to be accessed by the function.
All functions of a tenant in a project can be bound to a maximum of four subnets. (Each project has a unique 32-digit project ID, which is allocated when your account is created. The project IDs of your account and IAM user are the same.)
Domain Name
Optional.
Enter one or more private domain names of the VPC so that the function can use them to access resources in this VPC.
- For details about how to create a private domain name, see Creating a Private Zone.
- Functions can resolve only domain names of the A record set type. For details about how to add a record set, see Record Set Types and Configuration Rules.
VPC CIDR Block
Optional.
You can enter the VPC CIDR block used in the code to check whether it conflicts with FunctionGraph's VPC CIDR block. The blocks are separated by semicolons (;) and the number of blocks cannot exceed 5.
Security Group
Mandatory.
Select a security group. The inbound and outbound rules of the security group are displayed below.
To configure them, see Adding a Security Group Rule.
- Inbound rule: Set Action to Allow, Protocol & Port to ICMP, and the minimum range for Source to the VPC CIDR block selected for the function.
For example, if the VPC CIDR block of the function is 192.168.x.x/24, add an inbound rule with Allow for Action, ICMP for Protocol & Port, and 192.168.x.x/24 for Source.
Figure 1 Inbound rule
- Outbound rule: Set Action to Allow.
- Click Save.
Example
The following is an example of configuring VPC access to connect to a Distributed Cache Service (DCS) Redis instance.
- On the DCS console, view the VPC and subnet of the DCS Redis instance. If no Redis instances are available, create one.
- On the FunctionGraph console, configure VPC access for the function as follows:
- VPC Access: Enable VPC access.
- VPC: Select the VPC queried in 1.
- Subnet: Select the subnet queried in 1.
- After the configuration is complete, use the following code to access the Redis instance:# -*- coding:utf-8 -*-import redisdef handler (event, context):r = redis.StrictRedis(host='192.168.1.143', port=6379, db=0)r.set('product', 'FunctionGraph')print r.keys('*')print r.get('product')
Accessing the Internet from a VPC
By default, functions deployed in a VPC are isolated from the Internet. If a function needs to access both internal and external networks, add a NAT gateway for the VPC.
Prerequisites
- You have created a VPC and subnet according to Creating a VPC.
- You have obtained an elastic IP address according to Assigning an EIP.
Procedure of Creating a NAT Gateway
- Log in to the NAT Gateway console, and click Create NAT Gateway.
- On the displayed page, enter gateway information, select a VPC and subnet (for example, vpc-01), and confirm and submit the settings to create a NAT gateway. For details, see Creating a NAT Gateway.
- On the NAT gateway details page, click Add SNAT Rule, specify rule information, and click OK.
- Prerequisites
- Configuring VPC Access
- Accessing the Internet from a VPC