|
| 1 | +--- |
| 2 | +title: Serverless Containers and Private Networks integration |
| 3 | +description: This page contains details on how Serverless Containers interacts with Virtual Private Cloud and Private Networks |
| 4 | +dates: |
| 5 | + - posted: 2025-07-29 |
| 6 | + - validation: 2025-07-29 |
| 7 | +--- |
| 8 | + |
| 9 | +## Description |
| 10 | + |
| 11 | +Attach a Serverless Function or Container to a Private Network. |
| 12 | + |
| 13 | +### Availability |
| 14 | + |
| 15 | +- Binding is done per Function or Container, not per namespace: multiple functions/containers in the same namespace can be attached to different PNs |
| 16 | +- Works for both sandboxes (v1, v2) |
| 17 | +- Feature is free of charge |
| 18 | + |
| 19 | +### Features |
| 20 | +Container to PN resources (egress) |
| 21 | +Currently, no ingress (PN resources to container) |
| 22 | +but container still available through public traffic |
| 23 | + |
| 24 | +- All internal traffic (to PN) will be routed through the private interface, but external traffic (Internet) will be through the public (already existing) interface |
| 25 | + |
| 26 | +- All DNS resolution is done through PN (using DNS server `169.254.169.254` (=VPC dns server)). This allows to resolve `*.internal` records |
| 27 | + |
| 28 | + |
| 29 | + |
| 30 | + |
| 31 | +## Users limitations |
| 32 | + |
| 33 | +### API |
| 34 | + |
| 35 | +- A Function/Container can **only** be attached to a single PN |
| 36 | +- extra quota for VPC via Containers (Container Unique Private Networks) 5/10 |
| 37 | +- UPDATE QUOTAS DOC |
| 38 | + |
| 39 | + |
| 40 | + |
| 41 | +### Infrastructure |
| 42 | + |
| 43 | +- **VPC routing** (custom routes) doesn't work yet |
| 44 | + |
| 45 | +- Each Function/Container instance will have a unique IP in the PN, assigned by Scaleway. this implies: |
| 46 | + - it won't be possible for a user to **preemptively book an IP** in IPAM, and reference it in the attachment |
| 47 | + - this can result in a **large number of IPs** being used in the PN. It might be confusing for clients as a single resource (a given Function/Container) with multiple instances will have multiple IPs |
| 48 | + |
| 49 | +- **Cold-starts will be slightly longer** due to the additional steps required to attach the node to the PN and book an IP. |
| 50 | + |
| 51 | +Also, as of today, only ingress is implemented (phase 1: call a resource in the PN from a Function/Container). |
| 52 | + |
| 53 | +Egress (phase 2: calling a Function/Container from a resource in the PN) will be done [later](../#phases). |
| 54 | + |
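Review bot: The closing paragraphs (new lines 51 and 53) use "ingress" and "egress" in the opposite sense to the Features section (new lines 20 to 22). Features defines egress as "Container to PN resources" and says there is currently no ingress (PN resources to container). Line 51 then states that "only ingress is implemented (phase 1: call a resource in the PN from a Function/Container)", and line 53 calls PN-to-container traffic "Egress (phase 2 ...)". Readers will use this page to decide which direction of traffic is reachable over the Private Network, so pick one convention and apply it throughout. The simplest fix is to swap the two words in lines 51 and 53 so they match the Features section. Other points in the same hunk: line 37 ("UPDATE QUOTAS DOC") looks like a leftover author TODO and should be removed or resolved before merge. Line 36 gives the quota as "5/10" without saying what the two numbers refer to. Lines 20 to 22 are missing list markers and will render as one run-on paragraph directly under the heading. The front-matter title and description (lines 2 and 3) mention only Serverless Containers while the body covers both Functions and Containers.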