![](\"https://img.serverlesscloud.cn/qianyi/YHl6UWa9s62sLCrvZhrtRH5BpLicw7aUOfWRhclAKugeQ5WsviadTTYerqrHlLwcEicwb4PycSvj5eVj29G6HNDYA.jpg\")
《腾讯云函数计算冷启动优化实践》文章,主要讲解了云函数冷启动方面的优化实践。Serverless中的函数除了计算任务外,绝大部分还有网络访问需求,本篇文章,将详细介绍SCF网络架构优化。
\n注:文章整理自腾讯云专家工程师周维跃及腾讯云高级工程师李艳博在 Kubecon 2019 上的分享,原分享主题为《加速:无服务器平台中的冷启动优化》,本篇文章将分享云函数访问 VPC 网络方面的优化。
\n
函数的网络访问需求分为两种:
\n另外客户的函数在访问公网时,有时候还会有一个特殊需求,就是固定公网的出口IP。例如函数通过公网访问数据库,需要使用IP白名单限制访问来源,提高安全性。另外一些敏感的公网API也会要求固定出口IP,例如一些金融支付类的第三方API同样需要固定IP来提升安全性。
\n![](\"https://img.serverlesscloud.cn/qianyi/YHl6UWa9s62sLCrvZhrtRH5BpLicw7aUOFcf8AVCXXFd1r1Gs9AgoXkqPY0icjL9koxzxcJ8RFiagsQnQdc29IKvg.jpg\")
下面我们分别看看serverless传统网络架构以及SCF网络架构是如何设计以满足这两种网络访问需求的。
\nServerless传统网络访问VPC的设计
\n首先我们看下在函数访问VPC时,传统Serverless网络架构是如何设计的。在Serverless传统网络架构下,客户访问VPC主要有两种实现方式:
\n弹性网卡是关联客户VPC及subnet的虚拟设备。当容器创建该设备后,容器即可通过该设备与客户的VPC互通。这种方式利用了云上现有的弹性网卡产品能力,实现简单。
\n那么这种实现方式有没有什么问题呢?因为每个运行函数的容器实例都需要创建到客户VPC的弹性网卡,当客户函数的并发提升时,就需要创建新的容器实例及弹性网卡来运行函数。但是创建到客户VPC的弹性网卡涉及到虚拟设备的创建、路由更新等流程,整个弹性网卡创建流程要花费几秒钟的时间。也就是说在该架构下如果函数需要访问VPC,每次函数冷启动时,需要额外消耗几秒的时间用于打通函数到客户VPC的网络。
\n另外一方面创建弹性网卡时需要消耗客户VPC子网内的IP资源,实际运行函数时可能因为分配不到客户VPC 子网内的ip导致函数运行失败。比如客户可能在对应的子网内批量创建了很多CVM或者CDB等资源耗光子网ip。等运行函数或者说函数并发提升时,就会因为分配不到子网IP导致弹性网卡创建失败,进而导致函数运行失败。
\n![](\"https://img.serverlesscloud.cn/qianyi/YHl6UWa9s62sLCrvZhrtRH5BpLicw7aUOsk60vDibrFYo771JfCfHzscibrSohTDVnoyrFG7cRqlX0ficy8RBHW51A.jpg\")
容器内访问客户VPC的数据包转发到node的弹性网卡上,node上连接到同一个子网的容器共享该弹性网卡。比如图中两个pod运行同一个函数,连接到同一个VPC子网,这两个pod就会共享node上这一块弹性网卡。
\n对于在node上创建弹性网卡的方案,函数并发提升时,如果新创建的容器位于同一个node上,则不需要创建到客户VPC的弹性网卡,但是如果新创建的容器落到其他新的node上,那么同样需要在新node上创建到客户VPC的弹性网卡,此时冷启动耗时同样会额外多出几秒钟。
\n可以看到这种方式相比上面第一种方式有了一定的进步,但是同样可能在冷启动时需要创建到客户VPC的弹性网卡。可能会在函数并发提升时因为分配不到IP资源而导致运行失败。
\n![](\"https://img.serverlesscloud.cn/qianyi/YHl6UWa9s62sLCrvZhrtRH5BpLicw7aUOkgZ2STtqdeHVREHIVmfJk9elgk2Vxoq4na2Cvdvz9DEXS3EbF2tPcg.jpg\")
上面介绍了Serverless两种传统网络架构下,函数是如何访问VPC的。可以看到传统架构下有两个问题,第一个是弹性网卡都是在运行函数时创建的,会导致冷启动时间大幅增加。另外一个问题是当没有IP资源不能成功创建到客户VPC的弹性网卡的时候,就会导致函数运行失败。
\nVPC访问优化实践
\n下面看下SCF网络架构是如何支持函数访问VPC的。简单的说就是我们在SCF集群与客户VPC之间添加了一层Proxy代理集群。每个vpc/subnet建立一对主备proxy。主备proxy使用havip进行容灾切换。havip是一个浮动的内网 IP,支持机器通过 ARP 宣告进行绑定,更新 IP 和 MAC 地址的映射关系。
\n在高可用部署场景下,该 IP 可从主服务器切换至备服务器,从而完成业务容灾。在主备proxy之间可以实现秒级切换,且切换前后TCP连接保持不断。
\n当客户的函数需要访问VPC时,首先会通过ipip把流量转发到proxy上,proxy解出ipip的内层报文后,在snat成出口的HAVIP,然后转发到客户的VPC中,客户VPC的回包同样沿着相同的路径反向路由到运行函数的容器中。另外我们会依据客户的访问流量对proxy进行自动扩缩容,当流量提升时自动扩容一对主备proxy,当流量下降时,自动对多对主备proxy进行缩容。
\n在传统架构下,VPC函数冷启动时可能需要创建弹性网卡而增加几秒的冷启动耗时,在SCF新架构下仅需创建函数时,在proxy侧建立客户vpc的弹性网卡,函数调用时运行函数的容器或者node不在需要弹性网卡,仅需配置隧道参数。耗时仅仅几毫秒,因此函数冷启动时,VPC网络的配置时间从秒级下降到毫秒级。同时该方案避免了运行函数时因为客户子网ip资源耗尽而导致的函数运行失败。
\n![](\"https://img.serverlesscloud.cn/qianyi/YHl6UWa9s62sLCrvZhrtRH5BpLicw7aUO8cTE5a2Y0GtuGjbmrOqia8K2NxBVTV21jrz8rictQKKB4E2VdCh9cP7Q.jpg\")
上面是我们SCF对访问VPC的函数网络架构的优化。接下来看下在对比下函数访问公网时,Serverless传统网络架构和SCF网络架构的设计。
\nServerless传统网络访问公网的设计
\n依据函数访问公网是否需要固定IP,公网访问分为两种场景。当函数不需要固定ip访问公网时,公网流量通过集群的公共NAT网关转发出去,这个公共的NAT网关是由SCF部署的,集群内所有函数都是用这个NAT网关。
\n当函数需要以固定IP访问公网的时候,则需要客户在自己的VPC内创建nat网关,公网流量先路由到客户VPC,然后在从客户自己的nat网关转发出去。可以看到当客户不需要固定IP访问公网时候,仅需要一个公共的NAT网关,所有操作可以在serverless后台完成。当客户需要固定IP访问公网时候,则需要客户自己配置nat网关。
\n一方面NAT网关会额外增加客户的成本,另外配置复杂度高。因此针对固定IP访问公网的场景需要进一步优化。
\n![](\"https://img.serverlesscloud.cn/2020414/1586873385554-640.jpeg\")
SCF公网访问的优化实践
\n当函数无需固定IP访问公网时,我们仍然采用Serverless传统网络的共享NAT方案,该方案简单易扩展,利用了云上现有的nat网关产品,已经能较好满足无需固定IP访问公网的需求。对于需要固定IP访问公网的场景,我们则同样采用一对主备proxy。
\n数据包从函数容器到公网需要进行两次SNAT,第一次SNAT是在proxy这里,将数据包的源ip SNAT成HAVIP,另外这个HAVIP绑定了一个EIP,数据包从虚拟机发出后,会再次被SNAT成固定的EIP,从而实现固定ip访问公网的目的。两次SNAT操作都是由腾讯云负责部署。这样客户无需做额外复杂操作即可实现固定IP的目的。
\n![](\"https://img.serverlesscloud.cn/qianyi/YHl6UWa9s62sLCrvZhrtRH5BpLicw7aUOOe5PcW1BicguEYmaDVRGhic3HoSnMgUA2pale8SmeMCBl7dHJVCkGfxw.jpg\")
\n\n传送门:
\n\n
\n- GitHub: github.com/serverless
\n- 官网:serverless.com
\n
欢迎访问:Serverless 中文网,您可以在 最佳实践 里体验更多关于 Serverless 应用的开发!
","tableOfContents":""},"previousBlog":{"id":"e5cbc7f7-4743-507a-be01-abb06982a340","frontmatter":{"thumbnail":"https://img.serverlesscloud.cn/2020414/1586871710979-%E5%85%AC%E5%85%B1%E7%94%A8.png","authors":["李帅"],"categories":["guides-and-tutorials"],"date":"2019-07-03T00:00:00.000Z","title":"云函数 SCF 场景下的 DevOps 实现 —— Jenkins 篇","description":"本文意图描述在 SCF 场景下,如何基于 Jenkins 搭建自己的 CI/CD 流程","authorslink":["https://zhuanlan.zhihu.com/ServerlessGo"],"translators":null,"translatorslink":null,"tags":["DevOps","Serverless"],"keywords":"Serverless,serverless cloud function,无服务器架构","outdated":null},"wordCount":{"words":107,"sentences":38,"paragraphs":38},"fileAbsolutePath":"/opt/build/repo/content/blog/2019-07-03-scf-devops-jenkins.md","fields":{"slug":"/blog/2019-07-03-scf-devops-jenkins/","keywords":["java","python","serverless","spa","Pipeline","scf","stage","git","echo","Deploy","serverlesscloud"]}},"nextBlog":{"id":"2f3dd454-b47a-5776-a36c-349eb7e7eb27","frontmatter":{"thumbnail":"https://s3-us-west-2.amazonaws.com/assets.blog.serverless.com/framework-updates/framework-v146-thumb.png","authors":["MariuszNowak"],"categories":["news"],"date":"2019-07-01T00:00:00.000Z","title":"无服务器框架 v1.46.0 - 扩展 ALB 可配置性、支持外部 Websocket API 以及通过相对路径引用本地插件等等","description":"查看无服务器框架 v1.46.0 中包含的功能。","authorslink":null,"translators":null,"translatorslink":null,"tags":null,"keywords":null,"outdated":null},"wordCount":{"words":298,"sentences":46,"paragraphs":46},"fileAbsolutePath":"/opt/build/repo/content/blog/2019-07-01-framework-release-v146.md","fields":{"slug":"/blog/2019-07-01-framework-release-v146/","keywords":["go","serverless","spa","无服务器","无服务器开发","serverless","span","github","pull","color","href","插件"]}},"recommendBlogs":{"edges":[{"node":{"id":"4300b21c-7209-5256-86ff-0d38e3daec9b","frontmatter":{"thumbnail":"https://main.qcloudimg.com/raw/14f1c8eed372e76c1b139703b2f6d0fa.jpg","authors":["KieranMcCarthy"],"categories":["user-stories","engineering-culture"],"date":"2018-01-09T00:00:00.000Z","title":"我是如何在四年时间里,从厨师转行为 Serverless 应用开发者","description":"我是厨师出身,现在成为了一名 Serverless 应用开发者。","authorslink":["https://serverless.com/author/kieranmccarthy/"],"translators":["Aceyclee"],"translatorslink":["https://www.zhihu.com/people/Aceyclee"],"tags":["应用开发","Serverless"],"keywords":"Serverless 应用开发,Serverless 管理,厨师转行为 Serverless 应用开发者","outdated":null},"wordCount":{"words":285,"sentences":38,"paragraphs":36},"fileAbsolutePath":"/opt/build/repo/content/blog/2018-01-09-from-chef-to-serverless-developer-in-4-years.md","fields":{"slug":"/blog/2018-01-09-from-chef-to-serverless-developer-in-4-years/","keywords":["无服务器","无服务器开发","云函数","学习","Serverless","构建","Framework","开发者","服务器","应用","学位","简历"]}}},{"node":{"id":"713a0563-4bf9-5721-bacb-3b4ef609fe4a","frontmatter":{"thumbnail":"https://s3-us-west-2.amazonaws.com/assets.blog.serverless.com/camp-fire/camp-fire-housing-thumb.jpg","authors":["EricWyne"],"categories":["guides-and-tutorials","user-stories"],"date":"2018-12-05T00:00:00.000Z","title":"Serverless Twitter 机器人帮助为坎普山火受灾者安置住房","description":"加利福尼亚州的坎普山火致使数千人流离失所,为此,我构建了一个简单的 Serverless Twitter 机器人来帮助将受灾者安置在临时住房!","authorslink":["https://serverless.com/author/ericwyne/"],"translators":["Aceyclee"],"translatorslink":["zhihu.com/people/Aceyclee"],"tags":null,"keywords":null,"outdated":null},"wordCount":{"words":157,"sentences":26,"paragraphs":26},"fileAbsolutePath":"/opt/build/repo/content/blog/2018-12-05-serverless-twitter-camp-fire.md","fields":{"slug":"/blog/2018-12-05-serverless-twitter-camp-fire/","keywords":["serverless","无服务器","云函数","Serverless","org","住房","Twitter","函数","受灾","机器人","山火"]}}},{"node":{"id":"98602143-b837-5f50-a24f-3b1ec76044d7","frontmatter":{"thumbnail":"https://s3-us-west-2.amazonaws.com/assets.blog.serverless.com/sqquid/sqquid-serverless-thumb.jpg","authors":["RonPeled"],"categories":["user-stories"],"date":"2018-12-17T00:00:00.000Z","title":"SQQUID:100% 无服务器初创公司","description":"SQQUID 将 AWS Lambda 和无服务器框架用于其核心产品和营销网站。我们来看看一个完全无服务器的初创公司是怎样的。","authorslink":null,"translators":null,"translatorslink":null,"tags":null,"keywords":null,"outdated":null},"wordCount":{"words":266,"sentences":42,"paragraphs":42},"fileAbsolutePath":"/opt/build/repo/content/blog/2018-12-17-sqquid-one-hundred-percent-serverless.md","fields":{"slug":"/blog/2018-12-17-sqquid-one-hundred-percent-serverless/","keywords":["go","serverless","无服务器","无服务器架构","服务器","架构","Lambda","集成","FaaS","串行","系统"]}}},{"node":{"id":"29dc2e58-d2ba-56f9-aee1-d21b0bc62e0e","frontmatter":{"thumbnail":"https://s3-us-west-2.amazonaws.com/assets.blog.serverless.com/ao-com-story/ao-serverless-thumbnail.png","authors":["NickGottlieb"],"categories":["user-stories"],"date":"2019-04-24T00:00:00.000Z","title":"AO.com:逐渐转向无服务器优先","description":"AO.com 的 SCV 团队率先尝试无服务器服务。折服于无服务器框架的快速周转时间和低维护成本,整个团队逐渐转向无服务器优先。","authorslink":null,"translators":null,"translatorslink":null,"tags":null,"keywords":null,"outdated":null},"wordCount":{"words":236,"sentences":42,"paragraphs":35},"fileAbsolutePath":"/opt/build/repo/content/blog/2019-04-24-ao-serverless-first.md","fields":{"slug":"/blog/2019-04-24-ao-serverless-first/","keywords":["serverless","无服务器","服务器","团队","Lambda","功能","构建"]}}},{"node":{"id":"752d08d1-387a-5bde-acf3-98141baab294","frontmatter":{"thumbnail":"https://img.serverlesscloud.cn/2020414/1586871710979-%E5%85%AC%E5%85%B1%E7%94%A8.png","authors":["Anycodes"],"categories":["user-stories"],"date":"2019-06-20T00:00:00.000Z","title":"如何用 Serverless 为 Python 云函数打包依赖","description":"在使用无服务器云函数SCF时通常会遇到导入第三方库的问题,很多小伙伴比较头疼是:应该如何打包进去?这里,推荐几个不错的方法。","authorslink":["https://zhuanlan.zhihu.com/ServerlessGo"],"translators":null,"translatorslink":null,"tags":["云函数","Serverless"],"keywords":"Serverless,Serverless应用,无服务器云函数","outdated":null},"wordCount":{"words":81,"sentences":43,"paragraphs":43},"fileAbsolutePath":"/opt/build/repo/content/blog/2019-06-20-for-python-cloud-functions.md","fields":{"slug":"/blog/2019-06-20-for-python-cloud-functions/","keywords":["java","serverless","无服务器","无服务器云函数","云函数","serverlesscloud","安装","serverless","pillowtest"]}}},{"node":{"id":"2dc78814-9d77-555b-a1bb-ad202c8ec2d1","frontmatter":{"thumbnail":"https://s3-us-west-2.amazonaws.com/assets.blog.serverless.com/cloudforecast/thumbnail.png","authors":["FrancoisLagier"],"categories":["user-stories"],"date":"2019-08-07T00:00:00.000Z","title":"Serverless:初创企业的理想选择?(CloudForecast 案例分析)","description":"CloudForecast 是 2018 年成立的一家独立初创企业,本文将介绍他们决定选择 Serverless 的原因。","authorslink":["https://serverless.com/author/francoislagier/"],"translators":["Aceyclee"],"translatorslink":["zhihu.com/people/Aceyclee"],"tags":null,"keywords":null,"outdated":null},"wordCount":{"words":211,"sentences":29,"paragraphs":29},"fileAbsolutePath":"/opt/build/repo/content/blog/2019-08-07-serverless-for-startups.md","fields":{"slug":"/blog/2019-08-07-serverless-for-startups/","keywords":["serverless","云函数","serverless","函数","Serverless","utm","Framework","blog","CloudForecast","cloudforecast"]}}},{"node":{"id":"97450b07-658b-5207-8216-1c7b9b51b115","frontmatter":{"thumbnail":"https://img.serverlesscloud.cn/2020114/1578988490344-v2-8b2cd2c5275aa2c5a3c5083a148a7a9f_1200x500.jpg","authors":["Anycodes"],"categories":["user-stories"],"date":"2019-09-01T00:00:00.000Z","title":"如何通过 Serverless 与自然语言处理,让搜索引擎「看」到你的博客","description":"Serverless 与自然语言处理结合的一个小应用","authorslink":["https://www.zhihu.com/people/liuyu-43-97"],"translators":null,"translatorslink":null,"tags":["个人博客","serverless"],"keywords":"Serverless 自然语言处理","outdated":null},"wordCount":{"words":106,"sentences":34,"paragraphs":34},"fileAbsolutePath":"/opt/build/repo/content/blog/2019-09-01-search-engine-blog.md","fields":{"slug":"/blog/2019-09-01-search-engine-blog/","keywords":["serverless","云函数","keywords","serverlesscloud","summary"]}}},{"node":{"id":"ae4fd2f8-515c-5aec-b584-38427ef33f7e","frontmatter":{"thumbnail":"https://img.serverlesscloud.cn/2020114/1578989800047-part-00492-780.jpg","authors":["Anycodes"],"categories":["guides-and-tutorials","user-stories"],"date":"2019-09-16T00:00:00.000Z","title":"突破传统 OJ 瓶颈,「判题姬」接入云函数","description":"通过 Serverless 实现在线编程","authorslink":["https://www.zhihu.com/people/liuyu-43-97"],"translators":null,"translatorslink":null,"tags":["在线编程","云函数"],"keywords":"Serverless 在线编程,Serverless OJ","outdated":null},"wordCount":{"words":169,"sentences":30,"paragraphs":30},"fileAbsolutePath":"/opt/build/repo/content/blog/2019-09-16-online-Judge.md","fields":{"slug":"/blog/2019-09-16-online-Judge/","keywords":["python","serverless","云函数","代码","函数","serverless"]}}}],"totalCount":64}},"pageContext":{"isCreatedByStatefulCreatePages":false,"blogId":"84311318-4be1-590f-a752-c8eac2dab459","previousBlogId":"e5cbc7f7-4743-507a-be01-abb06982a340","nextBlogId":"2f3dd454-b47a-5776-a36c-349eb7e7eb27","categories":["user-stories"]}}}