name: alibaba-cloud-architecture
description: "Alibaba Cloud architecture patterns and best practices. Use when designing, deploying, or reviewing infrastructure on Alibaba Cloud including ECS, ACK, Function Compute, and OSS."
Alibaba Cloud Architecture
Comprehensive guide for building secure, scalable infrastructure on Alibaba Cloud.
When to Use
- Designing architecture for APAC-focused deployments
- Deploying applications to Alibaba Cloud services
- Setting up networking (VPC, security groups)
- Working with ACK (Container Service for Kubernetes)
- Integrating with Chinese market requirements
Core Services Overview
Compute
| Service | AWS Equivalent | Use Case |
|---|---|---|
| ECS | EC2 | Virtual machines |
| ACK | EKS | Managed Kubernetes |
| Function Compute | Lambda | Serverless functions |
| SAE | Fargate | Serverless containers |
| ECI | Fargate | Elastic container instances |
Storage
| Service | AWS Equivalent | Use Case |
|---|---|---|
| OSS | S3 | Object storage |
| NAS | EFS | File storage |
| ESSD | EBS | Block storage |
| Tablestore | DynamoDB | NoSQL |
Database
| Service | AWS Equivalent | Use Case |
|---|---|---|
| RDS | RDS | Managed SQL |
| PolarDB | Aurora | Cloud-native SQL |
| ApsaraDB for Redis | ElastiCache | Caching |
| AnalyticDB | Redshift | Data warehouse |
Networking
| Service | AWS Equivalent | Use Case |
|---|---|---|
| VPC | VPC | Virtual network |
| SLB | ALB/NLB | Load balancing |
| CDN | CloudFront | Content delivery |
| NAT Gateway | NAT Gateway | Outbound NAT |
| PrivateLink | PrivateLink | Private connectivity |
VPC Architecture
Terraform VPC
# Provider Configuration
provider "alicloud" {
region = var.region
access_key = var.access_key
secret_key = var.secret_key
}
# VPC
resource "alicloud_vpc" "main" {
vpc_name = "${var.project}-vpc"
cidr_block = "10.0.0.0/16"
tags = local.common_tags
}
# VSwitches (Subnets)
resource "alicloud_vswitch" "app" {
count = length(var.availability_zones)
vswitch_name = "${var.project}-app-${count.index}"
vpc_id = alicloud_vpc.main.id
cidr_block = cidrsubnet("10.0.0.0/16", 8, count.index)
zone_id = var.availability_zones[count.index]
tags = local.common_tags
}
resource "alicloud_vswitch" "db" {
count = length(var.availability_zones)
vswitch_name = "${var.project}-db-${count.index}"
vpc_id = alicloud_vpc.main.id
cidr_block = cidrsubnet("10.0.0.0/16", 8, count.index + 10)
zone_id = var.availability_zones[count.index]
tags = local.common_tags
}
# NAT Gateway
resource "alicloud_nat_gateway" "main" {
vpc_id = alicloud_vpc.main.id
nat_gateway_name = "${var.project}-nat"
payment_type = "PayAsYouGo"
nat_type = "Enhanced"
vswitch_id = alicloud_vswitch.app[0].id
tags = local.common_tags
}
resource "alicloud_eip_address" "nat" {
address_name = "${var.project}-nat-eip"
bandwidth = 100
internet_charge_type = "PayByTraffic"
}
resource "alicloud_eip_association" "nat" {
allocation_id = alicloud_eip_address.nat.id
instance_id = alicloud_nat_gateway.main.id
}
resource "alicloud_snat_entry" "main" {
count = length(alicloud_vswitch.app)
snat_table_id = alicloud_nat_gateway.main.snat_table_ids
source_vswitch_id = alicloud_vswitch.app[count.index].id
snat_ip = alicloud_eip_address.nat.ip_address
}
Security Groups
resource "alicloud_security_group" "app" {
name = "${var.project}-app-sg"
vpc_id = alicloud_vpc.main.id
description = "Security group for application servers"
tags = local.common_tags
}
resource "alicloud_security_group_rule" "app_http" {
type = "ingress"
ip_protocol = "tcp"
nic_type = "intranet"
policy = "accept"
port_range = "80/80"
priority = 1
security_group_id = alicloud_security_group.app.id
cidr_ip = "0.0.0.0/0"
}
resource "alicloud_security_group_rule" "app_https" {
type = "ingress"
ip_protocol = "tcp"
nic_type = "intranet"
policy = "accept"
port_range = "443/443"
priority = 1
security_group_id = alicloud_security_group.app.id
cidr_ip = "0.0.0.0/0"
}
resource "alicloud_security_group" "db" {
name = "${var.project}-db-sg"
vpc_id = alicloud_vpc.main.id
description = "Security group for databases"
tags = local.common_tags
}
resource "alicloud_security_group_rule" "db_mysql" {
type = "ingress"
ip_protocol = "tcp"
nic_type = "intranet"
policy = "accept"
port_range = "3306/3306"
priority = 1
security_group_id = alicloud_security_group.db.id
source_security_group_id = alicloud_security_group.app.id
}
RAM (Resource Access Management)
Service Role
# RAM Role for ECS
resource "alicloud_ram_role" "app" {
name = "${var.project}-app-role"
document = jsonencode({
Version = "1"
Statement = [{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = {
Service = ["ecs.aliyuncs.com"]
}
}]
})
description = "Role for application ECS instances"
}
# RAM Policy
resource "alicloud_ram_policy" "oss_access" {
policy_name = "${var.project}-oss-policy"
policy_document = jsonencode({
Version = "1"
Statement = [
{
Effect = "Allow"
Action = ["oss:GetObject", "oss:PutObject", "oss:DeleteObject"]
Resource = ["acs:oss:*:*:${var.project}-data/*"]
},
{
Effect = "Allow"
Action = ["oss:ListBucket"]
Resource = ["acs:oss:*:*:${var.project}-data"]
}
]
})
}
resource "alicloud_ram_role_policy_attachment" "oss" {
policy_name = alicloud_ram_policy.oss_access.name
policy_type = alicloud_ram_policy.oss_access.type
role_name = alicloud_ram_role.app.name
}
ACK (Container Service for Kubernetes)
Managed Kubernetes Cluster
resource "alicloud_cs_managed_kubernetes" "main" {
name = "${var.project}-ack"
cluster_spec = "ack.pro.small"
version = var.kubernetes_version
worker_vswitch_ids = alicloud_vswitch.app[*].id
pod_vswitch_ids = alicloud_vswitch.app[*].id
service_cidr = "172.16.0.0/16"
new_nat_gateway = false
worker_instance_types = ["ecs.g6.xlarge"]
worker_number = 3
worker_disk_category = "cloud_essd"
worker_disk_size = 100
install_cloud_monitor = true
addons {
name = "terway-eniip"
}
addons {
name = "csi-plugin"
}
addons {
name = "csi-provisioner"
}
tags = local.common_tags
}
# Node Pool
resource "alicloud_cs_kubernetes_node_pool" "app" {
cluster_id = alicloud_cs_managed_kubernetes.main.id
name = "app-pool"
vswitch_ids = alicloud_vswitch.app[*].id
instance_types = ["ecs.g6.2xlarge"]
scaling_config {
min_size = 2
max_size = 10
}
system_disk_category = "cloud_essd"
system_disk_size = 100
labels = {
"pool" = "app"
}
tags = local.common_tags
}
ECS (Elastic Compute Service)
Auto Scaling Group
resource "alicloud_ess_scaling_group" "app" {
scaling_group_name = "${var.project}-app-asg"
min_size = var.environment == "prod" ? 2 : 1
max_size = 10
vswitch_ids = alicloud_vswitch.app[*].id
removal_policies = ["OldestInstance", "NewestInstance"]
tags = local.common_tags
}
resource "alicloud_ess_scaling_configuration" "app" {
scaling_group_id = alicloud_ess_scaling_group.app.id
image_id = data.alicloud_images.ubuntu.images[0].id
instance_type = "ecs.g6.large"
security_group_id = alicloud_security_group.app.id
system_disk_category = "cloud_essd"
system_disk_size = 50
user_data = base64encode(file("${path.module}/scripts/user-data.sh"))
tags = local.common_tags
}
resource "alicloud_ess_scaling_rule" "cpu_scale_out" {
scaling_group_id = alicloud_ess_scaling_group.app.id
scaling_rule_name = "cpu-scale-out"
scaling_rule_type = "TargetTrackingScalingRule"
target_tracking_configuration {
metric_name = "CpuUtilization"
target_value = 70
}
}
SLB (Server Load Balancer)
Application Load Balancer
resource "alicloud_slb_load_balancer" "app" {
load_balancer_name = "${var.project}-slb"
load_balancer_spec = "slb.s2.small"
vswitch_id = alicloud_vswitch.app[0].id
address_type = "intranet"
tags = local.common_tags
}
resource "alicloud_slb_listener" "https" {
load_balancer_id = alicloud_slb_load_balancer.app.id
backend_port = 8080
frontend_port = 443
protocol = "https"
bandwidth = -1
server_certificate_id = alicloud_slb_server_certificate.main.id
health_check = "on"
health_check_uri = "/health"
health_check_connect_port = 8080
healthy_threshold = 3
unhealthy_threshold = 3
health_check_timeout = 5
health_check_interval = 10
sticky_session = "on"
sticky_session_type = "insert"
cookie_timeout = 3600
}
resource "alicloud_slb_server_group" "app" {
load_balancer_id = alicloud_slb_load_balancer.app.id
name = "${var.project}-app-servers"
}
resource "alicloud_slb_backend_server" "app" {
load_balancer_id = alicloud_slb_load_balancer.app.id
dynamic "backend_servers" {
for_each = alicloud_instance.app
content {
server_id = backend_servers.value.id
weight = 100
}
}
}
RDS (ApsaraDB for RDS)
PostgreSQL Instance
resource "alicloud_db_instance" "main" {
engine = "PostgreSQL"
engine_version = "15.0"
instance_type = var.environment == "prod" ? "pg.n2.medium.2c" : "pg.n2.small.1"
instance_storage = 100
instance_charge_type = var.environment == "prod" ? "Prepaid" : "Postpaid"
instance_name = "${var.project}-postgres"
vswitch_id = alicloud_vswitch.db[0].id
security_ips = [alicloud_vswitch.app[0].cidr_block, alicloud_vswitch.app[1].cidr_block]
db_instance_storage_type = "cloud_essd"
parameters {
name = "log_connections"
value = "on"
}
parameters {
name = "log_disconnections"
value = "on"
}
tags = local.common_tags
}
resource "alicloud_db_database" "main" {
instance_id = alicloud_db_instance.main.id
name = var.database_name
character_set = "UTF8"
}
resource "alicloud_db_account" "app" {
db_instance_id = alicloud_db_instance.main.id
account_name = "app"
account_password = random_password.db.result
account_type = "Normal"
}
resource "alicloud_db_account_privilege" "app" {
instance_id = alicloud_db_instance.main.id
account_name = alicloud_db_account.app.account_name
privilege = "ReadWrite"
db_names = [alicloud_db_database.main.name]
}
OSS (Object Storage Service)
Secure Bucket
resource "alicloud_oss_bucket" "data" {
bucket = "${var.project}-data"
acl = "private"
versioning {
status = "Enabled"
}
server_side_encryption_rule {
sse_algorithm = "KMS"
kms_master_key_id = alicloud_kms_key.oss.id
}
lifecycle_rule {
id = "archive"
enabled = true
prefix = ""
transitions {
days = 90
storage_class = "IA"
}
transitions {
days = 180
storage_class = "Archive"
}
expiration {
days = 365
}
}
logging {
target_bucket = alicloud_oss_bucket.logs.id
target_prefix = "oss-logs/"
}
tags = local.common_tags
}
# Block public access
resource "alicloud_oss_bucket_public_access_block" "data" {
bucket = alicloud_oss_bucket.data.bucket
block_public_access = true
ignore_public_acls = true
restrict_public_buckets = true
}
Function Compute
Serverless Function
resource "alicloud_fc_service" "main" {
name = "${var.project}-service"
description = "Function Compute Service"
role = alicloud_ram_role.fc.arn
vpc_config {
vswitch_ids = alicloud_vswitch.app[*].id
security_group_id = alicloud_security_group.app.id
}
log_config {
project = alicloud_log_project.main.name
logstore = alicloud_log_store.fc.name
}
}
resource "alicloud_fc_function" "api" {
service = alicloud_fc_service.main.name
name = "api-handler"
description = "API Handler Function"
runtime = "nodejs18"
handler = "index.handler"
memory_size = 512
timeout = 30
filename = data.archive_file.function.output_path
code_checksum = data.archive_file.function.output_base64sha256
environment_variables = {
NODE_ENV = "production"
DATABASE_URL = alicloud_db_instance.main.connection_string
}
}
resource "alicloud_fc_trigger" "http" {
service = alicloud_fc_service.main.name
function = alicloud_fc_function.api.name
name = "http-trigger"
type = "http"
config = jsonencode({
authType = "anonymous"
methods = ["GET", "POST", "PUT", "DELETE"]
})
}
CLI Reference
# Configure CLI
# Interactive setup of the CLI's default profile. It writes the credentials it
# is given to a local config file, so prefer a credential mode that does not
# persist a long-lived AccessKey where the CLI supports one (e.g. an instance
# RAM role or STS token) — check `aliyun configure --help` for the modes offered.
aliyun configure
# ECS
# Instance lifecycle; i-xxx stands for an instance ID.
aliyun ecs DescribeInstances
aliyun ecs StartInstance --InstanceId i-xxx
aliyun ecs StopInstance --InstanceId i-xxx
# ACK
# ACK uses a REST-style call form. user_config returns the cluster kubeconfig,
# i.e. cluster-admin credentials — treat the output as a secret.
aliyun cs GET /clusters
aliyun cs GET /k8s/clusters/{ClusterId}/user_config
# OSS
# List, upload and sync; bucket-name is a placeholder.
aliyun oss ls oss://bucket-name/
aliyun oss cp local.txt oss://bucket-name/
aliyun oss sync ./folder oss://bucket-name/folder
# RDS
# rm-xxx stands for an RDS instance ID.
aliyun rds DescribeDBInstances
aliyun rds DescribeDatabases --DBInstanceId rm-xxx
# Function Compute
# List services; POST to the invocations path runs the named function.
aliyun fc GET /services
aliyun fc POST /services/{serviceName}/functions/{functionName}/invocations
Regional Considerations
China Regions
- Requires ICP license for public websites
- Different regulatory requirements
- Separate Alibaba Cloud account (China vs International)
International Regions
- Singapore, Hong Kong, Japan, etc.
- No ICP requirements
- Same account as global cloud
Security Checklist
Integration
Works with:
/terraform - Alibaba Cloud provider
/k8s - ACK deployments
/devops - CI/CD pipelines
/security - Security review