Alibaba Cloud Architecture | Skills Pool
Alibaba Cloud Architecture Alibaba Cloud architecture patterns and best practices. Use when designing, deploying, or reviewing infrastructure on Alibaba Cloud including ECS, ACK, Function Compute, and OSS.
liauw-media 3 stars Jan 11, 2026 Occupation Categories Architecture Patterns Comprehensive guide for building secure, scalable infrastructure on Alibaba Cloud.
When to Use
Designing architecture for APAC-focused deployments
Deploying applications to Alibaba Cloud services
Setting up networking (VPC, security groups)
Working with ACK (Container Service for Kubernetes)
Integrating with Chinese market requirements
Core Services Overview
Compute
Service AWS Equivalent Use Case ECS EC2 Virtual machines ACK EKS Managed Kubernetes Function Compute Lambda Serverless functions SAE Fargate Serverless containers ECI Fargate Elastic container instances
Quick Install
Alibaba Cloud Architecture npx skills add liauw-media/CodeAssist
stars 3
Updated Jan 11, 2026
Occupation
Storage Service AWS Equivalent Use Case OSS S3 Object storage NAS EFS File storage ESSD EBS Block storage Tablestore DynamoDB NoSQL
Database Service AWS Equivalent Use Case RDS RDS Managed SQL PolarDB Aurora Cloud-native SQL ApsaraDB for Redis ElastiCache Caching AnalyticDB Redshift Data warehouse
Networking Service AWS Equivalent Use Case VPC VPC Virtual network SLB ALB/NLB Load balancing CDN CloudFront Content delivery NAT Gateway NAT Gateway Outbound NAT PrivateLink PrivateLink Private connectivity
VPC Architecture
# Provider Configuration
provider "alicloud" {
region = var.region
access_key = var.access_key
secret_key = var.secret_key
}
# VPC
resource "alicloud_vpc" "main" {
vpc_name = "${var.project}-vpc"
cidr_block = "10.0.0.0/16"
tags = local.common_tags
}
# VSwitches (Subnets)
resource "alicloud_vswitch" "app" {
count = length(var.availability_zones)
vswitch_name = "${var.project}-app-${count.index}"
vpc_id = alicloud_vpc.main.id
cidr_block = cidrsubnet("10.0.0.0/16", 8, count.index)
zone_id = var.availability_zones[count.index]
tags = local.common_tags
}
resource "alicloud_vswitch" "db" {
count = length(var.availability_zones)
vswitch_name = "${var.project}-db-${count.index}"
vpc_id = alicloud_vpc.main.id
cidr_block = cidrsubnet("10.0.0.0/16", 8, count.index + 10)
zone_id = var.availability_zones[count.index]
tags = local.common_tags
}
# NAT Gateway
resource "alicloud_nat_gateway" "main" {
vpc_id = alicloud_vpc.main.id
nat_gateway_name = "${var.project}-nat"
payment_type = "PayAsYouGo"
nat_type = "Enhanced"
vswitch_id = alicloud_vswitch.app[0].id
tags = local.common_tags
}
resource "alicloud_eip_address" "nat" {
address_name = "${var.project}-nat-eip"
bandwidth = 100
internet_charge_type = "PayByTraffic"
}
resource "alicloud_eip_association" "nat" {
allocation_id = alicloud_eip_address.nat.id
instance_id = alicloud_nat_gateway.main.id
}
resource "alicloud_snat_entry" "main" {
count = length(alicloud_vswitch.app)
snat_table_id = alicloud_nat_gateway.main.snat_table_ids
source_vswitch_id = alicloud_vswitch.app[count.index].id
snat_ip = alicloud_eip_address.nat.ip_address
}
Security Groups resource "alicloud_security_group" "app" {
name = "${var.project}-app-sg"
vpc_id = alicloud_vpc.main.id
description = "Security group for application servers"
tags = local.common_tags
}
resource "alicloud_security_group_rule" "app_http" {
type = "ingress"
ip_protocol = "tcp"
nic_type = "intranet"
policy = "accept"
port_range = "80/80"
priority = 1
security_group_id = alicloud_security_group.app.id
cidr_ip = "0.0.0.0/0"
}
resource "alicloud_security_group_rule" "app_https" {
type = "ingress"
ip_protocol = "tcp"
nic_type = "intranet"
policy = "accept"
port_range = "443/443"
priority = 1
security_group_id = alicloud_security_group.app.id
cidr_ip = "0.0.0.0/0"
}
resource "alicloud_security_group" "db" {
name = "${var.project}-db-sg"
vpc_id = alicloud_vpc.main.id
description = "Security group for databases"
tags = local.common_tags
}
resource "alicloud_security_group_rule" "db_mysql" {
type = "ingress"
ip_protocol = "tcp"
nic_type = "intranet"
policy = "accept"
port_range = "3306/3306"
priority = 1
security_group_id = alicloud_security_group.db.id
source_security_group_id = alicloud_security_group.app.id
}
RAM (Resource Access Management)
Service Role # RAM Role for ECS
resource "alicloud_ram_role" "app" {
name = "${var.project}-app-role"
document = jsonencode({
Version = "1"
Statement = [{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = {
Service = ["ecs.aliyuncs.com"]
}
}]
})
description = "Role for application ECS instances"
}
# RAM Policy
resource "alicloud_ram_policy" "oss_access" {
policy_name = "${var.project}-oss-policy"
policy_document = jsonencode({
Version = "1"
Statement = [
{
Effect = "Allow"
Action = ["oss:GetObject", "oss:PutObject", "oss:DeleteObject"]
Resource = ["acs:oss:*:*:${var.project}-data/*"]
},
{
Effect = "Allow"
Action = ["oss:ListBucket"]
Resource = ["acs:oss:*:*:${var.project}-data"]
}
]
})
}
resource "alicloud_ram_role_policy_attachment" "oss" {
policy_name = alicloud_ram_policy.oss_access.name
policy_type = alicloud_ram_policy.oss_access.type
role_name = alicloud_ram_role.app.name
}
ACK (Container Service for Kubernetes)
Managed Kubernetes Cluster resource "alicloud_cs_managed_kubernetes" "main" {
name = "${var.project}-ack"
cluster_spec = "ack.pro.small"
version = var.kubernetes_version
worker_vswitch_ids = alicloud_vswitch.app[*].id
pod_vswitch_ids = alicloud_vswitch.app[*].id
service_cidr = "172.16.0.0/16"
new_nat_gateway = false
worker_instance_types = ["ecs.g6.xlarge"]
worker_number = 3
worker_disk_category = "cloud_essd"
worker_disk_size = 100
install_cloud_monitor = true
addons {
name = "terway-eniip"
}
addons {
name = "csi-plugin"
}
addons {
name = "csi-provisioner"
}
tags = local.common_tags
}
# Node Pool
resource "alicloud_cs_kubernetes_node_pool" "app" {
cluster_id = alicloud_cs_managed_kubernetes.main.id
name = "app-pool"
vswitch_ids = alicloud_vswitch.app[*].id
instance_types = ["ecs.g6.2xlarge"]
scaling_config {
min_size = 2
max_size = 10
}
system_disk_category = "cloud_essd"
system_disk_size = 100
labels = {
"pool" = "app"
}
tags = local.common_tags
}
ECS (Elastic Compute Service)
Auto Scaling Group resource "alicloud_ess_scaling_group" "app" {
scaling_group_name = "${var.project}-app-asg"
min_size = var.environment == "prod" ? 2 : 1
max_size = 10
vswitch_ids = alicloud_vswitch.app[*].id
removal_policies = ["OldestInstance", "NewestInstance"]
tags = local.common_tags
}
resource "alicloud_ess_scaling_configuration" "app" {
scaling_group_id = alicloud_ess_scaling_group.app.id
image_id = data.alicloud_images.ubuntu.images[0].id
instance_type = "ecs.g6.large"
security_group_id = alicloud_security_group.app.id
system_disk_category = "cloud_essd"
system_disk_size = 50
user_data = base64encode(file("${path.module}/scripts/user-data.sh"))
tags = local.common_tags
}
resource "alicloud_ess_scaling_rule" "cpu_scale_out" {
scaling_group_id = alicloud_ess_scaling_group.app.id
scaling_rule_name = "cpu-scale-out"
scaling_rule_type = "TargetTrackingScalingRule"
target_tracking_configuration {
metric_name = "CpuUtilization"
target_value = 70
}
}
SLB (Server Load Balancer)
Application Load Balancer resource "alicloud_slb_load_balancer" "app" {
load_balancer_name = "${var.project}-slb"
load_balancer_spec = "slb.s2.small"
vswitch_id = alicloud_vswitch.app[0].id
address_type = "intranet"
tags = local.common_tags
}
resource "alicloud_slb_listener" "https" {
load_balancer_id = alicloud_slb_load_balancer.app.id
backend_port = 8080
frontend_port = 443
protocol = "https"
bandwidth = -1
server_certificate_id = alicloud_slb_server_certificate.main.id
health_check = "on"
health_check_uri = "/health"
health_check_connect_port = 8080
healthy_threshold = 3
unhealthy_threshold = 3
health_check_timeout = 5
health_check_interval = 10
sticky_session = "on"
sticky_session_type = "insert"
cookie_timeout = 3600
}
resource "alicloud_slb_server_group" "app" {
load_balancer_id = alicloud_slb_load_balancer.app.id
name = "${var.project}-app-servers"
}
resource "alicloud_slb_backend_server" "app" {
load_balancer_id = alicloud_slb_load_balancer.app.id
dynamic "backend_servers" {
for_each = alicloud_instance.app
content {
server_id = backend_servers.value.id
weight = 100
}
}
}
RDS (ApsaraDB for RDS)
PostgreSQL Instance resource "alicloud_db_instance" "main" {
engine = "PostgreSQL"
engine_version = "15.0"
instance_type = var.environment == "prod" ? "pg.n2.medium.2c" : "pg.n2.small.1"
instance_storage = 100
instance_charge_type = var.environment == "prod" ? "Prepaid" : "Postpaid"
instance_name = "${var.project}-postgres"
vswitch_id = alicloud_vswitch.db[0].id
security_ips = [alicloud_vswitch.app[0].cidr_block, alicloud_vswitch.app[1].cidr_block]
db_instance_storage_type = "cloud_essd"
parameters {
name = "log_connections"
value = "on"
}
parameters {
name = "log_disconnections"
value = "on"
}
tags = local.common_tags
}
resource "alicloud_db_database" "main" {
instance_id = alicloud_db_instance.main.id
name = var.database_name
character_set = "UTF8"
}
resource "alicloud_db_account" "app" {
db_instance_id = alicloud_db_instance.main.id
account_name = "app"
account_password = random_password.db.result
account_type = "Normal"
}
resource "alicloud_db_account_privilege" "app" {
instance_id = alicloud_db_instance.main.id
account_name = alicloud_db_account.app.account_name
privilege = "ReadWrite"
db_names = [alicloud_db_database.main.name]
}
OSS (Object Storage Service)
Secure Bucket resource "alicloud_oss_bucket" "data" {
bucket = "${var.project}-data"
acl = "private"
versioning {
status = "Enabled"
}
server_side_encryption_rule {
sse_algorithm = "KMS"
kms_master_key_id = alicloud_kms_key.oss.id
}
lifecycle_rule {
id = "archive"
enabled = true
prefix = ""
transitions {
days = 90
storage_class = "IA"
}
transitions {
days = 180
storage_class = "Archive"
}
expiration {
days = 365
}
}
logging {
target_bucket = alicloud_oss_bucket.logs.id
target_prefix = "oss-logs/"
}
tags = local.common_tags
}
# Block public access
resource "alicloud_oss_bucket_public_access_block" "data" {
bucket = alicloud_oss_bucket.data.bucket
block_public_access = true
ignore_public_acls = true
restrict_public_buckets = true
}
Function Compute
Serverless Function resource "alicloud_fc_service" "main" {
name = "${var.project}-service"
description = "Function Compute Service"
role = alicloud_ram_role.fc.arn
vpc_config {
vswitch_ids = alicloud_vswitch.app[*].id
security_group_id = alicloud_security_group.app.id
}
log_config {
project = alicloud_log_project.main.name
logstore = alicloud_log_store.fc.name
}
}
resource "alicloud_fc_function" "api" {
service = alicloud_fc_service.main.name
name = "api-handler"
description = "API Handler Function"
runtime = "nodejs18"
handler = "index.handler"
memory_size = 512
timeout = 30
filename = data.archive_file.function.output_path
code_checksum = data.archive_file.function.output_base64sha256
environment_variables = {
NODE_ENV = "production"
DATABASE_URL = alicloud_db_instance.main.connection_string
}
}
resource "alicloud_fc_trigger" "http" {
service = alicloud_fc_service.main.name
function = alicloud_fc_function.api.name
name = "http-trigger"
type = "http"
config = jsonencode({
authType = "anonymous"
methods = ["GET", "POST", "PUT", "DELETE"]
})
}
CLI Reference # Configure CLI
aliyun configure
# ECS
aliyun ecs DescribeInstances
aliyun ecs StartInstance --InstanceId i-xxx
aliyun ecs StopInstance --InstanceId i-xxx
# ACK
aliyun cs GET /clusters
aliyun cs GET /k8s/clusters/{ClusterId}/user_config
# OSS
aliyun oss ls oss://bucket-name/
aliyun oss cp local.txt oss://bucket-name/
aliyun oss sync ./folder oss://bucket-name/folder
# RDS
aliyun rds DescribeDBInstances
aliyun rds DescribeDatabases --DBInstanceId rm-xxx
# Function Compute
aliyun fc GET /services
aliyun fc POST /services/{serviceName}/functions/{functionName}/invocations
Regional Considerations
China Regions
Requires ICP license for public websites
Different regulatory requirements
Separate Alibaba Cloud account (China vs International)
International Regions
Singapore, Hong Kong, Japan, etc.
No ICP requirements
Same account as global cloud
Security Checklist
Integration
/terraform - Alibaba Cloud provider/k8s - ACK deployments/devops - CI/CD pipelines/security - Security review 02
Core Services Overview