Claude-skill-registry alibaba-cloud-architecture

Alibaba Cloud architecture patterns and best practices. Use when designing, deploying, or reviewing infrastructure on Alibaba Cloud including ECS, ACK, Function Compute, and OSS.

install
source · Clone the upstream repo
git clone https://github.com/majiayu000/claude-skill-registry
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/alibaba-cloud" ~/.claude/skills/majiayu000-claude-skill-registry-alibaba-cloud-architecture && rm -rf "$T"
manifest: skills/data/alibaba-cloud/SKILL.md
safety · automated scan (low risk)
This is a pattern-based risk scan, not a security review. Our crawler flagged:
  • references API keys
Always read a skill's source content before installing. Patterns alone don't mean the skill is malicious — but they warrant attention.
source content

Alibaba Cloud Architecture

Comprehensive guide for building secure, scalable infrastructure on Alibaba Cloud.

When to Use

  • Designing architecture for APAC-focused deployments
  • Deploying applications to Alibaba Cloud services
  • Setting up networking (VPC, security groups)
  • Working with ACK (Container Service for Kubernetes)
  • Integrating with Chinese market requirements

Core Services Overview

Compute

Service            AWS Equivalent   Use Case
-----------------  ---------------  ---------------------------
ECS                EC2              Virtual machines
ACK                EKS              Managed Kubernetes
Function Compute   Lambda           Serverless functions
SAE                Fargate          Serverless containers
ECI                Fargate          Elastic container instances

Storage

Service      AWS Equivalent   Use Case
-----------  ---------------  ---------------
OSS          S3               Object storage
NAS          EFS              File storage
ESSD         EBS              Block storage
Tablestore   DynamoDB         NoSQL

Database

Service              AWS Equivalent   Use Case
-------------------  ---------------  -----------------
RDS                  RDS              Managed SQL
PolarDB              Aurora           Cloud-native SQL
ApsaraDB for Redis   ElastiCache      Caching
AnalyticDB           Redshift         Data warehouse

Networking

Service       AWS Equivalent   Use Case
------------  ---------------  ---------------------
VPC           VPC              Virtual network
SLB           ALB/NLB          Load balancing
CDN           CloudFront       Content delivery
NAT Gateway   NAT Gateway      Outbound NAT
PrivateLink   PrivateLink      Private connectivity

VPC Architecture

Terraform VPC

# Provider Configuration
# Credentials come from variables here. The provider also reads the
# ALICLOUD_ACCESS_KEY / ALICLOUD_SECRET_KEY / ALICLOUD_REGION environment
# variables, which keeps long-lived keys out of tfvars files.
provider "alicloud" {
  region     = var.region
  access_key = var.access_key
  secret_key = var.secret_key
}

# VPC
resource "alicloud_vpc" "main" {
  vpc_name   = "${var.project}-vpc"
  cidr_block = "10.0.0.0/16"

  tags = local.common_tags
}

# VSwitches (Subnets)
resource "alicloud_vswitch" "app" {
  count        = length(var.availability_zones)
  vswitch_name = "${var.project}-app-${count.index}"
  vpc_id       = alicloud_vpc.main.id
  cidr_block   = cidrsubnet("10.0.0.0/16", 8, count.index)
  zone_id      = var.availability_zones[count.index]

  tags = local.common_tags
}

resource "alicloud_vswitch" "db" {
  count        = length(var.availability_zones)
  vswitch_name = "${var.project}-db-${count.index}"
  vpc_id       = alicloud_vpc.main.id
  cidr_block   = cidrsubnet("10.0.0.0/16", 8, count.index + 10)
  zone_id      = var.availability_zones[count.index]

  tags = local.common_tags
}

# NAT Gateway
resource "alicloud_nat_gateway" "main" {
  vpc_id           = alicloud_vpc.main.id
  nat_gateway_name = "${var.project}-nat"
  payment_type     = "PayAsYouGo"
  nat_type         = "Enhanced"
  vswitch_id       = alicloud_vswitch.app[0].id

  tags = local.common_tags
}

resource "alicloud_eip_address" "nat" {
  address_name         = "${var.project}-nat-eip"
  bandwidth            = 100
  internet_charge_type = "PayByTraffic"
}

resource "alicloud_eip_association" "nat" {
  allocation_id = alicloud_eip_address.nat.id
  instance_id   = alicloud_nat_gateway.main.id
}

resource "alicloud_snat_entry" "main" {
  count             = length(alicloud_vswitch.app)
  snat_table_id     = alicloud_nat_gateway.main.snat_table_ids
  source_vswitch_id = alicloud_vswitch.app[count.index].id
  snat_ip           = alicloud_eip_address.nat.ip_address
}
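The vSwitch layout above is driven by cidrsubnet() and a fixed offset of 10 between the app and db ranges, which is easy to get wrong when the zone list changes. The following added example (not code from the skill) reimplements cidrsubnet in Python, reproduces the app/db allocation per zone, checks that every vSwitch sits inside the VPC and that none overlap, and derives the list of app CIDRs the RDS security_ips allow-list below needs to contain. The zone ids and zone count are constructed sample values; the example goes beyond the page by showing what happens with more than ten zones, where app-10 collides with db-0.

```python
"""Model the app/db vSwitch allocation from the Terraform above.
Added example; not part of the skill. Zone ids are constructed placeholders."""
import ipaddress
from typing import Dict, List

VPC_CIDR = "10.0.0.0/16"
# Constructed sample input: three zones (placeholder zone ids).
AVAILABILITY_ZONES = ["zone-a", "zone-b", "zone-c"]
DB_OFFSET = 10  # the `count.index + 10` in the db vswitch resource


def cidrsubnet(prefix: str, newbits: int, netnum: int) -> str:
    """Python equivalent of Terraform's cidrsubnet(prefix, newbits, netnum):
    lengthen the prefix by `newbits` and select subnet number `netnum`."""
    net = ipaddress.ip_network(prefix)
    new_len = net.prefixlen + newbits
    if new_len > net.max_prefixlen:
        raise ValueError("newbits exceeds the address size")
    if not 0 <= netnum < 2 ** newbits:
        raise ValueError("netnum out of range for newbits")
    size = 2 ** (net.max_prefixlen - new_len)
    start = ipaddress.ip_address(int(net.network_address) + netnum * size)
    return f"{start}/{new_len}"


def plan_vswitches(vpc_cidr: str, zones: List[str]) -> Dict[str, str]:
    """Mirror the two alicloud_vswitch resources: one app-N and one db-N per zone."""
    plan: Dict[str, str] = {}
    for idx, _zone in enumerate(zones):
        plan[f"app-{idx}"] = cidrsubnet(vpc_cidr, 8, idx)
        plan[f"db-{idx}"] = cidrsubnet(vpc_cidr, 8, idx + DB_OFFSET)
    return plan


def check_layout(vpc_cidr: str, plan: Dict[str, str]) -> List[str]:
    """Return problems: a vSwitch outside the VPC, or two vSwitches that overlap."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    problems: List[str] = []
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is outside the VPC {vpc}")
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


def rds_allowlist(plan: Dict[str, str]) -> List[str]:
    """CIDRs the RDS security_ips must contain so every app vSwitch can reach
    the database (the page's RDS block lists only app[0] and app[1])."""
    return [cidr for name, cidr in sorted(plan.items()) if name.startswith("app-")]


if __name__ == "__main__":
    layout = plan_vswitches(VPC_CIDR, AVAILABILITY_ZONES)
    for name, cidr in sorted(layout.items()):
        print(f"{name:8} {cidr}")
    print("problems:", check_layout(VPC_CIDR, layout) or "none")
    print("rds security_ips:", rds_allowlist(layout))
```

With three zones the app vSwitches are 10.0.0.0/24 to 10.0.2.0/24 and the db vSwitches 10.0.10.0/24 to 10.0.12.0/24; the offset of 10 leaves room for exactly ten zones before the ranges collide, which check_layout reports.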

Security Groups

resource "alicloud_security_group" "app" {
  name        = "${var.project}-app-sg"
  vpc_id      = alicloud_vpc.main.id
  description = "Security group for application servers"

  tags = local.common_tags
}

# Ingress on the application SG. nic_type = "intranet" on a VPC security group
# applies the rule to the instances' private NICs, and the app vSwitches have no
# public IPs (egress goes through the NAT gateway), so 0.0.0.0/0 here admits
# any VPC-reachable or peered source rather than the internet. Tighten cidr_ip
# to the VPC CIDR (alicloud_vpc.main.cidr_block) or use source_security_group_id
# where possible, and open the port the backends actually serve on (the SLB
# listener further down forwards to 8080).
resource "alicloud_security_group_rule" "app_http" {
  type              = "ingress"
  ip_protocol       = "tcp"
  nic_type          = "intranet"
  policy            = "accept"
  port_range        = "80/80"
  priority          = 1
  security_group_id = alicloud_security_group.app.id
  cidr_ip           = "0.0.0.0/0"
}

resource "alicloud_security_group_rule" "app_https" {
  type              = "ingress"
  ip_protocol       = "tcp"
  nic_type          = "intranet"
  policy            = "accept"
  port_range        = "443/443"
  priority          = 1
  security_group_id = alicloud_security_group.app.id
  cidr_ip           = "0.0.0.0/0"
}

resource "alicloud_security_group" "db" {
  name        = "${var.project}-db-sg"
  vpc_id      = alicloud_vpc.main.id
  description = "Security group for databases"

  tags = local.common_tags
}

# Database SG: only members of the app SG may reach the database port.
# The RDS instance below is PostgreSQL (5432); 3306 is the MySQL port,
# so align port_range with the engine actually deployed.
resource "alicloud_security_group_rule" "db_mysql" {
  type                     = "ingress"
  ip_protocol              = "tcp"
  nic_type                 = "intranet"
  policy                   = "accept"
  port_range               = "3306/3306"
  priority                 = 1
  security_group_id        = alicloud_security_group.db.id
  source_security_group_id = alicloud_security_group.app.id
}

RAM (Resource Access Management)

Service Role

# RAM Role for ECS
resource "alicloud_ram_role" "app" {
  name        = "${var.project}-app-role"
  document    = jsonencode({
    Version = "1"
    Statement = [{
      Action = "sts:AssumeRole"
      Effect = "Allow"
      Principal = {
        Service = ["ecs.aliyuncs.com"]
      }
    }]
  })
  description = "Role for application ECS instances"
}

# RAM Policy
resource "alicloud_ram_policy" "oss_access" {
  policy_name     = "${var.project}-oss-policy"
  policy_document = jsonencode({
    Version = "1"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["oss:GetObject", "oss:PutObject", "oss:DeleteObject"]
        Resource = ["acs:oss:*:*:${var.project}-data/*"]
      },
      {
        Effect   = "Allow"
        Action   = ["oss:ListBucket"]
        Resource = ["acs:oss:*:*:${var.project}-data"]
      }
    ]
  })
}

resource "alicloud_ram_role_policy_attachment" "oss" {
  policy_name = alicloud_ram_policy.oss_access.name
  policy_type = alicloud_ram_policy.oss_access.type
  role_name   = alicloud_ram_role.app.name
}

ACK (Container Service for Kubernetes)

Managed Kubernetes Cluster

resource "alicloud_cs_managed_kubernetes" "main" {
  name                 = "${var.project}-ack"
  cluster_spec         = "ack.pro.small"
  version              = var.kubernetes_version
  worker_vswitch_ids   = alicloud_vswitch.app[*].id
  pod_vswitch_ids      = alicloud_vswitch.app[*].id
  service_cidr         = "172.16.0.0/16"
  new_nat_gateway      = false

  worker_instance_types = ["ecs.g6.xlarge"]
  worker_number         = 3

  worker_disk_category = "cloud_essd"
  worker_disk_size     = 100

  install_cloud_monitor = true

  addons {
    name = "terway-eniip"
  }

  addons {
    name = "csi-plugin"
  }

  addons {
    name = "csi-provisioner"
  }

  tags = local.common_tags
}

# Node Pool
resource "alicloud_cs_kubernetes_node_pool" "app" {
  cluster_id           = alicloud_cs_managed_kubernetes.main.id
  name                 = "app-pool"
  vswitch_ids          = alicloud_vswitch.app[*].id
  instance_types       = ["ecs.g6.2xlarge"]

  scaling_config {
    min_size = 2
    max_size = 10
  }

  system_disk_category = "cloud_essd"
  system_disk_size     = 100

  labels = {
    "pool" = "app"
  }

  tags = local.common_tags
}

ECS (Elastic Compute Service)

Auto Scaling Group

resource "alicloud_ess_scaling_group" "app" {
  scaling_group_name = "${var.project}-app-asg"
  min_size           = var.environment == "prod" ? 2 : 1
  max_size           = 10
  vswitch_ids        = alicloud_vswitch.app[*].id

  removal_policies = ["OldestInstance", "NewestInstance"]

  tags = local.common_tags
}

resource "alicloud_ess_scaling_configuration" "app" {
  scaling_group_id  = alicloud_ess_scaling_group.app.id
  image_id          = data.alicloud_images.ubuntu.images[0].id
  instance_type     = "ecs.g6.large"
  security_group_id = alicloud_security_group.app.id

  system_disk_category = "cloud_essd"
  system_disk_size     = 50

  user_data = base64encode(file("${path.module}/scripts/user-data.sh"))

  tags = local.common_tags
}

resource "alicloud_ess_scaling_rule" "cpu_scale_out" {
  scaling_group_id  = alicloud_ess_scaling_group.app.id
  scaling_rule_name = "cpu-scale-out"
  scaling_rule_type = "TargetTrackingScalingRule"

  # metric_name and target_value are top-level arguments of
  # alicloud_ess_scaling_rule, not a nested block
  metric_name  = "CpuUtilization"
  target_value = 70
}

SLB (Server Load Balancer)

Application Load Balancer

resource "alicloud_slb_load_balancer" "app" {
  load_balancer_name = "${var.project}-slb"
  load_balancer_spec = "slb.s2.small"
  vswitch_id         = alicloud_vswitch.app[0].id
  address_type       = "intranet"

  tags = local.common_tags
}

resource "alicloud_slb_listener" "https" {
  load_balancer_id          = alicloud_slb_load_balancer.app.id
  backend_port              = 8080
  frontend_port             = 443
  protocol                  = "https"
  bandwidth                 = -1
  server_certificate_id     = alicloud_slb_server_certificate.main.id
  health_check              = "on"
  health_check_uri          = "/health"
  health_check_connect_port = 8080
  healthy_threshold         = 3
  unhealthy_threshold       = 3
  health_check_timeout      = 5
  health_check_interval     = 10
  sticky_session            = "on"
  sticky_session_type       = "insert"
  cookie_timeout            = 3600
}

resource "alicloud_slb_server_group" "app" {
  load_balancer_id = alicloud_slb_load_balancer.app.id
  name             = "${var.project}-app-servers"
}

# alicloud_instance.app is assumed to exist; it is not defined on this page.
resource "alicloud_slb_backend_server" "app" {
  load_balancer_id = alicloud_slb_load_balancer.app.id

  dynamic "backend_servers" {
    for_each = alicloud_instance.app
    content {
      server_id = backend_servers.value.id
      weight    = 100
    }
  }
}

RDS (ApsaraDB for RDS)

PostgreSQL Instance

resource "alicloud_db_instance" "main" {
  engine               = "PostgreSQL"
  engine_version       = "15.0"
  instance_type        = var.environment == "prod" ? "pg.n2.medium.2c" : "pg.n2.small.1"
  instance_storage     = 100
  instance_charge_type = var.environment == "prod" ? "Prepaid" : "Postpaid"
  instance_name        = "${var.project}-postgres"
  vswitch_id           = alicloud_vswitch.db[0].id
  # allow every app vSwitch, not only the first two
  security_ips         = alicloud_vswitch.app[*].cidr_block

  db_instance_storage_type = "cloud_essd"

  parameters {
    name  = "log_connections"
    value = "on"
  }

  parameters {
    name  = "log_disconnections"
    value = "on"
  }

  tags = local.common_tags
}

resource "alicloud_db_database" "main" {
  instance_id = alicloud_db_instance.main.id
  name        = var.database_name
  character_set = "UTF8"
}

resource "alicloud_db_account" "app" {
  db_instance_id   = alicloud_db_instance.main.id
  account_name     = "app"
  account_password = random_password.db.result
  account_type     = "Normal"
}

resource "alicloud_db_account_privilege" "app" {
  instance_id  = alicloud_db_instance.main.id
  account_name = alicloud_db_account.app.account_name
  privilege    = "ReadWrite"
  db_names     = [alicloud_db_database.main.name]
}

OSS (Object Storage Service)

Secure Bucket

resource "alicloud_oss_bucket" "data" {
  bucket = "${var.project}-data"
  acl    = "private"

  versioning {
    status = "Enabled"
  }

  server_side_encryption_rule {
    sse_algorithm = "KMS"
    kms_master_key_id = alicloud_kms_key.oss.id
  }

  lifecycle_rule {
    id      = "archive"
    enabled = true
    prefix  = ""

    transitions {
      days          = 90
      storage_class = "IA"
    }

    transitions {
      days          = 180
      storage_class = "Archive"
    }

    expiration {
      days = 365
    }
  }

  logging {
    target_bucket = alicloud_oss_bucket.logs.id
    target_prefix = "oss-logs/"
  }

  tags = local.common_tags
}

# Block public access. OSS exposes a single BlockPublicAccess switch; the
# AWS-style ignore_public_acls / restrict_public_buckets arguments do not
# exist on this resource.
resource "alicloud_oss_bucket_public_access_block" "data" {
  bucket              = alicloud_oss_bucket.data.bucket
  block_public_access = true
}

Function Compute

Serverless Function

resource "alicloud_fc_service" "main" {
  name        = "${var.project}-service"
  description = "Function Compute Service"

  # alicloud_ram_role.fc is not shown on this page; its trust policy must
  # allow fc.aliyuncs.com to assume it, and it needs log and VPC permissions
  role = alicloud_ram_role.fc.arn

  vpc_config {
    vswitch_ids         = alicloud_vswitch.app[*].id
    security_group_id   = alicloud_security_group.app.id
  }

  log_config {
    project  = alicloud_log_project.main.name
    logstore = alicloud_log_store.fc.name
  }
}

resource "alicloud_fc_function" "api" {
  service     = alicloud_fc_service.main.name
  name        = "api-handler"
  description = "API Handler Function"
  runtime     = "nodejs18"
  handler     = "index.handler"
  memory_size = 512
  timeout     = 30

  filename = data.archive_file.function.output_path
  code_checksum = data.archive_file.function.output_base64sha256

  environment_variables = {
    NODE_ENV     = "production"
    DATABASE_URL = alicloud_db_instance.main.connection_string
  }
}

resource "alicloud_fc_trigger" "http" {
  service    = alicloud_fc_service.main.name
  function   = alicloud_fc_function.api.name
  name       = "http-trigger"
  type       = "http"

  # authType = "anonymous" makes the HTTP endpoint callable without any
  # signature; use "function" to require requests signed with RAM credentials
  config = jsonencode({
    authType = "anonymous"
    methods  = ["GET", "POST", "PUT", "DELETE"]
  })
}

CLI Reference

# Configure CLI
aliyun configure

# ECS
aliyun ecs DescribeInstances
aliyun ecs StartInstance --InstanceId i-xxx
aliyun ecs StopInstance --InstanceId i-xxx

# ACK
aliyun cs GET /clusters
aliyun cs GET /k8s/clusters/{ClusterId}/user_config

# OSS
aliyun oss ls oss://bucket-name/
aliyun oss cp local.txt oss://bucket-name/
aliyun oss sync ./folder oss://bucket-name/folder

# RDS
aliyun rds DescribeDBInstances
aliyun rds DescribeDatabases --DBInstanceId rm-xxx

# Function Compute
aliyun fc GET /services
aliyun fc POST /services/{serviceName}/functions/{functionName}/invocations

Regional Considerations

China Regions

  • Requires ICP license for public websites
  • Different regulatory requirements
  • Separate Alibaba Cloud account (China vs International)

International Regions

  • Singapore, Hong Kong, Japan, etc.
  • No ICP requirements
  • Same account as global cloud

Security Checklist

  • RAM roles with least privilege
  • Security groups properly configured
  • VPC with private subnets
  • OSS buckets private by default
  • RDS in private subnets
  • KMS for encryption
  • ActionTrail for audit logs
  • Cloud Security Center enabled
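Several of these checklist items can be verified mechanically from the plan before anything is applied. The following added example (not part of the skill) lints the JSON produced by `terraform show -json plan.out` for the resource types used above: security group rules open to 0.0.0.0/0, RAM policies with wildcard actions or resources, OSS buckets that are not private, unencrypted or unversioned, RDS allow-lists containing 0.0.0.0/0, and Function Compute HTTP triggers with anonymous auth. SAMPLE_PLAN is a constructed fragment in the shape of that JSON, with one passing and one failing case per check; the resource addresses and values in it are made up.

```python
"""Lint a `terraform show -json` plan against the checklist above.
Added example; not part of the skill. SAMPLE_PLAN is constructed."""
import json
from typing import Any, Callable, Dict, List

Finding = Dict[str, str]


def _finding(addr: str, check: str, detail: str) -> Finding:
    return {"resource": addr, "check": check, "detail": detail}


def check_security_group_rule(addr: str, after: Dict[str, Any]) -> List[Finding]:
    """Accept rules from any source; with nic_type = intranet that is still
    every VPC-reachable address rather than the SLB alone."""
    if (after.get("type") == "ingress" and after.get("policy", "accept") == "accept"
            and after.get("cidr_ip") == "0.0.0.0/0"):
        return [_finding(addr, "sg-world-open",
                         f"ingress {after.get('port_range')} from 0.0.0.0/0 "
                         f"(nic_type={after.get('nic_type')})")]
    return []


def check_ram_policy(addr: str, after: Dict[str, Any]) -> List[Finding]:
    """Allow statements with a bare or service-wide action wildcard, or Resource '*'."""
    out: List[Finding] = []
    doc = json.loads(after.get("policy_document") or "{}")
    for st in doc.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if any(a == "*" or a.endswith(":*") for a in actions) or "*" in resources:
            out.append(_finding(addr, "ram-wildcard", f"Action={actions} Resource={resources}"))
    return out


def check_oss_bucket(addr: str, after: Dict[str, Any]) -> List[Finding]:
    """acl defaults to private when omitted; nested blocks are lists in plan JSON."""
    out: List[Finding] = []
    if after.get("acl", "private") != "private":
        out.append(_finding(addr, "oss-public-acl", f"acl={after['acl']}"))
    if not after.get("server_side_encryption_rule"):
        out.append(_finding(addr, "oss-no-sse", "no server_side_encryption_rule"))
    if (after.get("versioning") or [{}])[0].get("status") != "Enabled":
        out.append(_finding(addr, "oss-no-versioning", "versioning not Enabled"))
    return out


def check_db_instance(addr: str, after: Dict[str, Any]) -> List[Finding]:
    if "0.0.0.0/0" in (after.get("security_ips") or []):
        return [_finding(addr, "rds-world-open", "security_ips contains 0.0.0.0/0")]
    return []


def check_fc_trigger(addr: str, after: Dict[str, Any]) -> List[Finding]:
    if after.get("type") != "http":
        return []
    cfg = json.loads(after.get("config") or "{}")
    if cfg.get("authType") == "anonymous":
        return [_finding(addr, "fc-anonymous-http", f"methods={cfg.get('methods')}")]
    return []


CHECKS: Dict[str, Callable[[str, Dict[str, Any]], List[Finding]]] = {
    "alicloud_security_group_rule": check_security_group_rule,
    "alicloud_ram_policy": check_ram_policy,
    "alicloud_oss_bucket": check_oss_bucket,
    "alicloud_db_instance": check_db_instance,
    "alicloud_fc_trigger": check_fc_trigger,
}


def lint_plan(plan: Dict[str, Any]) -> List[Finding]:
    """Walk resource_changes and apply the check registered for each resource type."""
    findings: List[Finding] = []
    for rc in plan.get("resource_changes", []):
        check = CHECKS.get(rc.get("type", ""))
        after = (rc.get("change") or {}).get("after") or {}  # null for destroys
        if check and after:
            findings.extend(check(rc["address"], after))
    return findings


def _rc(addr: str, rtype: str, after: Dict[str, Any]) -> Dict[str, Any]:
    return {"address": addr, "type": rtype, "change": {"after": after}}


# Constructed sample plan fragment, not real `terraform show -json` output.
SAMPLE_PLAN = {"resource_changes": [
    _rc("alicloud_security_group_rule.app_https", "alicloud_security_group_rule",
        {"type": "ingress", "policy": "accept", "nic_type": "intranet", "port_range": "443/443", "cidr_ip": "0.0.0.0/0"}),
    _rc("alicloud_security_group_rule.db_pg", "alicloud_security_group_rule",
        {"type": "ingress", "policy": "accept", "nic_type": "intranet", "port_range": "5432/5432", "source_security_group_id": "sg-app"}),
    _rc("alicloud_ram_policy.oss_access", "alicloud_ram_policy", {"policy_document": json.dumps(
        {"Version": "1", "Statement": [{"Effect": "Allow", "Action": ["oss:GetObject"], "Resource": ["acs:oss:*:*:demo-data/*"]}]})}),
    _rc("alicloud_ram_policy.admin", "alicloud_ram_policy", {"policy_document": json.dumps(
        {"Version": "1", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})}),
    _rc("alicloud_oss_bucket.data", "alicloud_oss_bucket",
        {"acl": "private", "versioning": [{"status": "Enabled"}], "server_side_encryption_rule": [{"sse_algorithm": "KMS"}]}),
    _rc("alicloud_oss_bucket.assets", "alicloud_oss_bucket",
        {"acl": "public-read", "versioning": [], "server_side_encryption_rule": []}),
    _rc("alicloud_fc_trigger.http", "alicloud_fc_trigger",
        {"type": "http", "config": json.dumps({"authType": "anonymous", "methods": ["GET", "POST"]})}),
    _rc("alicloud_db_instance.main", "alicloud_db_instance", {"security_ips": ["10.0.0.0/24", "10.0.1.0/24"]}),
]}

if __name__ == "__main__":
    for f in lint_plan(SAMPLE_PLAN):
        print(f"{f['check']:18} {f['resource']}: {f['detail']}")
```

On the sample plan the linter reports six findings (the world-open app rule, the wildcard RAM policy, three on the public bucket and the anonymous HTTP trigger) and nothing for the db rule, the scoped OSS policy, the private bucket or the RDS allow-list. To run it on a real plan, replace SAMPLE_PLAN with `json.load(open("plan.json"))`; the checks only look at `change.after`, so destroyed resources are skipped.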

Integration

Works with:

  • /terraform
    - Alibaba Cloud provider
  • /k8s
    - ACK deployments
  • /devops
    - CI/CD pipelines
  • /security
    - Security review