AgentSkillsCN

alibaba-cloud-architecture

Alibaba Cloud architecture patterns and best practices. Use this guide when designing, deploying, or reviewing infrastructure on Alibaba Cloud, including ECS, ACK, Function Compute, and OSS.

SKILL.md
--- frontmatter
name: alibaba-cloud-architecture
description: "Alibaba Cloud architecture patterns and best practices. Use when designing, deploying, or reviewing infrastructure on Alibaba Cloud including ECS, ACK, Function Compute, and OSS."

Alibaba Cloud Architecture

Comprehensive guide for building secure, scalable infrastructure on Alibaba Cloud.

When to Use

  • Designing architecture for APAC-focused deployments
  • Deploying applications to Alibaba Cloud services
  • Setting up networking (VPC, security groups)
  • Working with ACK (Container Service for Kubernetes)
  • Integrating with Chinese market requirements

Core Services Overview

Compute

Service          | AWS Equivalent | Use Case
-----------------|----------------|-----------------------------------------------
ECS              | EC2            | Virtual machines
ACK              | EKS            | Managed Kubernetes
Function Compute | Lambda         | Serverless functions
SAE              | Fargate        | Serverless containers (Serverless App Engine)
ECI              | Fargate        | Elastic container instances

Storage

Service    | AWS Equivalent | Use Case
-----------|----------------|----------------
OSS        | S3             | Object storage
NAS        | EFS            | File storage
ESSD       | EBS            | Block storage
Tablestore | DynamoDB       | NoSQL

Database

Service            | AWS Equivalent | Use Case
-------------------|----------------|------------------
RDS                | RDS            | Managed SQL
PolarDB            | Aurora         | Cloud-native SQL
ApsaraDB for Redis | ElastiCache    | Caching
AnalyticDB         | Redshift       | Data warehouse

Networking

Service     | AWS Equivalent | Use Case
------------|----------------|----------------------
VPC         | VPC            | Virtual network
SLB         | ALB/NLB        | Load balancing
CDN         | CloudFront     | Content delivery
NAT Gateway | NAT Gateway    | Outbound NAT
PrivateLink | PrivateLink    | Private connectivity

VPC Architecture

Terraform VPC

hcl
# Provider Configuration
# Avoid long-lived AccessKeys in variables where you can: the provider also reads
# ALICLOUD_ACCESS_KEY / ALICLOUD_SECRET_KEY (and ALICLOUD_SECURITY_TOKEN) from the
# environment, a named `profile`, or an instance RAM role via `ecs_role_name`. If you
# keep the variables, declare them with sensitive = true so plans do not print them.
provider "alicloud" {
  region     = var.region
  access_key = var.access_key
  secret_key = var.secret_key
}

# Tags applied to every resource below (var.project and var.environment are declared elsewhere)
locals {
  common_tags = {
    Project     = var.project
    Environment = var.environment
    ManagedBy   = "terraform"
  }
}

# VPC
resource "alicloud_vpc" "main" {
  vpc_name   = "${var.project}-vpc"
  cidr_block = "10.0.0.0/16"

  tags = local.common_tags
}

# VSwitches (Subnets). A vSwitch has no public/private flag of its own: an instance is
# reachable from the internet only if it holds an EIP or a public IP. Nothing below
# assigns one, so these vSwitches behave as private subnets.
# app-N -> 10.0.N.0/24
resource "alicloud_vswitch" "app" {
  count        = length(var.availability_zones)
  vswitch_name = "${var.project}-app-${count.index}"
  vpc_id       = alicloud_vpc.main.id
  cidr_block   = cidrsubnet("10.0.0.0/16", 8, count.index)
  zone_id      = var.availability_zones[count.index]

  tags = local.common_tags
}

# db-N -> 10.0.(N+10).0/24 (the offset keeps app and db ranges apart for up to 10 zones)
resource "alicloud_vswitch" "db" {
  count        = length(var.availability_zones)
  vswitch_name = "${var.project}-db-${count.index}"
  vpc_id       = alicloud_vpc.main.id
  cidr_block   = cidrsubnet("10.0.0.0/16", 8, count.index + 10)
  zone_id      = var.availability_zones[count.index]

  tags = local.common_tags
}

# NAT Gateway: the only internet egress path for instances in the vSwitches above
resource "alicloud_nat_gateway" "main" {
  vpc_id           = alicloud_vpc.main.id
  nat_gateway_name = "${var.project}-nat"
  payment_type     = "PayAsYouGo"
  nat_type         = "Enhanced"
  vswitch_id       = alicloud_vswitch.app[0].id

  tags = local.common_tags
}

resource "alicloud_eip_address" "nat" {
  address_name         = "${var.project}-nat-eip"
  bandwidth            = 100
  internet_charge_type = "PayByTraffic"
}

resource "alicloud_eip_association" "nat" {
  allocation_id = alicloud_eip_address.nat.id
  instance_id   = alicloud_nat_gateway.main.id
}

# One SNAT entry per app vSwitch; the db vSwitches get no internet egress at all
resource "alicloud_snat_entry" "main" {
  count             = length(alicloud_vswitch.app)
  snat_table_id     = alicloud_nat_gateway.main.snat_table_ids
  source_vswitch_id = alicloud_vswitch.app[count.index].id
  snat_ip           = alicloud_eip_address.nat.ip_address
}
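
The vSwitch layout above is produced by Terraform's cidrsubnet(), and ACK (further down) additionally requires that the service CIDR not overlap the VPC. The following script is an added example, not part of the original page or of any Alibaba Cloud tool: it re-implements cidrsubnet() with the standard library, reproduces the app/db vSwitch plan for a given zone list, reports overlapping ranges, and applies the ACK overlap rule. The zone names are constructed sample input.

```python
"""Plan and validate the VPC / vSwitch / ACK CIDR layout offline.

Added example (not from the original page or any Alibaba Cloud tool). It mirrors the
two alicloud_vswitch resources (app at netnum i, db at netnum i + 10) and checks the
ACK requirement that service/pod CIDRs must not overlap the VPC CIDR.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple


def cidrsubnet(prefix: str, newbits: int, netnum: int) -> str:
    """Same semantics as Terraform's cidrsubnet(prefix, newbits, netnum)."""
    net = ipaddress.ip_network(prefix, strict=True)
    new_len = net.prefixlen + newbits
    if new_len > net.max_prefixlen:
        raise ValueError(f"newbits={newbits} exceeds the address size of {prefix}")
    if not 0 <= netnum < 2 ** newbits:
        raise ValueError(f"netnum={netnum} does not fit in {newbits} bits")
    base = int(net.network_address) + (netnum << (net.max_prefixlen - new_len))
    return str(ipaddress.ip_network((base, new_len)))


def plan_vswitches(vpc_cidr: str, zones: List[str]) -> Dict[str, Tuple[str, str]]:
    """Reproduce the Terraform layout: name -> (zone, cidr)."""
    plan: Dict[str, Tuple[str, str]] = {}
    for i, zone in enumerate(zones):
        plan[f"app-{i}"] = (zone, cidrsubnet(vpc_cidr, 8, i))
        plan[f"db-{i}"] = (zone, cidrsubnet(vpc_cidr, 8, i + 10))
    return plan


def find_overlaps(cidrs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Pairs of names whose CIDRs overlap; an empty list means the layout is clean."""
    nets = {name: ipaddress.ip_network(c) for name, c in cidrs.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def check_ack_cidrs(vpc_cidr: str, service_cidr: str,
                    pod_cidr: Optional[str] = None) -> List[str]:
    """ACK rejects a service CIDR (or flannel pod CIDR) that overlaps the VPC or each other."""
    vpc, svc = ipaddress.ip_network(vpc_cidr), ipaddress.ip_network(service_cidr)
    problems: List[str] = []
    if vpc.overlaps(svc):
        problems.append(f"service_cidr {svc} overlaps VPC CIDR {vpc}")
    if pod_cidr:
        pod = ipaddress.ip_network(pod_cidr)
        if vpc.overlaps(pod):
            problems.append(f"pod_cidr {pod} overlaps VPC CIDR {vpc}")
        if svc.overlaps(pod):
            problems.append(f"pod_cidr {pod} overlaps service_cidr {svc}")
    return problems


if __name__ == "__main__":
    zones = ["cn-hangzhou-h", "cn-hangzhou-i"]   # constructed sample input
    layout = plan_vswitches("10.0.0.0/16", zones)
    for name, (zone, cidr) in layout.items():
        print(f"{name:6} {zone:15} {cidr}")
    print("overlaps:", find_overlaps({n: c for n, (_, c) in layout.items()}))
    print("ack:", check_ack_cidrs("10.0.0.0/16", "172.16.0.0/16") or "ok")
```

Running it with eleven or more zones shows the hazard hidden in the `count.index + 10` offset: app-10 and db-0 both land on 10.0.10.0/24, which Terraform would only reject at apply time when the second vSwitch creation fails.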

Security Groups

hcl
resource "alicloud_security_group" "app" {
  name        = "${var.project}-app-sg"
  vpc_id      = alicloud_vpc.main.id
  description = "Security group for application servers"

  tags = local.common_tags
}

# Security groups deny ingress by default, so open only what the internal SLB needs:
# the backend port (8080, matching the listener in the SLB section), from the VPC
# itself and from 100.64.0.0/10, the reserved range CLB uses for forwarding and
# health checks. Avoid cidr_ip = "0.0.0.0/0" even on an intranet rule: it admits any
# source that can route to the private NIC, including peered VPCs and on-premises
# networks attached through CEN or VPN.
resource "alicloud_security_group_rule" "app_backend" {
  for_each = toset([alicloud_vpc.main.cidr_block, "100.64.0.0/10"])

  type              = "ingress"
  ip_protocol       = "tcp"
  nic_type          = "intranet"
  policy            = "accept"
  port_range        = "8080/8080"
  priority          = 1
  security_group_id = alicloud_security_group.app.id
  cidr_ip           = each.value
}

resource "alicloud_security_group" "db" {
  name        = "${var.project}-db-sg"
  vpc_id      = alicloud_vpc.main.id
  description = "Security group for databases"

  tags = local.common_tags
}

# Only members of the app security group may reach the database. The RDS instance in
# the RDS section is PostgreSQL, so the port is 5432 (not MySQL's 3306); attach this
# group to the instance with security_group_ids.
resource "alicloud_security_group_rule" "db_postgres" {
  type                     = "ingress"
  ip_protocol              = "tcp"
  nic_type                 = "intranet"
  policy                   = "accept"
  port_range               = "5432/5432"
  priority                 = 1
  security_group_id        = alicloud_security_group.db.id
  source_security_group_id = alicloud_security_group.app.id
}

RAM (Resource Access Management)

Service Role

hcl
# RAM Role for ECS. Instances obtain short-lived credentials for this role from the
# metadata service, so the application never holds a long-lived AccessKey. Attach it
# with role_name on the instance or on the scaling configuration.
resource "alicloud_ram_role" "app" {
  name        = "${var.project}-app-role"
  document    = jsonencode({
    Version = "1"
    Statement = [{
      Action = "sts:AssumeRole"
      Effect = "Allow"
      Principal = {
        Service = ["ecs.aliyuncs.com"]
      }
    }]
  })
  description = "Role for application ECS instances"
}

# RAM Policy, scoped to the project's data bucket only. Object operations need the
# "bucket/*" resource, ListBucket needs the bucket itself. Drop oss:DeleteObject if the
# workload never deletes: a compromised instance should get the narrowest grant.
resource "alicloud_ram_policy" "oss_access" {
  policy_name     = "${var.project}-oss-policy"
  policy_document = jsonencode({
    Version = "1"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["oss:GetObject", "oss:PutObject", "oss:DeleteObject"]
        Resource = ["acs:oss:*:*:${var.project}-data/*"]
      },
      {
        Effect   = "Allow"
        Action   = ["oss:ListBucket"]
        Resource = ["acs:oss:*:*:${var.project}-data"]
      }
    ]
  })
}

resource "alicloud_ram_role_policy_attachment" "oss" {
  policy_name = alicloud_ram_policy.oss_access.name
  policy_type = alicloud_ram_policy.oss_access.type
  role_name   = alicloud_ram_role.app.name
}
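
Before attaching a policy like the one above it is worth checking, offline, exactly which (action, resource) pairs it grants. The script below is an added example, not part of the original page or of Alibaba Cloud's SDK. It implements the documented RAM decision rule (an explicit Deny in any attached policy wins, otherwise any matching Allow grants, otherwise the default is deny) with `*` wildcards in Action and Resource, and flags wildcard grants that defeat least privilege. Conditions are not modelled; a statement carrying a Condition block is treated as not matching. OSS_POLICY is a constructed copy of the Terraform policy with project = "demo", and NO_DELETE is a constructed guardrail policy.

```python
"""Offline evaluation of Alibaba Cloud RAM policies.

Added example, not from the original page or the Alibaba Cloud SDK. Decision rule:
explicit Deny > Allow > default deny. Only the '*' wildcard is supported, and
statements with a Condition block are skipped (treated as not matching).
"""
import re
from typing import Any, Dict, Iterable, List

Policy = Dict[str, Any]


def _as_list(value: Any) -> List[str]:
    return value if isinstance(value, list) else [value]


def _matches(patterns: Any, value: str) -> bool:
    """RAM-style match: '*' matches any run of characters, everything else is literal."""
    for pattern in _as_list(patterns):
        regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
        if re.match(regex, value):
            return True
    return False


def evaluate(policies: Iterable[Policy], action: str, resource: str) -> str:
    """Return 'Allow' or 'Deny' for one action on one resource across all attached policies."""
    allowed = False
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if "Condition" in stmt:          # conditions not modelled; be conservative
                continue
            if not _matches(stmt.get("Action", []), action):
                continue
            if not _matches(stmt.get("Resource", []), resource):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny"                # explicit deny overrides every Allow
            if stmt.get("Effect") == "Allow":
                allowed = True
    return "Allow" if allowed else "Deny"


def wildcard_grants(policy: Policy) -> List[str]:
    """Allow statements that use '*' for every action, a whole service, or every resource."""
    findings: List[str] = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*":
                findings.append(f"statement {i}: wildcard resource '*'")
    return findings


# Constructed copy of the oss_access policy above, with project = "demo".
OSS_POLICY: Policy = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["oss:GetObject", "oss:PutObject", "oss:DeleteObject"],
         "Resource": ["acs:oss:*:*:demo-data/*"]},
        {"Effect": "Allow", "Action": ["oss:ListBucket"],
         "Resource": ["acs:oss:*:*:demo-data"]},
    ],
}

# Constructed guardrail policy to attach alongside it: no OSS deletes, anywhere.
NO_DELETE: Policy = {
    "Version": "1",
    "Statement": [{"Effect": "Deny", "Action": "oss:Delete*", "Resource": "*"}],
}

if __name__ == "__main__":
    obj = "acs:oss:*:123456789012:demo-data/reports/q1.csv"
    print(evaluate([OSS_POLICY], "oss:GetObject", obj))                          # Allow
    print(evaluate([OSS_POLICY], "oss:GetObject", obj.replace("demo-data", "x")))  # Deny
    print(evaluate([OSS_POLICY, NO_DELETE], "oss:DeleteObject", obj))            # Deny
    print(wildcard_grants({"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]}))
```

The guardrail pattern matters in practice: a Deny policy attached to the same role lets you revoke a dangerous capability (deletes, bucket policy changes) without editing every Allow policy that might grant it.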

ACK (Container Service for Kubernetes)

Managed Kubernetes Cluster

hcl
resource "alicloud_cs_managed_kubernetes" "main" {
  name         = "${var.project}-ack"
  cluster_spec = "ack.pro.small"
  version      = var.kubernetes_version

  # vSwitches for the cluster; with terway ENI-IP pods draw addresses from
  # pod_vswitch_ids, and service_cidr must not overlap the VPC CIDR.
  vswitch_ids     = alicloud_vswitch.app[*].id
  pod_vswitch_ids = alicloud_vswitch.app[*].id
  service_cidr    = "172.16.0.0/16"
  new_nat_gateway = false   # egress goes through the NAT gateway created in the VPC section

  # Keep the API server off the internet; reach it from inside the VPC (bastion, VPN, CEN).
  endpoint_public_access = false
  slb_internet_enabled   = false

  # Ship control-plane logs (API server audit trail included) to Log Service.
  control_plane_log_components = ["apiserver", "kcm", "scheduler"]

  # RRSA lets pods assume RAM roles via OIDC instead of inheriting the node's credentials.
  enable_rrsa = true

  deletion_protection = true

  addons {
    name = "terway-eniip"
  }

  addons {
    name = "csi-plugin"
  }

  addons {
    name = "csi-provisioner"
  }

  tags = local.common_tags
}

# Node Pool. Worker nodes are defined here, not on the cluster resource (the
# worker_* arguments of alicloud_cs_managed_kubernetes were removed from the provider).
resource "alicloud_cs_kubernetes_node_pool" "app" {
  cluster_id     = alicloud_cs_managed_kubernetes.main.id
  node_pool_name = "app-pool"
  vswitch_ids    = alicloud_vswitch.app[*].id
  instance_types = ["ecs.g6.2xlarge"]

  # Node login: one of key_name, password or kms_encrypted_password is required.
  # var.ssh_key_name (declared elsewhere) names an existing ECS key pair; prefer it to a password.
  key_name = var.ssh_key_name

  scaling_config {
    min_size = 2
    max_size = 10
  }

  system_disk_category = "cloud_essd"
  system_disk_size     = 100

  labels = {
    "pool" = "app"
  }

  tags = local.common_tags
}

ECS (Elastic Compute Service)

Auto Scaling Group

hcl
# Latest Alibaba-published Ubuntu 22.04 image. owners = "system" excludes shared and
# marketplace images, so a look-alike image cannot be substituted by name.
data "alicloud_images" "ubuntu" {
  owners      = "system"
  name_regex  = "^ubuntu_22_04"
  most_recent = true
}

resource "alicloud_ess_scaling_group" "app" {
  scaling_group_name = "${var.project}-app-asg"
  min_size           = var.environment == "prod" ? 2 : 1
  max_size           = 10
  vswitch_ids        = alicloud_vswitch.app[*].id

  removal_policies = ["OldestInstance", "NewestInstance"]

  # Scaled-out instances join the SLB vServer group on the app port and leave it on
  # scale-in; a static backend list cannot follow autoscaled instances.
  vserver_groups {
    loadbalancer_id = alicloud_slb_load_balancer.app.id
    vserver_attributes {
      vserver_group_id = alicloud_slb_server_group.app.id
      port             = 8080
      weight           = 100
    }
  }

  tags = local.common_tags
}

resource "alicloud_ess_scaling_configuration" "app" {
  scaling_group_id  = alicloud_ess_scaling_group.app.id
  image_id          = data.alicloud_images.ubuntu.images[0].id
  instance_type     = "ecs.g6.large"
  security_group_id = alicloud_security_group.app.id
  active            = true
  enable            = true

  # Instance RAM role from the RAM section: credentials come from the metadata
  # service instead of keys baked into the image or user data.
  role_name = alicloud_ram_role.app.name

  system_disk_category = "cloud_essd"
  system_disk_size     = 50

  # user-data runs as root at first boot and stays readable from the metadata service
  # by any process on the instance, so keep secrets out of it.
  user_data = base64encode(file("${path.module}/scripts/user-data.sh"))

  tags = local.common_tags
}

resource "alicloud_ess_scaling_rule" "cpu_scale_out" {
  scaling_group_id  = alicloud_ess_scaling_group.app.id
  scaling_rule_name = "cpu-scale-out"
  scaling_rule_type = "TargetTrackingScalingRule"

  # Target-tracking settings are top-level arguments on this resource
  metric_name  = "CpuUtilization"
  target_value = 70
}

SLB (Server Load Balancer)

Internal Load Balancer (CLB)

hcl
# alicloud_slb_* manages the classic load balancer (CLB); the ALB product has its own
# alicloud_alb_* resources. address_type = "intranet" gives it no public address.
resource "alicloud_slb_load_balancer" "app" {
  load_balancer_name = "${var.project}-slb"
  load_balancer_spec = "slb.s2.small"
  vswitch_id         = alicloud_vswitch.app[0].id
  address_type       = "intranet"

  tags = local.common_tags
}

# vServer group the listener forwards to. Members are registered by the scaling group's
# vserver_groups block (or alicloud_slb_server_group_server_attachment for fixed
# instances); a static alicloud_slb_backend_server list cannot follow autoscaling.
resource "alicloud_slb_server_group" "app" {
  load_balancer_id = alicloud_slb_load_balancer.app.id
  name             = "${var.project}-app-servers"
}

# TLS terminates here; backends speak plain HTTP on 8080 inside the VPC
resource "alicloud_slb_listener" "https" {
  load_balancer_id      = alicloud_slb_load_balancer.app.id
  frontend_port         = 443
  backend_port          = 8080
  protocol              = "https"
  bandwidth             = -1
  server_certificate_id = alicloud_slb_server_certificate.main.id # uploaded with alicloud_slb_server_certificate
  tls_cipher_policy     = "tls_cipher_policy_1_2_strict"          # TLS 1.2+ only, strong cipher suites
  server_group_id       = alicloud_slb_server_group.app.id

  health_check              = "on"
  health_check_uri          = "/health"
  health_check_connect_port = 8080
  healthy_threshold         = 3
  unhealthy_threshold       = 3
  health_check_timeout      = 5
  health_check_interval     = 10

  # Cookie-based stickiness: only needed if the app keeps per-instance session state
  sticky_session      = "on"
  sticky_session_type = "insert"
  cookie_timeout      = 3600
}

RDS (ApsaraDB for RDS)

PostgreSQL Instance

hcl
# Generated once and stored in Terraform state, so protect the state backend and rotate
# on a schedule. RDS requires at least three character classes; 32 characters with
# upper, lower and digits satisfies that without special characters RDS may reject.
resource "random_password" "db" {
  length      = 32
  special     = false
  min_upper   = 1
  min_lower   = 1
  min_numeric = 1
}

resource "alicloud_db_instance" "main" {
  engine               = "PostgreSQL"
  engine_version       = "15.0"
  instance_type        = var.environment == "prod" ? "pg.n2.medium.2c" : "pg.n2.small.1"
  instance_storage     = 100
  instance_charge_type = var.environment == "prod" ? "Prepaid" : "Postpaid"
  instance_name        = "${var.project}-postgres"
  vswitch_id           = alicloud_vswitch.db[0].id

  db_instance_storage_type = "cloud_essd"

  # No public endpoint is created. Access is limited to the app vSwitch CIDRs by the
  # IP whitelist and to the app security group by the db security group (both apply).
  security_ips       = alicloud_vswitch.app[*].cidr_block
  security_group_ids = [alicloud_security_group.db.id]

  ssl_action          = "Open"   # require TLS on client connections
  deletion_protection = true

  parameters {
    name  = "log_connections"
    value = "on"
  }

  parameters {
    name  = "log_disconnections"
    value = "on"
  }

  tags = local.common_tags
}

resource "alicloud_db_database" "main" {
  instance_id   = alicloud_db_instance.main.id
  name          = var.database_name
  character_set = "UTF8"
}

# Application account: a "Normal" account (not "Super"), granted only on its own database
resource "alicloud_db_account" "app" {
  db_instance_id   = alicloud_db_instance.main.id
  account_name     = "app"
  account_password = random_password.db.result
  account_type     = "Normal"
}

resource "alicloud_db_account_privilege" "app" {
  instance_id  = alicloud_db_instance.main.id
  account_name = alicloud_db_account.app.account_name
  privilege    = "ReadWrite"
  db_names     = [alicloud_db_database.main.name]
}

OSS (Object Storage Service)

Secure Bucket

hcl
# Customer-managed KMS key for OSS server-side encryption (referenced by the bucket below)
resource "alicloud_kms_key" "oss" {
  description            = "${var.project} OSS data key"
  pending_window_in_days = 7
  status                 = "Enabled"
}

# Separate destination for access logs; never log a bucket into itself
resource "alicloud_oss_bucket" "logs" {
  bucket = "${var.project}-logs"
  acl    = "private"
}

resource "alicloud_oss_bucket" "data" {
  bucket = "${var.project}-data"
  acl    = "private"

  # Versioning keeps overwritten and deleted objects recoverable (bad deploys, ransomware)
  versioning {
    status = "Enabled"
  }

  server_side_encryption_rule {
    sse_algorithm     = "KMS"
    kms_master_key_id = alicloud_kms_key.oss.id
  }

  lifecycle_rule {
    id      = "archive"
    enabled = true
    prefix  = ""

    transitions {
      days          = 90
      storage_class = "IA"
    }

    transitions {
      days          = 180
      storage_class = "Archive"
    }

    # Deletes every object after a year; keep this only if the data really is time-limited
    expiration {
      days = 365
    }
  }

  logging {
    target_bucket = alicloud_oss_bucket.logs.id
    target_prefix = "oss-logs/"
  }

  tags = local.common_tags
}

# Block public access at the bucket level. OSS exposes a single switch here, and it
# overrides a public ACL or bucket policy that someone sets later by mistake.
resource "alicloud_oss_bucket_public_access_block" "data" {
  bucket              = alicloud_oss_bucket.data.bucket
  block_public_access = true
}

Function Compute

Serverless Function

hcl
# Execution role assumed by Function Compute itself (not by callers): it needs to
# write logs and to attach ENIs for the VPC configuration below.
resource "alicloud_ram_role" "fc" {
  name = "${var.project}-fc-role"
  document = jsonencode({
    Version = "1"
    Statement = [{
      Action    = "sts:AssumeRole"
      Effect    = "Allow"
      Principal = { Service = ["fc.aliyuncs.com"] }
    }]
  })
}

# Least-privilege log write, scoped to the one logstore the service uses
resource "alicloud_ram_policy" "fc_logs" {
  policy_name = "${var.project}-fc-logs"
  policy_document = jsonencode({
    Version = "1"
    Statement = [{
      Effect   = "Allow"
      Action   = ["log:PostLogStoreLogs"]
      Resource = ["acs:log:*:*:project/${alicloud_log_project.main.name}/logstore/${alicloud_log_store.fc.name}"]
    }]
  })
}

resource "alicloud_ram_role_policy_attachment" "fc_logs" {
  policy_name = alicloud_ram_policy.fc_logs.name
  policy_type = alicloud_ram_policy.fc_logs.type
  role_name   = alicloud_ram_role.fc.name
}

# System policy Function Compute needs to manage ENIs for VPC access
resource "alicloud_ram_role_policy_attachment" "fc_vpc" {
  policy_name = "AliyunECSNetworkInterfaceManagementAccess"
  policy_type = "System"
  role_name   = alicloud_ram_role.fc.name
}

resource "alicloud_fc_service" "main" {
  name        = "${var.project}-service"
  description = "Function Compute Service"

  role = alicloud_ram_role.fc.arn

  vpc_config {
    vswitch_ids       = alicloud_vswitch.app[*].id
    security_group_id = alicloud_security_group.app.id
  }

  log_config {
    project  = alicloud_log_project.main.name
    logstore = alicloud_log_store.fc.name
  }
}

resource "alicloud_fc_function" "api" {
  service     = alicloud_fc_service.main.name
  name        = "api-handler"
  description = "API Handler Function"
  runtime     = "nodejs18"
  handler     = "index.handler"
  memory_size = 512
  timeout     = 30

  filename      = data.archive_file.function.output_path
  code_checksum = data.archive_file.function.output_base64sha256

  # connection_string is the RDS endpoint, not a URL carrying credentials. Keep the
  # password out of environment variables (anyone with fc:GetFunction can read them)
  # and fetch it at cold start from KMS Secrets Manager instead.
  environment_variables = {
    NODE_ENV = "production"
    DB_HOST  = alicloud_db_instance.main.connection_string
    DB_PORT  = alicloud_db_instance.main.port
  }
}

resource "alicloud_fc_trigger" "http" {
  service  = alicloud_fc_service.main.name
  function = alicloud_fc_function.api.name
  name     = "http-trigger"
  type     = "http"

  # authType = "anonymous" would expose a database-connected handler to the whole
  # internet. "function" requires every request to be signed with a RAM identity's
  # AccessKey; for a public API, put API Gateway with its own authentication in front.
  config = jsonencode({
    authType = "function"
    methods  = ["GET", "POST", "PUT", "DELETE"]
  })
}

CLI Reference

bash
# Configure the CLI. Prefer an ECS RAM role or STS credentials over long-lived AccessKeys.
aliyun configure
aliyun configure --mode EcsRamRole      # on an ECS instance with an attached RAM role
aliyun sts GetCallerIdentity            # confirm which identity the CLI is acting as

# ECS
aliyun ecs DescribeInstances
aliyun ecs StartInstance --InstanceId i-xxx
aliyun ecs StopInstance --InstanceId i-xxx

# ACK
aliyun cs GET /clusters
aliyun cs GET /k8s/clusters/{ClusterId}/user_config   # returns a kubeconfig: handle it as a credential

# OSS
aliyun oss ls oss://bucket-name/
aliyun oss cp local.txt oss://bucket-name/
aliyun oss sync ./folder oss://bucket-name/folder

# RDS
aliyun rds DescribeDBInstances
aliyun rds DescribeDatabases --DBInstanceId rm-xxx

# Function Compute
aliyun fc GET /services
aliyun fc POST /services/{serviceName}/functions/{functionName}/invocations

# ActionTrail: who did what in a time window (sample window, ISO 8601 UTC)
aliyun actiontrail LookupEvents --StartTime 2024-01-01T00:00:00Z --EndTime 2024-01-02T00:00:00Z

Regional Considerations

China Regions

  • Requires an ICP license (filing) for public websites
  • Additional regulatory requirements (data residency, real-name account verification)
  • Separate account: the Alibaba Cloud China site and the International site are distinct

International Regions

  • Singapore, Hong Kong, Japan, etc.
  • No ICP requirements
  • One International-site account covers all international regions

Security Checklist

  • RAM roles with least privilege; instance RAM roles (ECS) and RRSA (ACK) instead of long-lived AccessKeys
  • Security groups default-deny: open only the ports the load balancer or peer tier needs, never 0.0.0.0/0 on backend ports
  • VPC with vSwitches that assign no public IPs; internet egress only through the NAT gateway
  • OSS buckets private by default, public access blocked, server-side encryption enabled
  • RDS reachable only from inside the VPC (IP whitelist plus security group), no public endpoint, TLS required
  • KMS for encryption at rest (OSS, ESSD disks, RDS)
  • ActionTrail for audit logs, delivered to OSS or Log Service for retention
  • Cloud Security Center enabled
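
Several of these items can be checked mechanically against a Terraform plan before anything is applied. The script below is an added example, not part of the original page or of any Alibaba Cloud or HashiCorp tool. It walks the JSON that `terraform show -json tfplan` emits (resources live under planned_values.root_module, recursively through child_modules) and flags security-group ingress open to 0.0.0.0/0, OSS buckets that are not private or lack server-side encryption, RDS whitelists containing 0.0.0.0/0 or without TLS, ACK clusters with a public API endpoint, and Function Compute HTTP triggers that accept anonymous calls. SAMPLE_PLAN is constructed for the demo, with one clean and one risky instance of each check.

```python
"""Audit a Terraform plan (terraform show -json) for Alibaba Cloud checklist items.

Added example, not from the original page or any Alibaba Cloud / HashiCorp tool.
"""
import json
from typing import Any, Dict, Iterator, List


def _resources(module: Dict[str, Any]) -> Iterator[Dict[str, Any]]:
    """Yield every resource in a planned_values module tree, child modules included."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _resources(child)


def audit_plan(plan: Dict[str, Any]) -> List[str]:
    """Return one finding per violated check; an empty list means the plan is clean."""
    findings: List[str] = []
    for res in _resources(plan.get("planned_values", {}).get("root_module", {})):
        t, addr, v = res.get("type"), res.get("address"), res.get("values", {})

        if t == "alicloud_security_group_rule":
            if (v.get("type") == "ingress" and v.get("policy", "accept") == "accept"
                    and v.get("cidr_ip") in ("0.0.0.0/0", "::/0")):
                findings.append(f"{addr}: ingress {v.get('port_range')} open to {v['cidr_ip']}")

        elif t == "alicloud_oss_bucket":
            if v.get("acl", "private") != "private":
                findings.append(f"{addr}: bucket ACL is {v['acl']}, expected private")
            if not v.get("server_side_encryption_rule"):
                findings.append(f"{addr}: no server-side encryption rule")

        elif t == "alicloud_db_instance":
            if "0.0.0.0/0" in (v.get("security_ips") or []):
                findings.append(f"{addr}: security_ips whitelists 0.0.0.0/0")
            if v.get("ssl_action") != "Open":
                findings.append(f"{addr}: TLS not enforced (ssl_action != Open)")

        elif t == "alicloud_cs_managed_kubernetes":
            if v.get("endpoint_public_access"):
                findings.append(f"{addr}: API server endpoint is public")

        elif t == "alicloud_fc_trigger" and v.get("type") == "http":
            cfg = v.get("config") or "{}"   # stored as a JSON string in the plan
            auth = json.loads(cfg).get("authType") if isinstance(cfg, str) else cfg.get("authType")
            if auth == "anonymous":
                findings.append(f"{addr}: HTTP trigger allows anonymous invocation")
    return findings


# Constructed sample plan: one clean and one risky instance of each check.
SAMPLE_PLAN: Dict[str, Any] = {"planned_values": {"root_module": {"resources": [
    {"address": "alicloud_security_group_rule.db_postgres", "type": "alicloud_security_group_rule",
     "values": {"type": "ingress", "policy": "accept", "port_range": "5432/5432",
                "source_security_group_id": "sg-app"}},
    {"address": "alicloud_security_group_rule.ssh_anywhere", "type": "alicloud_security_group_rule",
     "values": {"type": "ingress", "policy": "accept", "port_range": "22/22", "cidr_ip": "0.0.0.0/0"}},
    {"address": "alicloud_oss_bucket.data", "type": "alicloud_oss_bucket",
     "values": {"acl": "private", "server_side_encryption_rule": [{"sse_algorithm": "KMS"}]}},
    {"address": "alicloud_oss_bucket.assets", "type": "alicloud_oss_bucket",
     "values": {"acl": "public-read", "server_side_encryption_rule": []}},
    {"address": "alicloud_db_instance.main", "type": "alicloud_db_instance",
     "values": {"security_ips": ["10.0.0.0/24", "0.0.0.0/0"], "ssl_action": "Close"}},
    {"address": "alicloud_cs_managed_kubernetes.main", "type": "alicloud_cs_managed_kubernetes",
     "values": {"endpoint_public_access": True}},
    {"address": "alicloud_fc_trigger.http", "type": "alicloud_fc_trigger",
     "values": {"type": "http", "config": json.dumps({"authType": "anonymous", "methods": ["GET"]})}},
]}}}

if __name__ == "__main__":
    # Real use: terraform plan -out tfplan && terraform show -json tfplan > plan.json
    for finding in audit_plan(SAMPLE_PLAN):
        print("FAIL", finding)
```

Wire it into CI as a gate between `terraform plan` and `terraform apply`; a non-empty finding list should fail the pipeline, and the findings double as the review comments for the change.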

Integration

Works with:

  • /terraform - Alibaba Cloud provider
  • /k8s - ACK deployments
  • /devops - CI/CD pipelines
  • /security - Security review