alibaba-cloud-architecture
Alibaba Cloud architecture patterns and best practices. Use when designing, deploying, or reviewing infrastructure on Alibaba Cloud including ECS, ACK, Function Compute, and OSS.
Best use case
alibaba-cloud-architecture is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using alibaba-cloud-architecture should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/alibaba-cloud-architecture/SKILL.md` inside your project
- Restart your AI agent; it will auto-discover the skill
SKILL.md Source
# Alibaba Cloud Architecture
Comprehensive guide for building secure, scalable infrastructure on Alibaba Cloud.
## When to Use
- Designing architecture for APAC-focused deployments
- Deploying applications to Alibaba Cloud services
- Setting up networking (VPC, security groups)
- Working with ACK (Container Service for Kubernetes)
- Integrating with Chinese market requirements
## Core Services Overview
### Compute
| Service | AWS Equivalent | Use Case |
|---------|---------------|----------|
| ECS | EC2 | Virtual machines |
| ACK | EKS | Managed Kubernetes |
| Function Compute | Lambda | Serverless functions |
| SAE | Fargate | Serverless containers |
| ECI | Fargate | Elastic container instances |
### Storage
| Service | AWS Equivalent | Use Case |
|---------|---------------|----------|
| OSS | S3 | Object storage |
| NAS | EFS | File storage |
| ESSD | EBS | Block storage |
| Tablestore | DynamoDB | NoSQL |
### Database
| Service | AWS Equivalent | Use Case |
|---------|---------------|----------|
| RDS | RDS | Managed SQL |
| PolarDB | Aurora | Cloud-native SQL |
| ApsaraDB for Redis | ElastiCache | Caching |
| AnalyticDB | Redshift | Data warehouse |
### Networking
| Service | AWS Equivalent | Use Case |
|---------|---------------|----------|
| VPC | VPC | Virtual network |
| SLB | ALB/NLB | Load balancing |
| CDN | CloudFront | Content delivery |
| NAT Gateway | NAT Gateway | Outbound NAT |
| PrivateLink | PrivateLink | Private connectivity |
## VPC Architecture
### Terraform VPC
```hcl
# Variables and shared tags referenced throughout this guide
variable "project" {
  type = string
}

variable "region" {
  type = string
}

variable "availability_zones" {
  type = list(string)
}

variable "access_key" {
  type      = string
  sensitive = true
}

variable "secret_key" {
  type      = string
  sensitive = true
}

locals {
  common_tags = {
    Project   = var.project
    ManagedBy = "terraform"
  }
}

# Provider Configuration
# Prefer the ALICLOUD_ACCESS_KEY / ALICLOUD_SECRET_KEY environment variables
# (or a RAM role on the CI runner) over passing static keys through variables,
# so the keys never land in tfvars files or state.
provider "alicloud" {
  region     = var.region
  access_key = var.access_key
  secret_key = var.secret_key
}

# VPC
resource "alicloud_vpc" "main" {
  vpc_name   = "${var.project}-vpc"
  cidr_block = "10.0.0.0/16"
  tags       = local.common_tags
}

# VSwitches (Subnets): one app and one db vswitch per zone.
# App vswitches use netnum 0..n-1, db vswitches netnum 10..10+n-1, so the
# layout stays collision-free for up to 10 zones.
resource "alicloud_vswitch" "app" {
  count        = length(var.availability_zones)
  vswitch_name = "${var.project}-app-${count.index}"
  vpc_id       = alicloud_vpc.main.id
  cidr_block   = cidrsubnet("10.0.0.0/16", 8, count.index)
  zone_id      = var.availability_zones[count.index]
  tags         = local.common_tags
}

resource "alicloud_vswitch" "db" {
  count        = length(var.availability_zones)
  vswitch_name = "${var.project}-db-${count.index}"
  vpc_id       = alicloud_vpc.main.id
  cidr_block   = cidrsubnet("10.0.0.0/16", 8, count.index + 10)
  zone_id      = var.availability_zones[count.index]
  tags         = local.common_tags
}

# NAT Gateway: private vswitches reach the internet through SNAT only;
# nothing here gives an instance a public address
resource "alicloud_nat_gateway" "main" {
  vpc_id           = alicloud_vpc.main.id
  nat_gateway_name = "${var.project}-nat"
  payment_type     = "PayAsYouGo"
  nat_type         = "Enhanced"
  vswitch_id       = alicloud_vswitch.app[0].id
  tags             = local.common_tags
}

resource "alicloud_eip_address" "nat" {
  address_name         = "${var.project}-nat-eip"
  bandwidth            = 100
  internet_charge_type = "PayByTraffic"
}

resource "alicloud_eip_association" "nat" {
  allocation_id = alicloud_eip_address.nat.id
  instance_id   = alicloud_nat_gateway.main.id
}

# One SNAT entry per app vswitch (snat_table_ids is a single string attribute)
resource "alicloud_snat_entry" "main" {
  count             = length(alicloud_vswitch.app)
  snat_table_id     = alicloud_nat_gateway.main.snat_table_ids
  source_vswitch_id = alicloud_vswitch.app[count.index].id
  snat_ip           = alicloud_eip_address.nat.ip_address
}
```
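To sanity-check the address plan that the `cidrsubnet()` calls above produce (app vswitches at netnum 0..n-1, db vswitches offset by 10) before applying it, here is an added Python check that is not part of the skill file. It reimplements Terraform's `cidrsubnet(prefix, newbits, netnum)` with the standard library, generates both tiers for a given zone count, and reports every overlapping pair, including against the ACK service CIDR used later in this guide. The base CIDR `10.0.0.0/16`, the offset of 10 and the service CIDR `172.16.0.0/16` come from the page; the zone counts tried in `__main__` and the function names are this example's own.

```python
"""Address-plan check for the VPC layout above (added example, not from the skill)."""
import ipaddress
from typing import Dict, List, Tuple


def cidrsubnet(prefix: str, newbits: int, netnum: int) -> str:
    """Python equivalent of Terraform's cidrsubnet(prefix, newbits, netnum)."""
    net = ipaddress.ip_network(prefix)
    subnets = list(net.subnets(prefixlen_diff=newbits))
    if netnum < 0 or netnum >= len(subnets):
        raise ValueError(f"netnum {netnum} is out of range for {prefix} with {newbits} new bits")
    return str(subnets[netnum])


def vswitch_plan(base: str, zone_count: int, db_offset: int = 10) -> Dict[str, List[str]]:
    """Mirror the two alicloud_vswitch resources: app at netnum i, db at netnum i + db_offset."""
    return {
        "app": [cidrsubnet(base, 8, i) for i in range(zone_count)],
        "db": [cidrsubnet(base, 8, i + db_offset) for i in range(zone_count)],
    }


def overlapping_pairs(cidrs: List[str]) -> List[Tuple[str, str]]:
    """Return every pair of CIDRs that share address space (identical ones included)."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [
        (str(a), str(b))
        for i, a in enumerate(nets)
        for b in nets[i + 1 :]
        if a.overlaps(b)
    ]


def check_plan(base: str, zone_count: int, service_cidr: str = "172.16.0.0/16") -> List[Tuple[str, str]]:
    """Overlaps among app vswitches, db vswitches and the Kubernetes service CIDR.

    An empty list means the plan is clean. With the page's offset of 10, the
    11th zone's app vswitch (netnum 10) collides with the first db vswitch.
    """
    plan = vswitch_plan(base, zone_count)
    return overlapping_pairs(plan["app"] + plan["db"] + [service_cidr])


if __name__ == "__main__":
    for zones in (2, 11):  # constructed inputs: a typical and an over-the-limit zone count
        print(zones, "zones:", check_plan("10.0.0.0/16", zones) or "no overlaps")
```

Run it before `terraform apply` whenever the zone list or the base CIDR changes; the same function catches a service CIDR that was accidentally moved inside the VPC range.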
### Security Groups
```hcl
resource "alicloud_security_group" "app" {
  name        = "${var.project}-app-sg"
  vpc_id      = alicloud_vpc.main.id
  description = "Security group for application servers"
  tags        = local.common_tags
}

# Web ingress. With the intranet SLB from later in this guide in front of the
# instances, narrow cidr_ip to the SLB vswitch CIDR and open the backend port
# (8080) instead of 80/443 from 0.0.0.0/0.
resource "alicloud_security_group_rule" "app_http" {
  type              = "ingress"
  ip_protocol       = "tcp"
  nic_type          = "intranet" # VPC security groups always use intranet
  policy            = "accept"
  port_range        = "80/80"
  priority          = 1
  security_group_id = alicloud_security_group.app.id
  cidr_ip           = "0.0.0.0/0"
}

resource "alicloud_security_group_rule" "app_https" {
  type              = "ingress"
  ip_protocol       = "tcp"
  nic_type          = "intranet"
  policy            = "accept"
  port_range        = "443/443"
  priority          = 1
  security_group_id = alicloud_security_group.app.id
  cidr_ip           = "0.0.0.0/0"
}

resource "alicloud_security_group" "db" {
  name        = "${var.project}-db-sg"
  vpc_id      = alicloud_vpc.main.id
  description = "Security group for databases"
  tags        = local.common_tags
}

# Database ingress is allowed only from the app security group, never from a
# CIDR. 3306 is the MySQL port; use 5432 for the PostgreSQL instance shown later.
resource "alicloud_security_group_rule" "db_mysql" {
  type                     = "ingress"
  ip_protocol              = "tcp"
  nic_type                 = "intranet"
  policy                   = "accept"
  port_range               = "3306/3306"
  priority                 = 1
  security_group_id        = alicloud_security_group.db.id
  source_security_group_id = alicloud_security_group.app.id
}
```
## RAM (Resource Access Management)
### Service Role
```hcl
# RAM Role for ECS: the trust policy lets the ECS service assume the role, so
# instances receive short-lived STS credentials instead of static access keys
resource "alicloud_ram_role" "app" {
  name = "${var.project}-app-role"
  document = jsonencode({
    Version = "1"
    Statement = [{
      Action = "sts:AssumeRole"
      Effect = "Allow"
      Principal = {
        Service = ["ecs.aliyuncs.com"]
      }
    }]
  })
  description = "Role for application ECS instances"
}

# RAM Policy scoped to one bucket: object operations on its keys and ListBucket
# on the bucket itself, with no wildcard actions or resources
resource "alicloud_ram_policy" "oss_access" {
  policy_name = "${var.project}-oss-policy"
  policy_document = jsonencode({
    Version = "1"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["oss:GetObject", "oss:PutObject", "oss:DeleteObject"]
        Resource = ["acs:oss:*:*:${var.project}-data/*"]
      },
      {
        Effect   = "Allow"
        Action   = ["oss:ListBucket"]
        Resource = ["acs:oss:*:*:${var.project}-data"]
      }
    ]
  })
}

resource "alicloud_ram_role_policy_attachment" "oss" {
  policy_name = alicloud_ram_policy.oss_access.name
  policy_type = alicloud_ram_policy.oss_access.type
  role_name   = alicloud_ram_role.app.name
}
```
## ACK (Container Service for Kubernetes)
### Managed Kubernetes Cluster
```hcl
resource "alicloud_cs_managed_kubernetes" "main" {
  name                  = "${var.project}-ack"
  cluster_spec          = "ack.pro.small"
  version               = var.kubernetes_version
  worker_vswitch_ids    = alicloud_vswitch.app[*].id
  pod_vswitch_ids       = alicloud_vswitch.app[*].id
  service_cidr          = "172.16.0.0/16" # must not overlap the VPC CIDR
  new_nat_gateway       = false           # reuse the NAT gateway created above
  worker_instance_types = ["ecs.g6.xlarge"]
  worker_number         = 3
  worker_disk_category  = "cloud_essd"
  worker_disk_size      = 100
  install_cloud_monitor = true

  addons {
    name = "terway-eniip"
  }
  addons {
    name = "csi-plugin"
  }
  addons {
    name = "csi-provisioner"
  }

  tags = local.common_tags
}

# Node Pool
resource "alicloud_cs_kubernetes_node_pool" "app" {
  cluster_id     = alicloud_cs_managed_kubernetes.main.id
  name           = "app-pool"
  vswitch_ids    = alicloud_vswitch.app[*].id
  instance_types = ["ecs.g6.2xlarge"]

  scaling_config {
    min_size = 2
    max_size = 10
  }

  system_disk_category = "cloud_essd"
  system_disk_size     = 100

  # labels is a list of key/value blocks in the alicloud provider, not a map
  labels {
    key   = "pool"
    value = "app"
  }

  tags = local.common_tags
}
```
## ECS (Elastic Compute Service)
### Auto Scaling Group
```hcl
# Ubuntu image for the scaling configuration (referenced below but not
# declared in the original snippet)
data "alicloud_images" "ubuntu" {
  owners      = "system"
  name_regex  = "^ubuntu_22_04"
  most_recent = true
}

resource "alicloud_ess_scaling_group" "app" {
  scaling_group_name = "${var.project}-app-asg"
  min_size           = var.environment == "prod" ? 2 : 1
  max_size           = 10
  vswitch_ids        = alicloud_vswitch.app[*].id
  removal_policies   = ["OldestInstance", "NewestInstance"]
  tags               = local.common_tags
}

resource "alicloud_ess_scaling_configuration" "app" {
  scaling_group_id     = alicloud_ess_scaling_group.app.id
  image_id             = data.alicloud_images.ubuntu.images[0].id
  instance_type        = "ecs.g6.large"
  security_group_id    = alicloud_security_group.app.id
  system_disk_category = "cloud_essd"
  system_disk_size     = 50
  user_data            = base64encode(file("${path.module}/scripts/user-data.sh"))
  active               = true # make this the group's active configuration
  tags                 = local.common_tags
}

# Target-tracking rule: metric_name and target_value are top-level arguments
# of alicloud_ess_scaling_rule; there is no nested configuration block
resource "alicloud_ess_scaling_rule" "cpu_scale_out" {
  scaling_group_id  = alicloud_ess_scaling_group.app.id
  scaling_rule_name = "cpu-scale-out"
  scaling_rule_type = "TargetTrackingScalingRule"
  metric_name       = "CpuUtilization"
  target_value      = 70
}
```
## SLB (Server Load Balancer)
### Application Load Balancer
```hcl
resource "alicloud_slb_load_balancer" "app" {
  load_balancer_name = "${var.project}-slb"
  load_balancer_spec = "slb.s2.small"
  vswitch_id         = alicloud_vswitch.app[0].id
  address_type       = "intranet" # no public address
  tags               = local.common_tags
}

# HTTPS listener terminating TLS with alicloud_slb_server_certificate.main
# (declared elsewhere in the module); health checks hit the backend directly
resource "alicloud_slb_listener" "https" {
  load_balancer_id          = alicloud_slb_load_balancer.app.id
  backend_port              = 8080
  frontend_port             = 443
  protocol                  = "https"
  bandwidth                 = -1 # unlimited, valid for pay-by-traffic instances
  server_certificate_id     = alicloud_slb_server_certificate.main.id
  health_check              = "on"
  health_check_uri          = "/health"
  health_check_connect_port = 8080
  healthy_threshold         = 3
  unhealthy_threshold       = 3
  health_check_timeout      = 5
  health_check_interval     = 10
  sticky_session            = "on"
  sticky_session_type       = "insert"
  cookie_timeout            = 3600
}

# Named server group; attach it to a listener with server_group_id
resource "alicloud_slb_server_group" "app" {
  load_balancer_id = alicloud_slb_load_balancer.app.id
  name             = "${var.project}-app-servers"
}

# Default server group. alicloud_instance.app is declared elsewhere; instances
# launched by the scaling group above are attached through loadbalancer_ids on
# alicloud_ess_scaling_group instead of being listed here.
resource "alicloud_slb_backend_server" "app" {
  load_balancer_id = alicloud_slb_load_balancer.app.id

  dynamic "backend_servers" {
    for_each = alicloud_instance.app
    content {
      server_id = backend_servers.value.id
      weight    = 100
    }
  }
}
```
## RDS (ApsaraDB for RDS)
### PostgreSQL Instance
```hcl
resource "alicloud_db_instance" "main" {
  engine                   = "PostgreSQL"
  engine_version           = "15.0"
  instance_type            = var.environment == "prod" ? "pg.n2.medium.2c" : "pg.n2.small.1"
  instance_storage         = 100
  instance_charge_type     = var.environment == "prod" ? "Prepaid" : "Postpaid"
  instance_name            = "${var.project}-postgres"
  vswitch_id               = alicloud_vswitch.db[0].id
  # IP whitelist: every app vswitch, whatever the number of zones
  security_ips             = alicloud_vswitch.app[*].cidr_block
  db_instance_storage_type = "cloud_essd"

  # Connection auditing
  parameters {
    name  = "log_connections"
    value = "on"
  }
  parameters {
    name  = "log_disconnections"
    value = "on"
  }

  tags = local.common_tags
}

resource "alicloud_db_database" "main" {
  instance_id   = alicloud_db_instance.main.id
  name          = var.database_name
  character_set = "UTF8"
}

# Generated password (referenced below but not declared in the original
# snippet). The random provider keeps the value in state, so protect the
# state backend like any other secret.
resource "random_password" "db" {
  length  = 32
  special = false
}

resource "alicloud_db_account" "app" {
  db_instance_id   = alicloud_db_instance.main.id
  account_name     = "app"
  account_password = random_password.db.result
  account_type     = "Normal"
}

resource "alicloud_db_account_privilege" "app" {
  instance_id  = alicloud_db_instance.main.id
  account_name = alicloud_db_account.app.account_name
  privilege    = "ReadWrite"
  db_names     = [alicloud_db_database.main.name]
}
```
## OSS (Object Storage Service)
### Secure Bucket
```hcl
resource "alicloud_oss_bucket" "data" {
  bucket = "${var.project}-data"
  acl    = "private"

  versioning {
    status = "Enabled"
  }

  # Customer-managed key; alicloud_kms_key.oss is declared elsewhere in the module
  server_side_encryption_rule {
    sse_algorithm     = "KMS"
    kms_master_key_id = alicloud_kms_key.oss.id
  }

  lifecycle_rule {
    id      = "archive"
    enabled = true
    prefix  = ""

    transitions {
      days          = 90
      storage_class = "IA"
    }
    transitions {
      days          = 180
      storage_class = "Archive"
    }
    expiration {
      days = 365
    }
  }

  # Access logs go to a separate bucket (alicloud_oss_bucket.logs, declared elsewhere)
  logging {
    target_bucket = alicloud_oss_bucket.logs.id
    target_prefix = "oss-logs/"
  }

  tags = local.common_tags
}

# Block public access at the bucket level. The alicloud resource takes only
# bucket and block_public_access; the S3-style ignore_public_acls and
# restrict_public_buckets arguments do not exist in this provider.
resource "alicloud_oss_bucket_public_access_block" "data" {
  bucket              = alicloud_oss_bucket.data.bucket
  block_public_access = true
}
```
## Function Compute
### Serverless Function
```hcl
# alicloud_ram_role.fc, alicloud_log_project.main and alicloud_log_store.fc
# are declared elsewhere in the module
resource "alicloud_fc_service" "main" {
  name        = "${var.project}-service"
  description = "Function Compute Service"
  role        = alicloud_ram_role.fc.arn

  # Run inside the VPC so the function reaches RDS through the db vswitch whitelist
  vpc_config {
    vswitch_ids       = alicloud_vswitch.app[*].id
    security_group_id = alicloud_security_group.app.id
  }

  log_config {
    project  = alicloud_log_project.main.name
    logstore = alicloud_log_store.fc.name
  }
}

resource "alicloud_fc_function" "api" {
  service       = alicloud_fc_service.main.name
  name          = "api-handler"
  description   = "API Handler Function"
  runtime       = "nodejs18"
  handler       = "index.handler"
  memory_size   = 512
  timeout       = 30
  filename      = data.archive_file.function.output_path
  code_checksum = data.archive_file.function.output_base64sha256

  environment_variables = {
    NODE_ENV = "production"
    # connection_string is the RDS endpoint only; database credentials should
    # come from the service role or a secret store, not from environment variables
    DATABASE_URL = alicloud_db_instance.main.connection_string
  }
}

resource "alicloud_fc_trigger" "http" {
  service  = alicloud_fc_service.main.name
  function = alicloud_fc_function.api.name
  name     = "http-trigger"
  type     = "http"
  config = jsonencode({
    # "anonymous" allows unauthenticated invocation of every listed method;
    # "function" requires requests to be signed with RAM credentials
    authType = "anonymous"
    methods  = ["GET", "POST", "PUT", "DELETE"]
  })
}
```
## CLI Reference
```bash
# Configure CLI
aliyun configure
# ECS
aliyun ecs DescribeInstances
aliyun ecs StartInstance --InstanceId i-xxx
aliyun ecs StopInstance --InstanceId i-xxx
# ACK
aliyun cs GET /clusters
aliyun cs GET /k8s/clusters/{ClusterId}/user_config
# OSS
aliyun oss ls oss://bucket-name/
aliyun oss cp local.txt oss://bucket-name/
aliyun oss sync ./folder oss://bucket-name/folder
# RDS
aliyun rds DescribeDBInstances
aliyun rds DescribeDatabases --DBInstanceId rm-xxx
# Function Compute
aliyun fc GET /services
aliyun fc POST /services/{serviceName}/functions/{functionName}/invocations
```
## Regional Considerations
### China Regions
- Requires ICP license for public websites
- Different regulatory requirements
- Separate Alibaba Cloud account (China vs International)
### International Regions
- Singapore, Hong Kong, Japan, etc.
- No ICP requirements
- Same account as global cloud
## Security Checklist
- [ ] RAM roles with least privilege
- [ ] Security groups properly configured
- [ ] VPC with private subnets
- [ ] OSS buckets private by default
- [ ] RDS in private subnets
- [ ] KMS for encryption
- [ ] ActionTrail for audit logs
- [ ] Cloud Security Center enabled
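The checklist above is easiest to enforce on the plan rather than by eye. The following Python script is an added example, not part of the skill file: it walks the `planned_values` tree that `terraform show -json tfplan` emits (root module plus nested `child_modules`) and reports ingress security-group rules that open admin or database ports to `0.0.0.0/0`, OSS buckets whose ACL is not `private`, RAM policies with a wildcard action or resource, and RDS whitelists containing `0.0.0.0/0`. The set of ports treated as sensitive and the sample plan embedded at the bottom are this example's own constructions.

```python
"""Check a Terraform plan (`terraform show -json tfplan`) against the checklist above.

Added example, not part of the skill file. SAMPLE_PLAN is constructed by hand
to mirror the planned_values layout Terraform emits.
"""
import json
from typing import Any, Dict, Iterator, List, Tuple

ANY_V4 = "0.0.0.0/0"
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 6379}  # assumed set: admin and database ports


def iter_resources(module: Dict[str, Any]) -> Iterator[Dict[str, Any]]:
    """Walk root_module and every nested child_modules entry."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def parse_port_range(spec: str) -> Tuple[int, int]:
    """alicloud port_range is "low/high"; "-1/-1" means every port."""
    low, high = (int(p) for p in spec.split("/"))
    return (1, 65535) if low == -1 or high == -1 else (low, high)


def as_list(value: Any) -> List[Any]:
    """RAM policy Action/Resource may be a string or a list."""
    return value if isinstance(value, list) else [value]


def audit(plan: Dict[str, Any]) -> List[str]:
    """Return one finding per checklist violation; an empty list passes."""
    findings: List[str] = []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        kind, addr, v = res["type"], res["address"], res.get("values") or {}
        if kind == "alicloud_security_group_rule":
            if v.get("type") == "ingress" and v.get("cidr_ip") == ANY_V4:
                low, high = parse_port_range(v["port_range"])
                exposed = sorted(p for p in SENSITIVE_PORTS if low <= p <= high)
                if exposed:
                    findings.append(f"{addr}: ports {exposed} open to {ANY_V4}")
        elif kind == "alicloud_oss_bucket":
            if v.get("acl", "private") != "private":  # provider default is private
                findings.append(f"{addr}: acl is {v['acl']!r}, expected 'private'")
        elif kind == "alicloud_ram_policy":
            doc = json.loads(v["policy_document"])
            for i, stmt in enumerate(doc.get("Statement", [])):
                wildcard = "*" in as_list(stmt.get("Action", [])) or "*" in as_list(stmt.get("Resource", []))
                if stmt.get("Effect") == "Allow" and wildcard:
                    findings.append(f"{addr}: statement {i} allows a wildcard action or resource")
        elif kind == "alicloud_db_instance":
            if ANY_V4 in (v.get("security_ips") or []):
                findings.append(f"{addr}: security_ips whitelists {ANY_V4}")
    return findings


def _res(addr: str, values: Dict[str, Any]) -> Dict[str, Any]:
    """Build a plan resource entry; the type is the second-to-last address component."""
    return {"address": addr, "type": addr.split(".")[-2], "values": values}


# Constructed sample plan: two rules, two buckets, two policies, one RDS instance
SAMPLE_PLAN = {
    "planned_values": {
        "root_module": {
            "resources": [
                _res("alicloud_security_group_rule.app_https",
                     {"type": "ingress", "cidr_ip": ANY_V4, "port_range": "443/443"}),
                _res("alicloud_security_group_rule.ssh",
                     {"type": "ingress", "cidr_ip": ANY_V4, "port_range": "22/22"}),
                _res("alicloud_oss_bucket.data", {"acl": "private"}),
                _res("alicloud_oss_bucket.assets", {"acl": "public-read"}),
                _res("alicloud_ram_policy.oss_access", {"policy_document": json.dumps({
                    "Version": "1",
                    "Statement": [{"Effect": "Allow", "Action": ["oss:GetObject"],
                                   "Resource": ["acs:oss:*:*:example-data/*"]}]})}),
            ],
            "child_modules": [{"resources": [
                _res("module.admin.alicloud_ram_policy.all", {"policy_document": json.dumps({
                    "Version": "1",
                    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})}),
                _res("module.db.alicloud_db_instance.main",
                     {"security_ips": [ANY_V4, "10.0.0.0/24"]}),
            ]}],
        }
    }
}

if __name__ == "__main__":
    for line in audit(SAMPLE_PLAN) or ["no findings"]:
        print(line)
```

In a pipeline, replace `SAMPLE_PLAN` with `json.load(open("plan.json"))` and fail the job when `audit()` returns anything; the remaining checklist items (ActionTrail, Cloud Security Center) are account-level settings that a plan for one stack does not show, so they need a separate account-level check.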
## Integration
Works with:
- `/terraform` - Alibaba Cloud provider
- `/k8s` - ACK deployments
- `/devops` - CI/CD pipelines
- `/security` - Security review