Complete Guide to Alibaba Cloud Website Architecture: The Full Request Path from DNS to Auto Scaling

A complete walkthrough of Alibaba Cloud website architecture from DNS resolution to auto scaling.
This article traces the full path of a user request through Alibaba Cloud's website architecture, covering DNS resolution, CDN acceleration, WAF security, CLB/ALB load balancing, ECS compute, Redis caching, NAS/OSS storage, NAT gateway, auto scaling (ESS), and cross-region networking (CEN). It helps beginners build a comprehensive understanding of how these cloud components work together.
Introduction: From Virtual Machines to Cloud Servers
In real-world production and work environments, cloud servers have become the mainstream choice. Domestically in China, Alibaba Cloud leads the market, while Amazon Web Services (AWS) dominates internationally. Alibaba Cloud currently ranks among the top three to four globally in cloud computing market share, and its share continues to grow.
This article systematically walks through the core components of Alibaba Cloud's website architecture by following the complete flow of a user request, helping beginners build a comprehensive understanding of cloud architecture.
The Entry Layer: DNS, CDN, and WAF
DNS Resolution
The first step when a user visits a website is DNS resolution. DNS (Domain Name System) is one of the foundational pieces of internet infrastructure, responsible for translating human-readable domain names (e.g., www.example.com) into machine-readable IP addresses. Traditional DNS resolution involves a multi-level process of recursive and iterative queries, progressing from local DNS cache to root name servers, top-level domain servers, and authoritative name servers.
In Alibaba Cloud, once you've purchased a domain, you can configure DNS records through the "DNS Resolution" service. This is essentially the same as the traditional DNS resolution process, except Alibaba Cloud provides a visual management interface that makes operations more intuitive and convenient. As an authoritative DNS service, Alibaba Cloud DNS also offers advanced features such as intelligent resolution (returning the optimal IP based on the visitor's geographic location), DNS load balancing, and automatic failover, with resolution response times at the millisecond level.
CDN (Content Delivery Network)
After DNS resolution, the request passes through the CDN caching layer. CDN primarily caches a website's static resources (such as images, CSS, and JS files) and distributes content to edge nodes closest to the user, significantly improving access speed and reducing load on the origin server.
CDN core technologies include intelligent scheduling systems (typically based on DNS scheduling or HTTP 302 scheduling), edge node caching strategies, and origin-pull mechanisms. Alibaba Cloud CDN has thousands of edge nodes worldwide and uses AnyCast technology and intelligent routing algorithms to direct user requests to the nearest node. Beyond accelerating static resources, modern CDNs also support Dynamic Site Acceleration (DSA), which optimizes transmission paths and protocols (such as QUIC) to speed up dynamic content delivery.

WAF (Web Application Firewall)
Unlike traditional firewalls that can only filter by IP and port (Layer 4), WAF operates at Layer 7 (the application layer) and can identify and block common web attacks such as SQL injection and XSS (Cross-Site Scripting).
WAF performs traffic inspection at the application layer of the OSI model, deeply parsing HTTP/HTTPS protocol content. Its detection mechanisms typically include a rule-matching engine (signature matching based on regular expressions), a semantic analysis engine (understanding SQL/JS syntax structures), and machine learning models (identifying abnormal behavior patterns). Beyond SQL injection and XSS, WAF can also defend against CSRF, file inclusion, command injection, CC attacks, and other threats. Alibaba Cloud WAF also integrates Bot management and API security protection capabilities, forming a complete web application security solution.
Alibaba Cloud offers two primary security protection mechanisms:
- WAF: A paid service specifically designed to handle Layer 7 application security threats
- Security Groups: A free built-in feature, similar to traditional firewall port and IP access controls
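The difference between the two mechanisms, shown as an added example that is not part of the original article: a security-group-style check sees only source IP and port, while a WAF-style check decodes the request and matches its content. The rule tables, signatures, addresses, and URLs are constructed for illustration and are far simpler than a production rule set.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Layer 4 rules in the style of a security group: (source CIDR, port).
L4_ALLOW = [("0.0.0.0/0", 443), ("203.0.113.0/24", 22)]

# Constructed Layer 7 signatures: a tiny stand-in for a WAF rule-matching engine.
L7_SIGNATURES = {
    "sqli": re.compile(r"\bunion\b.+\bselect\b", re.I),
    "xss": re.compile(r"<\s*script\b", re.I),
}


def l4_allows(src_ip, dst_port):
    """Layer 4 decision: only the source address and destination port are visible."""
    ip = ipaddress.ip_address(src_ip)
    return any(
        ip in ipaddress.ip_network(cidr) and dst_port == port
        for cidr, port in L4_ALLOW
    )


def l7_hits(url):
    """Layer 7 decision: percent-decode the query string, then match each value."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for label, pattern in L7_SIGNATURES.items():
            if pattern.search(value):
                hits.append((name, label))
    return hits


def decide(src_ip, dst_port, url):
    """Apply the Layer 4 check first, then the Layer 7 check, as on the request path."""
    if not l4_allows(src_ip, dst_port):
        return ("drop-l4", [])
    hits = l7_hits(url)
    return ("block-l7", hits) if hits else ("forward", [])


if __name__ == "__main__":
    base = "https://www.example.com/item?"
    for query in ("id=42", "id=42%20UNION%20SELECT%20name%20FROM%20users",
                  "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"):
        print(decide("198.51.100.7", 443, base + query))
    print(decide("198.51.100.7", 22, base + "id=42"))
```

All three HTTPS requests pass the Layer 4 rule identically; only the content inspection separates them.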
The Load Balancing Layer: From SLB to CLB/ALB
After passing through the security layer, user requests enter the load balancing stage. Alibaba Cloud's load balancing products have undergone a significant upgrade:
- Former SLB: Now renamed to CLB (Classic Load Balancer)
- New ALB: Application Load Balancer, launched around May 2020

From a technical architecture perspective, CLB operates at both Layer 4 (TCP/UDP) and Layer 7 (HTTP/HTTPS), built on an LVS (Linux Virtual Server) + Tengine architecture. ALB is a pure Layer 7 load balancer designed with a cloud-native architecture, natively supporting modern protocols like HTTP/2, WebSocket, and gRPC, while offering richer routing rules (based on Headers, Cookies, Query parameters, etc.). In Kubernetes scenarios, ALB can be used directly as an Ingress Controller. Additionally, Alibaba Cloud offers NLB (Network Load Balancer) for ultra-high-performance Layer 4 forwarding scenarios.
Compared to using Nginx + Keepalived for load balancing and high availability in on-premises environments, Alibaba Cloud's ALB/CLB products come with built-in high availability. Users only need to configure them through the console without worrying about underlying implementation details. This is the core advantage of cloud services — encapsulating operational complexity into ready-to-use productized services.
The Compute and Storage Layer: ECS, Redis, and Databases
ECS (Elastic Compute Service)
The load balancer distributes requests to backend ECS (Elastic Compute Service) instances. ECS is what we commonly refer to as cloud servers — the core compute resources that host business applications and the primary component in Alibaba Cloud's website architecture that operations engineers need to log into and manage directly.
Under the hood, ECS is built on KVM virtualization technology and Alibaba Cloud's proprietary X-Dragon architecture. The X-Dragon architecture uses hardware offloading to shift virtualization overhead from the software layer to dedicated hardware chips, bringing cloud server performance close to bare-metal levels. ECS instance types span general-purpose, compute-optimized, memory-optimized, GPU-accelerated, and more, allowing users to choose the optimal configuration based on workload characteristics. ECS also supports Spot Instances, priced as low as 10% of on-demand pricing, suitable for fault-tolerant batch processing tasks.
Redis Cache Service
Alibaba Cloud provides a managed Redis service that requires no manual installation or configuration. Redis is an in-memory key-value database widely used for caching, session management, leaderboards, message queues, and other scenarios thanks to its extremely low read/write latency (microsecond-level).
Compared to self-managed Redis, the cloud Redis service offers the following advantages:
- Ready to use out of the box — start using it immediately after purchase
- Built-in primary-replica architecture (referred to as "primary database" and "read-only instances"), with native read-write splitting support
- Automated operations and scheduled backups, reducing manual intervention
Alibaba Cloud Redis is available in three architectures: Standard (primary-replica), Cluster (data sharding), and Read-Write Splitting. The Cluster edition distributes data across multiple shards using consistent hashing, supporting up to several terabytes of memory and millions of QPS per instance. Cloud Redis also includes enterprise-grade features such as data persistence (RDB + AOF), transparent data encryption, and audit logging.

Storage Solutions: NAS and OSS
Alibaba Cloud offers multiple storage solutions. The two most commonly used are:
| Storage Type | Characteristics | Analogy |
|---|---|---|
| NAS | Usage nearly identical to NFS, supports direct mounting | Network File System |
| OSS | Object storage, ideal for unstructured data like images and videos | Cloud Storage Bucket |
NAS provides a POSIX-compatible file system interface based on NFS/SMB protocols, supporting random read/write and file locking — ideal for scenarios requiring shared file system semantics (such as CMS content management and container shared storage). OSS provides object-level storage via RESTful APIs, where each object consists of a Key (path), Data (content), and Metadata, with native support for massive concurrent access. OSS also offers lifecycle management (automatic tiering to infrequent access/archive storage), cross-region replication, image processing, video transcoding, and other capabilities, with a single Bucket supporting unlimited data storage.
NAS is best suited for scenarios where multiple ECS instances need to share files, while OSS is better for storing and distributing massive amounts of static resources. In practice, the two are often used together.
The Operations Enhancement Layer: NAT Gateway and Auto Scaling
NAT Gateway for Shared Internet Access
In cloud architectures, backend ECS instances may not need public IP addresses (since the load balancer handles incoming external traffic). However, servers still need internet access to download software packages, pull updates, and so on. This is where the NAT Gateway comes in, enabling shared internet access — similar to IP masquerading (SNAT) on a traditional firewall.
The NAT (Network Address Translation) Gateway operates in two modes: SNAT (Source NAT) and DNAT (Destination NAT). SNAT replaces the source IP of a private ECS instance with the NAT Gateway's public IP, enabling internal servers to access the internet. DNAT translates the destination address of external requests to an internal ECS address, enabling external access to internal services. Alibaba Cloud NAT Gateway supports binding multiple Elastic IP Addresses (EIPs), and through SNAT entries, you can granularly control which subnets or instances use which outbound IPs, supporting up to tens of Gbps of public bandwidth.
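The two translation modes, modeled as an added example that is not part of the original article: SNAT entries choose the outbound EIP per subnet or instance, and DNAT entries define exactly which internal services are reachable from outside. All addresses and entries are constructed, and the "most specific entry wins" rule is an assumption of this model.

```python
import ipaddress

# Constructed tables: documentation-range addresses, hypothetical subnets and EIPs.
SNAT_ENTRIES = [
    ("10.0.1.0/24", "203.0.113.10"),   # application subnet -> EIP A
    ("10.0.2.0/24", "203.0.113.11"),   # batch subnet -> EIP B
    ("10.0.1.25/32", "203.0.113.12"),  # single instance pinned to its own EIP
]
DNAT_ENTRIES = {
    ("203.0.113.10", 8443): ("10.0.1.25", 443),  # public port -> internal service
}


def snat(private_ip):
    """Return the public source IP for outbound traffic, or None if no entry covers it."""
    ip = ipaddress.ip_address(private_ip)
    matches = [
        (ipaddress.ip_network(cidr), eip)
        for cidr, eip in SNAT_ENTRIES
        if ip in ipaddress.ip_network(cidr)
    ]
    if not matches:
        return None
    # Assumption of this model: the most specific entry (longest prefix) wins.
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def dnat(public_ip, public_port):
    """Return the internal (ip, port) an inbound connection is forwarded to, or None."""
    return DNAT_ENTRIES.get((public_ip, public_port))


def egress_map(private_ips):
    """Map each instance to its outbound EIP, for allowlists and log attribution."""
    return {ip: snat(ip) for ip in private_ips}


def inbound_exposure():
    """List every internal endpoint reachable from the internet through DNAT."""
    return sorted(
        f"{pub}:{pport} -> {priv}:{port}"
        for (pub, pport), (priv, port) in DNAT_ENTRIES.items()
    )


if __name__ == "__main__":
    print(egress_map(["10.0.1.7", "10.0.1.25", "10.0.2.40", "10.0.3.5"]))
    print(dnat("203.0.113.10", 8443), dnat("203.0.113.10", 22))
    print(inbound_exposure())
```

An instance with no matching SNAT entry (`10.0.3.5` here) has no outbound path, and anything absent from the DNAT table is unreachable from the internet.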
ESS (Elastic Scaling Service)
Auto Scaling (ESS) is a core capability unique to cloud servers and one of the most compelling features of cloud computing compared to traditional data centers.

Suppose 4 ECS instances are sufficient for normal traffic. During promotional events or holiday traffic spikes, ESS can automatically adjust the number of servers based on the following metrics:
- System CPU/memory load
- Network traffic
- Bandwidth utilization
ESS consists of three core components: Scaling Groups (defining instance templates and boundaries), Scaling Rules (defining scaling policies), and Scaling Trigger Tasks (scheduled tasks or CloudMonitor alarms). ESS supports target tracking policies (e.g., maintaining CPU utilization at 60%), step scaling policies (scaling in stages based on alarm severity), and predictive scaling (using machine learning on historical data to forecast future load). After new instances launch, ESS automatically registers them with the load balancer's backend server group and can execute custom initialization scripts via lifecycle hooks, enabling fully automated elastic scaling.
After traffic peaks subside, ESS automatically scales down the number of instances to avoid resource waste. This is what "elasticity" means — scaling up and down on demand, achieving a dynamic balance between cost and performance.
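A simulation of target tracking at 60% CPU with a 4-instance baseline, added here as an example and not taken from the original article or from ESS itself. The proportional sizing rule, the maximum group size of 10, and the load series are assumptions chosen for illustration.

```python
def desired_capacity(total_demand, target_cpu, min_size, max_size):
    """Instances needed to hold average CPU at target_cpu, within the group boundaries.

    total_demand is the sum of CPU percent across the group, i.e.
    current_instances * average_cpu, so the unclamped result equals
    ceil(current_instances * average_cpu / target_cpu).
    """
    needed = -(-total_demand // target_cpu)  # integer ceiling
    return max(min_size, min(max_size, needed))


def simulate(demand_series, target_cpu=60, min_size=4, max_size=10):
    """Replay a load series and return one record per step."""
    records = []
    for demand in demand_series:
        size = desired_capacity(demand, target_cpu, min_size, max_size)
        records.append({
            "demand": demand,
            "instances": size,
            "avg_cpu": round(demand / size, 1),
            # True when the upper boundary, not the target, decided the size.
            # A capped step is worth alerting on: the group is saturated, and
            # the boundary is what limits spend if the load is a request flood.
            "capped": -(-demand // target_cpu) > max_size,
        })
    return records


# Constructed load: normal traffic, a promotional spike, then a return to baseline.
SAMPLE_DEMAND = [200, 240, 480, 900, 300, 120]

if __name__ == "__main__":
    for record in simulate(SAMPLE_DEMAND):
        print(record)
```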
Cross-Region Connectivity: Express Connect and Cloud Enterprise Network
When services are deployed across multiple regions (e.g., Hangzhou and Shenzhen), VPCs in different regions are not interconnected by default. Alibaba Cloud provides "Express Connect" (now upgraded to Cloud Enterprise Network, or CEN) to enable cross-region private network connectivity, ensuring network reachability and data transfer efficiency in multi-region architectures.
Cloud Enterprise Network (CEN) is built on Alibaba Cloud's global backbone network and uses Transit Routers as its core component to achieve full-mesh connectivity between any VPCs. Compared to traditional VPN interconnection, CEN delivers an enterprise-grade network experience with low latency, high bandwidth, and encrypted transmission. CEN also supports bandwidth package management (granular control of cross-region bandwidth), routing policies (flexible traffic steering), flow logs (network traffic auditing), and other advanced features, making it the foundational network infrastructure for building global multi-region architectures.
Summary: A Panoramic View of Alibaba Cloud Website Architecture
The core components of Alibaba Cloud's website architecture can be mapped along the request flow as follows:
User → DNS Resolution → CDN → WAF → CLB/ALB Load Balancer → ECS Cloud Server → Redis/RDS → NAS/OSS
Supporting components include: Security Groups, NAT Gateway, ESS Auto Scaling, Express Connect (Cloud Enterprise Network), and more.
For beginners, the key takeaway is this: apart from ECS, which requires direct login and management, most other cloud products are managed services that work out of the box, dramatically lowering the operational barrier. Mastering this architecture not only helps with real-world project implementation but also serves as an essential foundation for passing the Alibaba Cloud ACP certification.