Cloud‑Native Multi‑Tenant Architecture and Network Isolation in Taobao Open Platform

The article introduces the Taobao Open Platform as a crucial gateway for external ecosystems, delivering Alibaba’s core services to merchants, developers, and partners.

It highlights the challenges faced by small‑scale developers, especially those building mini‑programs, who encounter high complexity and resource waste when using the traditional "container cluster + application" model.

To address these issues, the platform adopts a cloud‑hosting (cloud‑native) approach that abstracts underlying infrastructure, allowing developers to focus on business code while the platform manages compute, storage, and network resources.

The solution separates resource management into two categories: compute resources (containers on ASI/Kubernetes clusters) and application‑dependent cloud resources (databases, middleware) that are fully managed by the platform.

For multi‑tenant isolation, two models are discussed: an independent switch‑plus‑security‑group scheme and a shared switch‑plus‑security‑group scheme, each with trade‑offs regarding scalability and pod communication.

Network communication and control are achieved by attaching two ENI network interfaces to each pod—one for platform control traffic and another for tenant‑specific traffic—enabling fine‑grained network policies across different business scenarios (closed, controlled, open environments).

The article also covers automatic scaling (auto‑scaling) using Kubernetes HPA, KEDA, and custom metrics to balance stability and cost, supporting both resource‑level and business‑level scaling triggers.

Overall, the cloud‑hosting model transforms the platform into a serverless‑like PaaS, simplifying onboarding for ISVs, reducing operational overhead, and paving the way for future extensions such as low‑code and function‑as‑a‑service capabilities.