Serverless Function Compute for Mini Programs: Architecture, Security, and Performance Optimizations

With the rapid development of the digital era, mini programs have become an essential part of daily life due to their instant‑use nature. However, developing mini programs is challenging because of highly volatile traffic and fast‑changing requirements, which put pressure on backend stability and operational capabilities.

Function as a Service (FaaS) provides an ideal serverless solution that abstracts away the underlying runtime and servers, allowing developers to focus on business logic. Automatic elastic scaling handles traffic spikes, reduces idle resources, and lowers costs.

Alipay has launched a cloud development product centered on function compute, offering innovations in cold‑start latency, high availability, and security to deliver a seamless experience for mini‑program developers.

The article uses a travel metaphor to describe the technical ecosystem composed of four stations: the mini program, the Alipay app, the gateway, and the function. Security measures such as session‑based authentication, DDoS native protection, access control, and multi‑layer isolation ensure that only legitimate users can access resources.

When a mini program invokes a function, the request is forwarded through a local proxy to the Alipay client for transparent authentication. The client validates the session and retrieves appId, openId, and environment information before allowing the function call.

Below is a minimal code example that initiates a function call from a mini program:

const c1 = my.cloud.createCloudContext({
  env: 'env-123456', // cloud environment id
});
// Initialize cloud environment
await c1.init();
// Call cloud function
const res = await c1.callFunction({
  name: 'add',
  data: { "num1": 1, "num2": 2 }
});

Function requests are routed through a gateway that uses gRPC to forward calls to a function‑node gateway, which caches and groups requests for efficient scheduling. The HUSE scheduler (Hyper‑elastic Unified Serverless Engine) performs real‑time instance placement based on load, providing sub‑20 ms scheduling latency and supporting 10 k QPS.

High‑performance gateway implementation (gw‑on‑envoy) combines Envoy (C++) for layer‑4/7 networking with a Go‑based gateway for service discovery, routing, and access control. This architecture achieves low CPU usage and reduced request latency.

The container runtime NanoVisor, built on gVisor, offers a secure, low‑latency environment with checkpoint/restore techniques that reduce function cold‑start time to under 100 ms. Checkpointed Node.js runtimes are restored instantly, eliminating the need for full initialization.

Security is reinforced through vertical isolation (Go‑based sentry kernel, seccomp) and horizontal isolation (network ACLs, access‑control modules). These layers protect against container escape and malicious network behavior.

Performance tests show that the system can sustain 10 k QPS with an average scheduling delay of 21 ms and container startup latency well below 100 ms, ensuring stable operation even during peak traffic such as holiday travel periods.