
What Happens If You Destroy All of Alipay’s Storage Servers? A Deep Dive into Data Center Architecture and Disaster Recovery

The article explores the consequences of destroying Alipay’s storage servers, detailing typical financial data center architectures, backup strategies, power redundancy, fire suppression systems, and the practical challenges of crippling such facilities, while highlighting regulatory and physical security measures.

Java Architect Essentials

The article begins with a provocative question: what would happen if all of Alipay’s storage servers were destroyed, and proceeds to examine the underlying financial information system architecture.

It explains that a typical financial system uses a "two‑site three‑center" model, meaning two data centers in the same city operating in hot‑backup or active‑active mode. Active‑active implies both centers run simultaneously, while hot‑backup allows traffic to be switched to the secondary center with minimal impact.

To truly disrupt the service, both data centers must be taken down. The discussion then moves to cold backups, which are periodic, offline copies; these are slower to restore and may result in data loss for the interval between backups.

Using DNS analysis of the alipay.com domain, the author shows that multiple IP addresses are active, indicating a multi‑active deployment. However, DNS locations do not reveal the actual data storage locations.

The article outlines data‑center classification methods: international T‑levels (T1‑T4), China’s GB50174 standards (A, B, C classes), and carrier‑specific star ratings (1‑5 stars). Financial services require an A‑class data center per GB50174.

Power redundancy is described in detail: a 2N+1 configuration provides two independent power supplies plus a backup, UPS systems can sustain full load for about 15 minutes, and generators with diesel tanks can keep the center running for over 12 hours.

Fire suppression mechanisms are covered, noting that data centers use clean agents such as heptafluoropropane (FM‑200) rather than water or dry powder, which could damage equipment. The gas is colorless, odorless, low‑toxicity, non‑conductive, and non‑corrosive.

Physical security measures are also highlighted: lightning‑protection grounding, sealed access, strict location requirements (no nearby railways, airports, chemical plants, etc.), and seismic and flood resistance standards.

Finally, the author acknowledges the difficulty of completely disabling a modern data center and ends with a call to share the article and join the architecture community.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
