Exploring Multi-Tenant SaaS Resource Isolation in AWS

Introduction

Currently, there are plans to offer SaaS subscriptions, including Basic, Advanced, and Enterprise plans. To effectively manage these plans within your system, it’s essential to explore the most efficient implementation strategies. Below are examples of SaaS plans offered by Shopify and Vercel. So I’d like to write how do we silo each tenant in AWS in this article.

Shopify Pricing - Setup and Open Your Online Store Today - Free Trial

Find a plan to power your projects. - Vercel

Architecture

In the Basic plan, all companies share the same network, cluster, and data sources.
The Advanced plan builds on this by isolating the network for each tenant while keeping the same shared cluster. In this setup, each tenant has its own product and order services. If you’re using ECS Fargate, you can isolate services per tenant at this level. Additionally, data resources are siloed for each tenant.
Finally, in the Premium plan, each tenant has its own dedicated cluster and data resources, ensuring full isolation.

Source: AWS, retrieved from https://aws.amazon.com/jp/builders-flash/202410/multi-tenant-saas-pattern/

How do we divide tenant in our system

We now understand the common architecture for multi-tenancy. Let’s explore how we can silo resources for each tenant effectively.

AWS Account

Using separate AWS accounts provides complete resource isolation for each tenant. This method ensures a single-tenant architecture, offering the highest level of security and independence.

Network

There are two ways to silo tenant in network such as VPC and subnet.

Using VPCs
Creating separate VPCs for each tenant provides full network isolation. This ensures that each tenant operates in its own dedicated environment, which enhances security and prevents accidental data exposure or interference between tenants.

Using Subnets
Alternatively, tenants can be isolated within the same VPC by assigning each one to a separate subnet. This method is more cost-effective than creating individual VPCs.

Computing

There are two ways to silo tenant in computing such as cluster and service. Assigning each tenant to a separate cluster provides strong isolation but can be resource-intensive and costly.
If you use ECS Fargate, you can use service. Isolating tenants at the service level within a shared cluster is more cost-effective.

Database

We can divide data resources such as AWS RDS, Aurora, or DynamoDB. Options for siloing include creating separate databases, implementing sharding, and other partitioning strategies.

How do we access

When tenants access our system, there are several options to consider:

By Path

In the architecture below, clients can access the system via Amazon API Gateway. The traffic then flows through an AWS Network Load Balancer (NLB) and is automatically distributed by an AWS Application Load Balancer (ALB) to multiple targets.

Source: AWS, retrieved from https://aws.amazon.com/jp/builders-flash/202410/multi-tenant-saas-pattern/

By Domain

If a unique domain can be created for each tenant, this approach becomes viable. By using alternate domains in CloudFront, access can be segregated based on the domain.