book

Building Multi-Tenant SaaS Architectures

Name: Building Multi-Tenant SaaS Architectures
Author: Tod Golding
ISBN: 9781098140649

by Tod Golding

April 2024

Intermediate to advanced

486 pages

15h 45m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Includes

Quizzes

Preface
An Evolving LandscapeWho’s This Book For?A Foundation—Not a BibleWhat’s Not in This BookConventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgments
1. The SaaS Mindset
Where We StartedThe Move to a Unified ModelRedefining Multi-TenancyWhere Are the Boundaries of SaaS?The Managed Service Provider ModelAt Its Core, SaaS Is a Business ModelBuilding a Service—Not a ProductDefining SaaSConclusion
2. Multi-Tenant Architecture Fundamentals
Adding Tenancy to Your ArchitectureThe Two Halves of Every SaaS ArchitectureInside the Control PlaneOnboardingIdentityMetricsBillingTenant ManagementInside the Application PlaneTenant ContextTenant IsolationData PartitioningTenant RoutingMulti-Tenant Application DeploymentThe Gray AreaTieringTenant, Tenant Admin, and System Admin UsersTenant ProvisioningIntegrating the Control and Application PlanesPicking Technologies for Your PlanesAvoiding the AbsolutesConclusion
3. Multi-Tenant Deployment Models
What’s a Deployment Model?Picking a Deployment ModelIntroducing the Silo and Pool ModelsFull Stack Silo DeploymentWhere Full Stack Silo FitsFull Stack Silo Considerations Full Stack Silo in ActionRemaining Aligned on a Full Stack Silo MindsetThe Full Stack Pool ModelFull Stack Pool Considerations A Sample ArchitectureA Hybrid Full Stack Deployment ModelThe Mixed Mode Deployment ModelThe Pod Deployment ModelConclusion
4. Onboarding and Identity
Creating a Baseline EnvironmentCreating Your Baseline EnvironmentCreating and Managing System Admin IdentitiesTriggering Onboarding from the Admin ConsoleControl Plane Provisioning OptionsThe Onboarding ExperienceOnboarding Is Part of Your ServiceSelf-Service Versus Internal OnboardingThe Fundamental Parts of OnboardingTracking and Surfacing Onboarding StatesTier-Based OnboardingTracking Onboarded ResourcesHandling Onboarding FailuresTesting Your Onboarding ExperienceCreating a SaaS IdentityAttaching a Tenant IdentityPopulating Custom Claims During OnboardingUsing Custom Claims JudiciouslyNo Centralized Services for Resolving Tenant ContextFederated SaaS IdentityTenant Grouping/Mapping ConstructsSharing User IDs Across TenantsTenant Authentication Is Not Tenant IsolationConclusion
5. Tenant Management
Tenant Management FundamentalsBuilding a Tenant Management ServiceGenerating a Tenant IdentifierStoring Infrastructure ConfigurationManaging Tenant ConfigurationManaging Tenant LifecycleActivating and Deactivating a TenantDecommissioning a TenantChanging Tenant TiersConclusion
6. Tenant Authentication and Routing
Entering the Front DoorAccess via a Tenant DomainAccess via a Single DomainThe Man in the Middle ChallengeThe Multi-Tenant Authentication FlowA Sample Authentication FlowFederated AuthenticationNo One-Size-Fits-All AuthenticationRouting Authenticated TenantsRouting with Different Technology StacksServerless Tenant RoutingContainer Tenant RoutingConclusion
7. Building Multi-Tenant Services
Designing Multi-Tenant ServicesServices in Classic Software EnvironmentsServices in Pooled Multi-Tenant EnvironmentsExtending Existing Best PracticesAddressing Noisy NeighborIdentifying Siloed ServicesThe Influence of Compute TechnologiesThe Influence of Storage ConsiderationsUsing Metrics to Analyze Your DesignOne Theme, Many LensesInside Multi-Tenant ServicesExtracting Tenant ContextLogging and Metrics with Tenant ContextAccessing Data with Tenant ContextSupporting Tenant IsolationHiding Away and Centralizing Multi-Tenant DetailsInterception Tools and StrategiesAspectsSidecarsMiddlewareAWS Lambda Layers/ExtensionsConclusion
8. Data Partitioning
Data Partitioning FundamentalsWorkloads, SLAs, and ExperienceBlast RadiusThe Influence of IsolationManagement and OperationsThe Right Tool for the JobDefaulting to a Pooled ModelSupporting Multiple EnvironmentsThe Rightsizing ChallengeThroughput and ThrottlingServerless StorageRelational Database PartitioningPooled Relational Data PartitioningSiloed Relational Data PartitioningNoSQL Data PartitioningPooled NoSQL Data PartitioningSiloed NoSQL Data PartitioningNoSQL Tuning OptionsObject Data PartitioningPooled Object Data PartitioningSiloed Object Data PartitioningDatabase Managed AccessOpenSearch Data PartitioningPooled OpenSearch Data PartitioningSiloed OpenSearch Data PartitioningA Mixed Mode Partitioning ModelSharding Tenant DataData Lifecycle ConsiderationsMulti-Tenant Data SecurityConclusion
9. Tenant Isolation
Core ConceptsCategorizing Isolation ModelsApplication-Enforced IsolationRBAC, Authorization, and IsolationApplication Isolation Versus Infrastructure IsolationThe Layers of the Isolation ModelDeployment-Time Versus Runtime IsolationIsolation Through InterceptionScaling ConsiderationsReal-World ExamplesFull Stack IsolationResource-Level IsolationItem-Level IsolationManaging Isolation PoliciesConclusion

10. EKS (Kubernetes) SaaS: Architecture Patterns and Strategies
The EKS–SaaS FitDeployment PatternsPooled DeploymentSiloed DeploymentsMixing Pooled and Siloed DeploymentsThe Control PlaneRouting ConsiderationsOnboarding and Deployment AutomationConfiguring Onboarding with HelmAutomating with Argo Workflows and FluxTenant-Aware Service DeploymentsTenant IsolationNode Type SelectionMixing Serverless Compute with EKSConclusion
11. Serverless SaaS: Architecture Patterns and Strategies
The SaaS and Serverless FitDeployment ModelsPooled and Siloed DeploymentsMixed Mode DeploymentsMore Deployment ConsiderationsControl Plane DeploymentOperations ImplicationsRouting StrategiesOnboarding and Deployment AutomationTenant IsolationPooled Isolation with Dynamic InjectionDeployment-Time IsolationSimultaneously Supporting Silo and Pool IsolationRoute-Based IsolationConcurrency and Noisy NeighborBeyond Serverless ComputeConclusion
12. Tenant-Aware Operations
The SaaS Operations MindsetMulti-Tenant Operational MetricsTenant Activity MetricsAgility MetricsConsumption MetricsCost-per-Tenant MetricsBusiness Health MetricsComposite MetricsBaseline MetricsMetrics Instrumentation and AggregationBuilding a Tenant-Aware Operations ConsoleCombining Experience and Technical MetricsTenant-Aware LogsCreating Proactive StrategiesPersona-Specific DashboardsMulti-Tenant Deployment AutomationScoping Deployments Targeted ReleasesConclusion
13. SaaS Migration Strategies
The Migration Balancing ActTiming ConsiderationsWhat Kind of Fish Are You?Thinking Beyond Technology TransformationMigration PatternsThe FoundationSilo Lift-and-ShiftLayered MigrationService-by-Service MigrationComparing PatternsA Phased ApproachWhere You Start MattersConclusion
14. Tiering Strategies
Tiering PatternsConsumption-Focused TieringValue-Focused TieringDeployment-Focused TieringFree TiersComposite Tiering StrategiesBilling and TieringTiering and Product-Led GrowthImplementing TieringAPI TieringCompute TieringStorage TieringDeployment Models and TieringThrottling and Tenant ExperienceTier ManagementOperations and TieringConclusion
15. SaaS Anywhere
The Fundamental ConceptsOwnershipLimiting DriftMultiple Flavors of Remote EnvironmentsRegional Deployments Versus Remote ResourcesArchitecture PatternsRemote DataRemote Application ServicesRemote Application PlaneStaying in the Same CloudIntegration StrategiesOperations Impacts and ConsiderationsProvisioning and OnboardingAccess to Remote ResourcesScale and AvailabilityOperational InsightsDeploying UpdatesConclusion
16. GenAI and Multi-Tenancy
Core ConceptsThe Influence of Multi-TenancyCreating Custom Tenant AI ExperiencesA Broad Range of PossibilitiesSaaS and AI/MLIntroducing Tenant RefinementsSupporting Tenant-Level Refinement with RAGSupporting Tenant Refinement with Fine-TuningCombining RAG and Fine-TuningApplying General Multi-Tenant PrinciplesOnboardingNoisy NeighborTenant IsolationGenAI Pricing and Tiering ConsiderationsDeveloping a Pricing ModelCreating Tiered Tenant ExperiencesConclusion
17. Guiding Principles
Vision, Strategy, and StructureBuild a Business Model and StrategyA Clear Focus on EfficiencyAvoiding the Tech-First TrapThinking Beyond Cost SavingsBe All-In with SaaSAdopt a Service-Centric MindsetThink Beyond Existing Tenant PersonasCore Technical Considerations No One-Size-Fits-All ModelProtect the Multi-Tenant PrinciplesBuild Your Multi-Tenant Foundation on Day OneAvoid One-Off CustomizationMeasure Your Multi-Tenant ArchitectureStreamline the Developer ExperienceOperations MindsetThinking Beyond System Health Introducing Proactive Constructs Validating Your Multi-Tenant StrategiesYou’re Part of the TeamConclusion
Index
About the Author

Content preview from Building Multi-Tenant SaaS Architectures

Chapter 6. Tenant Authentication and Routing

At this stage, our focus on the control plane has been squarely on building a foundation that allows us to introduce multi-tenancy into our architecture. Onboarding, user management, and tenant management all allow us to configure, capture, and prepare our tenant for entry into a SaaS environment. Now it’s time to start thinking about how a tenant uses these constructs (and others) to enter the front door of our multi-tenant environment.

It’s at this point where you authenticate a user that all the pieces of your onboarding and tenant management come together. Here you’ll see how the configuration information that was stored in tenant management can play a role in the flow and implementation of your authentication experience. We’ll also see how the work that was done to connect our users to tenants will yield the tenant context that becomes essential to the downstream services that are part of your multi-tenant architecture.

For this chapter, I’ll begin by looking at the fundamentals of how you expose the entry point to your multi-tenant solution. There are multiple strategies that can be used to access a SaaS environment, some of which explicitly identify the tenant that is entering the system and others that rely on internal mechanisms to determine which tenant is accessing the system. Each of these have implications on how your tenant is authenticated and connected with the appropriate identity provider.

We’ll also look at how your ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781098140632Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Building Multi-Tenant SaaS Architectures

by Tod Golding

Chapter 6. Tenant Authentication and Routing

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.