Palani works as a Senior Architect in the Cloud Engineering Studio division of Brillio. He has deep expertise in multi-cloud initiatives for large enterprises.
26th April, 2022
A continuation of part one of the blog series.
AWS provides several cloud-enabled solutions, which in effect, can be utilized as the following SaaS deployment models:
Multi-tenancy Isolation Through the Governance Model
In the governance model, all the tenants can be attached to a master (root) organization account (OU), which manages all the accounts associated. Organizational accounts can provide separations of concerns with account-level isolation. The AWS Organizations service helps in defining central configurations, resource sharing across accounts in the organization, and account & group creation. Its policies can be automated to reflect business needs by using governance. Billing for all accounts can be simplified by setting up a single payment method for all the owner AWS accounts, and cost reports can be ascertained for each account separately.
Tenant Isolation at the AWS Account Level
In this model, all the tenants will have their specific AWS accounts, which will be isolated – to an extent. In essence, as a multi-tenant SaaS solution, this can be treated as a managed solution on AWS. This model’s advantages are account-level tenant isolation ranging from resource isolation and billing to metrics and security. A marketplace solution that can be deployed on each AWS account is a good example of this model.
Tenant Isolation at the Amazon VPC Layer
In this model, all tenant solution deployments are within the same AWS account. However, the level of separation is at the VPC layer. For every tenant deployment, there is a separate VPC, which creates a logical separation between tenants. It is easier to manage as the entire solution is deployed within a single account (rather than in a multi-account setup). Further, appropriate isolation via a VPC provides better economies of scale and improved utilization of Amazon EC2-reserved instances, as all pricing constructs are applicable on the same AWS account. The limitation of this model is that in consolidated billing, separate account billing by VPC cannot be ascertained.
Tenant isolation at the Amazon VPC subnet layer
In this model, there is a single AWS account and a single VPC for all tenant deployments. The isolation is prevalent at the subnets level. Each tenant owns a separate application or solution version, without any sharing across tenants. The advantages of this model: no requirement of VPC peering and simplification of VPN and AWS Direct Connect connectivity to a single on-premises site. This model’s limitation is that its NACLs (Network Access Control Lists) and security groups need to be managed very carefully.