Multi-tenant system architecture design for SaaS 2023

SaaS multi-tenant isolation mode

For the SaaS model, resource isolation between multiple tenants is a very basic capability. For cost and operational efficiency considerations, SaaS service providers need to build an environment where multiple tenants can access the software at the same time. Although different tenants access the same set of SaaS product services, the resource Access needs to be strictly isolated.

SaaS resource isolation consists of several levels: 

• The first layer is the isolation of computing, storage, network, and other resources involved in the bottom layer of the SaaS system.
• The second layer is the isolation of basic system data, mainly including organizations, users, roles, permissions, product capability authorization relationships, etc.
• The third layer is the isolation of various business dynamic data during system use, such as business documents, operation records, etc.

The multi-tenant architecture mainly solves the isolation problem of the first layer, that is, the isolation of computing, storage, network, and other resources. In order to realize the multi-tenant isolation architecture, we must first figure out several common multi-tenant isolation modes.

Shaft Isolation Mode

Some SaaS service providers choose the silo isolation mode, that is, each tenant runs in an isolated set of resources. Some people will say, isn't this the traditional software model, why is it the SaaS model? But if these silo resources have standardized tenant identification, occupancy process, billing system, deployment process, and operation process, it is still a SaaS model, but each customer has a set of end-to-end infrastructure. 

Advantage

• Reduce the impact of failures: Because each customer's system is deployed in its own environment, if one of the environments fails, it will not affect other customers' use of software services.
• The billing logic is simple: SaaS service providers need to bill for the resources used by tenants. For complex business scenarios, the relationship between computing, storage, and network resources will also be very complicated. The billing model is very challenging, but in the silo mode, the billing model is relatively simple.
• Meet strong isolation requirements: Some customers may put forward very strict isolation requirements for the system and data security, expecting software products to be deployed in a completely independent environment, not placed together with other tenants' application instances and data.

Disadvantage

• Scale problem: Since the SaaS environment of tenants is independent, a SaaS environment needs to be created and operated every time a tenant settles in. If there are only a small number of tenants, it may be manageable, but if there are thousands of tenants, Managing and operating these environments will be very challenging.
• Cost problem: Each tenant has an independent environment, and the cost spent on a single customer will be very high, which will greatly reduce the profitability of SaaS software services.
• Agile iteration problem: One advantage of the SaaS model is that it can quickly respond to market demand and iterate product functions. However, the silo isolation strategy will hinder this agile iteration capability, because updating, managing, and supporting the SaaS environment of these tenants will become very complicated and inefficient.
• System management and monitoring: In the same environment, it is relatively simple to manage and monitor the deployed infrastructure. However, each tenant has an independent environment. In this decentralized mode, it is also very complicated and difficult to manage and monitor the infrastructure of each tenant. 

Shared mode

It is believed that many SaaS service providers will give priority to the sharing model, that is, multi-tenants share a set of infrastructure resources, which can make SaaS software services more efficient, agile, and low-cost.

Advantage

• Efficient management: Under the shared strategy, all tenants can be managed and operated in a centralized manner, and the management efficiency is very high. At the same time, it will be easier to manage and monitor infrastructure configuration. Compared with the silo strategy, the iterative update of the product will be faster.
• Low cost: A large part of the cost structure of SaaS service providers is the cost of infrastructure. Under the sharing model, the service provider can dynamically scale the system according to the actual resource load of the tenants, so that the utilization rate of the infrastructure will be very high. 

Disadvantage

• Interaction between tenants: Since all tenants share a set of resources, when one tenant occupies a large number of machine resources, the user experience of other tenants is likely to be affected. In this scenario, it is necessary to design some restrictive measures on the technical architecture (current limiting, downgrade, server isolation, etc.) to make the impact surface controllable.
• Tenant billing difficulties: Under the silo model, it is very easy to count the resource consumption of tenants. However, under the shared model, since all tenants share a set of resources, more energy needs to be invested in calculating the reasonable cost of a single tenant.

Domain isolation mode

Traditional large enterprises prefer the traditional model of private deployment and personalized delivery because they need stronger control and higher security. However, SMEs have limited payment capabilities and tend to have more standardized needs, so they prefer SaaS products with lower prices and easier ordering. In order to meet the needs of different customers, there is also a mode that mixes the silo model and the shared model, that is, the domain isolation mode.

In this mode, the basic domain and dedicated domain are subdivided. The basic domain uses a shared model, and all tenants share a set of resources; while the dedicated domain uses a silo model, and each tenant has an independent resource environment.

Most small and medium-sized customers, use SaaS products in the basic domain environment, and only a small number of large customers use SaaS products in dedicated domains. Usually, they have strong payment capabilities and strong isolation requirements. 

However, it should be noted that in order to avoid multiple product versions, SaaS service providers need to ensure that the product versions of the basic domain and dedicated domain are consistent, and the personalized part should build a PaaS platform as much as possible and let ISVs participate in the construction. Otherwise, once the standardization of SaaS products is reduced, the maintenance of subsequent versions will become a disaster. 

Positioning for multi-tenant systems

After understanding the various multi-tenant isolation modes, let's summarize the positioning of the multi-tenant system. The multi-tenant system is to satisfy multiple users to use a set of products and to realize data and behavioral isolation between users. However, according to different user needs, software and hardware resources can be shared or isolated, and the system architecture can flexibly support multiple isolation modes.

Capabilities required for a multi-tenant system

• Multiple tenants support sharing a set of cloud resources, such as computing, storage, and network resources. A single tenant can also monopolize a set of cloud resources.
• Data and behavior can be isolated between multiple tenants, and tenants can be controlled by rights and domains.
• The tenant can support management based on the organizational structure and can authorize and manage product capabilities.
• Different product capabilities can be supported to run on different cloud resources according to customer needs.

Multitenancy Conceptual Model

Multi-tenancy Core Concepts

• Tenant: generally refers to an enterprise customer or individual customer, and the data and behavior between tenants are isolated.
• User: A specific user in a tenant can log in to the SaaS system to use software services by using login information such as account name and password.
• Organization: If the tenant is an enterprise customer, it usually has its own organizational structure.
• Employee: refers to a specific employee within the organization.
• Solution: In order to solve certain types of business problems of customers, SaaS service providers combine products and services to provide merchants with an overall packaged solution.
• Product capability: refers to the product application that SaaS service providers sell to customers, especially the ability to help customers realize the closed-loop end-to-end scenario solution.
• Resource Domain: A set of cloud resource environments used to run one or more product applications.
• Cloud resources: SaaS products are generally deployed on various cloud platforms, such as Alibaba Cloud, Tencent Cloud, and Huawei Cloud. The computing, storage, network, container, and other resources provided by these cloud platforms are abstracted as cloud resources. 

Conceptual model design

• The SaaS platform can create and manage multiple platform users, multiple tenants, and multiple resource domains.
• A single platform user can be associated with multiple tenants. For example, platform user Zhang San can be a user of tenant A or tenant B. There can be multiple users under a single tenant.
• A single tenant can order multiple solutions, a solution can contain multiple product capabilities, and the product capabilities run on a certain resource domain.
• There is a superior-subordinate relationship between organizational units. There can be multiple employees under a single organization, and employees are bound to a single user.

Multi-tenant core scenario

Tenant Internal Model Relationships

For SaaS products, tenants are the top-level concept. Tenants have internal models such as organizations, users, product capabilities, and cloud resources. Tenants are like renting a big house, and other models are furniture or facilities inside the house.

Tenant identification

In various isolation modes, it is very important to identify the identity of the tenant and obtain the resource configuration of the tenant. When a user logs in to the SaaS system, the system returns tenant context information, which includes the tenant information bound to the user and the isolation mode. Tenant context information will be attached to each system interaction, running through the entire system call link, so that the upstream caller knows which downstream resources to route to.

Tenant Billing Metering Management

In the silo isolation mode, since the resources themselves are isolated, billing and metering can be done based on the occupied computing, storage, and network resources, and the logic is relatively simple.  In the shared mode, billing and metering are more complicated. We need to be able to accurately collect the usage of actual resources by each tenant. Generally, combined billing will be performed based on data such as concurrent requests, storage capacity, and a number of data objects.