Numino Client-Ready Multitenant Architecture with AWS PaaS

Overview

The purpose of developing the Client-Ready Multi Tenant Framework with AWS as PaaS is to streamline the onboarding process for new projects requiring a multi-tenant architecture. By establishing this framework, we have created a readily available architectural style that serves as a design pattern for new software product onboarding, ensuring consistency and efficiency. This framework is a vital component of the Numino Software Development Toolkit for the AWS platform, enabling us to save significant time and resources during project initiation. It creates a layer above the PaaS offerings of AWS, providing a robust, reusable solution that simplifies and accelerates the development of multi-tenant applications for our clients.

Project Info

Category: Cloud Backend
Client: Numino

Product Features

Tenant Data Isolation

Choose a suitable strategy (e.g., separate databases, a shared database, or a combination of both) based on the product use case.



User Pools based User Management using AWS Cognito
Cognito handles user sign-up, sign-in, and access control, including features like multi-factor authentication and social identity federation, ensuring a seamless and secure user experience.
Request Management using API Gateway

API Gateway provides a highly scalable and secure way to manage, monitor, and throttle API requests, with detailed metrics and logs for monitoring and troubleshooting.
Ease of provisioning new tenant

Automate tenant provisioning using AWS CloudFormation to quickly set up new tenants.
Role-Based Access Control (RBAC) using IAM
IAM simplifies user permission management across the multitenant environment using policies alone.

Workflow

01 User Login Request
Users authenticate using their email and password, which are validated against the Cognito user pool. Upon successful authentication, a JWT (Access Token) is returned to the client.
02 Request to API Gateway
All subsequent requests are directed to the API Gateway, which forwards them to the Lambda Authorizer for authentication.
03 Lambda Authorizer
The Lambda Authorizer validates the access token for expiry and checks user validity against the user pool. It then returns an IAM policy based on the user's role and adds a tenant context.
04 API Gateway Authorization
The API Gateway authorizes the call based on the IAM policy returned by the Lambda Authorizer and appends the tenant ID to the request.
05 REST Service
The REST Service sets the tenant context based on the 'Tenant-Id' header and retrieves the required data from the database.

Architecture

The reference solution illustrates many of the components needed to build a multi-tenant SaaS solution using AWS PaaS. This SaaS solution incorporates two deployment models—silo (Dedicated Services) and pool (Shared Services)—to demonstrate how these models impact onboarding, isolation, noisy neighbor effects, performance, and tiering in a serverless SaaS environment.

Key Components

01. Web Applications
The web application uses Amazon Cognito user pools to authenticate users. The specific user pool for authentication is determined by the domain of the user's email address. For instance, a user with an email address like user@mydomain.com will be authenticated using the user pool configured for "mydomain". Upon successful authentication, the web application receives a token that can be used for all subsequent requests. For paid tiers, a separate domain can be created to enhance security. This ensures that each paid tenant has a distinct and isolated environment, providing an additional layer of protection for their data and interactions with the web application.
02. Shared Services
These services are foundational to the SaaS environment, providing cross-cutting functionality that is separate from business application services and shared across all tenants. They handle operations and data related to onboarding, managing, authenticating, and configuring tenants or users.
03. Application Services
These represent the microservices that provide the business functionality of the application. The deployment and role of these services change based on the tenant's tier. Later, as paid-tier tenants are onboarded, separate application services can be deployed for each tenant in this tier.
04. Multi-Tenant Data Storage

Access to the database in the multi-tenant architecture is provided in three ways. Each of the following is achieved using Spring Data JPA configurations.

Separate database
Every client has its own database. The application decides which database to connect to based on the tenantId. This is the most secure solution and is offered in higher tiers.
Separate schema
Every client has its own schema within one database. In this case, the tenantId defines which schema to connect to and gives users authorized access to only that one schema.
Shared schema
All clients have data in one schema. The discriminator in this case is an additional column in each table that identifies which customer a record belongs to. This level is applicable to free-tier users.
05. Role based access control using IAM

In IAM, role-based policies are created and linked to Cognito user groups. When a user requests access to a resource, the Lambda authorizer validates the access token to determine the user's roles. The authorizer then generates an IAM policy based on these roles, allowing or denying access accordingly, which the API Gateway enforces to control access to AWS resources.

Tenant Registration and Onboarding

The steps of the sign-up process are as follows:

Practical Insights

Cognito provides three additional methods for implementing multitenancy: application clients, custom attributes, and group-based approaches. While these methods streamline onboarding, managing users can become cumbersome. In contrast, user pool-based implementation ensures clear segregation of users, simplifying management and enhancing organizational clarity.

API Gateway integration does not natively support authentication from multiple user pools. This requires the implementation of a custom Lambda authorizer. Fortunately, Numino has already developed and tested a Lambda authorizer to support this use case, ensuring secure authentication across multiple user pools without additional development effort.
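
As an added illustration (not Numino's own authorizer), the following shows the decision logic of workflow steps 03 and 04, the group-based RBAC component, and the multi-pool requirement described above. The pool IDs, tenant names, group-to-route map and the `now` parameter are constructed for the example, and the token signature is assumed to have been verified against the issuing pool's JWKS before `authorize` is called.

```python
import time

# Constructed registry: allow-listed issuers, one Cognito user pool per tenant.
POOLS = {
    "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE01": "tenant-a",
    "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE02": "tenant-b",
}
# Hypothetical role model: Cognito group -> (HTTP verb, resource path) it may invoke.
GROUP_ROUTES = {
    "admin": [("*", "*")],
    "viewer": [("GET", "orders/*")],
}

def _policy(principal, effect, resources, context=None):
    # Response shape API Gateway expects from a Lambda authorizer.
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect,
                           "Resource": resources}],
        },
        "context": context or {},
    }

def authorize(claims, method_arn, now=None):
    """claims: payload of an access token whose signature was ALREADY verified
    against the JWKS of the pool named in `iss` (assumed; not done here)."""
    now = time.time() if now is None else now
    principal = claims.get("sub", "anonymous")
    deny = _policy(principal, "Deny", [method_arn])
    tenant = POOLS.get(claims.get("iss"))
    if tenant is None:                       # issuer is not one of our pools
        return deny
    if claims.get("token_use") != "access":  # ID tokens are not API credentials
        return deny
    if claims.get("exp", 0) <= now:          # expired token
        return deny
    # arn:aws:execute-api:region:account:apiId/stage/VERB/path -> "…apiId/stage"
    api_prefix = "/".join(method_arn.split("/")[:2])
    resources = [f"{api_prefix}/{verb}/{path}"
                 for group in claims.get("cognito:groups", [])
                 for verb, path in GROUP_ROUTES.get(group, [])]
    if not resources:                        # no recognised role: default deny
        return deny
    # Tenant context is derived from the verified issuer, not from a client header.
    return _policy(principal, "Allow", resources, {"tenantId": tenant})
```

Because the tenant ID is taken from the allow-listed issuer, a token from one tenant's pool cannot yield another tenant's context, whatever headers the client sends.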

As of June 2024, Amazon Cognito allows up to 1000 user pools per AWS region, with each pool supporting up to 40,000,000 users. While these limits are substantial, they can become a constraint if the application requires more than 1000 tenants. Here, it’s recommended to monitor for dropped tenants and potentially migrate this data over to another region.

Conclusion

There are various ways to implement a multitenant architecture in AWS. Choosing one approach initially and later discovering its limitations can pose significant challenges. Adopting a tried-and-tested approach from the outset can mitigate risks and ensure a more seamless implementation and management of security measures across diverse tenant requirements.

The architecture style also takes ease of maintainability into consideration, allowing teams to dedicate more time and effort to activities critical for business onboarding, such as optimizing user experience, developing core features, and enhancing application performance.

As Numino continues to learn from these architectural pattern implementations across its client base, proactive updates to this architecture style can be applied to the existing as well as new clients. This approach ensures that clients benefit from continuous enhancements and best practices, fostering a dynamic and evolving framework that adapts to industry trends and client feedback. Ultimately, this ongoing refinement process reinforces Numino’s commitment to delivering robust, future-proof solutions that meet the evolving needs of its clients effectively.