Resources for architects and developers of multitenant solutions
Architectures for multitenant applications
The following articles provide examples of multitenant architectures on Azure.
Architecture | Summary | Technology focus |
---|---|---|
Multitenant SaaS on Azure | Reference architecture for a multitenant SaaS scenario on Azure, which is deployed in multiple regions | Web |
Use Application Gateway Ingress Controller with a multi-tenant Azure Kubernetes Service | Example for implementing multitenancy with AKS and AGIC | Kubernetes |
All multitenant architectures | Lists all the architectures that include multitenancy | Multiple |
Cloud design patterns
The following cloud design patterns are frequently used in multitenant architectures.
Pattern | Summary |
---|---|
Deployment Stamps pattern | Deploy multiple independent copies (scale units) of application components, including data stores. |
Federated Identity | Delegate authentication to an external identity provider. |
Gatekeeper | Protect applications and services, by using a dedicated host instance that acts as a broker between clients and the application or service, validates and sanitizes requests, and passes requests and data between them. |
Queue-Based Load Leveling | Use a queue that acts as a buffer between a task and a service that it invokes, in order to smooth intermittent heavy loads. |
Sharding | Divide a data store into a set of horizontal partitions or shards. |
Throttling | Control the consumption of resources that are used by an instance of an application, an individual tenant, or an entire service. |
Antipatterns
Consider the Noisy Neighbor antipattern, in which the activity of one tenant can have a negative impact on another tenant's use of the system.
Microsoft Azure Well-Architected Framework
While the entirety of the Azure Well-Architected Framework is important for all solutions, pay special attention to the Resiliency pillar. The nature of cloud hosting leads to applications that are often multitenant, use shared platform services, compete for resources and bandwidth, communicate over the internet, and run on commodity hardware. This increases the likelihood that both transient and more permanent faults will arise.
Multitenant architectural guidance
- Architecting multitenant solutions on Azure (video): This video discusses how to design, architect, and build multitenant solutions on Azure. If you're building a SaaS product or another multitenant service, there's a lot to consider when you plan for high performance, tenant isolation, and to manage deployments. This session is aimed at developers and architects who are building multitenant or SaaS applications, including startups and ISVs.
- Azure Friday - Architecting multitenant solutions on Azure (video): This video from Azure Friday discusses how to design, architect, and build multitenant software-as-a-service (SaaS) solutions on Azure.
- Accelerate and De-Risk Your Journey to SaaS (video): This video provides guidance for transitioning to the software as a service (SaaS) delivery model - whether you're starting by lifting-and-shifting an existing solution from on-premises to Azure, considering a multitenant architecture, or looking to modernize an existing SaaS web application.
Resources for Azure services
Governance and compliance
- Organizing and managing multiple Azure subscriptions: It's important to consider how you manage your Azure subscriptions, as well as how you allocate tenant resources to subscriptions.
- Cross-tenant management experiences: As a service provider, you can use Azure Lighthouse to manage resources, for multiple customers from within your own Microsoft Entra tenant. Many tasks and services can be performed across managed tenants, by using Azure delegated resource management.
- Azure Managed Applications: In a managed application, the resources are deployed to a resource group that's managed by the publisher of the app. The resource group is present in the consumer's subscription, but an identity in the publisher's tenant has access to the resource group.
Compute
- Best practices for cluster isolation in Azure Kubernetes Service: AKS provides flexibility in how you can run multitenant clusters and can isolate resources. To maximize your investment in Kubernetes, you must first understand and implement AKS multitenancy and isolation features. This best practices article focuses on isolation for cluster operators.
- Best practices for cluster security and upgrades in Azure Kubernetes Service: As you manage clusters in Azure Kubernetes Service (AKS), workload and data security is a key consideration. When you run multitenant clusters using logical isolation, you especially need to secure resource and workload access.
Networking
Private Link
- Azure Private Link Service explanation and demos from provider (SaaS ISV) and consumer perspectives: A video that looks at the Azure Private Link service feature that enables multitenant service providers (such as independent software vendors building SaaS products). This solution enables consumers to access the provider's service using private IP addresses from the consumer's own Azure virtual networks.
- TCP Proxy Protocol v2 with Azure Private Link Service—Deep Dive: A video that presents a deep dive into TCP Proxy Protocol v2, which is an advanced feature of the Azure Private Link service. It's useful in multitenant and SaaS scenarios. The video shows you how to enable Proxy Protocol v2 in the Azure Private Link service. It also shows you how to configure an NGINX service to read the source private IP address of the original client, rather than the NAT IP, to access the service via the private endpoint.
- Using NGINX Plus to decode Proxy Protocol TLV
linkIdentifier
from the Azure Private Link service: A video that looks at how to use NGINX Plus to get the TCP Proxy Protocol v2 TLV from the Azure Private Link service. The video shows how you can then extract and decode the numericlinkIdentifier
, also calledLINKID
, of the private endpoint connection. This solution is useful for multitenant providers who need to identify the specific consumer tenant from which the connection was made. - SaaS Private Connectivity pattern: An example solution that illustrates one approach to automate the approval of private endpoint connections, by using Azure Managed Applications.
Web
- Claims based routing for SaaS solutions: This article discusses the usage of a reverse proxy to facilitate tenant routing and mapping requests to tenants, enhancing the management of backend services in SaaS solutions.
Storage and data
- Azure Cosmos DB and multitenant systems: A blog post discussing how to build a multitenant system that uses Azure Cosmos DB.
- Azure Cosmos DB hierarchical partition keys (private preview): A blog post announcing the private preview of hierarchical partition keys for Azure Cosmos DB for NoSQL. With hierarchical partition keys, also known as sub-partitioning, you can now natively partition your container with up to three levels of partition keys. This enables more optimal partitioning strategies for multitenant scenarios or workloads that would otherwise use synthetic partition keys.
- Azure SQL Database multitenant SaaS database tenancy patterns: A set of articles describing various tenancy models that are available for a multitenant SaaS application, using Azure SQL Database.
- Running 1 million databases on Azure SQL for a large SaaS provider: Microsoft Dynamics 365 and Power Platform: A blog post describing how Dynamics 365 team manages databases at scale.
- Design a multitenant database by using Azure Database for PostgreSQL Hyperscale
- Horizontal, vertical, and functional data partitioning: In many large-scale and multitenant solutions, data is divided into partitions that can be managed and accessed separately. Partitioning can improve scalability, reduce contention, and optimize performance. It can also provide a mechanism for dividing data, by the usage pattern and by the tenant.
- Data partitioning strategies by Azure service: This article describes some strategies for partitioning data in various Azure data stores.
- Building multitenant applications with Azure Database for PostgreSQL Hyperscale Citus (video)
- Multitenant applications with Azure Cosmos DB (video)
- Building a multitenant SaaS with Azure Cosmos DB and Azure (video): A real-world case study of how Whally, a multitenant SaaS startup, built a modern platform from scratch on Azure Cosmos DB and Azure. Whally shows the design and implementation decisions they made related to partitioning, data modeling, secure multitenancy, performance, real-time streaming from change feed to SignalR and more, all using ASP.NET Core on Azure App Services.
- Multitenant design patterns for SaaS applications on Azure SQL Database (video)
Messaging
- Azure Event Grid domains: Azure Event Grid domains allow you to manage multitenant eventing architectures, at scale.
- Service Bus sample: Cross-tenant communication using Azure Service Bus: Sample implementation of Azure Service Bus that shows how to communicate between a central provider and one or more customers (tenants).
Identity
- Tenancy in Microsoft Entra ID: Microsoft Entra ID has its own concept of multitenancy, which refers to operating across multiple Microsoft Entra directories. When working with Microsoft Entra apps, developers can choose to configure their app to be either single-tenant or multitenant.
- Custom-branded identity solution with Azure AD B2C: Azure Active Directory B2C is a customer identity access management solution that is capable of supporting millions of users and billions of authentications per day.
- Build a multi-tenant daemon with the Microsoft identity platform endpoint: This sample application shows how to use the Microsoft identity platform endpoint to access the data of Microsoft business customers in a long-running, non-interactive process. It uses the OAuth2 client credentials grant to acquire an access token, which it then uses to call the Microsoft Graph and access organizational data.
- Authenticate and authorize multitenant apps using Microsoft Entra ID: Learn how Microsoft Entra ID enables you to improve the functionality of cloud-native apps in multitenant scenarios.
- Azure Architecture Walkthrough: Building a multi-tenant Azure Architecture for a B2C scenario: a walk through the architecture behind a multi-tenant mobile app with Azure Active Directory B2C and API Management.
- Define and implement permissions, roles and scopes with Microsoft Entra ID in SaaS solution: This article covers three main concepts related to Microsoft Entra authentication & authorization, which can be used by SaaS providers. It covers Application Roles functionality, Delegated & Application permissions, and Scopes functionality.
Analytics
- Multitenancy solutions with Power BI embedded analytics: When designing a multitenant application that contains Power BI Embedded, you must carefully choose the tenancy model that best fits your needs.
IoT
- Multitenancy in IoT Hub Device Provisioning Service: A multitenant IoT solution will commonly assign tenant devices, by using a group of IoT hubs that are scattered across regions.
AI/ML
- Design patterns for multitenant SaaS applications and Azure Cognitive Search: This document discusses tenant isolation strategies for multitenant applications that are built with Azure Cognitive Search.
Community content
Kubernetes
- Three Tenancy Models For Kubernetes: Kubernetes clusters are typically used by several teams in an organization. This article explains three tenancy models for Kubernetes.
- Understanding Kubernetes Multi Tenancy: Kubernetes is not a multitenant system out of the box. While it's possible to configure multitenancy, this can be challenging. This article explains Kubernetes multitenancy types.
- Kubernetes Multi-Tenancy – A Best Practices Guide: Kubernetes multitenancy is a topic that more and more organizations are interested in as their Kubernetes usage spreads out. However, since Kubernetes is not a multitenant system per se, getting multitenancy right comes with some challenges. This article describes these challenges and how to overcome them as well as some useful tools for Kubernetes multitenancy.
- Capsule: Kubernetes multi-tenancy made simple: Capsule helps to implement a multitenancy and policy-based environment in your Kubernetes cluster. It is not intended to be yet another PaaS, instead, it has been designed as a micro-services-based ecosystem with the minimalist approach, leveraging only on upstream Kubernetes.
- Loft: Add Multi-Tenancy To Your Clusters: Loft provides lightweight Kubernetes extensions for multitenancy.
- Crossplane: The cloud native control plane framework: Crossplane enables you to build control planes for your own solution, by using a Kubernetes-based approach.
Contributors
This article is maintained by Microsoft. It was originally written by the following contributors.
Principal authors:
- John Downs | Principal Customer Engineer, FastTrack for Azure
- Paolo Salvatori | Principal Customer Engineer, FastTrack for Azure
- Arsen Vladimirskiy | Principal Customer Engineer, FastTrack for Azure
- LaBrina Loving | Principal Customer Engineering Manager, FastTrack for Azure
To see non-public LinkedIn profiles, sign in to LinkedIn.
Feedback
https://aka.ms/ContentUserFeedback.
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see:Submit and view feedback for