
Modernize Your SaaS Enterprise With AWS

Introduction

Modernize Your SaaS Enterprise With A Multi-Tenant Architecture on AWS

SaaS applications are the new normal nowadays, and software providers are looking to transform their web applications into a Software As a Service application. For this, the only solution is to build a Multi tenant architecture SaaS application. Have you ever wondered how Slack, Salesforce, AWS (Amazon Web Services), and Zendesk can serve multiple organizations? Does each one have its unique and custom cloud software per customer? For example, have you ever noticed that, on Slack, you have your own URL ‘yourcompanyname.slack.com’?

Here are the specific points that we will cover in the ebook in order to modernize your SaaS
Enterprise:

Index
1. What is a Multi tenant Architecture?
   Multi-tenant Benefits
   SaaS Technology Stack for an Architecture on AWS
2. Types of Multi-tenant SaaS Architectures
   The Application Layer Multi-tenancy
   The Database Layer Multi-tenancy
3. Application Code Changes
   Python Django Multi-tenancy in a nutshell*
   Wildcard DNS Subdomain: URL based SaaS application
   Web Server Setup with NGINX configuration
   SSL Certificates
4. Follow the 12-Factor Methodology Framework or Die Trying!
5. Multi-tenant SaaS Architecture Best Practices
   How is your SaaS Application going to scale?
Final Thoughts

www.clickittech.com info@clickittech.com +52 (844) 141-8485



Most people think that in the background, they created a particular environment for each organization, –application or codebase–, and believe that Slack customers have their own server/app environment. If this is you, you might have assumed that they have a repeatable process to run thousands of apps across all their customers. Well, definitely No. And the real solution is a Multi tenant architecture on AWS for a SaaS application.

This research is intended to showcase an overview of the strategies, challenges and constraints that DevOps and Software Developers are likely to face when architecting a SaaS multi-tenant application.

Visualize the Multi tenant Architecture on page 14

Let’s start with this impressive fact: 70% of all web applications are considered SaaS applications according to IDC Research. So, if you know about SaaS architecture and multi-tenant, you are probably covering 70% of the web application architecture landscape that would be available in the future.

“70% of all Web Apps are SaaS, have met the advantages of multi-tenant”


There are two concepts that are important for us to understand before starting:

Tenant = An organization, client or customer
User = A user inside a tenant.
*A tenant can have multiple, and even, thousands of users.

The next points are what we will explore in a Multi tenant architecture for your SaaS application, and my contributions will be:

1. What is a Multi tenant Architecture?

First of all, let’s dive into what a single tenant and a multi-tenant architecture are.

A single-tenant architecture (siloed model) is a single architecture per organization where the application has its own infrastructure, hardware, and software ecosystem. Let’s say you have ten organizations; in this case, you would need to create ten standalone environments, and your SaaS application or company will function as a single tenant architecture. Additionally, it implies more costs, more maintenance, and a level of difficulty to update across the environments.

A multi-tenant architecture is an ecosystem or model, in which a single environment can serve multiple tenants utilizing a scalable, available, and resilient architecture. The underlying infrastructure is completely shared, logically isolated, and with fully centralized services. The multi-tenant architecture evolves according to the organization or subdomain (organization.saas.com) that is logged into the SaaS application; and is totally transparent to the end-user.


Single Tenant vs Multi tenant

[Diagram: Single-Tenant SaaS application vs Multi-Tenant SaaS application]

Bear in mind that in this paper, we will discuss two Multi tenant architecture
models, one for the application layer and one for the database layer. Visit this
text in order to extend knowledge around Single Tenant vs Multi Tenant.


Multi-tenant Benefits

The adoption of a Multi tenant architecture approach will bring extensive valuable benefits for your SaaS application.

Let’s go through the next contributions:

a) A reduction of server Infrastructure costs utilizing a Multi tenant architecture strategy.
Instead of creating a SaaS environment per customer, you include one application environment for all your customers. This enables your AWS hosting costs to be dramatically reduced from hundreds of servers to a single one.

b) One single source of trust.
Let’s say again you have a customer using your SaaS, imagine how many code repositories you would have per customer? At least 3-4 branches per customer, which would be a lot of overhead and misaligned code releases. Even worse, visualize the process of deploying your code to the entire farm of tenants; it is extremely complicated. This is unviable and time-consuming. With a multi tenant SaaS architecture, you avoid this type of conflict, where you’ll have one codebase (source of trust), and a code repository with a few branches (dev/test/prod). By following below practices, –with a single command (one-click-deployment)–, you will quickly perform the deployment process in a few seconds.

c) Cost reductions of development and time-to-market.
Cost reduction considers a sequence of decisions to make, such as having a single codebase, a SaaS application environment, a multi-tenant database architecture, a centralized storage, APIs, and following The Twelve-Factor Methodology; all of them will allow you to reduce development labor costs, time-to-market, and operational efficiencies.


SaaS Technology Stack for an Architecture on AWS

In order to build a multi tenant architecture, you need to integrate the correct AWS web stack, including OS, language, libraries, and services to AWS technologies. This is just the first step towards creating a next-generation multi tenant architecture.

In case you haven’t chosen your web stack, hereafter, I’ll suggest you The Perfect AWS SaaS Tech Stack. Even though we will surface a few other multi-tenant architecture best practices, this article will be primarily oriented to this AWS SaaS web stack.

Let’s dive into our SaaS Technology Stack on AWS:

Programming Language

It doesn’t really matter which language platform you select. What is vital is that your application can scale, able to utilize multi-tenant architecture best practices, cloud-native principles, and a well-known language by the open-source community. The latest trends to build SaaS applications are Python + React + AWS. Another “variant” is Node.js + React + AWS, but in the end, the common denominators are always AWS and React. If you are a financial company, ML or AI, with complex algorithms or backend work, I’ll say you should go for Python.

On the other hand, if you are using modern technologies like real-time chats, mini feeds, streaming, etc.; then go for Node.js. If you want to learn more about it, I recommend this blog about the Basics of Multi tenant Node.js and PostgreSQL, where you’ll find valuable information about this topic. There is a market in the banking sector that is leveraging Java, but that’s for established enterprises. Any new SaaS application better goes with the mentioned web stack. Again, this is just what I’ve noticed as a trend, and what the community is demanding.


Note: This data comes from a survey that we performed a few months ago for Financial Services and SaaS companies.

Ideal languages: Python, Node.js, Java, React, Go

Cloud Provider

As a team of DevOps experts, I’ve noticed a cloud variation in the last two years, and which corresponds to these percentages: 70% of our DevOps implementations are based on AWS, 25% with Azure, and 5% go to GCP and DigitalOcean. Each year the trend is similar, with the exception that Azure is gradually growing with the years. Those are not only my words but also ideas supported by multiple DevOps Partners. So, I strongly recommend deploying your SaaS application under AWS. It has a number of benefits; every day there is a new service available for you, and a new feature that facilitates your development and deployment. Totally recommended to deploy your SaaS on AWS.

Why Build SaaS on AWS multi-tenancy?

Because the AWS Cloud is essential to perform the digital transformation. Over here, you’ll be able to find more details about Why Build SaaS on AWS.


Microservices

If you are planning to leverage the cloud, you must leverage cloud-native principles. One of these principles is to incorporate microservices with Docker. Make sure that your SaaS application is under microservices, which brings multiple benefits, including flexibility and standardization, easier to troubleshoot, problems isolation, and portability. Just like the cloud, Docker and microservices have transformed the IT ecosystem and will stay for a long while.

Microservices vs Monolith: Which is the best to build your SaaS application?

Container Orchestration Platform

This is a complicated and abstract decision; there are three options in AWS to manage, orchestrate, and create a microservice cluster environment.

Amazon ECS
It is the natural Amazon container orchestration system in the AWS ecosystem. (Highly recommended for startups, small SaaS, and medium SaaS).

Amazon Fargate
Almost Serverless, price, and management is per task. Minimal operational effort vs. ECS. There are some studies conducted by our DevOps team; in terms of performance, Fargate can be slower than ECS, so for this particular case, I would recommend Amazon ECS, instead of Fargate. Another thought is that if your team is pure developers and not planning to hire a DevOps engineer, perhaps Fargate is the way to go.

Amazon EKS
It is a managed service that makes Kubernetes on AWS easy to manage. Use Amazon EKS instead of deploying a Kubernetes cluster on an EC2 instance, set up the Kubernetes networking, and worker nodes. (Recommended for large SaaS apps and a sophisticated DevOps and web development Team). Read about the best practices you should consider for your Kubernetes multi tenancy SaaS application with Amazon EKS.

Which is the best? What shall you use?

Here is a video where I explain the main differences, pros, and cons of Kubernetes vs Amazon ECS; which is the best container orchestration?

Kubernetes vs Amazon ECS: Best Container Orchestration

"Looking for a hint? In the end, we chose Amazon ECS"

Database

The inherent database will be PostgreSQL with Amazon RDS. However, I strongly recommend that if you have a senior development team, and are projecting a high-traffic for your SaaS application, –or even hundreds of tenants–, you’d better architect your database with MongoDB. In addition to this, utilize the best practices that will be mentioned below about Multi tenant Database. In this case, I would go for Amazon RDS with PostgreSQL or DynamoDB (MongoDB).

“If you are projecting a high-traffic for your SaaS application, you’d better architect your database with MongoDB”

GraphQL or Amazon AppSync

GraphQL is a query language and an alternative to a RESTful API for your database services. This new and modern ecosystem is adopted as a middleman among the client and the database server. It allows you to retrieve database data faster, mitigate the over-fetching in databases, retrieve the accurate data needed from the GraphQL Schema, and mainly the speed of development by iterating more quickly than a RESTful service. Adopting a monolithic backend application into a Multi tenant microservice architecture is the perfect time to leverage GraphQL or AppSync. Hence, when transforming your SaaS application, don’t forget to include GraphQL!

Note: I didn’t include this service in the AWS SaaS architecture diagram, because it is implemented in multiple ways, and it would require an in-depth explanation on this topic.

Automation

You need a mechanism to trigger or launch new tenants/organizations and attach it to your multi tenant SaaS architecture. Let’s say you have a new client that just subscribed to your SaaS application, how do you include this new organization inside your environment, database, and business logic? You need an automated process to launch new tenants; this is called Infrastructure as Code (IaC). This script/procedure should live within a git or bitbucket repository, one of the fundamental DevOps principles. A strong argument to leverage Automation and IaC is that you need a mechanism to automate your SaaS application for your code deployments. In the same lines, automate the provisioning of new Infrastructure for your Dev or Test environments.

Infrastructure As Code and Automation Tools

It doesn’t matter which Infrastructure as Code Tool to use, they are both useful (Terraform and CloudFormation); they do the same job, and are highly known by the DevOps community. I don’t have a winner, they are both good. However, if you want to know more about the advantages and disadvantages of each of them, I recommend this blog about Terraform vs Amazon CloudFormation.

Terraform (from Hashicorp)
A popular Cloud-agnostic tool. Used widely for all DevOps communities. It is easier to find DevOps with this skill.


AWS CloudFormation
It is easier to integrate with Amazon Web Services, AWS built-in Automation tool. Whenever there is a new Amazon technology just released, the compatibility with AWS and CloudFormation is released sooner than Terraform. Trust on an AWS CloudFormation expert to automate and release in a secure manner.

Message Queue System (MQS)

The common MQS are Amazon SQS, RabbitMQ, or Celery. What I suggest here is to utilize the service that requires you less operation, in this case, Amazon SQS. There are multiple times that you need asynchronous communication. From delaying or scheduling a task, to increasing reliability and persistence with critical web transactions, decoupling your monolithic or micro-service application, and, most importantly: using a Queue System to communicate Event-driven Serverless applications (Amazon Lambda functions).

Caching System

AWS ElastiCache is a caching and data storage system that is fully scalable, available, and managed. It aims to improve the application performance of distributed cache data and in-memory data structure stores. It’s an in-memory key-value store for Memcached and Redis engines. With a few clicks, you can run this AWS component entirely self-managed. It is essential to include a caching system for your SaaS application.


Cloud Storage System

Amazon S3 and Amazon CloudFront CDN for your static content. All static content, including images, media and HTML, will be hosted on Amazon S3, –the cloud system with infinite storage and elasticity. In front of Amazon S3 we will include AWS CloudFront, integrating this pair of elements is vital, in order to cache the entire static content and reduce bandwidth costs.

SaaS Multi tenant web stack architecture and diagram on AWS (Amazon Web Services).


2. Types of Multi-tenant SaaS Architectures

One of the most important questions among the multitenant adoption would be which Multi tenant architecture suits better for your SaaS Application on AWS. We will explore the two layers needed to enable your application to act as a real SaaS application since it is paramount to decide which multi-tenant architecture you’ll incorporate in your SaaS application from the application and database layer. These two types of multi-tenant architectures are the Application layer Multi-tenancy and the Database layer Multi-tenancy.

The Application Layer Multi-tenancy

The application layer is an architectural design that enables hosting for tenants and is primarily delivered for Software as a Service applications (SaaS apps). In this first model the application layer is commonly shared among multiple customers.

Monolithic Architecture for SaaS.

Probably, if you haven’t seen this article before, –or if you have already developed and architected your own SaaS application–, I’m sure you have fallen into this approach. The monolithic components include EC2 instances in the web tier, app tier, and Amazon RDS with MySQL for your Database. The monolithic architecture is not a bad approach, with the exception that you are wasting resources massively in the mentioned tiers. At least around 50% and 70% of your CPU/RAM usage is wasted due to the nature of the monolithic (cloud) architecture.

Pros:
- Easy-to-build approach.
- Minimal configuration.
- Multi tenant database.


Cons:
- Waste of AWS resources.
- Not very fault-tolerant per service (If the app tier goes down, the whole backend is down).
- When deploying your code, you have to deploy all your services within the app-tier, and not just with a specific isolated service.
- Not flexible to maintain.
- Slows time to market.
- HIPAA and PCI compliance constraints.

Monolithic Architecture Diagram


Microservices Architecture for SaaS with Containers and Amazon ECS

Microservices are a recommended type of architecture since they provide a balance between modernization and maximum use of available cloud resources (EC2 instances and compute units). As well as it introduces a decomposed system with more granular services (microservices). We won’t touch much about the Microservice benefits since it’s widely expressed in the community. However, I’ll recommend you to utilize the formula of Multi tenant architecture + AWS Services + microservices + Amazon ECS as the container orchestrator; they can be the perfect match. Mainly, consider that Amazon ECS gives fewer efforts to configure your cluster and more NoOps for your DevOps team.

With a talented team, the best Multi-tenant SaaS architecture approach would be this use case scenario. Along the same lines, it covers the SaaS software and architecture’s main attributes, including agility, innovation, repeatability, reduced cycle time, cost efficiency, and manageability.

The perfect match
Multi tenant architecture + AWS Services + microservices + Amazon ECS

Pros:
- Adds a key DevOps principle: Loosely coupled architecture.
- Easier to deploy new code to production.
- Helps perform smaller deployments per microservice with better agility.
- Pure and real distributed service.
- Repeatability and manageability.
- A much better level of resource utilization than monolithic.

By 2022, 90% of all new apps will feature microservices architectures that improve the ability to design, debug, update, and leverage third-party code; 35% of all production apps will be cloud-native
- Forbes, 2019


Cons:
- A decent grade of complexity to create the microservices architecture and the ECS clustering.
- Amazon ECS natively lives in the AWS Cloud; you can't port this service into another cloud provider since it is a proprietary service from AWS.

Microservices Architecture Diagram (components shown: User Devices, Internet, AWS Cloud, CloudFront Distribution, VPC, public subnets, Application Load Balancer, S3 Media, private subnets, EC2 instances, ECS Cluster with Microservices A, B and C for Organization 1 through Organization N, ECR Docker Registry, PostgreSQL for Organization 1 through Organization N)


Kubernetes Architecture for SaaS with Amazon EKS

What about Kubernetes or Amazon EKS?... you might be wondering. Well, Kubernetes is another alternative of microservice architecture which adds an extra layer of complexity in the SaaS equation. However, you can overcome this complexity by leveraging Amazon EKS, –Amazon Elastic Container Service for Kubernetes; the managed Kubernetes service from Amazon–, which is a de facto service by the Kubernetes community.

What highlights of this component from the rest of the architectures is that it provides the use of namespaces. This attribute aids to isolate every tenant and its own environment within the corresponding Kubernetes cluster. In this sense, you don’t have to create different clusters per each tenant (you could, but in order to satisfy a different approach). By using ResourceQuota you can limit the resources used per namespace and avoid creating noise to the other tenants. Another point to consider is that if you would like to isolate your namespaces, you need to include Kubernetes Network policies because by default the networking is open, and can communicate across namespaces and containers.

Here is a comparison of Amazon ECS vs Kubernetes. You can also visit our YouTube channel and watch a video that compares and declares which is the Best Container. Alternatively, –if you have a SaaS enterprise–, I'd better recommend controlling your microservice via Amazon EKS or Kubernetes since it allows you to have more granular changes.

Pros:
- Same pros as the microservices architecture with Amazon ECS.
- Exceptional in-depth custom SaaS configuration.
- Used more by SaaS companies.

Cons:
- The classic, a higher learning curve vs Amazon ECS.
- A re-architecture of your SaaS application.
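The per-tenant namespace, ResourceQuota and NetworkPolicy described above can be generated at tenant onboarding time. The script below is an added example, not code from the ebook; the function names, the `tenant-<name>` namespace convention, the quota values and the `ingress-nginx` namespace are assumptions, and the output is JSON that `kubectl apply -f -` accepts.

```python
import json
import re

# Namespace names must be RFC 1123 DNS labels: lowercase alphanumerics and '-', max 63 chars.
_DNS_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def tenant_manifests(tenant, cpu="2", memory="4Gi", pods="20", ingress_namespace=None):
    """Build Namespace, ResourceQuota and NetworkPolicy objects for one tenant.

    Quota values are illustrative (assumed), not recommendations from the ebook.
    """
    ns = f"tenant-{tenant}"
    if not isinstance(tenant, str) or not _DNS_LABEL.fullmatch(ns):
        raise ValueError(f"tenant {tenant!r} does not yield a valid namespace name")

    namespace = {
        "apiVersion": "v1",
        "kind": "Namespace",
        "metadata": {"name": ns, "labels": {"tenant": tenant}},
    }

    # Caps what one tenant can consume, so a noisy tenant cannot starve the others.
    # With a compute quota in place, pods that declare no requests/limits are
    # rejected unless a LimitRange in the namespace supplies defaults.
    quota = {
        "apiVersion": "v1",
        "kind": "ResourceQuota",
        "metadata": {"name": "tenant-quota", "namespace": ns},
        "spec": {"hard": {
            "requests.cpu": cpu, "requests.memory": memory,
            "limits.cpu": cpu, "limits.memory": memory,
            "pods": pods,
        }},
    }

    # An empty podSelector selects every pod in the namespace. The only allowed
    # ingress source is pods of the same namespace, so traffic from other
    # tenants' namespaces is dropped.
    allowed_from = [{"podSelector": {}}]
    if ingress_namespace:
        # Let the ingress controller's namespace in as well (assumed name);
        # this label is set automatically on namespaces by recent Kubernetes.
        allowed_from.append({"namespaceSelector": {
            "matchLabels": {"kubernetes.io/metadata.name": ingress_namespace}}})
    policy = {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "same-namespace-only", "namespace": ns},
        "spec": {
            "podSelector": {},
            "policyTypes": ["Ingress"],
            "ingress": [{"from": allowed_from}],
        },
    }
    return [namespace, quota, policy]


def render(manifests):
    """Wrap the objects in a v1 List so they can be applied in one call."""
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": manifests}, indent=2)


if __name__ == "__main__":
    # Constructed sample tenant.
    print(render(tenant_manifests("org1", ingress_namespace="ingress-nginx")))
```

NetworkPolicy objects only take effect when the cluster's network plugin enforces them, so the policy should be verified from a pod in another tenant's namespace after it is applied.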


So, how would a Kubernetes Multi tenant architecture look like? Here is a simple Kubernetes Multi-tenant architecture and siloed by its respective namespaces.

Kubernetes Architecture Diagram (components shown: User Devices, Internet, AWS Cloud, VPC, public subnets, Application Load Balancer, private subnets, EC2 Master Node (Control Plane), Amazon Kubernetes Service, NGINX Ingress Controller, EC2 Worker Nodes running containers in Namespace Organization 1 through Namespace Organization N, DB for Organization 1 through Organization N)

Serverless Architecture for SaaS on AWS

The dream of any AWS architect is to create a Multi tenant SaaS architecture with a Serverless approach. That's a dream that can come true as a DevOps or SaaS architect, but it especially adds a fair amount of complexity as a tradeoff. Additionally, it requires a reasonable amount of collaboration time with your dev team, extensive changes of code application, and a transformative Serverless mindset. Given said that, anyhow in a few years, it will be the ultimate solution, and it all depends on the talent, capabilities, and use case.

A Serverless SaaS architecture enables applications to obtain more agility, resilience, and fewer development efforts, a truly NoOps ecosystem. Serverless is disrupting the IT stack, and you still on-premises? Go through this paper I created a few months ago which shows more details about the serverless ecosystem.


At a high-level, what are the new parts of this next-generation serverless SaaS architecture?

Every call becomes an isolated tenant call, either going to a logical service (Lambda function) or going to the database data coming from the Amazon API Gateway as an entry point in the serverless SaaS application. Now that you have decoupled every logical service, the authentication and authorization module needs to be handled by a third-party service like Amazon Cognito, which will be the one in charge to identify the tenant, user, tier, IAM tenant role, and bring back an STS token with these aspects. Particularly, the API Gateway will route all the tenant functions to the correct Lambda functions matching the STS Token.

Here is a diagram of a multi tenant architecture example for AWS SaaS Applications that are using serverless.

Serverless Architecture Diagram


The Database Layer Multi-tenancy

The multi-tenancy concept comes with different architecture layers. We have already advocated the multi-tenancy application layer and its variants. Now, it is time to explore multi-tenancy in the Database layer, which is just another aspect to consider while building a SaaS Application. Paradoxically, the easiest and cost-effective Multi-tenant database architecture is the pure and real database multi-tenancy.

The Database layer is right the opposite of the previous model, the application layer. Over here, the DB layer is kept in common among tenants, and the application layer is isolated. As a next step, you need to evaluate what Multitenant database architecture to pursue with tables, schemas, or siloed databases.

When choosing your database architecture there are multiple criteria to assess: Scalability (Number of tenants, storage per-tenant, workload), Tenant isolation, database costs (per tenant costs), development complexity (changes in schemas, queries, etc.), and operational complexity (Database clustering, update tenant data, database administration, and maintenance).

Single Database: A Table Per Tenant

A table per tenant single database refers to a pure database multi-tenancy and pooled model. This database architecture is the common and the default solution by DevOps or software architects. It is very cost-effective when having a small startup or a few dozen organizations. It consists of leveraging a table per each organization within a database schema. There are specific trade-offs for this architecture, including the sacrifice of data isolation, noise among tenants, and performance degradation –meaning that one tenant can overuse compute and RAM resources from another. Lastly, every table name has its own tenantID, which is very straightforward to design and architect.
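Because the table-per-tenant model builds each table name from the tenant ID, that name is the only barrier between tenants in the shared database. The sketch below is an added example, not code from the ebook; it uses SQLite in place of PostgreSQL so that it runs stand-alone, and the `TenantStore` class, the `invoices_<tenant>` naming and the sample rows are assumptions.

```python
import re
import sqlite3

# The tenant ID ends up inside a table name, where SQL parameters cannot be
# used, so only a strict allowlist pattern is accepted.
_TENANT_ID = re.compile(r"[a-z][a-z0-9_]{0,30}")


def tenant_table(tenant_id):
    """Map a tenant ID to its table name, refusing anything but a plain identifier."""
    if not isinstance(tenant_id, str) or not _TENANT_ID.fullmatch(tenant_id):
        raise ValueError(f"invalid tenant id: {tenant_id!r}")
    return f"invoices_{tenant_id}"


class TenantStore:
    """Data access bound to one tenant.

    The table name is fixed at construction, so no query method takes a tenant
    ID or table name and a call site cannot read another tenant's table by mistake.
    """

    def __init__(self, conn, tenant_id):
        self._conn = conn
        self._table = tenant_table(tenant_id)
        self._conn.execute(
            f'CREATE TABLE IF NOT EXISTS "{self._table}" '
            "(id INTEGER PRIMARY KEY, customer TEXT NOT NULL, amount_cents INTEGER NOT NULL)"
        )

    def add_invoice(self, customer, amount_cents):
        # Row values always travel as bound parameters, never via string formatting.
        cur = self._conn.execute(
            f'INSERT INTO "{self._table}" (customer, amount_cents) VALUES (?, ?)',
            (customer, amount_cents),
        )
        return cur.lastrowid

    def invoices(self):
        rows = self._conn.execute(
            f'SELECT customer, amount_cents FROM "{self._table}" ORDER BY id'
        )
        return rows.fetchall()


def demo():
    """Two constructed tenants sharing one database, each seeing only its own rows."""
    conn = sqlite3.connect(":memory:")
    org1 = TenantStore(conn, "org1")
    org2 = TenantStore(conn, "org2")
    org1.add_invoice("Alice", 1200)
    org2.add_invoice("Bob", 990)
    org2.add_invoice("Carol", 450)
    return org1.invoices(), org2.invoices()


if __name__ == "__main__":
    print(demo())
```

In a request handler the store would be created once per request from the authenticated tenant, so the tenant ID never comes from a query parameter or request body.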


In regard to data isolation and compliance, let’s say that one of your developers makes a mistake and brings the wrong tenant information to your customer. Imagine the data breach! Please ensure never to expose information from more than one tenant; that's why SaaS applications get compliant. This architecture model is not recommended, however, it is widely used because of its cost-effectiveness.

Alternative single-tenant database architecture: a Shared table, in a single schema, in a single database. Perfect for DynamoDB. (We didn’t cover this approach - FYI)

Pros:
- Lowest cost per tenant.
- The easiest architecture to scale your database (however, you always have a limit).
- Great approach for hundreds/thousands of tenants.

Cons:
- Hard to troubleshoot a single-tenant per table.
- Hard to backup and restore a single tenant per table.
- Reaching the single database limits, it becomes extremely difficult to control.
- Low tenant isolation.

Single Database: A Schema Per Tenant

A schema per tenant single database, also known as the bridge model, is a multi-tenant database approach which is still very cost-effective and more secure than the pure tenancy (DB pooled model), since you are with a single database, with the exception of the database schema isolation per tenant. If you are concerned about data partitioning, this solution is slightly better than the previous one (a table per tenant). Similarly, it is simple to manage across multiple schemas in your application code configuration.

One important distinction to notice is that with more than 100 schemas or tenants within a database, it can provoke a lag in your database performance. Hence, it is recommended to split the database into two and add the second database as a replica. However, the best database tool for this approach is PostgreSQL, which supports multiple schemas without a lot of complexity. And lastly, this strategy of –a schema per tenant– shares resources, compute, and storage across all its tenants. As a result, it provokes noisy tenants that utilize more resources than expected.

Pros:
- Low development complexity.
- This pattern is best used for a few dozens of schemas.
- More secure vs pooled model (table per tenant).
- You can customize specific schemas per tenant (a different version per schema).
- Scales horizontally.

Cons:
- It doesn’t comply with PCI, HIPAA or FedRAMP regulations. However, if you don't need them, who cares?
- Can get slower by the fact that loading a specific schema can be an expensive operation.
- Medium tenant isolation.
- Updating a database structure would need an update to all schemas.


Database Server Per Tenant

Also called the Siloed model, where you need a database instance per customer. Expensive, but the best for isolation and security compliance. This technique is significantly more costly than the rest of multi-tenant database architectures, but it complies with security regulations; the best for performance, scalability, and data isolation. This pattern uses one database server per tenant, it means that if the SaaS app has 100 tenants, therefore there will be 100 database servers, extremely costly.

When PCI, HIPAA or SOC2 is needed, it is vital to utilize a database siloed model, or at least find a workaround with the correct IAM roles and the best container orchestration –either Kubernetes or Amazon ECS namespaces–, a VPC per tenant and encryption everywhere.

Pros:
- Low development complexity.
- High tenant and data isolation.
- Widely used and accepted by the customer.

Cons:
- Highest costs per tenant.
- Complex to manage n-number of database servers (hard management).
- Hard to scale more than 100 servers.
- Scales vertically.

Multi tenant Database Architecture Tools

Amazon RDS with PostgreSQL (best option).


DynamoDB (a great option for a single-tenant database with a single shared table).

Amazon RDS with MySQL (a good option).

GraphQL: As described previously, use it in front of any of these databases to increase speed on data retrieval, speed on development, and as an alternative to RESTful API, which helps to relieve requests from the backend servers to the client.

3 Application Code Changes


Once you have selected your Multi tenant strategy in every layer, let’s start considering what needs to change at the code level. If you have decided to adopt Django, from Python, for your SaaS application, then you need a few tweaks to align your current application with your Multi-tenant architecture from the database and application layer.

Fortunately, web application languages and frameworks are able to capture the URL or subdomain that is coming from the request. The ability to obtain this information (subdomain) at runtime is critical to handling dynamic subdomains for your Multi-tenant architecture. We won’t cover in depth what lines of code we need to include in your Django application –or in any other framework–, but at least I’ll let you know what items should be considered in this section.


Python Django Multi-tenancy in a nutshell*

1. Add an app called tenant.py, a class for tenantAwareModel with multiple pool classes.
2. In order to identify tenants, you need to give each tenant a subdomain; to do so, make a few DNS changes, Nginx/Apache tweaks, and add a utility method (utils.py). Now, whenever you have a request, you can use this method to get the tenant.
3. Determine how to extract the tenant utilizing the host header (subdomain).
4. Admin isolation.

* Previous code suggestions could change depending on the architecture.
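As an added illustration of steps 2 and 3 (not code from the ebook), here is a framework-independent version of the utils.py helper that resolves a tenant from the Host header. Because that header is supplied by the client, it is validated against the base domain and a tenant registry before use. The function names, the reserved labels and the registry contents are assumptions; in Django the host value would come from request.get_host().

```python
import re

BASE_DOMAIN = "saas.com"            # assumption: the ebook's example domain
RESERVED = {"app", "www", "admin"}  # assumption: labels that are never tenants
# A single DNS label: a-z, 0-9, inner hyphens only, 1 to 63 characters.
LABEL_RE = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

# Constructed registry; in Django this would be a lookup on a Tenant model.
TENANTS = {
    "org1": {"id": 1, "schema": "tenant_org1"},
    "org2": {"id": 2, "schema": "tenant_org2"},
}


class UnknownTenant(Exception):
    """The Host header does not map to a registered tenant."""


def subdomain_from_host(host, base_domain=BASE_DOMAIN):
    """Return the tenant label for a Host header value, or None if invalid."""
    if not host:
        return None
    name, sep, port = host.strip().lower().partition(":")
    if sep and not port.isdigit():      # only an optional numeric port is allowed
        return None
    name = name.rstrip(".")             # tolerate a fully qualified trailing dot
    suffix = "." + base_domain
    if not name.endswith(suffix):       # rejects "org1.saas.com.evil.example"
        return None
    label = name[: -len(suffix)]
    # Exactly one label in front of the base domain, and not a reserved one.
    if not LABEL_RE.fullmatch(label) or label in RESERVED:
        return None
    return label


def get_tenant(host, tenants=TENANTS):
    """Resolve a request host to a tenant record; fail closed when unknown."""
    label = subdomain_from_host(host)
    if label is None or label not in tenants:
        raise UnknownTenant(host)
    return tenants[label]
```

Raising on an unknown host, instead of falling back to a default tenant, keeps a request with an unexpected Host value from ever being served another tenant's data.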

Wildcard DNS Subdomain: URL based SaaS application

Basically, every organization must have its own subdomain, and they are quite useful for identifying organizations. Per tenant, it is a unique dedicated space, environment, and custom application (at least logically); for example, ‘org1.saas.com’, ‘org2.saas.com’, and so on. This URL structure will dynamically provision your SaaS multi-tenant application, and this DNS change will facilitate the identification, authentication, and authorization of every tenant. However, another workaround is called path-based per tenant, which is not recommended, for example, ‘app.saas.com/org1/…’, ‘app.saas.com/org2…’, and so on.

So, the following is required in this particular section:

1. A wildcard record should be in place in your DNS management records.
2. This wildcard subdomain redirects all routes to your Multi-tenant architecture (either to the load balancer, application server or cluster end-point).


3. Similarly, a CNAME record labeled (*) pointing to your ‘app.saas.com’ or ‘saas.com/login’. An asterisk (*) means a wildcard to your app domain.
4. As a final step, another (A) record pointing your ‘app.saas.com’ domain to your Amazon ECS cluster, ALB, or IP.

DNS Records entries:

*.saas.com      CNAME       ‘app.saas.com’
app.saas.com    A           1.2.3.4
OR
app.saas.com    A (alias)   balancer.us-east-1.elb.amazonaws.com

Note: An (A) Alias record is when you are utilizing an ALB/ELB (Load Balancer) from AWS.

Web Server Setup with NGINX configuration

Let’s move down to your web server, specifically Nginx. In this stage, you will need to configure your nginx.conf and server blocks (virtual hosts). Set up a wildcard vhost for your Nginx web server. Make sure it is an alias (ServerAlias) and a catch-all wildcard site. You don’t have to create a subdomain VirtualHost in Nginx per tenant; instead, you need to set up a single wildcard VirtualHost for all your tenants. Naturally, the wildcard pattern will match your subdomains and route accordingly to the correct and unique path of your SaaS app document root.

SSL Certificates

Just don’t forget to deal with the certificates under your tenant subdomains. You would need to add them either in the Cloudfront CDN, Load balancer, or in your web server.

Note: This solution can be accomplished using the Apache web server.


4 Follow the 12-Factor Methodology Framework or Die Trying!

Following the 12-factor methodology represents the pure DevOps and cloud-native principles, including immutable infrastructure, dev/test and prod parity with Docker, CI/CD principles, stateless SaaS application, and more.

Willing to know more about the 12-factor methodology? This article deeply explains how to adopt the 12-factor methodology for any SaaS application on AWS.

5 Multi-tenant SaaS Architecture Best Practices

We’re in the last section of this multitenant ebook for SaaS apps, and before ending and declaring a conclusion, I’d like to suggest the best practices of multi-tenant Architectures for SaaS applications. Let’s go into the best of them.

How is your SaaS Application going to scale?

Consider following a strategy on how to scale your SaaS application, here is a good one:

1. Amazon AutoScaling, either with ec2 instances or microservices.
2. Database replication with Amazon RDS, Amazon Aurora or DynamoDB.
3. Application Load Balancer.
4. Including a CloudFront CDN for your static content.
5. Amazon S3 for all your static/media content.


6. Caching system including Redis/Memcached or its equivalent in the AWS cloud - Amazon ElastiCache.
7. Multi-availability zone set up for redundancy and availability.

More details about how to scale a SaaS Application.

Practice #1: Code Deployments with CI/CD

Another crucial aspect to consider is how to deploy your code releases across tenants and your multiple environments (dev, test, and prod). You will need a Continuous Integration and Continuous Delivery (CI/CD) process to streamline your code releases across all environments and tenants. If you follow-up on my previous best practices, it won't be difficult. The CI/CD practice is another world that your DevOps team needs to get familiar with, but with a team like ClickIT. CI/CD is just one of the five principles of DevOps practices, and it is pretty lean for us to adopt it into your SaaS application.

Ready to go?

What tools to embrace CI/CD?

CI/CD Tools: Jenkins, CircleCI, or AWS CodePipeline (along with CodeBuild and CodeDeploy).

My advice: If you want a sophisticated DevOps team and a widely known tool, go for Jenkins; otherwise, go for CircleCI. If you want to keep leveraging AWS technologies exclusively... then go for AWS CodePipeline. But if you’re looking for compliance, banks, or regulated environments, go for GitLab.

team needs to get familiar with, but


Practice #2: DevOps Automation

The purpose is to automate the whole new tenant creation process, so how are you creating new tenants per subscription? Identify the process of launching new tenants into your SaaS environment. You need to trigger a script to launch or attach the new Multi tenant environment to your existing Multi-tenant architecture, meaning to automate the setup of new tenants. Consider that it can be after your customer gets registered in your onboarding page, or you need to trigger the script manually.

Automation tools:
Terraform (Recommended)
Amazon CloudFormation (Trust on an AWS CloudFormation certified team)
Ansible

Note: Ensure you utilize Infrastructure As Code principles in this aspect.

Practice #3: Siloed compute and siloed storage.

How will your architecture be isolated from other tenants? You just need to identify the following: every layer of the SaaS application needs to be isolated. The customer workflow is touching multiple layers, pages, backend, networking, front-end, storage, and more bits, so… How is your isolation strategy?

Keep in mind the following aspects:

1. IAM Roles per function or microservices.
2. Amazon S3 security policies.


3. VPC isolation.
4. Amazon ECS / Kubernetes Namespace isolation.
5. Database isolation (tenant per table/schema/silo database).

Practice #4: Tenant compute capacity.

Have you considered how many SaaS tenants it can support per environment? Just think, you have 99 tenants, compute/database load is almost at the limits, do you have a ready environment to support the new tenants? What about the databases? You have a particular customer that wants an isolated Tenant environment for its SaaS application. How would you support an extra Tenant environment that is separated from the rest of the multi-tenant architecture? Would you do it? What are the implications? Just consider a scenario for this aspect.

Practice #5: Tenant clean-up

What are you doing with the tenants that are idle or not used anymore? Perhaps a clean-up process for any tenant that has been inactive for a prolonged period, or remove unused resources and tenants by hand… but you need a process or automation script.

Conclusions

Multi-tenant architecture and SaaS applications under AWS… what a topic that we just discovered! Now you understand the whole SaaS architecture cycle from end-to-end, including server configuration, code, and what architecture pursues per every IT layer. As you can notice, there is no global solution for this ecosystem. There are multiple variants per each IT layer, either all fully multi-tenant, partially tenant or just silo tenants. It falls more on what you need, budget, complexity, and the expertise of your DevOps team. I strongly recommend going for microservices (ECS/EKS), partially multi-tenant in the app, and database layer. As well, include cloud-native principles, and finally, adopt the multi-tenant architecture best practices and considerations described in this article. That being said, brainstorm your SaaS architecture firstly by thinking on how to gain agility, cost-efficiency, IT labor costs, and leveraging a Nearshore collaboration model (which adds another layer of cost-savings).

If you ever need a hand on how to architect your SaaS application, execute the whole AWS/DevOps projects and follow these principles, or just hire a DevOps engineer to fulfill your DevOps needs, just contact us via our official website at clickittech.com.

ClickIT is an AWS Select partner with multiple AWS Certifications. Every engineer on ClickIT loads more than 10 DevOps projects based on SaaS architectures and cloud-native applications including PHP, Laravel, React, Angular, NodeJS, Python, Go, Ruby, and Java. In the DevOps space, we work with any cloud provider you’re willing to use (Azure, AWS, Digital Ocean, and Google Cloud), with any CI/CD, including Jenkins, CircleCI, bitbucket, and more. In that regard, automation with Terraform and CloudFormation is our best choice. And even better, most of our AWS and DevOps projects are following PCI, HIPAA, and SOC2 regulations. If you are a fintech, healthcare, or SaaS company, well, you know these types of requirements are a must in your processes.

About Clickit

ClickIT is an experienced Cloud and DevOps Nearshore Solution Provider for 10 years.
Our competencies are Financial Services, Healthcare, MarTech, Ecommerce, Big Data &
Analytics and our Experience comes with startups and mid-large enterprises. We are AWS
and GCP certified partners with an experience of helping more than 200 product and service-centric companies based out of the US with their cloud migration and DevOps initiatives.
