jkisolo.com

Building a Robust Multi-Tenant Serverless Application: Essential Insights


Understanding Multi-Tenancy in Serverless Applications

Creating a multi-tenant application can be intricate and may lead to complications if certain crucial aspects are overlooked.

A few years back, I had the opportunity to lead a team of engineers tasked with exploring how to build applications in the cloud. We had minimal guidelines, just a broad vision of what we were supposed to accomplish. This might sound like a developer's paradise, and in many ways, it was.

However, navigating the complexities of cloud development from an enterprise viewpoint proved to be a formidable challenge. We needed to grasp the essence of cloud computing, understand CI/CD processes, delve into serverless architectures, learn to design NoSQL data models, and make decisions regarding microservices structure. Additionally, we had to understand cloud cost analysis and, importantly, figure out multi-tenancy and how to implement it effectively.

The list of challenges we faced was extensive, filled with nuanced details. Despite this, the experience was rewarding.

Among all the concepts, frameworks, and design patterns we explored, one of the most challenging was multi-tenancy. While we were familiar with the theory, actual implementation was a different story.

What is Multi-Tenancy?

When I discuss multi-tenancy, I often encounter the question: "What exactly is a tenant?"

There’s no one-size-fits-all answer. For our team, a tenant referred to a paying customer, while for others, it might have a different connotation. This variation reflects how we chose to implement segmentation in our application.

A tenant can be defined as a group of users who share access to a specific set of data. In a multi-tenant system, numerous groups of users share the same application instance but have access only to their designated data.

This model is advantageous for larger applications, simplifying release management since you don’t need to deploy a separate instance for every customer. However, this setup carries risks; if one tenant encounters an issue, it could potentially affect all users.

Implementing Multi-Tenancy in a Serverless Environment

To clarify these concepts, I'll showcase a GitHub repository containing a fully functional multi-tenant application designed to manage state parks.

Each defined role in the system grants access to various endpoints, and users can hold multiple roles, expanding their access to different features. Although users can belong to multiple tenants, they can only have one "active" tenant at a time, which streamlines authentication and maintains data boundaries.

By switching tenants, users change the data they can access. In our reference application, the roles assigned to users are based on their active tenant, allowing for varied access control.

Authorization Strategies

While Amazon Cognito offers various multi-tenancy options, our example focuses on a request-based Lambda authorizer that assesses the caller's identity and identifies their active tenant. This authorizer operates in front of an API gateway, evaluating the provided authentication token and returning an IAM policy for the user.

To visualize the authorizer's flow:

Lambda Authorizer Flow Diagram

Our example leverages the authorizer context to enrich data passed to downstream services. The context includes user details and can look like this:

{
  "userId": "testuserid",
  "tenantId": "texas",
  "email": "[email protected]",
  "roles": "[\"admin\"]",
  "firstName": "Test",
  "lastName": "User"
}

The operational flow of our Lambda authorizer involves several key steps:

  1. Validate JWT: The workflow authenticates the JWT from the Authorization header.
  2. Load User Details: User information, including the active tenant and roles, is retrieved from DynamoDB.
  3. Determine Access Policy: Based on the roles of the active tenant, an IAM policy is constructed for allowed endpoints.
  4. Build Authorizer Context: A data object containing user information is created for downstream services.
  5. Return Policy and Context: The access policy is sent back to the API Gateway for endpoint access evaluation.

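Passing tenant information through the authorizer context enhances security in multi-tenant environments: the tenant ID is resolved server-side from the validated token and the user record, so downstream services never rely on a tenant value supplied in the request, and malicious users cannot manipulate it.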
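Steps 2 through 5 above in Python, as an added example that is not taken from the referenced repository. It assumes the JWT was already verified in step 1 and that `claims` holds its payload; the in-memory `USERS` dict stands in for DynamoDB, and its schema, the `ROLE_ROUTES` map, the email address and the ARN used to call it are constructed.

```python
import json

# Constructed stand-in for the DynamoDB user table; the schema is an assumption.
USERS = {
    "testuserid": {
        "activeTenant": "texas",
        "email": "test.user@example.com",
        "firstName": "Test",
        "lastName": "User",
        "tenants": {"texas": ["admin"], "colorado": ["viewer"]},
    }
}

# Hypothetical role -> allowed (verb, path) map for the parks API.
ROLE_ROUTES = {
    "viewer": [("GET", "/parks"), ("GET", "/parks/*")],
    "admin": [("GET", "/parks"), ("GET", "/parks/*"),
              ("POST", "/parks"), ("DELETE", "/parks/*")],
}


def _policy(effect, resources):
    return {"Version": "2012-10-17", "Statement": [
        {"Action": "execute-api:Invoke", "Effect": effect, "Resource": resources}]}


def authorize(claims, method_arn):
    """Steps 2-5 for a caller whose JWT was already verified in step 1."""
    # methodArn: arn:aws:execute-api:<region>:<acct>:<apiId>/<stage>/<verb>/<path>
    api = "/".join(method_arn.split("/")[:2])
    principal = claims.get("sub") or "unknown"
    user = USERS.get(principal)
    # The tenant comes from the stored record; nothing in the request can set it.
    tenant = user["activeTenant"] if user else None
    roles = user["tenants"].get(tenant, []) if user else []
    routes = sorted({r for role in roles for r in ROLE_ROUTES.get(role, [])})
    if not routes:  # unknown user, or no role in the active tenant
        return {"principalId": principal, "policyDocument": _policy("Deny", [f"{api}/*"])}
    resources = [f"{api}/{verb}{path}" for verb, path in routes]
    # API Gateway accepts only string, number or boolean context values,
    # so the role list travels as a JSON string.
    context = {"userId": principal, "tenantId": tenant, "email": user["email"],
               "roles": json.dumps(roles), "firstName": user["firstName"],
               "lastName": user["lastName"]}
    return {"principalId": principal, "policyDocument": _policy("Allow", resources),
            "context": context}
```

A `tenantId` smuggled into the claims or the request is never read, and switching the stored active tenant changes both the allowed routes and the context in one place.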

Data Access Control in Multi-Tenant Applications

The primary goal of multi-tenancy is to ensure that users cannot access data from other tenants. Strong data isolation is essential to prevent unauthorized access.

To achieve this, all indexes should be prefixed with the tenant ID. For example, consider a dataset of state parks:

Dataset Example of State Parks

In this dataset, parks belong to three tenants: Texas, Washington, and Colorado. Both the primary key and GSI should include the tenant ID prefix.

This approach guarantees that requests include the tenant ID, ensuring that the data retrieved belongs solely to that tenant. However, be cautious: the protection disappears during table scans, because a scan reads every item regardless of its key prefix.
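The tenant-prefixed lookups and the scan caveat, as an added Python example that is not part of the original article or its repository. The `TABLE` list stands in for the DynamoDB table with constructed items; the key layout (`<tenant>#park#<id>` as partition key, `<tenant>#park` as GSI key) and the function names are assumptions.

```python
# Constructed sample items. The key layout is an assumption,
# not the referenced repository's schema.
TABLE = [
    {"pk": "texas#park#big-bend", "gsi1pk": "texas#park", "name": "Big Bend Ranch"},
    {"pk": "texas#park#garner", "gsi1pk": "texas#park", "name": "Garner"},
    {"pk": "washington#park#deception-pass", "gsi1pk": "washington#park",
     "name": "Deception Pass"},
    {"pk": "colorado#park#eldorado-canyon", "gsi1pk": "colorado#park",
     "name": "Eldorado Canyon"},
]
SEP = "#"


def active_tenant(event):
    """Read the tenant only from the authorizer context, never from path or body."""
    tenant = event["requestContext"]["authorizer"]["tenantId"]
    if not tenant or SEP in tenant:
        raise PermissionError("missing or malformed tenant in authorizer context")
    return tenant


def get_park(event):
    """Point lookup: partition-key equality on <tenant>#park#<id>."""
    park_id = event["pathParameters"]["parkId"]
    key = SEP.join([active_tenant(event), "park", park_id])
    return next((item for item in TABLE if item["pk"] == key), None)


def list_parks(event):
    """Index query: equality on the tenant-prefixed GSI key."""
    key = SEP.join([active_tenant(event), "park"])
    return [item["name"] for item in TABLE if item["gsi1pk"] == key]


def scan_parks():
    """A scan carries no key condition, so every tenant's items come back."""
    return [item["name"] for item in TABLE]
```

A caller whose active tenant is Texas gets nothing back for another tenant's park ID, because the key it can build always starts with its own prefix; the scan returns all four items.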

Scaling Infrastructure and Managing Service Limits

As your application scales to accommodate more tenants, your serverless infrastructure will evolve. However, certain components require careful consideration during the initial design phase.

In a previous discussion on avoiding serverless service limits, I highlighted the discrepancy between the number of SNS topics and subscription filters in AWS accounts. You can create 100,000 SNS topics but only 200 subscription filters. Both are soft limits, but they are crucial to consider in multi-tenant applications.

Instead of static SNS topics, consider creating topics dynamically based on tenant and event type. This approach allows you to scale without the worry of hitting service limits.

As your infrastructure grows, the architecture shifts from synchronous REST API paradigms to batching, caching, and queuing mechanisms. Maintaining the tenant ID during these processes is vital to prevent data mishaps.

Conclusion

Adopting a multi-tenant architecture presents both advantages and challenges. It simplifies maintenance by supporting a single application instance, yet introduces complexity through the necessary tenancy logic.

Data security is paramount; you must ensure that data isolation is maintained to prevent accidental cross-tenant data exposure. By employing a tenant ID in all lookups and avoiding table scans, you can significantly reduce risks.

Be mindful of service limits as you scale up with more tenants. Assessing the limits of the services you plan to utilize before development is always wise.

Ultimately, defining a tenant is a conceptual choice. How you implement it is flexible, as long as you maintain data isolation and create a scalable application. Whether you opt for Amazon Cognito or build a custom solution for access control, meticulous planning is essential for a successful multi-tenant application.

Happy coding!

Multi-tenant serverless SaaS | Serverless Office Hours - YouTube

Building a Multi-tenant SaaS solution on AWS - YouTube
