Building a Multi-Tenant SaaS Solution on AWS Using Serverless
Anubhav Sharma
Principal Solutions Architect
AWS SaaS Factory
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Confidential and Trademark.
There are many advantages to a customer-centric approach, but here’s the big one: Customers are always beautifully, wonderfully dissatisfied, even when they report being happy and business is great. Even when they don’t yet know it, customers want something better, and your desire to delight customers will drive you to invent on their behalf.
Jeff Bezos
Founder and Executive Chair, Amazon.com, Inc.
2016 letter to shareholders
What it means to be SaaS
Diagram: an application plane made of multi-tenant microservices, and a control plane providing onboarding, provisioning, identity and tenant management.
Application plane deployment models
• Silo model: dedicated resources for each tenant
• Pool model: shared resources for all tenants
Serverless SaaS reference architecture
AWS Services & Features Used
• AWS Serverless Application Model (SAM)
• AWS Cloud Development Kit (CDK)
• Amazon API Gateway
§ REST APIs
§ Lambda Authorizer
§ Usage plans & API keys
• Amazon Cognito
§ User Pools
• AWS Lambda
§ Fine-grained access control (AWS STS)
§ Lambda Layers
• AWS CodePipeline
§ Canary deployments
• Amazon DynamoDB
Tier-based deployment model
Diagram: shared user management and tenant provisioning services alongside the per-tier deployments for Tenant 1, Tenant 2 and Tenants 3..N.
Baseline Architecture
Diagram: web application and log manager.
Registering new tenants
Diagram: the administrator uses the SaaS admin console to drive tenant provisioning.
• Provision tenant
• Configure tenant settings (silo/pool)
• Create stack for siloed tenants
Tenant registration
Authentication and authorization
Diagram (steps 1 to 5): the user signs in through the Cognito Hosted UI and the sample SaaS application receives a JWT; GET and POST requests carry that JWT to API Gateway; the Lambda (JWT) authorizer evaluates usage based upon the API key and allows or disallows routes by returning a policy that governs which Lambda functions may be invoked.
JWT claims:
{
  tenantId: "abc"
  userRole: "Admin"
}
Routes based on user roles
Tenant isolation: Silo model
Diagram: the JWT identifies the tenant; API Gateway invokes the tenant's Lambda function, which accesses the dedicated Order_Tenant1 resource.
Dynamic policy
def build_tenant_policy(region, aws_account_id, tenant_id):
    """Session policy that limits DynamoDB access to one tenant's partition-key prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": [
                "dynamodb:UpdateItem",
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:DeleteItem",
                "dynamodb:Query"
            ],
            "Resource": [
                "arn:aws:dynamodb:{0}:{1}:table/Product-*".format(region, aws_account_id)
            ],
            "Condition": {
                # Every partition key touched by the request must start with "<tenant_id>-"
                "ForAllValues:StringLike": {
                    "dynamodb:LeadingKeys": [
                        "{0}-*".format(tenant_id)
                    ]
                }
            }
        }]
    }
Code snippet: STS credentials
Authorizer output
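An added example (not code from the deck or the reference solution) of what the "Routes based on user roles" and "Authorizer output" slides describe: a Lambda authorizer that turns verified JWT claims into an API Gateway policy, a tenant context and the usage-plan key. It assumes JWT signature verification against the Cognito user pool has already happened, and the route table, tenant API keys and ARNs are constructed sample data.

```python
# Added example, not code from the deck or the reference solution: a Lambda
# authorizer that turns verified JWT claims into an API Gateway policy, a
# tenant context and the usage-plan key. Assumed: signature verification
# against the Cognito user pool's JWKS has already happened (e.g. with a JWT
# library), and the route table and API-key lookup below are constructed data.
import re

# Constructed route table: which user roles may call which method and path.
ROUTE_PERMISSIONS = {
    ("GET", "/product"): {"Admin", "User"},
    ("POST", "/product"): {"Admin"},
    ("DELETE", "/product"): {"Admin"},
    ("GET", "/order"): {"Admin", "User"},
}

# Constructed per-tenant API keys; the deck sources these from tenant settings
# so that throttling and quotas are evaluated per tenant via usage plans.
TENANT_API_KEYS = {"abc": "PLACEHOLDER-key-abc", "xyz": "PLACEHOLDER-key-xyz"}

# methodArn looks like arn:aws:execute-api:<region>:<account>:<apiId>/<stage>/<METHOD>/<path>
ARN_RE = re.compile(r"^(arn:aws:execute-api:[^:]+:[^:]+:[^/]+/[^/]+)/[A-Z]+/.*$")


def authorize(claims, method_arn):
    """Authorizer response for one request (the shape of the 'Authorizer output' slide)."""
    m = ARN_RE.match(method_arn)
    if not m:
        raise ValueError("unexpected methodArn: " + method_arn)
    api_prefix = m.group(1)
    tenant_id, role = claims["tenantId"], claims["userRole"]
    # Every route this role may use is listed, so a cached policy stays valid
    # across routes; anything not listed is implicitly denied by API Gateway.
    allowed = [f"{api_prefix}/{method}{path}"
               for (method, path), roles in ROUTE_PERMISSIONS.items() if role in roles]
    statement = ({"Action": "execute-api:Invoke", "Effect": "Allow", "Resource": allowed}
                 if allowed else
                 {"Action": "execute-api:Invoke", "Effect": "Deny", "Resource": method_arn})
    return {
        "principalId": claims["sub"],
        "policyDocument": {"Version": "2012-10-17", "Statement": [statement]},
        # Passed to the backend Lambda as event.requestContext.authorizer; the
        # function uses tenantId to scope data access (see the dynamic policy).
        "context": {"tenantId": tenant_id, "userRole": role},
        # Selects the tenant's API key so API Gateway applies its usage plan.
        "usageIdentifierKey": TENANT_API_KEYS[tenant_id],
    }
```

For usageIdentifierKey to take effect the REST API's API key source must be set to AUTHORIZER rather than HEADER.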
Tenant isolation: Pooled model
Diagram: tenant scope is acquired at runtime by assuming an IAM role through AWS STS with the dynamically generated policy.
Pool-based partition with DynamoDB
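An added example (not the deck's or the reference solution's code) tying together the "Dynamic policy", "Code snippet: STS credentials", "Tenant isolation: Pooled model" and "Pool-based partition with DynamoDB" slides: it builds the tenant-scoped statement, models locally how the dynamodb:LeadingKeys condition decides which partition keys a tenant may touch in a pooled table, and exchanges the Lambda role for tenant-limited credentials through AWS STS. The role ARN, account id and the "<tenantId>-<item>" partition-key layout are constructed assumptions.

```python
# Added example, not the deck's or reference solution's code: build the
# tenant-scoped session policy from the dynamic-policy slide, model locally how
# the dynamodb:LeadingKeys condition decides which partition keys a tenant may
# touch in a pooled table, and exchange the Lambda role for tenant-limited
# credentials through AWS STS. Assumed: role ARN, account id and the
# "<tenantId>-<item>" partition-key layout are constructed sample values.
import fnmatch
import json


def tenant_scoped_statement(region, aws_account_id, tenant_id):
    """The Allow statement from the slide, parameterised by the caller's tenant."""
    return {
        "Effect": "Allow",
        "Action": ["dynamodb:UpdateItem", "dynamodb:GetItem", "dynamodb:PutItem",
                   "dynamodb:DeleteItem", "dynamodb:Query"],
        "Resource": [f"arn:aws:dynamodb:{region}:{aws_account_id}:table/Product-*"],
        "Condition": {"ForAllValues:StringLike": {"dynamodb:LeadingKeys": [f"{tenant_id}-*"]}},
    }


def leading_keys_allowed(statement, partition_keys):
    """Local model of ForAllValues:StringLike on dynamodb:LeadingKeys.

    ForAllValues passes only when EVERY partition key in the request matches a
    pattern, so a batch that mixes two tenants' keys is rejected as a whole.
    IAM's '*' and '?' wildcards behave like fnmatch's (case-sensitive here).
    """
    patterns = statement["Condition"]["ForAllValues:StringLike"]["dynamodb:LeadingKeys"]
    return all(any(fnmatch.fnmatchcase(key, p) for p in patterns) for key in partition_keys)


def assume_tenant_session(role_arn, region, aws_account_id, tenant_id):
    """Credentials limited to one tenant: the session policy can only narrow the
    role's own permissions, never widen them. Needs boto3 and AWS credentials;
    boto3 is imported here so the local checks above run offline."""
    import boto3
    policy = {"Version": "2012-10-17",
              "Statement": [tenant_scoped_statement(region, aws_account_id, tenant_id)]}
    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName=f"tenant-{tenant_id}",
        Policy=json.dumps(policy), DurationSeconds=900)["Credentials"]
    return boto3.resource("dynamodb", region_name=region,
                          aws_access_key_id=creds["AccessKeyId"],
                          aws_secret_access_key=creds["SecretAccessKey"],
                          aws_session_token=creds["SessionToken"])
```

The assumed role's trust policy must allow the Lambda execution role to assume it, and the role itself still needs DynamoDB permissions on the Product-* tables, since the session policy only intersects with them.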
Multi-tier, multi-account, multi-region CI/CD
Diagram: a build pipeline feeds per-tier deployment pipelines (pooled tier shown) into multiple prod environments.
Tenant routing
Diagram (steps 1 to 5): the user logs in to the sample SaaS application by entering the tenant name; tenant management looks up the tenant identity settings (pooled, Platinum 1 or Platinum 2); the user is redirected to the matching Hosted UI; the returned JWT token carries the tenant identity and routes requests to that tenant's deployment (pooled, Platinum 1 or Platinum 2).
Final View of Architecture
Diagram: sign-up application and SaaS admin console on the tenant and SaaS provider sides; Amazon Cognito for auth; source and build for CI/CD; shared services for tenant provisioning, user management, and logging & metrics.
Serverless SaaS reference links
• https://catalog.us-east-1.prod.workshops.aws/workshops/b0c6ad36-0a4b-45d8-856b-8a64f0ac76bb/en-US
• https://github.com/aws-samples/aws-serverless-saas-workshop
• https://aws.amazon.com/blogs/apn/building-a-multi-tenant-saas-solution-using-aws-serverless-services/
• https://github.com/aws-samples/aws-saas-factory-ref-solution-serverless-saas
• https://aws.amazon.com/blogs/devops/parallel-and-dynamic-saas-deployments-with-cdk-pipelines/