SaaS Reference Architectures: Review of Real-World Patterns & Strategies (GPSTEC302) - AWS re:Invent 2018
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SaaS Reference Architectures: A Review of Real World Patterns and Strategies
Tod Golding
Partner Solutions Architect
Amazon Web Services
GPSTEC302
SaaS: One goal, many flavors
[Diagram: the same web tier / app tier stack in several multi-tenant flavors, from separate web and app tiers per tenant (Tenant 1, Tenant 2) to a single web tier and app tier shared by all tenants]
The key challenges of SaaS architecture
Multi-tenancy can vary at every layer
[Diagram: a shared web tier in front of per-tenant app tiers (App tier – T1, App tier – T2), above a pooled data store whose rows are tagged by tenant: Tenant 1 1992093, Tenant 2 9828519, Tenant 1 4940492]
The common thread: Agility
SaaS architecture pattern landscape
[Diagram: the pattern areas surrounding the application services, with each service wrapped in tenant isolation]
• Onboarding
• Application access
• Metering, metrics, & analytics
• Billing & tiering
• Management & monitoring
• API access
• Deployment & agility
• Tenant isolation around each service
The SaaS monolith
[Diagram: a monolithic SaaS deployment spread across two Availability Zones]
Microservices SaaS with containers
[Diagram: containerized microservices deployed across two Availability Zones, each zone with its own NAT gateway]
Serverless SaaS
[Diagram: Amazon API Gateway with a custom authorizer in front of AWS Lambda functions backed by storage services]
Comparing models
                               Monolith   Container microservices   Serverless
Zero downtime deployment       Low        High                      Very high
Scaling with tenant activity   Low        Medium                    Very high
Scaling granularity            Low        High                      Very high
Development ease               High       High                      Medium
Fault tolerance support        Low        High                      Very high
Cost optimization              Low        Medium                    High
Multi-tenant aware application services
[Diagram: an application service whose tenant data partitioning, tenant mapping, and logging & metering are all tenant-aware]
Extracting and applying tenant context
GET /products
Authorization: Bearer <Token>
JWT token claims:
{
  "tenantId": "8391",
  "role": "Admin"
}
[Diagram: (1) the request arrives at the application service carrying the JWT; (2) the service calls GetProducts() on the data access layer; (3) the token manager extracts the tenant context from the JWT; (4) the partition manager maps that tenant to its data partition; (5) the data access layer issues the tenant-scoped query]
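The flow above, as an added worked example that is not part of the talk: a token manager verifies the bearer JWT and extracts the tenantId claim, a partition manager maps the tenant to its shard, and the data access layer runs GetProducts scoped to that tenant. It assumes an HS256 shared secret, an in-memory shard map and a few constructed product rows; those names and values are illustrative, not from the slides.

```python
"""Tenant context extraction and tenant-scoped data access (added example).

Assumptions: an HS256 shared secret stands in for the identity provider's
signing key, and the shard map and product rows are constructed sample data.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"   # assumption: HS256 shared secret


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT; stands in for the identity provider (assumption)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


class TokenManager:
    """Step 3 on the slide: verify the bearer token and extract tenant context."""

    def __init__(self, secret: bytes = SECRET):
        self.secret = secret

    def tenant_context(self, authorization: str) -> dict:
        scheme, _, token = authorization.partition(" ")
        if scheme != "Bearer" or token.count(".") != 2:
            raise PermissionError("malformed Authorization header")
        header, body, sig = token.split(".")
        # Pin the algorithm: never let the token choose how it is verified.
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            raise PermissionError("unexpected alg")
        expected = hmac.new(self.secret, f"{header}.{body}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            raise PermissionError("bad signature")
        claims = json.loads(_b64url_decode(body))
        if claims.get("exp", float("inf")) < time.time():
            raise PermissionError("token expired")
        if not claims.get("tenantId"):
            # A verified token with no tenant context must never reach the data layer.
            raise PermissionError("token carries no tenantId")
        return {"tenantId": str(claims["tenantId"]), "role": claims.get("role", "")}


class PartitionManager:
    """Step 4: map a tenant to the shard that holds its data."""

    def __init__(self, shard_map: dict):
        self.shard_map = shard_map

    def shard_for(self, tenant_id: str) -> str:
        try:
            return self.shard_map[tenant_id]
        except KeyError:
            raise PermissionError(f"unknown tenant {tenant_id}") from None


class DataAccess:
    """Step 5: every query is keyed by the tenant taken from the verified
    token, never by a tenantId supplied in the request body or query string."""

    def __init__(self, shards: dict):
        self.shards = shards   # shard id -> rows of a pooled table

    def get_products(self, ctx: dict, shard: str) -> list:
        return [r for r in self.shards[shard] if r["TenantID"] == ctx["tenantId"]]


# Constructed sample data: two tenants share shard-1, a third sits alone on shard-2.
SHARD_MAP = {"8391": "shard-1", "2207": "shard-1", "5512": "shard-2"}
SHARDS = {
    "shard-1": [
        {"TenantID": "8391", "ProductID": "929443903"},
        {"TenantID": "2207", "ProductID": "384914810"},
        {"TenantID": "8391", "ProductID": "294020999"},
    ],
    "shard-2": [{"TenantID": "5512", "ProductID": "202030340"}],
}


def handle_get_products(authorization: str) -> list:
    """GET /products as on the slide: token -> context -> shard -> scoped query."""
    ctx = TokenManager().tenant_context(authorization)
    shard = PartitionManager(SHARD_MAP).shard_for(ctx["tenantId"])
    return DataAccess(SHARDS).get_products(ctx, shard)


if __name__ == "__main__":
    token = issue_token({"tenantId": "8391", "role": "Admin"})
    print(handle_get_products(f"Bearer {token}"))
```

Two checks carry the isolation: the tenant id used for the query comes only from the verified token, and a token that verifies but carries no tenantId is rejected before it reaches the data layer.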
Storage partitioning patterns
• Silo relational: dedicated relational storage per tenant
• Silo NoSQL: dedicated NoSQL storage per tenant
• Pool relational & NoSQL: shared storage with every row tagged by tenant, e.g.
  TenantID   ProductID
  Tenant-2   929443903
  Tenant-1   384914810
• Object storage: tenant-scoped storage (Tenant 1, Tenant 2)
Avoiding tenant bottlenecks
Pooled table with mixed tenants:
  TenantID   ProductID
  Tenant-2   929443903
  Tenant-1   294020999
  Tenant-1   384914810
Pooled table where nearly every row belongs to Tenant-1, creating a tenant bottleneck:
  TenantID   ProductID
  Tenant-1   929443903
  Tenant-1   294020999
  Tenant-1   384914810
  Tenant-1   202030340
  Tenant-2   534538388
Scaling tenant partitioned data
  TenantID   ShardID
  Tenant-2   Shard-1
  Tenant-1   Shard-2
[Diagram: a proxy fleet looks up the tenant-to-shard mapping and routes each tenant's requests to the Amazon Aurora instance and storage that hold its shard]
Role and policy-based isolation
[Diagram: Tenant 1 and Tenant 2 separated by roles and policies]
Siloed compute isolation
[Diagram: every compute tier deployed separately for Tenant 1 and for Tenant 2]
Pooled compute isolation
[Diagram: the tenant's identity is mapped to policies that yield tenant-scoped credentials, which the pooled compute uses when acting for that tenant]
Tenant data isolation
  TenantID   ProductID
  Tenant-2   929443903
  Tenant-1   294020999
  Tenant-1   384914810
  Tenant-2   948393991
  Tenant-2   429919495
Using policies to isolate shared resources
Tenant identity policy: the tenant identifier is the partition key of the shared Order table, so the dynamodb:LeadingKeys condition limits the tenant to its own items.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TenantReadOnlyOrderTable",
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:BatchGetItem",
        "dynamodb:Query",
        "dynamodb:DescribeTable"
      ],
      "Resource": [
        "arn:aws:dynamodb:us-east-1:000000000000:table/Order"
      ],
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": [
            "5bd24c40d66c4755819d28ceab9f0826"
          ]
        }
      }
    }
  ]
}
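As an added example (not from the talk), here is how the tenant identity policy above can be generated per tenant, for instance as the session policy the pooled compute passes to sts:AssumeRole to obtain the tenant-scoped credentials of the pooled compute isolation slide, together with a deliberately simplified model of how the ForAllValues:StringEquals condition on dynamodb:LeadingKeys is evaluated. The evaluator covers only this statement shape (no explicit denies, no wildcard matching); the table ARN is the slide's and the tenant ids are constructed.

```python
"""Generate and sanity-check a tenant-scoped DynamoDB policy (added example).

Assumptions: evaluate() is a simplified model of IAM's handling of a single
Allow statement with a ForAllValues:StringEquals condition, not the real
policy engine; tenant ids below are constructed.
"""
import json

TABLE_ARN = "arn:aws:dynamodb:us-east-1:000000000000:table/Order"  # from the slide
READ_ACTIONS = ["dynamodb:GetItem", "dynamodb:BatchGetItem",
                "dynamodb:Query", "dynamodb:DescribeTable"]


def build_tenant_policy(tenant_id: str, table_arn: str = TABLE_ARN) -> dict:
    """Render the slide's tenant identity policy for one tenant."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "TenantReadOnlyOrderTable",
            "Effect": "Allow",
            "Action": list(READ_ACTIONS),
            "Resource": [table_arn],
            "Condition": {
                "ForAllValues:StringEquals": {"dynamodb:LeadingKeys": [tenant_id]}
            },
        }],
    }


def session_policy_json(tenant_id: str) -> str:
    """Compact JSON, the form passed as the Policy parameter of sts:AssumeRole
    so the returned credentials are scoped to this tenant (size limits apply)."""
    return json.dumps(build_tenant_policy(tenant_id), separators=(",", ":"))


def evaluate(policy: dict, action: str, resource: str, leading_keys: list) -> bool:
    """True if the (simplified) policy allows the request.

    ForAllValues:StringEquals passes when every partition-key value in the
    request is in the allowed set. Per IAM semantics it also passes when the
    request carries no values for the key at all, which is why an action that
    sends no partition key (dynamodb:Scan) must never be in the Action list:
    it would bypass the condition and expose every tenant's items.
    """
    for stmt in policy["Statement"]:
        if (stmt["Effect"] != "Allow" or action not in stmt["Action"]
                or resource not in stmt["Resource"]):
            continue
        allowed = set(stmt["Condition"]["ForAllValues:StringEquals"]["dynamodb:LeadingKeys"])
        if all(k in allowed for k in leading_keys):   # vacuously True for []
            return True
    return False


if __name__ == "__main__":
    tenant = "5bd24c40d66c4755819d28ceab9f0826"
    print(session_policy_json(tenant))
    print(evaluate(build_tenant_policy(tenant), "dynamodb:Query", TABLE_ARN, ["other"]))
```

The caveat the model makes visible: ForAllValues is satisfied by an empty key set, so a tenant-scoped policy that also allowed dynamodb:Scan would let one tenant read the whole Order table. Keep Scan out of these policies, and make sure the tenant identifier really is the partition key of every pooled table the policy covers.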
Full stack isolation
[Diagram: a complete, separate stack for Tenant 1 and another for Tenant 2]
Onboarding, access, and operations patterns
[Diagram: the same pattern landscape, now with application services, storage partitioning, and tenant isolation around each service at the center]
• Onboarding
• Application access
• Metering, metrics, & analytics
• Billing & tiering
• Management & monitoring
• API access
• Deployment & agility
• Application services
• Storage partitioning
• Tenant isolation around each service
Onboarding patterns: The building blocks
Zero touch, volume onboarding (pool)
[Diagram: the tenant calls the Tenant Registration Service (POST /reg); it invokes the Tenant Management Service, which sets up the tenant's IAM configuration and its identity in the Identity Provider (OIDC) user pool, and the User Management Service, which creates the user; a message is placed on the new account queue, from which the Billing Account Manager provisions the account in the billing system, retrying on failure]
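The zero-touch flow above, as an added example that is not part of the talk: in-memory stand-ins for the registration, tenant management, identity provider, billing account manager and billing system show the two properties that make unattended onboarding safe to automate, an idempotent POST /reg that returns the same tenant for a repeated registration, and a bounded retry from the new account queue when billing provisioning fails. The class names, queue shape and simulated billing outage are assumptions.

```python
"""Zero-touch onboarding with idempotent registration and retried billing
(added example). All services are in-memory stand-ins; the flaky billing
backend is constructed to fail a fixed number of times per tenant.
"""
import uuid
from collections import deque


def new_account_queue() -> deque:
    """The 'new account queue' of the slide, modelled as an in-process deque."""
    return deque()


class TenantManagementService:
    """Creates the tenant record. Registrations are keyed by admin e-mail, so a
    duplicate POST /reg returns the existing tenant instead of a second one."""

    def __init__(self):
        self.tenants = {}   # tenantId -> record
        self.index = {}     # admin e-mail -> tenantId

    def create(self, company: str, admin_email: str) -> dict:
        key = admin_email.strip().lower()
        if key not in self.index:
            tenant_id = uuid.uuid4().hex
            self.tenants[tenant_id] = {"tenantId": tenant_id, "company": company,
                                       "status": "provisioning"}
            self.index[key] = tenant_id
        return self.tenants[self.index[key]]


class IdentityProvider:
    """Stand-in for the OIDC user pool: every user is created under a tenant."""

    def __init__(self):
        self.pools = {}     # tenantId -> {email: user}

    def create_user(self, tenant_id: str, email: str, role: str) -> dict:
        pool = self.pools.setdefault(tenant_id, {})
        return pool.setdefault(email, {"email": email, "tenantId": tenant_id, "role": role})


class BillingSystem:
    """Constructed flaky backend: rejects the first `outages` calls per tenant."""

    def __init__(self, outages: int = 2):
        self.outages, self.remaining, self.accounts = outages, {}, {}

    def provision(self, tenant_id: str, plan: str) -> dict:
        left = self.remaining.setdefault(tenant_id, self.outages)
        if left:
            self.remaining[tenant_id] = left - 1
            raise ConnectionError("billing system unavailable")
        return self.accounts.setdefault(tenant_id, {"plan": plan})


class BillingAccountManager:
    """Consumes the new account queue; failed messages are retried a bounded
    number of times and then parked on a dead-letter list for an operator."""

    def __init__(self, billing: BillingSystem, tenants: TenantManagementService,
                 max_attempts: int = 5):
        self.billing, self.tenants, self.max_attempts = billing, tenants, max_attempts
        self.dead_letter = []

    def drain(self, queue: deque) -> int:
        """Process until the queue is empty; returns the number of retries made."""
        retries = 0
        while queue:
            msg = queue.popleft()
            try:
                self.billing.provision(msg["tenantId"], msg["plan"])
                self.tenants.tenants[msg["tenantId"]]["status"] = "active"
            except ConnectionError:
                msg["attempts"] += 1
                if msg["attempts"] < self.max_attempts:
                    queue.append(msg)
                    retries += 1
                else:
                    self.dead_letter.append(msg)
        return retries


class TenantRegistrationService:
    """POST /reg: create the tenant, create its admin user, enqueue billing."""

    def __init__(self, tenants, idp, queue: deque):
        self.tenants, self.idp, self.queue = tenants, idp, queue
        self.enqueued = set()

    def register(self, payload: dict) -> dict:
        tenant = self.tenants.create(payload["company"], payload["email"])
        self.idp.create_user(tenant["tenantId"], payload["email"].strip().lower(), "Admin")
        if tenant["tenantId"] not in self.enqueued:   # exactly one billing job per tenant
            self.queue.append({"tenantId": tenant["tenantId"],
                               "plan": payload.get("plan", "standard"), "attempts": 0})
            self.enqueued.add(tenant["tenantId"])
        return tenant


def run_demo():
    """Onboard one tenant that registers twice, then drain the billing queue."""
    tenants, idp, billing = TenantManagementService(), IdentityProvider(), BillingSystem()
    queue = new_account_queue()
    reg = TenantRegistrationService(tenants, idp, queue)
    first = reg.register({"company": "Example Co", "email": "Jane@example.com", "plan": "pro"})
    second = reg.register({"company": "Example Co", "email": "jane@example.com"})
    retries = BillingAccountManager(billing, tenants).drain(queue)
    return first, second, retries, billing.accounts, tenants.tenants[first["tenantId"]]["status"]


if __name__ == "__main__":
    print(run_demo())
```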
Enterprise, low volume onboarding (silo)
[Diagram: an engineer provisions each enterprise tenant's silo through DevOps provisioning tooling]
Authentication with delayed tenant resolution
[Diagram: the tenant's user signs in to the web application through the identity provider; a user/tenant mapping (UserId → TenantId) resolves the tenant afterwards and selects the RBAC policies that the application service and data access layer apply]
Authentication with SaaS identity token
[Diagram: the identity provider (OIDC, Amazon Cognito) returns an ID token and an access token carrying the tenant context, along with an STS token governed by the tenant IAM policy; the web application passes these on to the application service and data access layer]
Authentication via external provider
[Diagram: the authentication manager submits the user's credentials (User, Password) to Amazon Cognito using the tenant's identity provider configuration; Cognito authenticates against the tenant's external identity provider, and the tenant manager maps the user to the tenant before the app service is called]
Additional authentication considerations
• Mapping a single user to multiple tenants (e.g., jane@example.com belongs to both Tenant 1 and Tenant 2)
• Enabling tenant management of policies:
  • MFA policies
  • Password expiration
  • Password format
  • Validation
Multi-region authentication and access
[Diagram: a shared onboarding service and identity repository; Region A and Region B each hold their own identity repository, and region selection & routing directs Tenant 1 and Tenant 2 to their region]
Metering and analytics patterns
[Diagram: a metering framework collects events from API Gateway and the application services, with tenant context in every event, and serves the views the product manager, ops engineer, and architect each need]
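An added example (not from the talk) of the "tenant context in every event" rule: a small metering framework refuses to emit an event without tenant context, writes each event as a JSON line, and aggregates constructed sample events into per-tenant call counts, 5xx counts, share of traffic and p95 latency, the kind of view that shows one tenant turning a pooled resource into a bottleneck. Event field names, tiers and the sample traffic are assumptions.

```python
"""Tenant context in every metering event, and per-tenant usage derived from
it (added example). Field names and the sample traffic are constructed.
"""
import json
import time
from collections import defaultdict


class MeteringFramework:
    """Stamps every event with the tenant context of the request it came from."""

    def __init__(self, sink=None):
        self.sink = [] if sink is None else sink    # list of JSON lines

    def emit(self, ctx: dict, event_type: str, **fields) -> dict:
        if not ctx.get("tenantId"):
            # An event with no tenant cannot be attributed, billed or analysed
            # per tenant, so it is a programming error rather than data to keep.
            raise ValueError("metering event without tenant context")
        event = {"ts": fields.pop("ts", time.time()), "tenantId": ctx["tenantId"],
                 "tier": ctx.get("tier", "unknown"), "type": event_type, **fields}
        self.sink.append(json.dumps(event))
        return event


def sample_events() -> list:
    """Constructed sample: tenant 8391 (Pro tier) makes most of the calls and
    gets two slow 503s; tenant 2207 (Basic tier) makes two quick calls."""
    fw = MeteringFramework()
    calls = ([("8391", "Pro", "GET /products", 120, 200)] * 6
             + [("8391", "Pro", "GET /products", 900, 503)] * 2
             + [("2207", "Basic", "GET /orders", 80, 200)] * 2)
    for i, (tenant, tier, route, ms, status) in enumerate(calls):
        fw.emit({"tenantId": tenant, "tier": tier}, "api_call",
                ts=1_700_000_000 + i, route=route, latency_ms=ms, status=status)
    return fw.sink


def aggregate(lines) -> dict:
    """Per-tenant call count, 5xx count, share of all calls and p95 latency."""
    raw = defaultdict(lambda: {"calls": 0, "errors": 0, "latencies": [], "tier": None})
    for line in lines:
        e = json.loads(line)
        if e["type"] != "api_call":
            continue
        s = raw[e["tenantId"]]
        s["tier"] = e["tier"]
        s["calls"] += 1
        s["errors"] += e["status"] >= 500
        s["latencies"].append(e["latency_ms"])
    total = sum(s["calls"] for s in raw.values())
    stats = {}
    for tenant, s in raw.items():
        lat = sorted(s["latencies"])
        p95 = lat[max(0, round(0.95 * len(lat)) - 1)]     # nearest-rank p95
        stats[tenant] = {"tier": s["tier"], "calls": s["calls"], "errors": s["errors"],
                         "share": s["calls"] / total, "p95_ms": p95}
    return stats


def noisy_neighbors(stats: dict, share_threshold: float = 0.6) -> list:
    """Tenants consuming more than `share_threshold` of all calls: the ones
    that turn a pooled resource into a tenant bottleneck."""
    return sorted(t for t, s in stats.items() if s["share"] > share_threshold)


if __name__ == "__main__":
    usage = aggregate(sample_events())
    print(json.dumps(usage, indent=2))
    print("noisy:", noisy_neighbors(usage))
```

Because the tier travels with the tenant id, the same events feed billing and tiering (calls per tenant per plan) and operations (which tenant's traffic is degrading a pooled service) without a second join against a tenant registry.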
Billing and account lifecycle
Takeaways
• No single pattern fits all SaaS businesses
• SaaS architecture must embrace variable consumption
• Metrics and analytics are foundational to SaaS architecture
• Getting isolation right can be challenging
• Automation and agility are essential to all patterns
Additional SaaS breakouts
Monday, 11/26
ARC324 - Architecting Next Generation Serverless SaaS Solutions on AWS
6:15 PM | Venetian, Level 2, Venetian Theater
Tuesday, 11/27
ARC324 - Architecting Next Generation Serverless SaaS Solutions on AWS (Repeat)
4:00 PM | Venetian, Level 2, Titian 2204
Wednesday, 11/28
ARC418 Deconstructing SaaS: Deep Dive into Building Multi-Tenant Solutions on AWS
12:15 PM | Mirage, Mirage Event Center B
Thursday, 11/29
ARC418 Deconstructing SaaS: Deep Dive into Building Multi-Tenant Solutions on AWS (Repeat)
4:00 PM | Aria, Aria West, Level 3, Ironwood 5
SaaS Chalk Talks
Monday, 11/26
ARC216 - SaaS Operations: The Foundation of SaaS Agility
11:30 – 12:30 | Venetian, Level 2, Veronese 2406
Tuesday, 11/27
ARC210 - SaaS Jumpstart: A Primer for Launching Your SaaS Journey
9:15 – 10:15 | Venetian, Level 4, Lando 4304
Wednesday, 11/28
ARC419 – Optimizing Your SaaS Solutions on AWS
1:00 – 2:00 | Venetian, Level 3, Murano 3202
ARC326 - Migrating Single-Tenant Applications to Multi-Tenant SaaS
4:00 – 5:00 | Aria West, Level 3, Starvine 7
ARC210 - SaaS Jumpstart: A Primer for Launching Your SaaS Journey
1:45 – 2:45 | Aria West, Level 3, Ironwood 8
SaaS Chalk Talks
Thursday, 11/29
ARC210 - SaaS Jumpstart: A Primer for Launching Your SaaS Journey
1:45 – 2:45 | MGM, Level 1, South Concourse 105
Friday, 11/30
ARC326 – Migrating Single-Tenant Applications to Multi-Tenant SaaS
10:00 – 11:00 | MGM, Level 1, South Concourse 105
ARC419 – Optimizing Your SaaS Architecture on AWS
1:00 – 2:00 | Venetian, Level 3, Murano 3202
SaaS Workshops
Monday, 11/26
Hands-on SaaS: Constructing Multi-Tenant Solutions on AWS
4:00 – 6:15 PM | Mirage, Mirage Event Center C3
Wednesday, 11/30
Hands-on SaaS: Constructing Multi-Tenant Solutions on AWS
9:15 AM – 11:30 AM | Mirage, Mirage Event Center C2
Thank you!
Tod Golding
todg@amazon.com