Multi-tenancy design patterns
This section delves into three primary multi-tenancy design patterns—silo, pool, and bridge models—each with its unique advantages, challenges, and use cases. These patterns not only influence the operational efficiency and scalability of the service but also have a profound impact on security and compliance. We will explore the various levels of isolation these models offer, their applicability in different scenarios, and the factors to consider when choosing the right pattern for your organization.
The silo model
The silo model is one of the most straightforward designs for implementing multi-tenancy. In this model, each tenant is assigned to a separate set of resources, effectively creating isolated silos. While this approach offers the highest level of security and isolation, it often comes at the cost of resource efficiency.
The following diagram (Figure 8.2) illustrates the silo model:
Figure 8.2 – The silo model
Levels of isolation
The silo model can be implemented at various levels of isolation, each offering a different balance between security and resource utilization:
- Account segregation: At the most isolated level, each tenant can have a separate AWS account. This not only isolates resources such as compute, storage, and networking but also segregates governance aspects such as IAM. It can even allow tenants some level of control and visibility over their resources. However, this approach can lead to increased operational overhead due to the complexity of managing multiple accounts.
- VPC segregation: A more balanced approach is to segregate tenants at the VPC level. Each tenant gets its own VPC within a single AWS account, offering a good balance between isolation and manageability.
- Subnet segregation: For finer-grained control, tenants can be segregated at the subnet level within a VPC. This allows for more flexible resource allocation but requires careful network planning and management involving complex routing and security configurations. Therefore, this approach is generally not recommended due to the increased risk of configuration errors, especially as the number of tenants grows.
- Individual resource segregation: At the most granular level, individual resources can be segregated for each tenant. This is particularly relevant for non-VPC attached serverless components where segregation cannot be achieved at the network level using VPCs and subnets. While this offers the most flexibility, it can become complex to manage and increase the risk of configuration errors, especially as the number of tenants grows.
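The configuration errors mentioned above can be caught by auditing a resource inventory against the silo level you chose. The following is an added example, not code from the original text: it flags any account, VPC, or subnet that hosts more than one tenant, plus resources with no tenant owner. The inventory, field names, and IDs are constructed assumptions.

```python
from collections import defaultdict

# Silo level -> inventory field that forms the tenant boundary at that level.
# Field names are assumptions for this example, not an AWS API schema.
BOUNDARY_FIELD = {"account": "account_id", "vpc": "vpc_id", "subnet": "subnet_id"}

# Constructed inventory: one account, intended VPC-per-tenant layout.
# res-3 has drifted into tenant-a's VPC; fn-1 is a non-VPC function with no owner.
ACCOUNT = "111111111111"  # placeholder account ID
INVENTORY = [
    {"id": "res-1", "tenant": "tenant-a", "account_id": ACCOUNT, "vpc_id": "vpc-a", "subnet_id": "subnet-a1"},
    {"id": "res-2", "tenant": "tenant-b", "account_id": ACCOUNT, "vpc_id": "vpc-b", "subnet_id": "subnet-b1"},
    {"id": "res-3", "tenant": "tenant-b", "account_id": ACCOUNT, "vpc_id": "vpc-a", "subnet_id": "subnet-a2"},
    {"id": "fn-1", "tenant": None, "account_id": ACCOUNT, "vpc_id": None, "subnet_id": None},
]


def shared_boundaries(resources, level):
    """Return {boundary_id: [tenants]} for every boundary holding more than one tenant."""
    field = BOUNDARY_FIELD[level]
    tenants_in = defaultdict(set)
    for res in resources:
        boundary, tenant = res.get(field), res.get("tenant")
        if boundary is None or tenant is None:
            continue  # no boundary at this level, or ownership unknown (reported separately)
        tenants_in[boundary].add(tenant)
    return {b: sorted(t) for b, t in tenants_in.items() if len(t) > 1}


def unowned_resources(resources):
    """Resource-level silo: every resource must be attributable to exactly one tenant."""
    return [res["id"] for res in resources if not res.get("tenant")]


if __name__ == "__main__":
    for level in BOUNDARY_FIELD:
        print(level, shared_boundaries(INVENTORY, level))
    print("unowned", unowned_resources(INVENTORY))
```

Note that the drifted resource passes the subnet-level check while failing the VPC-level one, so the audit must be run at the level the design actually relies on.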
Use cases
The silo model is best suited for scenarios requiring strict data isolation, for example in highly regulated industries such as healthcare or financial services. It is also well suited for organizations with a limited number of tenants who require complete isolation.