Resources for architects and developers of multitenant solutions
Architectures for multitenant applications
The following articles provide examples of multitenant architectures on Azure.
| Architecture | Summary | Technology focus |
|---|---|---|
| Multitenant SaaS on Azure | Reference architecture for a multitenant SaaS scenario on Azure, which is deployed in multiple regions | Web |
| Use Application Gateway Ingress Controller with a multitenant Azure Kubernetes Service (AKS) | Example for implementing multitenancy with AKS and AGIC | Kubernetes |
| All multitenant architectures | Lists all the architectures that include multitenancy | Multiple |
Cloud design patterns
The following cloud design patterns are frequently used in multitenant architectures.
| Pattern | Summary |
|---|---|
| Deployment Stamps pattern | Deploy multiple independent copies (scale units) of application components, including data stores. |
| Federated Identity | Delegate authentication to an external identity provider. |
| Gatekeeper | Protect applications and services, by using a dedicated host instance that acts as a broker between clients and the application or service, validates and sanitizes requests, and passes requests and data between them. |
| Queue-Based Load Leveling | Use a queue that acts as a buffer between a task and a service that it invokes, in order to smooth intermittent heavy loads. |
| Sharding | Divide a data store into a set of horizontal partitions or shards. |
| Throttling | Control the consumption of resources that are used by an instance of an application, an individual tenant, or an entire service. |
Antipatterns
Consider the Noisy Neighbor antipattern, in which the activity of one tenant can have a negative impact on another tenant's use of the system.
Microsoft Azure Well-Architected Framework
While the entirety of the Azure Well-Architected Framework is important for all solutions, pay special attention to the Reliability pillar. The nature of cloud hosting leads to applications that are often multitenant, use shared platform services, compete for resources and bandwidth, communicate over the internet, and run on commodity hardware. This increases the likelihood that both transient and more permanent faults will arise.
Multitenant architectural guidance
- Architecting multitenant solutions on Azure (video): This video discusses how to design, architect, and build multitenant solutions on Azure. If you're building a SaaS product or another multitenant service, there's a lot to consider when you plan for high performance, tenant isolation, and to manage deployments. This session is aimed at developers and architects who are building multitenant or SaaS applications, including startups and ISVs.
- Azure Friday - Architecting multitenant solutions on Azure (video): This video from Azure Friday discusses how to design, architect, and build multitenant software-as-a-service (SaaS) solutions on Azure.
- Accelerate and De-Risk Your Journey to SaaS (video): This video provides guidance for transitioning to the software as a service (SaaS) delivery model - whether you're starting by lifting-and-shifting an existing solution from on-premises to Azure, considering a multitenant architecture, or looking to modernize an existing SaaS web application.
Resources for Azure services
Governance and compliance
- Organizing and managing multiple Azure subscriptions: It's important to consider how you manage your Azure subscriptions, as well as how you allocate tenant resources to subscriptions.
- Cross-tenant management experiences: As a service provider, you can use Azure Lighthouse to manage resources, for multiple customers from within your own Microsoft Entra tenant. Many tasks and services can be performed across managed tenants, by using Azure delegated resource management.
- Azure Managed Applications: In a managed application, the resources are deployed to a resource group that's managed by the publisher of the app. The resource group is present in the consumer's subscription, but an identity in the publisher's tenant has access to the resource group.
Compute
- Best practices for cluster isolation in Azure Kubernetes Service (AKS): AKS provides flexibility in how you can run multitenant clusters and can isolate resources. To maximize your investment in Kubernetes, you must first understand and implement AKS multitenancy and isolation features. This best practices article focuses on isolation for cluster operators.
- Best practices for cluster security and upgrades in Azure Kubernetes Service: As you manage clusters in Azure Kubernetes Service (AKS), workload and data security is a key consideration. When you run multitenant clusters using logical isolation, you especially need to secure resource and workload access.
Networking
Private Link
- Azure Private Link Service explanation and demos from provider (SaaS ISV) and consumer perspectives: A video that looks at the Azure Private Link service feature that enables multitenant service providers (such as independent software vendors building SaaS products). This solution enables consumers to access the provider's service using private IP addresses from the consumer's own Azure virtual networks.
- TCP Proxy Protocol v2 with Azure Private Link Service—Deep Dive: A video that presents a deep dive into TCP Proxy Protocol v2, which is an advanced feature of the Azure Private Link service. It's useful in multitenant and SaaS scenarios. The video shows you how to enable Proxy Protocol v2 in the Azure Private Link service. It also shows you how to configure an NGINX service to read the source private IP address of the original client, rather than the NAT IP, to access the service via the private endpoint.
- Using NGINX Plus to decode Proxy Protocol TLV
linkIdentifierfrom the Azure Private Link service: A video that looks at how to use NGINX Plus to get the TCP Proxy Protocol v2 TLV from the Azure Private Link service. The video shows how you can then extract and decode the numericlinkIdentifier, also calledLINKID, of the private endpoint connection. This solution is useful for multitenant providers who need to identify the specific consumer tenant from which the connection was made. - SaaS Private Connectivity pattern: An example solution that illustrates one approach to automate the approval of private endpoint connections, by using Azure Managed Applications.
Web
- Claims based routing for SaaS solutions: This article discusses the usage of a reverse proxy to facilitate tenant routing and mapping requests to tenants, enhancing the management of backend services in SaaS solutions.
Storage and data
- Design and build multitenant SaaS apps at scale with Azure Cosmos DB (video): Learn how to design and optimize multitenant SaaS applications using Azure Cosmos DB. This session explores key design considerations related to tenant isolation, cost optimization, and global distribution. The contents of this session applies whether you have a high volume of small B2C tenants or a low volume of highly skewed B2B tenants.
- Azure Cosmos DB and multitenant systems: A blog post discussing how to build a multitenant system that uses Azure Cosmos DB.
- Azure Cosmos DB hierarchical partition keys: By using hierarchical partition keys, also known as subpartitioning, you can natively partition your container with multiple levels of partition keys. This enables more optimal partitioning strategies for multitenant scenarios or workloads that would otherwise use synthetic partition keys.
- Azure SQL Database multitenant SaaS database tenancy patterns: A set of articles describing various tenancy models that are available for a multitenant SaaS application, using Azure SQL Database.
- Running 1 million databases on Azure SQL for a large SaaS provider: Microsoft Dynamics 365 and Power Platform: A blog post describing how Dynamics 365 team manages databases at scale.
- Design a multitenant database by using Azure Database for PostgreSQL Hyperscale
- Horizontal, vertical, and functional data partitioning: In many large-scale and multitenant solutions, data is divided into partitions that can be managed and accessed separately. Partitioning can improve scalability, reduce contention, and optimize performance. It can also provide a mechanism for dividing data, by the usage pattern and by the tenant.
- Data partitioning strategies by Azure service: This article describes some strategies for partitioning data in various Azure data stores.
- Building multitenant applications with Azure Database for PostgreSQL Hyperscale Citus (video)
- Multitenant applications with Azure Cosmos DB (video)
- Building a multitenant SaaS with Azure Cosmos DB and Azure (video): A real-world case study of how Whally, a multitenant SaaS startup, built a modern platform from scratch on Azure Cosmos DB and Azure. Whally shows the design and implementation decisions they made related to partitioning, data modeling, secure multitenancy, performance, real-time streaming from change feed to SignalR and more, all using ASP.NET Core on Azure App Services.
- Multitenant design patterns for SaaS applications on Azure SQL Database (video)
Messaging
- Azure Event Grid domains: Azure Event Grid domains allow you to manage multitenant eventing architectures, at scale.
- Service Bus sample: Cross-tenant communication using Azure Service Bus: Sample implementation of Azure Service Bus that shows how to communicate between a central provider and one or more customers (tenants).
Identity
- Tenancy in Microsoft Entra ID: Microsoft Entra ID has its own concept of multitenancy, which refers to operating across multiple Microsoft Entra directories. When developers work with Microsoft Entra apps, they can choose to configure their app to be either single-tenant or multitenant to support different scenarios.
- Custom-branded identity solution with Azure AD B2C: Azure Active Directory B2C is a customer identity access management solution that is capable of supporting millions of users and billions of authentications per day.
- Build a multitenant daemon with the Microsoft identity platform endpoint: This sample application shows how to use the Microsoft identity platform endpoint to access the data of Microsoft business customers in a long-running, non-interactive process. It uses the OAuth2 client credentials grant to acquire an access token, which it then uses to call the Microsoft Graph and access organizational data.
- Authenticate and authorize multitenant apps using Microsoft Entra ID: Learn how Microsoft Entra ID enables you to improve the functionality of cloud-native apps in multitenant scenarios.
- Azure Architecture Walkthrough: Building a multitenant Azure Architecture for a B2C scenario: a walk through the architecture behind a multitenant mobile app with Azure Active Directory B2C and API Management.
- Define and implement permissions, roles, and scopes with Microsoft Entra ID in SaaS solution: This article covers three main concepts related to Microsoft Entra authentication & authorization, which can be used by SaaS providers. It covers Application Roles functionality, Delegated & Application permissions, and Scopes functionality.
Analytics
- Multitenancy solutions with Power BI embedded analytics: When designing a multitenant application that contains Power BI Embedded, you must carefully choose the tenancy model that best fits your needs.
IoT
- Multitenancy in IoT Hub Device Provisioning Service: A multitenant IoT solution commonly assigns tenant devices by using a group of IoT hubs that are spread across regions.
AI/ML
- Design patterns for multitenant SaaS applications and Azure Cognitive Search: This document discusses tenant isolation strategies for multitenant applications that are built with Azure Cognitive Search.
- A Solution for ML Pipeline in Multi-tenancy Manner: This blog post describes how Azure Machine Learning pipelines can be designed to support multiple tenants by using Azure Machine Learning workspaces.
Community content
Kubernetes
- Three Tenancy Models For Kubernetes: Kubernetes clusters are typically used by several teams in an organization. This article explains three tenancy models for Kubernetes.
- Understanding Kubernetes Multi Tenancy: Kubernetes isn't a multitenant system out of the box, and requires custom configuration. This article explains Kubernetes multitenancy types.
- Kubernetes Multi-Tenancy – A Best Practices Guide: Kubernetes multitenancy is a topic that organizations are increasingly interested in as their Kubernetes usage spreads out. However, because Kubernetes isn't explicitly a multitenant system, it can be challenging to design a multitenant Kubernetes implementation. This article describes these challenges and how to overcome them, and some useful tools for Kubernetes multitenancy.
- Capsule: Kubernetes multi-tenancy made simple: Capsule helps to implement a multitenancy and policy-based environment in your Kubernetes cluster. It isn't a platform as a service (PaaS) offering, but instead is a microservices-based ecosystem with a minimalist design approach, using only upstream Kubernetes.
- Crossplane: The cloud native control plane framework: Crossplane enables you to build control planes for your own solution, by using a Kubernetes-based approach.
Contributors
This article is maintained by Microsoft. It was originally written by the following contributors.
Principal authors:
- John Downs | Principal Software Engineer
- Paolo Salvatori | Principal Customer Engineer, FastTrack for Azure
- Arsen Vladimirskiy | Principal Customer Engineer, FastTrack for Azure
- LaBrina Loving | Principal Customer Engineering Manager, FastTrack for Azure
To see non-public LinkedIn profiles, sign in to LinkedIn.