A Guide to Create a SaaS Platform with Multiple Tenants using Amazon EKS

Overview

Organizations are increasingly adopting the SaaS model, with Amazon EKS as a favored platform. Amazon EKS offers cost-efficiency, security, and operational benefits. However, transitioning to Amazon EKS for SaaS presents unique multi-tenant challenges. This blog explores Amazon EKS based SaaS architecture, covering tenant isolation, onboarding, and identity management. It includes a functional SaaS app and admin console for insights into multi-tenant design on Amazon EKS.

Introduction

Amazon EKS SaaS is a cloud-based solution that lets businesses create and deploy their Software as a Service (SaaS) offerings on Amazon Web Services (AWS). It uses Amazon’s Elastic Kubernetes Service (Amazon EKS) for a scalable, secure, and flexible environment to host multiple tenants’ applications.

Companies can deliver their unique SaaS apps to diverse customers without facing infrastructure complexities. Amazon EKS SaaS leverages Kubernetes benefits like auto-scaling and high availability, supports multi-tenancy for cost efficiency, and ensures data privacy and regulatory compliance.

Pioneers in Cloud Consulting & Migration Services

Reduced infrastructural costs
Accelerated application deployment

Get Started

Use Cases

Microservices Deployment: Amazon EKS SaaS is ideal for deploying microservices-based apps. It simplifies managing Kubernetes infrastructure, letting developers concentrate on building and scaling individual services, leading to better scalability and flexibility.
DevOps and Continuous Delivery: Amazon EKS SaaS aligns with DevOps principles by automating containerized app deployments using AWS tools like AWS CodePipeline and AWS CodeDeploy. This accelerates updates, reduces deployment times, and enhances development speed.
Big Data and Analytics: Amazon EKS SaaS supports big data processing and analytics. It streamlines complex cluster management, allowing data professionals to focus on efficient data processing and analysis. AWS services like Amazon S3 and Amazon Redshift can be integrated for end-to-end data pipelines with Amazon EKS SaaS.

Isolation Model

When building a multi-tenant SaaS solution on Amazon EKS, one must decide how to ensure tenant isolation effectively. There are different approaches:

Cluster-per-tenant: Each tenant gets their dedicated cluster for strong isolation but higher costs.
Shared compute: Tenants share the same cluster and rely on application-level isolation, which is cost-efficient but less isolation.
Namespace-per-tenant: Tenants are in the same cluster but separated by namespaces, balancing isolation and cost efficiency. This model is used in the Amazon EKS SaaS sample solution, affecting tenant onboarding, isolation, and traffic routing.

Amazon EKS SaaS Baseline Infrastructure

Tenant Onboarding – Onboarding multiple tenants in Amazon EKS involves specific configurations, user management, and ensuring seamless integration of tenant context. JWT tokens are used for authentication and routing within Amazon EKS microservices.
Multi-Tenant Microservices – Building Amazon EKS microservices for multi-tenancy involves unique data partitioning schemes to ensure safe and isolated data access. Tenant isolation and access control to external resources are top priorities.
SaaS Architecture – A complete SaaS architecture includes metering, metrics, and analytics for data collection. DevOps, management, and operations are also considered for visibility into tenant activities, efficient deployment, and optimal service availability with zero downtime.

Image Ref: AWS Docs

saas

Figure 1 – Amazon EKS SaaS Baseline Infrastructure

The View of High-level Architecture

saas2

Figure 2 – Conceptual architecture

Amazon EKS cluster includes two services

Shared Services – All multi-tenant design and implementation utilize these. They include registration, user management, and tenant management services responsible for introducing, managing, and creating tenants in the environment.
App Services – These services form the core of the application. Examples are the order service and the product service.

The following sections outline each layer comprising the Amazon EKS SaaS solution.

There are three different applications.

Landing Page / Signup Page – This is the marketing page where we promote our application, increasing its visibility. Users interested in our solution can sign up and choose from different plans.

saas3

2. SaaS Commerce Application with Microservices – This application handles authentication through Amazon Cognito. Users authenticate and receive a JWT token, which they send to our backend services. The application comprises several microservices.

saas4

3. Admin Console – As SaaS providers, we use the admin console to manage tenants and users. It also employs Cognito for authentication. The admin console and other services access the backend, which is our Amazon EKS cluster.

saas5

Overall setup allows us to efficiently manage tenants, handle user authentication, and deploy the essential components of our SaaS application using Amazon EKS.

Tenant Microservice

The Tenant registration service collects tenant data from the landing page or admin app and stores it in Amazon DynamoDB via the tenant management service. A new user pool is set up for the tenant, and the tenant admin user is added through the user management service. AWS CodePipeline and AWS CodeBuild are used to provision the tenant’s app services, including creating a namespace and deploying the Product and Order microservices. Security policies are enforced for network and data to ensure tenant isolation and security.

saas6

Tenant Onboarding

Tenant Onboarding – Tenant registration service stores tenant data in Amazon DynamoDB and creates a dedicated user pool. The user management service sets up the tenant admin user. AWS CodePipeline and AWS CodeBuild provision tenant application services.
Security Measures – Security policies for network and data isolation are enforced to protect tenant resources and data.
Namespace-Per-Tenant – Pod security and network policies ensure tenant isolation. IAM roles for Service Account enforce credential isolation. Different DynamoDB table strategies are used for order and product microservices and network isolation at the namespace level to control pod-to-pod communication and prevent cross-namespace access.

saas7

Conclusion

Throughout this process, we have gained the complete end-to-end experience of constructing a functional Amazon EKS SaaS solution on AWS. This comprehensive understanding serves as a solid foundation while still allowing for customization based on specific policies that align with the unique requirements of each SaaS environment. With this knowledge, developers and architects can confidently build tailored SaaS solutions while adhering to best practices and optimizing their specific use cases.

Drop a query if you have any questions regarding Amazon EKS and we will get back to you quickly.

Making IT Networks Enterprise-ready – Cloud Management Services

Accelerated cloud migration
End-to-end view of the cloud environment

Get Started

About CloudThat

CloudThat is an official AWS (Amazon Web Services) Advanced Consulting Partner and Training partner, AWS Migration Partner, AWS Data and Analytics Partner, AWS DevOps Competency Partner, Amazon QuickSight Service Delivery Partner, AWS EKS Service Delivery Partner, and Microsoft Gold Partner, helping people develop knowledge of the cloud and help their businesses aim for higher goals using best-in-industry cloud computing practices and expertise. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere.

To get started, go through our Consultancy page and Managed Services Package, CloudThat’s offerings.

FAQs

1. What are the key advantages of using Amazon EKS for hosting a SaaS solution?

ANS: – Amazon EKS offers a compelling programming model, cost-efficiency, robust security features, and operational benefits. It simplifies container orchestration, making it an attractive choice for organizations looking to deliver SaaS solutions.

2. How does Amazon EKS address the multi-tenant considerations in a SaaS environment?

ANS: – Amazon EKS provides tools and features to achieve core SaaS principles. These include tenant isolation through namespaces and network policies, automated tenant onboarding using infrastructure as code, and identity management through AWS IAM roles. It helps architects and developers build secure and scalable multi-tenant systems.

3. What does the provided sample solution include, and how can it benefit SaaS architects and developers?

ANS: – The sample solution comprises a fully functional SaaS application and an administration console for managing the SaaS environment. It is a practical example of implementing multi-tenant architecture on Amazon EKS, offering valuable insights and best practices for those designing and deploying SaaS solutions on this platform.

WRITTEN BY Deepika N

Deepika N works as a Research Associate - DevOps and holds a Master's in Computer Applications. She is interested in DevOps and technologies. She helps clients to deploy highly available and secured application in AWS. Her hobbies are singing and painting.