The tenancy of a system should be determined by the data characteristics just described. When referring to the data layer of an architecture, multitenancy means that multiple organizations or customers (tenants) share a group of servers. Most defi nitions would say a single server, but it typically requires multiple servers (i.e., master–slave) to support a tenant. Single tenant means that only one tenant is supported per each group of servers. Figures 8.1 and 8.2 show three multitenancy design strategies that each solve a unique set of requirements.
App Server
Multitenancy Isolation Approaches
Database Server Total Isolation
App Server Shared
App 1 App 2
Database Server Data Isolation
Tenant 1 App
Tenant 1 Tenant 2 Tenant 1 Tenant 2
Tenant 2 App
Figure 8.1 Total Isolation and Data Isolation
In Figure 8.1 , the image on the left is the “total isolation” strategy, which is an example of single tenant. In this example, both the database layer and the application layer have dedicated resources for each tenant.
Advantages Disadvantages
Provides independence Most expensive
Privacy Minimal reuse
Highest scalability Highest complexity
By isolating tenants to their own servers, each tenant has a high degree of independence, meaning that if there is an application or database bottleneck in any of the servers, it has limited or no impact on the other tenants. Because no other tenant has access to these servers, there is a higher degree of privacy.
Also, systems with dedicated servers for each tenant scale better because of the increase in compute power. However, these advantages come with costs.
Single tenant is the most expensive strategy. Each tenant bears an indepen-dent cost to the overall system. The ability to reuse existing infrastructure is limited, which creates complexities for managing infrastructure due to the increasing number of servers. The applications must also be infrastructure aware and know how to point to the correct infrastructure.
The image on the right in Figure 8.1 is the “data isolation” strategy. In this model, the application takes a multitenant approach to the application layer by sharing application servers, web servers, and so on. The database layer is single
Shared App Server
Multitenancy Isolation Approaches
App 1 App 2
Tenant 2 Tenant 1
Database Server Data Segregation
Figure 8.2 Data Segregation
tenant, making this a hybrid approach between multitenancy and single tenant. In this model, we still get the advantages of independence and privacy while reducing some of the cost and complexities. Figure 8.2 shows a true multitenancy model.
The “data segregation” strategy separates the tenants into different data-base schemas, but they do share the same servers. In this model, all layers are shared for all tenants.
Advantages Disadvantages Most cost effective Lack of independence Least complex Lowest performance Highest reuse Lowest scalability
This model is the most cost effective due to the large amount of reuse. It is also the least complex because it requires many fewer servers. The challenge is that a performance issue with one tenant can create issues for other tenants.
Also, fewer servers means less performance and less scalability. In fact, as ten-ants are added to the system, the system becomes more vulnerable to failure.
When would we use these strategies? The total isolation approach is commonly used when a tenant has enormous amounts of traffi c. In this case it makes sense to dedicate servers to this tenant so it can maximize scaling while not causing disruptions to other clients. The data isolation strategy is often used to protect the privacy of each tenant ’s data and also to allow ten-ants to scale independently. The data isolation strategy is often used when the amount of traffi c is not overwhelming, yet there still is a need to store a tenant ’s data in its own schema for privacy reasons.
One company I worked for had many retail clients. Some clients had hundreds and even thousands of stores with several millions shoppers, while other retailers may have had a dozen or fewer stores with shopper counts under a million. The really big retailers were very strict about security and privacy while the smaller chains were not as strict. As a young start-up, we had to balance our costs with our contractual agreements with the retailers. We implemented a hybrid solution. We had one extremely large client that had several thousand stores. We decided to implement a total isolation strategy for this client because of its potential to drive enormous amounts of traffi c and because of the importance of delivering to a customer of that size. For all of the smaller retailers that had very average traffi c, we used the data seg-regation model to keep our costs to a minimum. For all other customers that were large to average size in terms of both stores and traffi c, we used the data isolation method. Each tenant had its own independent database servers but a shared web and application layer.
Every business is different. It is important to understand what the differ-ent tenancy options are. Based on the business requiremdiffer-ents, choose the right
strategy or combination of strategies to support the needs around indepen-dence, security, privacy, scalability, complexity, and costs.