AWS re:Invent 2016: Architecting Next Generation SaaS Applications on AWS (ARC301)

Posted on 11-Jan-2017

Category:

Technology

TRANSCRIPT

  • 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

    Tod Golding, Partner Solutions Architect

    November 2016

    Architecting Next Generation

    SaaS Applications on AWS

    ARC 301

  • Where Does SaaS Fit?

    (diagram: SaaS at the centre, surrounded by the concerns it touches)

    Identity
    Billing & Metering
    Management & Monitoring
    Analytics
    Scale & Availability
    Storage Partitioning
    Continuous Delivery
    Agility

  • Multi-Tenancy Patterns

    (diagram: how tenants are placed into environments under each pattern)

    Silo: one environment per tenant
    Bridge: a mix of the two, some parts per tenant and some shared
    Pool: all tenants share one environment

  • Partitioning Tug of War

    Silo Model
      Pros:
        - Compliance alignment
        - Partitioned environments
        - No cross-tenant impacts
        - Tenant-specific tuning
        - Tenant level availability
      Cons:
        - Cost
        - Agility compromised
        - Management complexity
        - Deployment challenges
        - Analytics/metering aggregation

    Pool Model
      Pros:
        - Agility
        - Cost optimization
        - Centralized management
        - Simplified deployment
        - Analytics/metering aggregation
      Cons:
        - Cross-tenant impacts
        - Compliance challenges
        - All or nothing availability

  • SaaS Reference Architecture Landscape

    Identity
    Tenant Isolation
    Data Partitioning
    Management & Monitoring
    Profiling & Analytics
    Metering, Billing & Tenant Administration

    (diagram axes: Application View and Operational View, resting on Technical/Business Agility)

  • SaaS Identity: Beyond the Front Door

    Injecting Tenant Context
    Security & Isolation
    Tenant Access
    Tenant Provisioning

  • On-Boarding a Tenant

    (diagram: New Tenant -> On-Boarding -> Tenant Identity Broker -> Identity Provider;
     On-Boarding also feeds Tenant Management and Billing)

    User record:
      User: bob@test.com
      TenantID: 491048735

    Tenant record:
      TenantID: 491048735
      Domain: abc.com
      Tier: Platinum
      Status: Active

    Provisioned for the tenant: Domain Provisioning, SSL Certificate, Tenant IAM Policy

    User Identity + Tenant Identity = SaaS Identity

  • SaaS Identity Flow

    (diagram: Web Application -> Tenant Identity Broker -> Identity Provider with Multi-Factor
     Authentication -> AWS Cloud, where an IAM Policy scopes what the resulting identity may do)

    Identity returned to the application:
      UserID: bob@abc.com
      TenantID: 93194942
      Role: Admin

  • IAM Policies Scope Tenant Access

    (diagram: Web Tier -> App Tier; each tenant's requests run under that tenant's policy)

    Tenant1 Access Policy -> CustomerTable (tenant 1 items), T1-Bucket
    Tenant2 Access Policy -> CustomerTable (tenant 2 items), T2-Bucket
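The slide shows the scoping but not the policy itself. The following is an added example, not code from the deck or from AWS documentation, of what a per-tenant access policy can look like together with a simplified, default-deny check of what it permits. The use of the dynamodb:LeadingKeys condition on a shared CustomerTable, the dedicated bucket per tenant, the 123456789012 account id and the table and bucket names are all assumptions made for illustration.

```python
import fnmatch
from typing import List, Optional

# Constructed identifiers: example account id, table and bucket names (assumptions).
CUSTOMER_TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/CustomerTable"


def tenant_policy(tenant_id: str, table_arn: str, bucket: str) -> dict:
    """Policy for the role the app tier assumes on behalf of one tenant. On the shared
    CustomerTable the dynamodb:LeadingKeys condition limits item access to items whose
    partition key equals the tenant id; the bucket is dedicated to that tenant."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": f"{tenant_id}Items",
                "Effect": "Allow",
                "Action": ["dynamodb:GetItem", "dynamodb:PutItem",
                           "dynamodb:UpdateItem", "dynamodb:Query"],
                "Resource": table_arn,
                "Condition": {
                    "ForAllValues:StringEquals": {"dynamodb:LeadingKeys": [tenant_id]}
                },
            },
            {
                "Sid": f"{tenant_id}Objects",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
        ],
    }


def policy_allows(policy: dict, action: str, resource: str,
                  leading_keys: Optional[List[str]] = None) -> bool:
    """Simplified, default-deny evaluator covering only what the policy above uses:
    Allow statements, wildcards in Action/Resource, and the ForAllValues:StringEquals
    condition on dynamodb:LeadingKeys. Real IAM evaluation also applies explicit Deny,
    SCPs and resource policies, and it satisfies ForAllValues when the request carries
    no keys at all, which is why Scan is deliberately not granted above."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            continue
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatch.fnmatchcase(resource, pattern) for pattern in resources):
            continue
        condition = stmt.get("Condition", {}).get("ForAllValues:StringEquals", {})
        allowed_keys = condition.get("dynamodb:LeadingKeys")
        if allowed_keys is not None:
            # Stricter than IAM on purpose: a request without a partition key is refused here.
            if not leading_keys or any(key not in allowed_keys for key in leading_keys):
                continue
        return True
    return False  # implicit deny
```

Two practical checks follow from this shape: never grant dynamodb:Scan (or any action that carries no partition key) under a LeadingKeys condition, because IAM treats ForAllValues as satisfied when the key set is empty; and generate these policies from the on-boarding pipeline rather than by hand, so every tenant gets exactly the same statements with only the tenant id and bucket substituted.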

  • Applying Tenant Context

    (diagram: Homepage, Catalog Service and Cart Service each sit behind Access Control;
     the Auth Service and Tenant Service supply the tenant context)

    Tenant context carried in the JWT token and sent on every call as
    Authorization: Bearer <token>:

    {
      UserID: bob@abc.com,
      Role: Admin,
      TenantID: 93194942
    }

  • SaaS Identity Considerations

    SaaS identity is bigger than authentication
    Leave the heavy lifting, risk, and innovation to someone else
    Use the identity broker pattern to decouple from identity providers
    Automate role and policy provisioning/management
    Add tenant context to the identity token to limit bottlenecks
    If your identity solution is invasive, you're doing it wrong
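The two slides above describe a token that carries UserID, Role and TenantID and is presented as a bearer token to every service. The following is an added example, not code from the deck, of that flow end to end: the broker side issues an HS256 JWT with the tenant claims, and the service side verifies it before deriving the tenant context it scopes every call to. The claim names, the shared HMAC key, the 15-minute lifetime and the request handler are assumptions; the JWT encoding is written out with the standard library so nothing hides the checks.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example key (assumption). In the deck's design the identity broker holds the
# signing key; with HS256 the services share the secret, with RS256 they hold only the public key.
SIGNING_KEY = b"example-shared-secret-do-not-use-in-production"


class TokenError(Exception):
    """Raised for any token a service must not trust."""


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, tenant_id: str, role: str, key: bytes = SIGNING_KEY,
                ttl_seconds: int = 900, now: Optional[int] = None) -> str:
    """Identity broker side: bind the authenticated user to the tenant it was resolved to."""
    issued = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user_id, "tenant_id": tenant_id, "role": role,
              "iat": issued, "exp": issued + ttl_seconds}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(signature)


def verify_token(token: str, key: bytes = SIGNING_KEY, now: Optional[int] = None) -> dict:
    """Service side: pin the algorithm, check signature and expiry, then return the tenant
    context. No claim is used for authorization before all of this passes."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h64, c64, s64 = parts
    try:
        header = json.loads(b64url_decode(h64))
        signature = b64url_decode(s64)
    except (ValueError, UnicodeDecodeError):
        raise TokenError("malformed token")
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{h64}.{c64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(c64))
    current = int(time.time()) if now is None else now
    if int(claims.get("exp", 0)) <= current:
        raise TokenError("expired")
    for required in ("sub", "tenant_id", "role"):
        if required not in claims:
            raise TokenError(f"missing claim {required}")
    return {"user": claims["sub"], "tenant_id": claims["tenant_id"], "role": claims["role"]}


def handle_request(auth_header: str, requested_tenant: str, now: Optional[int] = None) -> str:
    """A downstream service such as the deck's Catalog or Cart service: the tenant a caller
    may act on comes from the token, never from the URL or body; a mismatch is refused."""
    if not auth_header.startswith("Bearer "):
        return "401 missing bearer token"
    try:
        ctx = verify_token(auth_header[len("Bearer "):], now=now)
    except TokenError as exc:
        return f"401 {exc}"
    if requested_tenant != ctx["tenant_id"]:
        return "403 cross-tenant access denied"
    return f"200 tenant={ctx['tenant_id']} user={ctx['user']} role={ctx['role']}"
```

The order of checks in verify_token is the point: algorithm pinned, signature compared in constant time, expiry enforced, and only then are the tenant claims read. A service that reads TenantID from the claims before the signature is verified, or that accepts a tenant id from the request path when it disagrees with the token, has turned the token into a suggestion.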

  • Tenant Isolation

    (diagram: Web Tier and App Tier under each model)

    Layered Isolation
    Full Stack Isolation
    Network Isolation

  • Full Stack Isolation

    EC2 Full Stack Isolation: Tenant 1 and Tenant 2 each get their own Web Tier and App Tier
    Container Isolation: Tenant 1 and Tenant 2 each get their own container instances for the Web Tier and App Tier

    Shared across tenants in both cases: On-Boarding, Billing, Provisioning, Routing

  • Account Isolation

    Tenant 1 (AWS Account A) and Tenant 2 (AWS Account B) each run the same stack in their own account:
      Region
        Availability Zone 1, Availability Zone 2
        Auto Scaling Group: Web Server, Web Server
        Auto Scaling Group: App Server, App Server

    Shared across accounts: On-Boarding, Billing, Provisioning, Routing

  • Hybrid Isolation

    Mix of single and multi-tenant models

    (diagram: Tenant 1 and Tenant 2 each have their own Web Tier and App Tier;
     Tenants 3..N share one multi-tenant Web Tier and App Tier)

    Build with the pooled model in mind
    Unified on-boarding and billing
    Silos are a standalone instance of the pooled environment
    Avoid one-off customization
    Shared tooling and provisioning
    New features go to all tenants (agility)

  • Network Isolation

    VPC Partitioning: Tenant 1 and Tenant 2 each get their own VPC holding a Web Tier and an App Tier
    Subnet Partitioning: one VPC with T1 Web Subnet, T1 App Subnet, T2 Web Subnet, T2 App Subnet

  • Layered Tenant Isolation

    Shared in every variant: Billing, Administration, On-Boarding, and Route 53 in front of the web tier

    1. Web and App per tenant: Tenant 1 (Web, App), Tenant 2 (Web, App)
    2. Shared Web Tier; App: Tenant 1 and App: Tenant 2 kept separate
    3. Shared Web Tier and shared App Tier

  • Serverless SaaS

    (diagram: Amazon CloudFront serves static web content; the REST API invokes AWS Lambda Functions,
     which use Storage Services)

    Aligning with SaaS Tenets:
      Finer-grained mapping of tenant consumption
      Simplifies scaling policies
      Improved fault tolerance model
      Better deployment agility
      Separates API management from execution

  • Compute Partitioning Considerations

    Don't assume isolation is required for all tenants
    Start with pooled and let isolation earn its way in
    Resist the temptation for one-off tenant customization
    Create an aggregate view of health and activity
    Adjust service limits when provisioning new tenants
    Use tags to identify tenant resources
    Limit the impact of partitioning on agility

  • Data Partitioning

    Separate database for each tenant: Tenant 1 -> Storage, Tenant 2 -> Storage
    Single database, multiple schemas: Tenant 1 schema, Tenant 2 schema
    Shared database, single schema: one schema, every row carries the tenant id, e.g.

      Tenant Id   Item Id
      A93-9494    239
      B38-3929    3434

  • The Hot Key Problem

    Tenant Key Distribution: tenants are mapped onto shards, and a shard can itself be split
    further ("shard of shards") when one tenant's keys run hot

      TenantID   Shard
      Tenant1    1
      Tenant7    2
      Tenant9    1
      Tenant4    3

    Shard1, Shard2, Shard3

  • Multi-Tenant RDS

    Instance Per Tenant: Tenant 1 Instance, Tenant 2 Instance
    Table Per Tenant: Tenant 1 and Tenant 2 tables in one instance
    Multi-Tenant Tables: tables partitioned by tenant id, e.g.

      Tenant 1   84049-49    True
      Tenant 2   82-84-949   False

      Tenant 1   Bob Smith
      Tenant 2   Lisa Johnson

  • Multi-Tenant DynamoDB: Silo Model

    Tenant1: Tenant1_Account and Tenant1_Customer tables, reached through IAM_Tenant1_Role
    Tenant2: Tenant2_Account and Tenant2_Customer tables, reached through IAM_Tenant2_Role
    Tenant3: Tenant3_Account and Tenant3_Customer tables, reached through IAM_Tenant3_Role

  • Multi-Tenant DynamoDB: Pool Model

    Tenant Lookup (Partition Key: TenantID; Attributes: a shard map per table), e.g. for Tenant1:

      CustomerTable {
        ShardCount: 3,
        ShardSize: [4, 9, 5],
        ShardIds: [93, 932, 21]
      }
      AccountTable {
        ShardCount: 4,
        ShardSize: [3, 4, 4, 5],
        ShardIds: [43, 19, 971, 85]
      }

    CustomerTable (Partition Key: ShardID; Attributes: CustomerID, Name)

      ShardID   CustomerID    Name
      93        4923000093    Bob Jones
      932       9839839939    Sally Smith
      932       4394992099    Mary Young

    AccountTable (Partition Key: ShardID; Attributes: AccountID, Status)

      ShardID   AccountID    Status
      43        739193984    Active
      43        113948390    Active
      19        732933209    Inactive
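The hot key slide and the pool-model tables above describe the layout without showing the read and write paths. The following is an added example, not code from the deck, that simulates it in memory: the tenant lookup table hands each tenant its shard ids, each write hashes onto one of those shards, reads fan out across them and merge, and a tenant that has become a hot key is given an extra shard with its items rehashed. The in-memory dictionaries standing in for DynamoDB, the SHA-256 placement rule, and the Tenant2 allocation are assumptions.

```python
import hashlib
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed tenant lookup table (assumption); Tenant1's CustomerTable entry mirrors the deck.
TENANT_LOOKUP: Dict[str, Dict[str, List[int]]] = {
    "Tenant1": {"CustomerTable": [93, 932, 21]},
    "Tenant2": {"CustomerTable": [55]},
}


class PooledCustomerTable:
    """Shared CustomerTable: partition key ShardID, sort key CustomerID. A tenant never
    addresses items by TenantID; it only reaches the shard ids the lookup table gives it."""

    def __init__(self, lookup: Dict[str, Dict[str, List[int]]]):
        self.lookup = lookup
        self.partitions: Dict[int, Dict[str, dict]] = defaultdict(dict)  # ShardID -> items

    def shards_for(self, tenant_id: str) -> List[int]:
        try:
            return self.lookup[tenant_id]["CustomerTable"]
        except KeyError:
            raise PermissionError(f"no shard allocation for tenant {tenant_id}")

    def shard_for(self, tenant_id: str, customer_id: str) -> int:
        """Deterministic spread: hash the item key onto one of the tenant's own shards."""
        shards = self.shards_for(tenant_id)
        digest = int(hashlib.sha256(customer_id.encode()).hexdigest(), 16)
        return shards[digest % len(shards)]

    def put(self, tenant_id: str, customer_id: str, name: str) -> int:
        shard = self.shard_for(tenant_id, customer_id)
        self.partitions[shard][customer_id] = {"ShardID": shard, "CustomerID": customer_id, "Name": name}
        return shard

    def get(self, tenant_id: str, customer_id: str) -> Optional[dict]:
        """Point read: the shard is recomputed, so a caller only ever reads its own shard ids."""
        return self.partitions[self.shard_for(tenant_id, customer_id)].get(customer_id)

    def query_tenant(self, tenant_id: str) -> List[dict]:
        """Scatter/gather: one Query per shard of the tenant, results merged."""
        items: List[dict] = []
        for shard in self.shards_for(tenant_id):
            items.extend(self.partitions[shard].values())
        return sorted(items, key=lambda item: item["CustomerID"])

    def load(self, tenant_id: str) -> Dict[int, int]:
        """Items per shard: how evenly the tenant's traffic is spread."""
        return {shard: len(self.partitions[shard]) for shard in self.shards_for(tenant_id)}

    def add_shard(self, tenant_id: str, shard_id: int) -> None:
        """A tenant that has become a hot key gets another shard; its items are rehashed
        onto the new shard set so shard_for() keeps finding them."""
        if any(shard_id in alloc["CustomerTable"] for alloc in self.lookup.values()):
            raise ValueError(f"shard {shard_id} already allocated")
        items = self.query_tenant(tenant_id)
        for shard in self.shards_for(tenant_id):
            self.partitions[shard].clear()
        self.shards_for(tenant_id).append(shard_id)
        for item in items:
            self.put(tenant_id, item["CustomerID"], item["Name"])
```

Two properties matter for isolation as much as for throughput: shard ids are allocated to exactly one tenant, and every read and write derives its shard from the caller's tenant lookup entry, so the pool model gets tenant scoping from the key layout itself rather than from a filter applied after the fact. The IAM policies in the earlier slide can then restrict each tenant's role to its own ShardID values.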

  • Real-Time Optimization: Dynamic DynamoDB

    Dynamic configuration of provisioned throughput (read/write capacity units)
    Aligns storage throughput with real-time tenant load
    Optimizes tenant costs
    Improves tenant experience

    (chart: average consumed write capacity against provisioned write capacity over time)

  • Minimizing Tenant Awareness

    (diagram: Your Service Code sits on top of shared building blocks)

    Service Authorization (RBAC)
    Data Access
    Service Lifecycle (config, bootstrap, discovery)
    Logging
    Analytics
    Tenant Configuration
    Metrics
    System Configuration

    Abstracting away tenant awareness & policies
    Maximizing developer productivity
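The slide above puts data access among the building blocks that hide tenant awareness from service code, and the earlier Multi-Tenant RDS and shared-schema slides show rows that carry the tenant id. The following is an added example, not code from the deck, of a shared-database, single-schema repository that binds the caller's tenant id from the verified token context into every statement, next to the unscoped query it is there to prevent. sqlite3 stands in for RDS, the customers rows are constructed sample data after the deck's table, and the TenantContext fields are an assumption.

```python
import sqlite3
from dataclasses import dataclass
from typing import List, Optional, Tuple

SCHEMA = """
CREATE TABLE customers (
    tenant_id   TEXT NOT NULL,
    customer_id TEXT NOT NULL,
    name        TEXT NOT NULL,
    PRIMARY KEY (tenant_id, customer_id)   -- tenant id leads the key, as in the deck's tables
);
"""

# Constructed rows after the deck's Multi-Tenant Tables slide (assumption).
SAMPLE_ROWS = [
    ("Tenant 1", "84049-49", "Bob Smith"),
    ("Tenant 2", "82-84-949", "Lisa Johnson"),
    ("Tenant 1", "11-22-333", "Ada Lovelace"),
]


def new_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    db.commit()
    return db


@dataclass(frozen=True)
class TenantContext:
    """What the auth layer extracted from the verified token; services get this, not raw claims."""
    tenant_id: str
    user: str
    role: str


class CustomerRepository:
    """The data-access building block: every statement binds the caller's tenant id from the
    context, so service code cannot forget it or be talked into another tenant's id."""

    def __init__(self, db: sqlite3.Connection, ctx: TenantContext):
        self.db = db
        self.tenant_id = ctx.tenant_id

    def list(self) -> List[Tuple[str, str]]:
        return self.db.execute(
            "SELECT customer_id, name FROM customers WHERE tenant_id = ? ORDER BY customer_id",
            (self.tenant_id,)).fetchall()

    def get(self, customer_id: str) -> Optional[Tuple[str, str]]:
        return self.db.execute(
            "SELECT customer_id, name FROM customers WHERE tenant_id = ? AND customer_id = ?",
            (self.tenant_id, customer_id)).fetchone()

    def add(self, customer_id: str, name: str) -> None:
        self.db.execute("INSERT INTO customers VALUES (?, ?, ?)",
                        (self.tenant_id, customer_id, name))
        self.db.commit()


def unscoped_lookup(db: sqlite3.Connection, customer_id: str) -> Optional[Tuple[str, str]]:
    """The defect the repository prevents: a query written in service code that omits the
    tenant filter returns whichever tenant's row happens to carry that id."""
    return db.execute("SELECT tenant_id, name FROM customers WHERE customer_id = ?",
                      (customer_id,)).fetchone()
```

With the tenant id bound by the repository, a developer writing the Catalog or Cart service never touches it, which is what the slide means by abstracting away tenant awareness: the same code runs for every tenant, and a missing WHERE tenant_id clause cannot happen outside this one module, where it is easy to review.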

  • Management & Monitoring

    (diagram: S3, CloudWatch, AWS Config and CloudTrail data, tagged with Tenant Context,
     feed Splunk, Sumologic or Kibana)

    Create custom views that aggregate and summarize cross-tenant activity
    Proactively identify cross-tenant issues

    Introduce cross