Part 1: The two halves of Multi-tenancy

Multitenant implementation plan

• The two halves of multi-tenancy

  • Control plane - the management and operation layer

  • Application plane - the actual multi-tenant services where end user workloads run, data is processed, and core business functionality lives.

Key Components That Live in the SaaS Control Plane

These services enable the SaaS to manage the entire fleet of tenants in a centralized, standardized way:

• Tenant Onboarding / Provisioning: The automated (or semi-automated) process of introducing a new tenant. This includes:

  • Collecting tenant details (company info, tier/subscription level)

  • Creating tenant identity/metadata records

  • Provisioning any required tenant-specific resources (e.g., databases, namespaces, isolated environments in silo/bridge models)

  • Setting up initial configurations, roles, and policies

  • Integrating with billing/subscription systems

  • Often triggered via self-service signup flows or internal admin actions

• Billing & Metering: Tracks tenant-specific consumption (usage metrics, API calls, storage, compute, etc.) Aggregates data for invoicing. Supports usage-based, tiered, or subscription pricing models. Integrates with payment processors, AWS Marketplace, Stripe, etc.

• Metrics, Observability & Telemetry: Collects and aggregates tenant-aware metrics, logs, and traces. Enables provider-wide monitoring, alerting, noisy-neighbor detection, and performance insights. Supports tenant-specific dashboards or cost reporting (often with tenant-level granularity)

• Tenant Management / Lifecycle: Offboarding, suspension, tier upgrades/downgrades, relocation, policy management. Tenant catalog/metadata store (e.g., which tier, region, status, isolation model each tenant uses)

• Identity & Authentication (SaaS-level): Provider-side identity management, SSO configuration, tenant-user mapping, custom claims for tenant context

• Administration Application / Console This is the key UX piece you mentioned - a web-based admin portal, CLI, or API used exclusively by the SaaS provider's internal teams (sys admins/operators). It provides a single pane of glass to:

  • View/manage all tenants

  • Trigger onboardings/provisionings

  • Monitor health, costs, and usage across the fleet

  • Handle support/incidents

  • Configure global policies, rollouts, or experiments

Why This Separation Matters

• Enables operational scale - One team manages thousands of tenants without per-tenant ops overhead.

• Provides consistency - Unified onboarding, billing, metrics, and admin experience regardless of underlying isolation model (pooled, bridge, silo, or hybrid).

• Supports business agility - Faster feature rollouts, tiering experiments, and revenue models (e.g., usage-based billing).

• Improves security & compliance - The control plane is tightly controlled (provider-only access), while the application plane handles tenant isolation.

The application plane

The application plane (sometimes called the data plane or tenant plane) in a multi-tenant SaaS architecture is where the actual customer-facing workloads run. This is the environment that processes real user requests, handles business logic, stores and retrieves tenant data, and delivers the core value of your SaaS product.

1. Tenant Context

The "Tenant Context" is the identity package that follows a user’s request through the system. It is usually extracted from a JWT (JSON Web Token) or an API key.

• What it contains: The unique tenant_id, the user’s role (Admin vs. Member), and their subscription tier (Free vs. Premium).

• Why it matters: Every microservice in the application plane uses this context to decide which data to show and which features to enable.

2. Tenant Isolation

Isolation is the "wall" that prevents one tenant from seeing another's data. It is often enforced at two levels:

• Compute Isolation: Ensuring that heavy processing by one tenant (the "noisy neighbor") doesn't slow down the application for others.

• Logic Isolation: Hardcoded checks in the application code or middleware that automatically filter every database query by the tenant_id stored in the context.

3. Data Partitioning

This defines how the data is physically stored. There are three common models:

• Silo (Database-per-Tenant): Each tenant has their own separate database. This is high-security but expensive.

• Bridge (Schema-per-Tenant): Tenants share a database but have separate "folders" (schemas).

• Pool (Row-per-Tenant): All tenants share the same tables. A tenant_id column is used to tell them apart.

4. Tenant Routing

Routing is the mechanism that directs a user's request to the correct part of the application plane.

• Subdomain Routing: tenant-a.saas.com vs tenant-b.saas.com.

• Path-based Routing: saas.com/tenant-a/....

• Header-based Routing: The application looks at a hidden "Tenant-ID" header in the API call to decide where to send the request.

5. Multi-tenant Application Deployment

This is the strategy for how the code itself is updated and run.

• The "One Version" Rule: In a true multi-tenant application plane, you run a single version of the code for all tenants. This makes maintenance easy because you only have one codebase to patch or upgrade.

Feature Flags: If Tenant A wants a new feature but Tenant B doesn't, the code includes "toggles." Both tenants run the same code, but the Application Plane checks the Control Plane's settings to see if the toggle is "on" for that specific tenant.