AWS re:Invent 2025 - Scaling Multi-Tenant SaaS Delivery with Amazon CloudFront (NET316)

Scaling Multi-Tenant SaaS Delivery with Amazon CloudFront

Challenges of Multi-Tenant SaaS at the Edge

  • Running SaaS platforms at the edge is challenging due to the need for precision, automation, and isolation as the control and data planes multiply with thousands of tenants.
  • Key challenges include:
    • Managing thousands of micro-behaviors within a single CloudFront distribution
    • Isolating tenant data, routing, and security to prevent cross-tenant impacts
    • Provisioning and managing certificates, DNS entries, cache policies, and custom headers at scale

Tenant Isolation Strategies

  • Three main approaches to tenant isolation:
    1. Siloed Isolation: Dedicated CloudFront distributions per tenant, offering maximum isolation but higher cost and management overhead.
    2. Pool Isolation: Tenants share resources but use logical isolation mechanisms like namespaces and rate-based access control.
    3. Tiered Isolation: High-value tenants get siloed resources, while others are pooled to optimize cost and performance.
  • The isolation strategy is a business decision balancing risk, cost, and customer expectations.

CloudFront SaaS Manager

  • Enables a single multi-tenant CloudFront distribution to serve thousands of tenants with isolated behavior.
  • Key constructs:
    1. Multi-Tenant Distribution: Baseline configuration shared across all tenants.
    2. Per-Tenant Configurations: Tenant-specific overrides for behaviors, routing, security.
    3. Tenant-Scoped Parameters: Variables that allow dynamic customization without modifying the base distribution.
  • Automates tenant onboarding, certificate provisioning, and DNS setup.

Tenant Onboarding Workflow

  1. Tenant-specific resources (compute, storage, database) are provisioned.
  2. CloudFront rules are configured using tenant-specific parameters.
  3. Cache policies are set to isolate content per tenant.
  4. Connection groups control how tenant traffic is routed through CloudFront.
  5. CloudFront requests a certificate from AWS Certificate Manager using HTTP validation.
  6. DNS records are set up to point the tenant's custom domain to CloudFront.

Automation and Advanced Use Cases

  • Netlifi has automated the entire tenant onboarding process, enabling new tenants in seconds.
  • Leveraging CloudFront Functions, Netlifi can:
    • Implement tenant-specific authentication and authorization at the edge
    • Apply tenant-specific WAF rules to mitigate attacks and contain blast radius
  • These capabilities allow Netlifi to offer enterprise-grade security and isolation for their multi-tenant SaaS platform.
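As an added example (not code from the talk, from AWS, or from Netlifi), the following CloudFront Function, written in the standard viewer-request handler shape, applies the kind of tenant-scoped edge checks described above: it derives the tenant from the Host header, fails closed on unknown hosts, enforces a per-tenant authentication requirement, and namespaces the origin path so one tenant's objects are never addressable as another's. The hostnames, tenant table and header names are assumptions constructed for the example.

```javascript
// Tenant table constructed for this example; a real multi-tenant
// distribution would read it from CloudFront KeyValueStore instead.
var TENANTS = {
  'acme.example.com':   { id: 'acme',   prefix: '/t/acme',   requireAuth: true },
  'globex.example.com': { id: 'globex', prefix: '/t/globex', requireAuth: false }
};

function deny(status, description) {
  // Uncacheable error response so a rejection is never stored under a tenant key.
  return {
    statusCode: status,
    statusDescription: description,
    headers: { 'cache-control': { value: 'no-store' } }
  };
}

function handler(event) {
  var request = event.request;
  var host = request.headers.host ? request.headers.host.value.toLowerCase() : '';
  var tenant = TENANTS[host];
  if (!tenant) {
    // Unknown host: fail closed rather than fall through to a default origin path.
    return deny(404, 'Not Found');
  }
  // Reject dot-segments so a URI cannot climb out of the tenant prefix at the origin.
  if (request.uri.split('/').indexOf('..') !== -1) {
    return deny(400, 'Bad Request');
  }
  if (tenant.requireAuth) {
    var auth = request.headers.authorization;
    if (!auth || auth.value.indexOf('Bearer ') !== 0) {
      return deny(401, 'Unauthorized');
    }
  }
  // Overwrite, never trust, any client-supplied tenant header: the origin and
  // the cache key must only ever see the value derived from the Host header.
  request.headers['x-tenant-id'] = { value: tenant.id };
  // Namespace the object path so tenant A's content is never served for tenant B.
  request.uri = tenant.prefix + request.uri;
  return request;
}
```

Because the rewritten URI is part of the cache key, prefixing it per tenant also keeps cached objects from colliding across tenants without a custom cache policy.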

Key Takeaways

  • CloudFront SaaS Manager enables efficient, scalable, and secure multi-tenant SaaS delivery at the edge.
  • Tenant isolation strategies are a critical foundation, balancing cost, complexity, and customer requirements.
  • Automation is key to managing the operational overhead of thousands of tenants, from onboarding to security.
  • Leveraging edge compute like CloudFront Functions allows for tenant-specific customizations and advanced security controls.
