🚀 Fauna Architectural Overview White Paper: Learn how Fauna's database engine scales with zero ops required
Download free
Fauna logo
Product
Solutions
Pricing
Resources
Company
Log InContact usStart for free
Fauna logo
Pricing
Customers
Log InContact usStart for free
© 0 Fauna, Inc. All Rights Reserved.

Related posts

How to maintain high availability in a multi-tenant SaaS appAnnouncing General Availability of Fauna SchemaFauna adds support for Change Data Capture

Start for free

Sign up and claim your forever-free Fauna account
Sign up and get started

Table of Contents

multi-tenancy blog header

Exploring Multi-Tenancy Options in Fauna

Kirk Kirkconnell |Jul 15th, 2024|

Categories:

SecurityFeaturesMulti-tenancy
Building multi-tenant applications has historically posed significant challenges for developers. Traditional databases often require complex configurations and extensive manual intervention to ensure data isolation, security, and compliance across multiple tenants. Managing separate databases, configurations, and security protocols for each tenant can lead to increased operational overhead, higher costs, and slower development cycles. These issues are exacerbated when trying to balance performance and maintainability.
Fauna addresses these challenges with its innovative approach to multi-tenancy. Fauna’s architecture offers native support for hierarchical parent-child database structures, enabling streamlined management of tenant databases with individual access controls and logical isolation. This reduces the complexity of multi-tenant deployments, allowing developers to focus on building features and improving user experience rather than managing infrastructure. With Fauna, you can achieve optimal performance, robust security, and compliance with minimal manual configuration. These benefits significantly reduce cognitive overhead, minimize errors in your code, and accelerate feature development.

Fauna Multi-tenant Architecture Approaches

When designing a multi-tenant architecture in Fauna, your choices impact your system’s maintainability, ease of use, and performance. In this post, we’ll dive into the nuances of two popular strategies used by Fauna customers: 1) creating child databases per tenant or 2) using collections per tenant. We’ll discuss the pros and cons of each and how you might decide between them, especially when your application involves shared and tenant-specific resources. Your use case and capabilities should dictate how to structure databases and manage data access efficiently while maintaining security and performance.

Using Child Databases for Each Tenant

Imagine you decide to assign each tenant their own database. This approach is like giving each tenant a secure apartment in a vast complex. They can furnish and manage their space independently without the risk of interfering with their neighbors. This separation simplifies roles and security settings since each tenant's environment is clearly delineated. This also enables you to write your application as a single tenant but deploy it as a multi-tenant. Another benefit of this strategy is how it fits with regulatory needs. If you deal with clients across borders, you can place their databases in appropriate regions, ensuring compliance with local data protection laws. Moreover, if a tenant decides to leave your platform, managing their data removal is as straightforward as vacating an apartment—just delete their database, and you’re set.
While this method has its intricacies, it can be streamlined with automation. Setting up a new environment for each tenant might add to your operational overhead, but automation can simplify this process. Additionally, maintenance—such as applying updates or changes—might require individual attention to each database, but with effective tools and strategies, this effort can be managed efficiently, even with many tenants.
To implement, you’d create a database and then create a child database under that parent database. Each database has separate collections, functions, and roles. The parent database has the top-level collections, functions, and roles needed for the entire database and application. For example, consider a SaaS application. The app’s data for managing the service is in the parent database, but each child database is a separate tenant.
tenant image

Opting for Shared Collections

Now, let’s consider the alternative—using a single database where all tenants' data coexists, differentiated by custom access controls. This setup is akin to having a large open-plan office where everyone works together, but personal files are kept in secure, individual lockers.
This model simplifies many aspects of database management. For one, you only need to maintain one database. Any schema updates or migrations are done once, universally applying to all tenants. It also streamlines the querying process; tenants can access shared and their specific data seamlessly.
Yet, this approach requires careful planning when it comes to security. Defining roles and access permissions becomes more complex as you must ensure that each tenant can only interact with their data and common resources without any leaks. Additionally, if your application’s performance relies on geographic data distribution, you might still find yourself managing multiple databases to ensure compliance, albeit fewer than one per tenant.

Combining the best of both worlds

Given the shared and specific resources your tenants need, why not combine these strategies? You can set up a parent database that houses collections of resources shared across all tenants. Then, each tenant has their own child database for their private data.
This hybrid setup offers the best of both worlds. It maintains isolation and security for tenant-specific data while enabling efficient access to shared resources. It’s flexible enough to adapt to various regulatory requirements and simplifies the process of onboarding and off-boarding tenants.
Feature/ComponentChild DB per TenantCollection per Tenant.
SecurityHigh security due to complete data isolation, reducing blast radius in the event of a breach.Less isolated; requires more sophisticated ABAC rules
Role ManagementSimpler, as roles are defined at the database level and unique to each tenant.More involved, especially with ABAC predicates.
Operational SimplicityEach tenant’s database operates independently, reducing cognitive overhead.Single database simplifies operations and migrations, but issues affect all tenants.
ScalabilityHigh; you can easily add more databases as your business scales.Limited by the maximum number of collections and their manageability.
Database ProvisioningIt requires setting up a new database for each tenant, but can be automated on user signup.A one-time database setup is required, but scalability could be an issue.
Migration ManagementMigrations need to be applied to each database individually.Single migration applies to all data.
Cleanup EfficiencyEasy to remove a tenant’s data by deleting their database.Requires careful data purging within a shared environment.
Key/Token ManagementMore complex; different keys are needed for each database.More simplified, one key grants access as per ABAC rules.

Conclusion

The choice between child databases and collections per tenant largely depends on the specific needs of your application, such as security requirements, ease of management, and performance considerations. In scenarios where both shared resources and tenant-specific data exist, leveraging a combination of a parent database for shared resources and child databases for tenant-specific data often provides a balanced solution. This architecture optimizes for both security and operational efficiency, making it a robust choice for scalable, multi-tenant applications. Get started building with Fauna today for free, and contact us to schedule a demo.

If you enjoyed our blog, and want to work on systems and challenges related to globally distributed systems, and serverless databases, Fauna is hiring

Share this post

‹︁ PreviousNext ›︁

Subscribe to Fauna's newsletter

Get latest blog posts, development tips & tricks, and latest learning material delivered right to your inbox.