Tuesday, July 23, 2024

The way to construct a scalable, multi-tenant IoT SaaS platform on AWS utilizing a multi-account technique

The way to construct a scalable, multi-tenant IoT SaaS platform on AWS utilizing a multi-account technique

If you got down to construct an IoT SaaS platform the place your buyer, not you, determines how their IoT gadgets work together with the companies, you’ll shortly perceive that no single cloud structure will be optimized for all situations. This weblog submit introduces an implementation technique for constructing multi-tenant IoT SaaS platforms primarily based on actual buyer experiences and the struggles that come up from mixing system fleets with differing operational profiles with a single AWS account. It outlines a way to supply a typical expertise for all clients of the IoT SaaS platform but permits the segmentation of consumers and their system fleets utilizing the AWS infrastructure boundaries and automation capabilities.


Because the Web of Issues (IoT) turns into extra pervasive, many resolution suppliers need to construct and handle IoT functions that combine with current Software program-as-a-Service (SaaS) choices. When contemplating a SaaS providing that features IoT system fleets, the structure should accommodate not solely tenant administration, but additionally fleet affiliation and isolation. This weblog explores a reference structure that makes use of AWS Management Tower with a multi-account technique to implement a multi-tenant IoT SaaS platform.

There are a number of methods to design the structure with totally different deployment fashions. Chances are you’ll select to deploy it right into a single Amazon Internet Providers (AWS) account. Alternately, you would possibly deploy it throughout a number of AWS accounts due to AWS account limits, tenant isolation, area particular deployment limitations, or different structure issues.

Establishing a multi-account technique on AWS helps to shortly take a look at and deploy new utility variations, and securely handle the surroundings. The multi-account deployment mannequin resolves technical challenges in IoT workloads particularly the place the cloud workload must match the system fleet habits, which we are going to focus on additional within the subsequent part.

Addressing the challenges of a multi-tenant IoT SaaS platform

Constructing a multi-tenant IoT SaaS platform service the place clients create and deploy the gadgets presents challenges that should be resolved to have a profitable implementation, similar to the next:

  • Knowledge Isolation – With a multi-tenant construction, the SaaS supplier wants to think about find out how to set the information isolation boundary primarily based on rules or buyer necessities. With an IoT workload, many gadgets and gateways join and ship totally different knowledge varieties and with totally different schemas. Having a boundary outlined by AWS account makes it simpler to handle quotas and particular person buyer fleet wants as a result of you’ll be able to set up totally different account-level insurance policies.
  • Knowledge Privateness – IoT is used globally and throughout many industries. As well as, knowledge privateness rules differ by trade and area. Having separate IoT endpoints for every tenant which can be primarily based on their necessities supplies flexibility to function as a worldwide SaaS platform.
  • System Provisioning and Onboarding – You should have a method to onboard gadgets to a number of tenant endpoints with out altering the foundation system id within the area. IoT safety finest practices recommends the provisioning of gadgets with distinctive, cryptographic id that’s authenticated at every IoT endpoint.
    Programming and establishing the foundation id within the system usually happens in a managed buyer surroundings, similar to throughout manufacturing. It may well take months or years for a tool to maneuver via the worldwide provide chain earlier than it’s put in within the area. Tightly coupling the system’s id to a tenant account’s IoT endpoint throughout manufacturing creates an rigid provide chain. It additionally causes SKU fragmentation for the producers. You should contemplate that onboarding the system id to an IoT endpoint can happen later within the system’s lifecycle.

The reference structure on this weblog addresses the above challenges, simplifies the deployment and operation, and enhances knowledge governance.

The next discusses the important thing factors within the structure (Determine 1):

  • Platform creation automation – If you onboard a brand new tenant, the structure creates a brand new AWS account which establishes tenant-dedicated and region-specific AWS IoT Core endpoints. Afterward, it deploys different associated AWS companies and functions in every new account. This automated course of helps to resolve a number of the knowledge isolation, privateness and quota administration challenges.
  • System provisioning and onboarding – Use a centralized onboarding service to say and route IoT gadgets to designated tenant IoT endpoints. This helps resolve the tenant-specific system provisioning problem throughout manufacturing and late tenant binding.
Figure 1 - Overview of the IoT multi-account architecture at AWS account level by implementing administrative tasks as shared functions in one account and tenant IoT workloads in separate accounts.

Determine 1 – Overview of the IoT multi-account structure by AWS account stage

Automating the tenant surroundings creation utilizing AWS Management Tower and AWS Service Catalog

Automation and pace are key to a greater buyer expertise. Particularly when onboarding a tenant. Use AWS Management Tower and AWS Service Catalog to automate the tenant onboarding course of together with AWS account creation. These companies enhance the client’s course of and reduces your product’s time to market.

By enabling AWS Management Tower, you see a touchdown zone, named Management Tower – Grasp, deployed into the Area. AWS Management Tower additionally creates an audit account and a log archive account (Determine 2). AWS Management Tower supplies configuration, or system controls, to scan your environments for safety and compliance dangers. You’ll be able to handle these controls as policy-as-a-code and apply them to the newly created AWS accounts.

Figure 2 – An organization view of AWS Control Tower service console

Determine 2 – A corporation view of AWS Management Tower service console

As soon as AWS Management Tower is enabled, you’ll be able to create a brand new AWS account and deploy an IoT utility (endpoint) utilizing AWS Management Tower Account Manufacturing unit. Account Manufacturing unit automates the brand new AWS account creation course of, and applies safety and compliance finest practices controls. It additionally deploys tenant utility infrastructure that makes use of AWS IoT Core throughout the account creation course of.

Let’s stroll via AWS Management Tower console to get a greater understanding of the important thing configuration factors.

  1. Within the AWS Management Tower console, select Account manufacturing unit within the navigation pane.
  2. Select the Create Account button and the Create account web page seems.
  3. On this web page, specify account particulars similar to, an account grasp e-mail tackle, AWS IAM Identification Middle identification, and your group info (Determine 3).
Figure 3 – Account creation in AWS Control Tower Account Factor. By adding the above info, an AWS account is created as a part of the platform deployment process

Determine 3 – Account creation in AWS Management Tower Account Manufacturing unit

  1. Scroll down the web page to search out the Account manufacturing unit customization (AFC) part. (Determine 4) On this part, specify a product or utility you need to deploy after creating an AWS account.
    Word: All merchandise must be registered as Service Catalog merchandise to look within the dropdown checklist. You’ll be able to create a Service Catalog product by growing a template your self or utilizing the preconfigured libraries. For extra info, see Getting Began Library.
    Within the illustrated situation, the product is called “iot utility for tenant” and is pre-registered as a product, in order that AFC can set off its deployment throughout the account creation course of. For extra info, see Customise accounts with Account Manufacturing unit Customization (AFC).
  2. Lastly, select the place to deploy the product.
    Account Manufacturing unit deploys into your house area (that is the place you enabled AWS Management Tower), or within the “All Ruled Areas”. This situation deploys into the house area, which is N. Virginia.
Figure 4 – Configuration in Account Factory Customization in AWS Control Tower, where you can customize your deployment based on customers’ needs such as product types and regions

Determine 4 – Configuration in Account Manufacturing unit Customization in AWS Management Tower

  1. After account creation, you see accounts registered and managed below AWS Management Tower.
Figure 5 – List of AWS accounts deployed and managed by AWS Control Tower, with organization structure, and blueprints (templates) used for the account creation

Determine 5 – Record of AWS accounts deployed and managed by AWS Management Tower, with group construction, and blueprints (templates) used for the account creation

Provisioning and onboarding IoT gadgets to tenant accounts

Now that you’ve AWS accounts with the IoT utility deployed. Let’s transfer on to system provisioning and onboarding. To decouple system provisioning throughout manufacturing from particular person tenant accounts, use AWS Management Tower to create a centralized system onboarding service in a devoted AWS account. This situation makes use of the System Foyer reference structure, which supplies a way to onboard IoT gadgets to AWS IoT Core utilizing QR codes.

Figure 6 – AWS Device Lobby architecture, which describes communications in between devices and the Lobby service to onboard device fleets to individual tenant accounts.

Determine 6 – AWS System Foyer structure

Just like how a constructing or campus’ bodily foyer supplies a public entry level for guests, the IoT System Foyer establishes an entry level into AWS for unbound IoT gadgets. This method permits versatile onboarding for tenant gadgets although a claiming course of that associates a novel system id with a tenant IoT Core endpoint. As soon as the service claims the gadgets, the System Foyer service account acts as a routing layer to ship the gadgets to the tenant AWS IoT Core endpoint over an outlined MQTT matter (Determine 7).

This structure helps tenants to fabricate gadgets which can be routed to their endpoints anytime throughout the gadgets’ lifecycle. The IoT System Foyer structure additionally helps migrating gadgets from one area, or account, to a different with out re-provisioning them. On this scenario, the service provisions the gadgets with the central endpoint that hosts the System Foyer service and the distinctive credentials primarily based on both the platform’s or the tenant’s Public Key Infrastructure (PKI) when it was manufactured.

For extra info, see IoT System Foyer Structure.

Figure 7 – Routing IoT devices with the Device Lobby architecture, which shows how the lobby service accesses tenant AWS accounts by assuming IAM roles for device registration.

Determine 7 – Routing IoT gadgets and registering in tenant accounts with the System Foyer structure

To deploy the System Foyer structure, create a devoted AWS account to host the service. Since solely a single occasion of the System Foyer service is required, it may be deployed within the devoted account instantly following the deployment information. Optionally, you’ll be able to create a product within the AWS Service Catalog so as to run it with the identical configuration throughout growth, take a look at, and staging accounts. For extra info, see System Foyer Configuration.

Figure 8 – Device Lobby Service product in Service Catalog. In the product section, you find all the products available for you to deploy.

Determine 8 – System Foyer Service product added within the Service Catalog

As soon as you identify the System Foyer service account for the IoT SaaS platform, account blueprints for the tenant IoT functions should embody cross-account belief coverage. This coverage permits the System Foyer service to register and allow gadgets to hook up with the tenant account IoT endpoint.

Utilizing the System Foyer structure permits the IoT SaaS platform to have an excessive amount of flexibility to onboard gadgets to any tenant account or area with out requiring the gadgets to be provisioned particularly for a single tenant account. Due to the time required to construct and deploy gadgets to the sphere, this method can tremendously speed up your clients’ the IoT journey as a result of it re-uses current system SKUs. This resolution may also result in higher economies of scale within the system provide chain.


On this submit, we mentioned how IoT SaaS platforms can tackle the information isolation, privateness, and repair quota administration challenges when internet hosting a number of buyer IoT system fleets. AWS Management Tower helps to take away the handbook and doubtlessly error inclined technique of managing a number of accounts that will comprise a SaaS platform. You’ll be able to handle system onboarding to a number of AWS accounts internet hosting the tenant IoT workloads with a centralized service similar to, the System Foyer structure. Moreover, a multi-account technique permits the internet hosting of separate and ranging buyer system fleets at every tenant AWS account that comprise the IoT SaaS service. This yields higher isolation between the tenant fleets and simpler administration of differing service quotas and insurance policies per tenant which ends up in a extra sturdy and scalable IoT SaaS platform on AWS.

To be taught extra about AWS Management Tower, go to the AWS Management Tower Workshop. To get began with AWS IoT companies, try the AWS IoT Immersion Day Workshop.

Concerning the Authors

Tomo Sakatoku image

Tomo Sakatoku

Tomo is a Principal Enterprise Architect at Amazon Internet Providers in Seattle. Tomo is enthusiastic about working with AWS clients to resolve difficult issues. He additionally likes to unplug and enjoys taking part in tennis, touring together with his household.

Ben Cooke image

Ben Cooke

Ben is a Senior IoT Options Architect at Amazon Internet Providers in Austin, TX the place he focuses on IoT system structure. When not working with AWS companions and clients, you’ll find Ben on adventures together with his household or tinkering in his storage.

Related Articles


Please enter your comment!
Please enter your name here

Latest Articles