Back to Solutions

Cellular Architecture for Multi-Tenant SaaS

AWS account-per-cell isolation for enterprise customers, compliance requirements, and blast radius containment

The Problem with Shared Infrastructure

Most multi-tenant SaaS applications start with shared infrastructure—one database, one set of Lambda functions, one everything. It's simpler to build and cheaper to run. Until it isn't.

The cracks appear when enterprise customers show up with compliance requirements, when one tenant's traffic spike affects everyone else, or when a deployment bug takes down the entire platform. Shared infrastructure means shared risk.

Common Breaking Points

  • • Enterprise customer requires dedicated infrastructure for compliance
  • • Noisy neighbor problem—one tenant's load affects others
  • • Blast radius of failures or bad deployments is the entire platform
  • • Service limits hit across all tenants simultaneously
  • • Audit requirements demand provable data isolation

The Cellular Pattern

Cellular architecture isolates tenants (or groups of tenants) into independent "cells"—each with its own infrastructure. A cell failure affects only the tenants in that cell, not the entire platform.

Cell Isolation Model

🏢

Enterprise Cell

Single tenant, dedicated AWS account, isolated VPC

🏬

Shared Cell

Multiple tenants, shared account, logical isolation

🎛️

Control Plane

Shared services: routing, auth, billing, admin

The key insight: not every tenant needs the same level of isolation. Enterprise customers paying premium prices get dedicated cells. Smaller tenants share cells with logical separation. The architecture supports both without requiring different codebases.

AWS Account-Per-Cell

For true isolation, each cell runs in its own AWS account within an AWS Organization. This provides the strongest possible boundary—separate IAM, separate service limits, separate billing, separate blast radius.

Benefits

  • • Hard security boundary between tenants
  • • Independent service limits per cell
  • • Per-tenant cost visibility
  • • Isolated blast radius for failures
  • • Simplified compliance audits

Trade-offs

  • • More accounts to manage
  • • VPC endpoints multiply costs
  • • Cross-account complexity
  • • Deployment automation required
  • • Centralized observability needed

The VPC endpoint cost is real—each cell with a private VPC needs its own set of endpoints (S3, DynamoDB, Secrets Manager, etc.). For enterprise cells where the customer is paying premium pricing, this is acceptable. For shared cells, the cost is amortized across tenants.

Architecture Components

Control Plane (Shared)

Services that span all cells and don't contain tenant data:

  • • Tenant routing and cell placement
  • • Authentication and identity
  • • Billing and subscription management
  • • Admin dashboards and support tools
  • • Cell provisioning automation

Data Plane (Per Cell)

Everything that touches tenant data lives in the cell:

  • • Application services (Lambda, ECS)
  • • Databases (DynamoDB, RDS)
  • • Storage (S3 buckets)
  • • Queues and event buses
  • • Cell-specific secrets

Cell Provisioning

Automated infrastructure deployment for new cells:

  • • AWS Account creation via Organizations
  • • Infrastructure as Code (CDK/CloudFormation)
  • • VPC and networking setup
  • • Cross-account role configuration
  • • DNS and routing registration

When Cellular Makes Sense

Cellular architecture adds complexity. It's not the right choice for every SaaS application. Consider it when:

Good Fit

  • • Enterprise customers require isolation
  • • Regulated industries (healthcare, finance)
  • • Tenants with vastly different scale
  • • Need to limit deployment blast radius
  • • Per-tenant cost tracking required

Probably Overkill

  • • All tenants are similar size
  • • No compliance requirements
  • • Early stage, still finding product-market fit
  • • Cost is the primary constraint
  • • Small number of tenants

Technology Stack

AWS Organizations Control Tower VPC PrivateLink Transit Gateway Route 53 DynamoDB Lambda CDK Step Functions

Outcomes

Enterprise Ready

Dedicated cells satisfy enterprise isolation requirements without custom engineering

Contained Failures

Bad deployment or infrastructure issue affects one cell, not the platform

Flexible Scaling

Scale from shared cells for small tenants to dedicated cells for enterprise

Clear Cost Attribution

Per-account billing makes tenant cost tracking straightforward

📖 Complete Multi-Tenant Architecture Guide

A comprehensive guide covering tenant isolation models, data partitioning, authentication patterns, noisy neighbor prevention, and more.

Read the Full Guide →

Related

Unified API Router Security Cost Optimization

Considering Cellular Architecture?

Let's discuss whether it's the right fit for your SaaS platform.

Get in Touch