Networking in Multitenant Solutions on Azure

Introduction

In today’s cloud-driven world, multitenant solutions are becoming increasingly common, especially for businesses seeking scalability, efficiency, and cost optimization. When deploying solutions on Azure, networking plays a crucial role in ensuring isolation, performance, and security for each tenant. This blog post delves into the architectural approaches for networking in multitenant environments on Azure, covering key considerations, patterns, and practices, as well as some common antipatterns to avoid.

Key Considerations and Requirements

Networking in Azure is not a “one-size-fits-all” approach, especially in multitenant environments. Depending on the services and deployment architecture used, the networking requirements can vary. Here are a few key considerations when designing networking for multitenancy:

Infrastructure vs. Platform Services

• Infrastructure Services: When using infrastructure services like Azure Virtual Machines (VMs) or Azure Kubernetes Service (AKS), you need to design virtual networks (VNets) that underpin the services’ connectivity. Additional layers of security (like Network Security Groups) should be implemented beyond just network isolation.
• Platform Services: For Azure’s Platform-as-a-Service (PaaS) offerings (e.g., Azure App Service, Azure Cosmos DB, Azure SQL Database), VNets may or may not be required. For example, services accessed via public IPs may rely on firewalls, identity, and access control to maintain security, while VNets can be used for isolation and compliance-driven requirements.

Compliance and Tenant Requirements

Multitenant architectures often involve customers (tenants) who have specific network isolation requirements. For example:

• Compliance: Some tenants may require compliance with industry standards that necessitate private networking, specific routing policies, or secure access methods.
• Tenant-specific isolation: Some tenants might need dedicated virtual networks or private endpoints to ensure their data and network traffic is completely isolated from others.

Complexity and Security

While creating isolated networks improves security, it also increases complexity. Managing VNets, subnetting, private endpoints, and hybrid networking requires a deep understanding of Azure’s network infrastructure. Failing to plan properly can lead to insecure or misconfigured environments, so it’s critical to understand the implications of private networking and subnet segmentation.

Sizing Subnets

When deploying resources in VNets, you must carefully plan the sizing of your subnets. The number of resources like VMs or AKS nodes that you intend to deploy within a subnet must be considered upfront, particularly if your solution is tenant-specific. For example:

• Azure Kubernetes Service (AKS) with Azure Container Networking Interface (CNI) consumes IP addresses from the subnet based on node count and service deployment.
• Azure App Service and Azure Functions with VNet integration also consume IP addresses based on the number of plan instances.

Approaches and Patterns to Consider

1. Tenant-specific VNets with Service Provider-selected IP Addresses

One approach is to create dedicated VNets for each tenant using IP addresses managed by the service provider (you). This allows for centralized traffic control through hub-and-spoke topologies and ensures isolated environments for each tenant. However, this can become complex if the tenant requires VNet peering with their own resources due to potential IP address conflicts.

2. Tenant-specific VNets with Tenant-selected IP Addresses

This pattern allows the tenant to select their own IP address ranges for their VNet, which avoids conflicts during VNet peering. While it offers more flexibility for tenants, it can become difficult to create centralized hub-and-spoke topologies due to overlapping IP ranges.

3. Hub-and-Spoke Topology

The Hub-and-Spoke topology is a widely used pattern for multitenant architectures. In this pattern:

• A centralized hub VNet handles shared services (e.g., firewalls, VPN gateways).
• Multiple spoke VNets represent tenant-specific VNets that can communicate with the hub but remain isolated from each other.

This topology is useful when deploying VNets with provider-managed IP addresses, enabling shared services like Azure Firewall or VPN Gateway in the hub. However, care must be taken when scaling, as there are limits to the number of VNet peerings.

4. Static IP Addresses

Certain tenants may require static IP addresses for inbound or outbound traffic. Azure provides several mechanisms to assign static IPs, including:

• NAT Gateway: Control outbound IPs for resources in a VNet.
• Azure Load Balancer: Assign static IPs for inbound traffic.
• PaaS Solutions: For services like Azure App Service, static outbound IPs can be managed via APIs and services.

5. Agents for Tenant Connectivity

When accessing data or sending messages to tenants’ networks, consider using agents (also known as on-premises gateways). Agents can initiate outbound connections from a tenant’s network to your service, reducing the need for tenants to expose inbound ports.

Public or Private Access

When deciding how tenants will access your solution, you have two main options:

Public Access

For services accessible over the public internet, consider using:

• Firewall rules
• IP allowlists/denylists
• Shared secrets and identity-based controls for security.

Private Access

For private connectivity between your service and tenants’ networks:

• Azure Private Link: Secure private communication over private IP addresses.
• Virtual Network Peering: Connect VNets across different tenants.
• Azure ExpressRoute or VPN Gateway: Useful for smaller numbers of tenants with strict compliance requirements for private networking.

Antipatterns to Avoid

Designing networking for multitenant solutions can be fraught with pitfalls. Here are a few common antipatterns to avoid:

1. Failing to Plan for VNet Connectivity

It’s crucial to test and plan how resources connect in VNets. Misconfigurations can lead to traffic bottlenecks, security vulnerabilities, and outages. Plan your network strategy and test before deploying in production.

2. Not Planning for Limits

Azure imposes various networking limits, such as maximum VNet peerings, TCP connections, and SNAT port limits. High-scale multitenant solutions may run into these limits if not planned carefully, leading to bottlenecks.

3. Small Subnets

Improperly sized subnets can limit scalability. Plan for the maximum expected number of resources (e.g., VMs, containers, etc.) during both initial deployment and future scaling.

4. Improper Network Segmentation

When building multitenant solutions, it’s essential to decide early how to segment your VNets (tenant-specific vs. shared VNets). Reconfiguring network segmentation after deployment can be challenging and costly.

5. Relying Solely on Network-layer Security Controls

Relying only on firewalls or network segmentation is not sufficient. Employ zero-trust principles by combining network-layer security with identity-based controls, encryption, and role-based access controls (RBAC).

Conclusion

Building multitenant solutions in Azure requires a thorough understanding of networking components, including VNets, private endpoints, and hybrid networking. Choosing the right architectural pattern, planning subnet sizing, and understanding compliance requirements are key to building secure and scalable multitenant solutions. Moreover, avoiding common antipatterns like poor network segmentation and not accounting for Azure limits can save time and prevent costly mistakes.

References

-> https://learn.microsoft.com/en-us/azure/architecture/guide/multitenant/approaches/networking