Tenant Isolation Models

Silo, pool, and the bridge between them

The whole book turns on two terms that describe how application-plane resources map to infrastructure:

• Silo — a resource dedicated to a tenant.
• Pool — a resource shared by tenants.

These deliberately avoid the baggage of “multi-tenant,” apply granularly (per resource or group), and don’t map to any single construct. The deployment models combine them:

graph TD
M["Deployment models"] --> FS["Full Stack Silo<br/>(every tenant fully dedicated)"]
M --> FP["Full Stack Pool<br/>(all resources shared)"]
M --> HY["Hybrid Full Stack<br/>(limited silos + pool)"]
M --> MM["Mixed Mode / Bridge<br/>(silo/pool per service)"]
M --> PD["Pod<br/>(group tenants per unit)"]

• Full Stack Silo — every tenant gets an identical, same-version environment (account-per-tenant or VPC-per-tenant). Drivers: compliance, migration, premium tiering. Reduced blast radius, simple cost attribution — but it doesn’t scale to hundreds/thousands of tenants. Mindset: “build as if it were a full-stack pool, then treat each silo as a single-tenant instance of the pool” — never allow per-tenant customization.
• Full Stack Pool — all resources shared, chasing economies of scale; tenant context becomes essential to every operation. Isolation is harder, noisy-neighbor risk is high, and an outage is an “all-in commitment” hitting all tenants (demanding bulkhead patterns and a higher availability bar).
• Mixed Mode (the bridge) — fine-grained silo/pool choices service-by-service (e.g., a siloed order service for compliance alongside a pooled ratings service) — maximum flexibility, a compelling middle path.
• Pod — groups a collection of tenants into a unit of deployment/operation, driven by scale limits, geography, or isolation.

Deployment is not isolation

Two more distinctions matter: RBAC ≠ isolation (RBAC scopes by a user’s role; isolation scopes exclusively by tenant context and is identical for all users in a tenant), and filtering by TenantId is not enough — true isolation must make it impossible for a query to reach another tenant’s data.

The three isolation categories

From coarse to fine:

1. Full-stack isolation — a dedicated stack per tenant (straightforward).
2. Resource-level isolation — shared compute, but an entire resource (database, bucket, queue) is dedicated per tenant.
3. Item-level isolation — inside a shared resource where tenants’ items are commingled — the hardest, because available constructs shrink (e.g., a DynamoDB shared table with an IAM Condition on dynamodb:LeadingKeys).

Deployment-time vs. runtime enforcement

• Deployment-time isolation (siloed compute) — inject tenant context into a templatized policy at deployment, with no dependency on application code; compliance shifts to provisioning.
• Runtime isolation (pooled compute) — code dynamically acquires tenant-scoped credentials per request via an isolation manager — e.g., STS assume_role() with a scoped policy. Optionally inject scoped credentials from outside the service (an API Gateway / Lambda authorizer).

sequenceDiagram
participant R as Request with tenant context
participant S as Service code
participant IM as Isolation manager
participant STS as STS assume_role
participant D as Shared resource
R->>S: invoke
S->>IM: acquire scoped credentials
IM->>STS: assume role with scoped policy
STS-->>IM: tenant-scoped credentials
IM-->>S: credentials
S->>D: access only this tenant data

See also

• Control plane vs. application plane — where isolation constructs live.
• Tiering, metering, and noisy neighbors — deployment-focused tiering uses these models.
• Tenant onboarding and identity — tenant context that isolation scopes by.

When to use it — and when not

Related topics