
Streamlined multi-tenant application development with tenant isolation mode in AWS Lambda



Multi-tenant applications often require strict isolation when processing tenant-specific code or data. Examples include software-as-a-service (SaaS) platforms for workflow automation or code execution, where customers need to ensure that execution environments used for individual tenants or end users remain completely separate from one another. Traditionally, developers have addressed these requirements by deploying separate Lambda functions for each tenant or implementing custom isolation logic within shared functions, which increased architectural and operational complexity.

Today, AWS Lambda introduces a new tenant isolation mode that extends the existing isolation capabilities in Lambda. Lambda already provides isolation at the function level, and this new mode extends isolation to the individual tenant or end-user level within a single function. This built-in capability processes function invocations in separate execution environments for each tenant, enabling you to meet strict isolation requirements without additional implementation effort to manage tenant-specific resources within function code.

Here’s how you can enable tenant isolation mode in the AWS Lambda console:

When using the new tenant isolation capability, Lambda associates function execution environments with customer-specified tenant identifiers. This means that execution environments for a particular tenant aren’t used to serve invocation requests from other tenants invoking the same Lambda function.

The feature addresses strict security requirements for SaaS providers processing sensitive data or running untrusted tenant code. You maintain the pay-per-use and performance characteristics of AWS Lambda while gaining execution environment isolation. Additionally, this approach delivers the security benefits of per-tenant infrastructure without the operational overhead of managing dedicated Lambda functions for individual tenants, which can quickly grow as customers adopt your application.

Getting started with AWS Lambda tenant isolation
Let me walk you through how to configure and use tenant isolation for a multi-tenant application.

First, on the Create function page in the AWS Lambda console, I choose the Author from scratch option.

Then, under Additional configurations, I select Enable under Tenant isolation mode. Note that tenant isolation mode can only be set during function creation and can’t be modified for existing Lambda functions.

Next, I write Python code to demonstrate this capability. I can access the tenant identifier in my function code through the context object. Here’s the full Python code:

import json
import os
from datetime import datetime

def lambda_handler(event, context):
    # Tenant identifier supplied with the invocation, exposed on the context object
    tenant_id = context.tenant_id
    file_path = "/tmp/tenant_data.json"

    # Read existing data or initialize
    if os.path.exists(file_path):
        with open(file_path, 'r') as f:
            data = json.load(f)
    else:
        data = {
            'tenant_id': tenant_id,
            'request_count': 0,
            'first_request': datetime.utcnow().isoformat(),
            'requests': []
        }

    # Increment counter and add request info
    data['request_count'] += 1
    data['requests'].append({
        'request_number': data['request_count'],
        'timestamp': datetime.utcnow().isoformat()
    })

    # Write updated data back to file
    with open(file_path, 'w') as f:
        json.dump(data, f, indent=2)

    # Return file contents to show isolation
    return {
        'statusCode': 200,
        'body': json.dumps({
            'message': f'File contents for {tenant_id} (isolated per tenant)',
            'file_data': data
        })
    }

When I’m finished, I choose Deploy. Now, I need to test this capability by choosing Test. I can see on the Create new test event panel that there’s a new setting called Tenant ID.

If I try to invoke this function without a tenant ID, I’ll get the following error: “Add a valid tenant ID in your request and try again.”

Let me try to test this function with a tenant ID called tenant-A.

I can see the function ran successfully and returned request_count: 1. I’ll invoke this function again to get request_count: 2.

Now, let me try to test this function with a tenant ID called tenant-B.

The last invocation returned request_count: 1 because I never invoked this function with tenant-B. Each tenant’s invocations will use separate execution environments, isolating the cached data, global variables, and any data stored in /tmp.
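A defensive variant of the handler logic above, added here as an example and not code from the original post or from AWS: it fails closed when no tenant ID is present or when the state file was written for a different tenant than `context.tenant_id`. The `state_dir` parameter, `TenantStateError`, and the simulated context objects are assumptions so the check runs locally, with temporary directories standing in for each tenant's execution environment.

```python
import json
import os
import tempfile
from types import SimpleNamespace


class TenantStateError(RuntimeError):
    """Hypothetical error type: cached state does not match the invoking tenant."""


def guarded_handler(event, context, state_dir="/tmp"):
    # state_dir is an assumption added for local testing; Lambda code would use /tmp.
    tenant_id = getattr(context, "tenant_id", None)
    if not tenant_id:
        raise TenantStateError("invocation carries no tenant ID")
    path = os.path.join(state_dir, "tenant_data.json")
    if os.path.exists(path):
        with open(path) as f:
            data = json.load(f)
        # Fail closed: never read or update state written for another tenant.
        if data.get("tenant_id") != tenant_id:
            raise TenantStateError("state file belongs to a different tenant")
    else:
        data = {"tenant_id": tenant_id, "request_count": 0}
    data["request_count"] += 1
    with open(path, "w") as f:
        json.dump(data, f)
    return data["request_count"]


def simulate():
    # Constructed scenario: one temp directory per tenant stands in for the
    # /tmp of that tenant's execution environment.
    ctx_a = SimpleNamespace(tenant_id="tenant-A")
    ctx_b = SimpleNamespace(tenant_id="tenant-B")
    results = []
    with tempfile.TemporaryDirectory() as env_a, tempfile.TemporaryDirectory() as env_b:
        results.append(guarded_handler({}, ctx_a, env_a))  # first tenant-A call
        results.append(guarded_handler({}, ctx_a, env_a))  # warm reuse, same tenant
        results.append(guarded_handler({}, ctx_b, env_b))  # separate environment
        try:
            # What the guard catches: tenant-B served from tenant-A's environment.
            guarded_handler({}, ctx_b, env_a)
            results.append("shared")
        except TenantStateError:
            results.append("blocked")
    return results


if __name__ == "__main__":
    print(simulate())
```

The first three results mirror the request_count values seen in the console test; the fourth shows the guard rejecting state that belongs to another tenant.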

This capability transforms how I approach multi-tenant serverless architecture. Instead of wrestling with complex isolation patterns or managing hundreds of tenant-specific Lambda functions, I let AWS Lambda automatically handle the isolation. This keeps tenant data isolated across tenants, giving me confidence in the security and separation of my multi-tenant application.

Additional things to know
Here’s a list of additional things you need to know:

  • Performance — Same-tenant invocations can still benefit from warm execution environment reuse for optimal performance.
  • Pricing — You’re charged when Lambda creates a new tenant-aware execution environment, with the price depending on the amount of memory you allocate to your function and the CPU architecture you use. For more details, view AWS Lambda pricing.
  • Availability — Available now in all commercial AWS Regions except Asia Pacific (New Zealand), AWS GovCloud (US), and China Regions.

This launch simplifies building multi-tenant applications on AWS Lambda, such as SaaS platforms for workflow automation or code execution. Learn more about how to configure tenant isolation for your next multi-tenant Lambda function in the AWS Lambda Developer Guide.

Happy building!
Donnie
