For the longest time I would have said that the right way to design a cloud application or service is as multi-tenant. But yesterday I was having a conversation with Peter Soderling from NY-based Stratus Security, which provides a secure managed API proxy (in closed beta). Peter said they had chosen to architect their service from day one as a multi-instance solution for added security and performance.
If you are unfamiliar with the terms, a multi-tenant architecture commingles the data and processing for multiple clients in a single application instance. A multi-instance architecture by contrast uses one application instance per client. With multi-tenant investment needs to be made into application code preventing exposure of data from one client to another. With multi-instance investment needs to be made into the efficient creation and management of multiple application instances.
The reason I am beginning to change my view here is that with horizontal scaling there is significant investment required in any case in the creation and management of (virtual) machines. Layering management of multiple application instances on top of that — if done right — can turn out to be less effort than maintaining proper separation between clients at the application level. It is certainly a lot easier to secure a multi-instance solution as separation occurs at the perimeter only and can be entirely application agnostic. In addition to security, there are also performance considerations. Here too a multi-instance architecture has clearer separation between client loads. Most modern applications have queues inside of them. If the queues are commingled then one client’s onslaught may in fact cause much higher latency for other clients.
One area where this is likely to matter a lot is in cloud databases. For instance, as 10gen is working on a cloud version of mongodb, I am now thinking that a multi-instance solution is preferable over a multi-tenant solution. I believe multi-instance will allow for tighter performance SLAs and stronger security assertions than multi-tenant.