Multi-tenant SaaS control planes stop being simple admin dashboards once provisioning, quotas, upgrades, and compliance all need to work across thousands of tenants without operator heroics. A B2B SaaS company needs a control plane to provision tenants, manage plans and quotas, rotate secrets, orchestrate upgrades, and expose admin APIs across thousands of customer accounts and environments.
TL;DR: A dedicated control plane built on API Gateway, ECS, DynamoDB, Step Functions, EventBridge, and SQS gives you tenant lifecycle automation without coupling privileged workflows to the application data plane.
Why Naive Solutions Break
Teams often bolt tenant management onto the product application database and app code. That quickly creates tangled coupling, weak isolation, difficult billing logic, and brittle provisioning flows that operators must repair manually.
Architecture Overview
Build a dedicated control plane using API Gateway for admin APIs, ECS services for orchestration and policy engines, DynamoDB for tenant metadata and quotas, Step Functions for lifecycle workflows, EventBridge for tenant-domain events, and SQS for background provisioning and reconciliations.
Architecture Diagram
Service-by-Service Breakdown
API Gateway: External and internal control-plane APIs for tenant ops.ECS on Fargate: Runs provisioning coordinators, policy engines, and admin backends.DynamoDB: Stores tenant records, entitlements, feature flags, quotas, and provisioning state machines.Step Functions: Orchestrates tenant creation, environment bootstrap, plan upgrade, and teardown workflows.EventBridge: Emits tenant lifecycle events for billing, analytics, and product services.SQS: Buffers long-running setup and reconciliation jobs.Lambda: Small glue tasks for validation, notification, and event transformation.S3: Stores configuration bundles, audit exports, and large tenant manifests.CloudWatch and X-Ray: End-to-end tracing for operator actions and lifecycle failures.
Request Lifecycle and Data Flow
- An operator or self-service API requests tenant provisioning.
- The control-plane API validates entitlements and writes a tenant record in DynamoDB.
- Step Functions starts the provisioning workflow.
- Individual steps allocate namespaces, secrets, quotas, and integration resources.
- Long-running or retry-heavy work is sent to SQS-backed workers.
- Once complete, the system emits
TenantProvisionedon EventBridge. - Product services subscribe and create their own tenant-scoped resources.
Production Code Patterns
Tenant metadata model in DynamoDB
{
"pk": "TENANT#t_42",
"sk": "METADATA",
"plan": "enterprise",
"region": "us-east-1",
"status": "provisioning",
"featureFlags": ["audit_export", "sso"],
"quotas": { "projects": 500, "users": 10000 }
}
Provisioning workflow task handoff
resource "aws_sfn_state_machine" "tenant_provisioning" {
name = "tenant-provisioning"
role_arn = aws_iam_role.sfn.arn
definition = jsonencode({
StartAt = "AllocateTenantRecord"
States = {
AllocateTenantRecord = { Type = "Task", Resource = aws_lambda_function.allocate.arn, Next = "QueueBootstrap" }
QueueBootstrap = { Type = "Task", Resource = "arn:aws:states:::sqs:sendMessage", End = true }
}
})
}
Scaling Strategy
- Separate read-heavy admin listing APIs from write-heavy provisioning workflows.
- Store tenant metadata by tenant ID with GSIs for plan, state, or region lookup.
- Use asynchronous reconciliation loops for drift correction instead of blocking user requests.
- Scale ECS workers on queue depth and workflow backlog.
Cost Optimization Techniques
- Keep the control plane mostly event-driven so it scales to zero-ish outside peak ops windows.
- Archive audit history to S3 and query with Athena.
- Use Lambda for narrow tasks and ECS only where longer-lived processes or richer runtimes are justified.
- Apply TTL to ephemeral workflow state or temporary activation tokens.
Security Best Practices
- Enforce strong separation between control plane and data plane roles.
- Use IAM conditions to restrict tenant-scoped operations.
- Keep all secrets in Secrets Manager and avoid duplicating them in DynamoDB.
- Log every privileged action as an immutable audit event.
- Place private services behind internal load balancing in private subnets where appropriate.
Failure Handling and Resilience
- Design tenant provisioning as resumable workflows, not all-or-nothing shell scripts.
- Add compensating steps for partial setup failures.
- Periodically reconcile desired versus actual tenant state.
- Use DLQs and operator dashboards for stuck provisioning jobs.
- Replicate core metadata if the SaaS requires cross-Region recovery objectives.
Trade-offs and Alternatives
A dedicated control plane increases architecture complexity but dramatically improves tenant isolation and operational consistency. Smaller SaaS products may begin with a simpler monolith, but they usually pay back the migration cost later once enterprise requirements appear.
Real-World Use Case
A Datadog-style or Atlassian-style SaaS platform can use this model to manage tenant lifecycle, entitlements, and product-environment provisioning at scale.
Key Interview Insights
- Separate control plane from data plane early in the conversation.
- Emphasize idempotent provisioning and reconciliation loops.
- Show how tenant metadata modeling impacts quotas, billing, and isolation.
- Discuss blast radius and privileged access boundaries.
Recommended resources
Recommended Reading
→ Designing Data-Intensive Applications — The essential book for understanding distributed systems, databases, and the infrastructure behind architectures like these.
→ System Design Interview Vol. 2 — Covers many of the architectures in this post in interview format with trade-off analysis.
Affiliate links. We earn a small commission at no extra cost to you.
Discover more from CheatCoders
Subscribe to get the latest posts sent to your email.
