nGAGE: Powering the Platform with Container Orchestration and Smart Scalability

Air-Gapped Infrastructure Case Study

Industry: HR Technology, Employee Engagement, SaaS
Solution: Multi-Tenant SaaS Architecture, Serverless Microservices, Tenant Isolation, API Security
Partner: Amazon Web Services (AWS)

The Client

nGAGE at Work is a cloud-based employee engagement platform that helps organizations boost productivity, retention, and workplace culture. The platform replaces traditional annual appraisals with continuous engagement through real-time feedback, performance management, recognition and rewards, people analytics, and development planning.

As a multi-tenant SaaS platform serving enterprises across various industries, nGAGE relies on a scalable, secure architecture that can support rapid customer onboarding while maintaining strict data isolation between tenants. To achieve this, the client needs serverless capabilities that optimize costs and enable elastic scaling based on tenant activity.

Business Requirements & Challenges

As nGAGE expanded its customer base and platform capabilities, the company partnered with DPL to architect a modern multi-tenant SaaS solution. Key business challenges included:

1. Multi-Tenant Architecture with Tenant Isolation
The platform needed flexible tenant models supporting both pooled (shared infrastructure) and siloed (isolated) deployments based on customer requirements. A critical requirement was implementing row-level security to ensure complete data isolation between tenants while maintaining operational efficiency and cost optimization through resource sharing.

2. Serverless Architecture for Cost Optimization
With variable tenant usage patterns and unpredictable growth, the platform required a pay-as-you-use model that aligned infrastructure costs directly with tenant consumption. The architecture needed to eliminate idle capacity costs while maintaining performance during traffic spikes. This meant switching to serverless compute and database solutions that could scale to zero when not in use.

3. Frictionless Tenant Onboarding and Provisioning
SaaS growth required automated, repeatable tenant onboarding processes that could provision new customers in minutes rather than days. The system needed infrastructure-as-code capabilities to create tenant-specific resources, configure access controls, and initialize data partitions through a single, self-service workflow without manual intervention.

4. API Security with Custom Authorization
The multi-tenant API layer required sophisticated authentication and authorization mechanisms that could validate tenant identity, enforce tenant-scoped access controls, and prevent cross-tenant data leakage. The security model needed custom authorization logic that went beyond simple authentication to include tenant context validation and row-level security enforcement.

5. Operational Visibility and Tenant Metrics
Managing a multi-tenant platform required granular observability into per-tenant consumption, performance, and costs. Therefore, the existing platform needed tenant-aware monitoring that could track individual tenant activity, identify noisy neighbor issues, support tiered pricing models, and provide insights for capacity planning and cost allocation across hundreds of tenants.

Solution Overview

Business Impact and Considerations

Addressing these multi-tenant SaaS challenges was critical for nGAGE’s business model and competitive positioning, especially as:

  • Inability to support flexible tenant models could limit the addressable market to only pooled or siloed customers
  • Manual tenant onboarding may create sales friction and limit growth velocity
  • Fixed infrastructure costs could reduce margins as tenant count scaled
  • Insufficient tenant isolation may create security risks and compliance concerns
  • Lack of per-tenant metrics prevented data-driven pricing and optimization decisions

 

AWS Serverless Multi-Tenant Architecture

DPL designed a comprehensive serverless multi-tenant SaaS architecture that leverages AWS managed services to achieve tenant isolation, cost optimization, and operational efficiency. The solution implements industry best practices for SaaS architecture, including tenant partitioning, identity management, and consumption-based billing.

 

1. Serverless API Layer: API Gateway & Custom Authorizers

  • Amazon API Gateway to provide fully managed REST APIs with automatic scaling and throttling
  • Lambda custom authorizers for implementing tenant-aware authorization logic and access control
  • Request validation and transformation at API Gateway layer to prevent invalid tenant requests
  • Usage plans and API keys for tenant-specific rate limiting and throttling policies
  • CloudWatch API metrics to provide tenant-level request tracking and performance monitoring

 

2. Tenant Identity and Authentication: Amazon Cognito

  • Amazon Cognito User Pools for managing user authentication with JWT token generation
  • Custom user attributes for storing tenant context (tenantId) in authentication tokens
  • Pre-authentication Lambda triggers to validate tenant status and enforce tenant-specific policies
  • Multi-factor authentication (MFA) support for enterprise tenant security requirements
  • Identity federation for supporting SSO integration with tenant identity providers

 

3. Row-Level Security: DynamoDB with Tenant Partitioning

  • Amazon DynamoDB for providing a serverless NoSQL database with single-digit millisecond latency
  • Tenant ID as partition key to ensure physical data isolation and prevent cross-tenant queries
  • Composite keys (tenantId#entityId) to implement row-level security at database layer
  • On-demand capacity mode for aligning database costs with actual tenant usage patterns
  • DynamoDB Streams for enabling real-time tenant activity tracking and audit logging
  • Global secondary indexes (GSI) to optimize common tenant query patterns

 

4. Fine-Grained Access Control: AWS STS & IAM

  • AWS STS (Security Token Service) for generating temporary, tenant-scoped credentials
  • IAM policy variables to inject tenant context into resource access policies dynamically
  • Cognito identity pools to map authenticated users to IAM roles with tenant-specific permissions
  • Session policies for limiting STS credentials to tenant-owned S3 prefixes and DynamoDB items
  • Lambda execution roles with least-privilege access for enforcing tenant boundaries
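
Sections 3 and 4 pair a tenant-ID partition key with STS session policies. The Python below is an added example (not DPL's or nGAGE's code) that builds such a session policy and the arguments for boto3's `sts.assume_role`; the tenant ID format, table ARN, bucket name and role ARN are constructed assumptions.

```python
import json
import re

# Assumed tenant ID format. "*", "?", "/" and "$" are rejected because they
# would act as wildcards, path separators or policy variables in the policy.
TENANT_ID_RE = re.compile(r"[a-z0-9][a-z0-9-]{2,35}")
MAX_SESSION_POLICY_CHARS = 2048  # STS limit for an inline session policy
# Scan is left out on purpose: it is not bound to one partition key value.
ITEM_ACTIONS = ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:PutItem",
                "dynamodb:UpdateItem", "dynamodb:DeleteItem"]
# Constructed sample values, not taken from the case study.
TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/ExampleTenantData"
BUCKET = "example-tenant-data"
ROLE_ARN = "arn:aws:iam::123456789012:role/ExampleTenantAccess"


def build_session_policy(tenant_id, table_arn, bucket):
    """Return a JSON session policy limited to one tenant's items and prefix."""
    if not isinstance(tenant_id, str) or not TENANT_ID_RE.fullmatch(tenant_id):
        raise ValueError("tenant id failed validation")
    policy = {
        "Version": "2012-10-17",
        "Statement": [
            {   # Every partition key value touched must equal the tenant ID.
                "Effect": "Allow",
                "Action": ITEM_ACTIONS,
                "Resource": [table_arn],
                "Condition": {"ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": [tenant_id]}},
            },
            {   # Objects only under the tenant's own prefix.
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/{tenant_id}/*"],
            },
        ],
    }
    text = json.dumps(policy, separators=(",", ":"))
    if len(text) > MAX_SESSION_POLICY_CHARS:
        raise ValueError("session policy exceeds the STS size limit")
    return text


def assume_role_params(role_arn, tenant_id, table_arn, bucket):
    """Keyword arguments for boto3's sts.assume_role(**params)."""
    return {
        "RoleArn": role_arn,
        "RoleSessionName": f"tenant-{tenant_id}",
        # Effective permissions are the role's policy intersected with this.
        "Policy": build_session_policy(tenant_id, table_arn, bucket),
        "DurationSeconds": 900,  # shortest lifetime STS accepts
    }
```

The tenant ID passed in should come from the verified token claim, never from a request parameter, since it is the only value that scopes the resulting credentials.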

 

5. Serverless Microservices: AWS Lambda

  • AWS Lambda functions for implementing business logic with automatic scaling to zero
  • Tenant context propagated through Lambda event payloads and environment variables
  • Lambda layers for sharing common multi-tenant code across microservices
  • Canary deployments to gradually roll out changes with tenant-specific routing
  • X-Ray tracing to deliver tenant-aware distributed tracing across microservices
  • Reserved concurrency for preventing noisy neighbor issues between high-volume tenants

 

6. Tenant Onboarding and Provisioning Automation

  • AWS Step Functions for orchestrating multi-step tenant provisioning workflows
  • CodePipeline to automate tenant-specific infrastructure deployment using CloudFormation
  • Lambda functions to create Cognito user pools, DynamoDB tables, and S3 buckets per tenant
  • Parameter Store for storing tenant-specific configuration and connection strings
  • Automated tenant registration for creating entries in tenant registry DynamoDB table

 

7. Tenant-Aware Observability: CloudWatch

  • CloudWatch custom metrics for tracking per-tenant API calls, Lambda invocations, and database operations
  • CloudWatch Logs Insights for querying tenant-specific logs with tenantId dimension filtering
  • Tenant activity dashboards to visualize consumption patterns, costs, and performance by tenant
  • CloudWatch alarms to detect tenant-specific anomalies and threshold violations
  • Cost allocation tags to enable chargeback reporting and per-tenant cost attribution

 


Business Outcomes and Benefits

  • Tenant Onboarding Time: < 5 minutes (from 2 days)
  • Infrastructure Cost Reduction: 68% (via serverless)
  • Tenant Isolation Model: Row-level security (100% isolated)
  • API Response Time: < 200ms (P95)
  • Deployment Frequency: Multiple daily releases
  • Scalability: Auto-scales to zero/unlimited
  • Tenant Visibility: Real-time per-tenant metrics

Innovation as a Service

DPL delivers end-to-end cloud and DevOps services, helping organizations modernize their infrastructure, automate deployment pipelines, and accelerate software delivery with greater reliability, speed, and efficiency.
