Many copilot envs in one account #3099
Hi, I would like to validate an idea. Let's say I'm creating a SaaS product where each tenant gets their own load-balanced app, bucket and DB completely isolated from each other. Then, I create 1 copilot application and a new env for each client which should create a separate set of resources for each client. While it might run counter to the design goals of the env feature in copilot, should this work? Or, is it a bad idea? And, going by the below quotas doc, it appears I'd be capped to 100 envs at most (100 VPCs). Is it common for customers to cap out the VPC quotas?
Replies: 1 comment
Hi @terah!
This document might help for the model that you are describing: https://d1.awsstatic.com/whitepapers/saas-tenant-isolation-strategies.pdf
It sounds like you're looking at a "Silo Isolation" model and like you're asking whether there are different options. It is okay if you want to opt in to the separate VPC model, but you can hit both limits in terms of number of VPCs and it's possible that you also reach regional service limits that can impact multiple clients although they're in separate VPCs (for example, number of concurrent Lambda invocations). If possible, the safest option would be creating a separate AWS account per customer. AWS Organizations might be an interesting product to investigate to simplify this workflow: https://aws.amazon.com/blogs/security/announcing-aws-organizations-centrally-manage-multiple-aws-accounts/ and then Copilot can be used separately for each customer account. Hope this helps!