Innate Azure Reference Architecture – Shared Control Plane + Per‑Tenant Data Plane
Goal: minimise per‑tenant baseline while preserving isolation and scale. Use shared, pay‑as‑you‑go edge/services; keep per‑tenant units serverless (scale‑to‑zero) with auto‑pause databases. Avoid per‑tenant fixed charges.
Architecture diagram (flattened; arrows omitted for clarity inside tenant blocks)

Shared control plane (one per platform):
- End users / clients
- Azure Front Door (shared): shared cost; 1 per platform
- API Management (consumption / shared): per‑call billing; central
- Entra External ID (B2C): shared; MAU‑based
- Log Analytics: ££ hotspot; cap / sample
- App Insights
- Key Vault (shared)
- Container Apps Environment (shared): tenant‑scoped apps; min‑replica 0 for idle
  - Tenant A APIs: scale‑to‑zero
  - Tenant B APIs: scale‑to‑zero
  - Tenant C APIs: scale‑to‑zero
  - Shared services (e.g., email, PDF)

Per‑tenant resource groups (isolation at data + workload level), Tenant A (RG‑A), Tenant B (RG‑B) and Tenant C (RG‑C), each containing:
- Functions (consumption)
- Container Apps (scale‑to‑zero)
- DB (SQL Serverless or Postgres B‑Series): ££ if provisioned
- Blob Storage per tenant

Cost hotspots to avoid (per‑tenant):
- Dedicated APIM / Front Door per tenant → use shared or consumption.
- Always‑on App Service Plans → use Container Apps / Functions with min‑replica 0.
- Provisioned databases → use SQL serverless (auto‑pause) or Postgres B‑series.
- Uncapped log ingestion → set sampling, quotas, short retention.
- Per‑tenant WAF/NAT/AppGW → centralise at edge; add only for regulated tenants.

Indicative incremental cost / tenant (light usage): DB £15–£35 · Compute £5–£20 · Logs £2–£10 · Storage+egress £1–£5 · Identity £0 (low MAU) → ~£25–£70 typical baseline.

Traffic flows: Client → Front Door → APIM → Tenant‑scoped APIs (via claims/route) → DB/Storage. Shared services (B2C, Key Vault, App Insights/Logs) support all tenants centrally.
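The "uncapped log ingestion" hotspot above is the one most easily fixed in infrastructure code. The following Bicep is an added example, not part of the one‑pager and not any project's own template: it deploys the shared Log Analytics workspace and a workspace‑based App Insights component with a daily ingestion cap, short retention and 10% sampling. The resource names, the 1 GB/day cap and the `platformName` parameter are assumptions chosen for illustration.

```bicep
// Added example: shared observability with the caps the one-pager recommends.
// platformName, dailyCapGb and the other defaults are assumed values, not the page's.
targetScope = 'resourceGroup'

param location string = resourceGroup().location
param platformName string = 'innate-shared'   // assumed naming prefix
param dailyCapGb int = 1                      // assumed cap; size it to real traffic
param retentionDays int = 30                  // short retention keeps storage cost low
param samplingPercentage int = 10             // the 5-10% sampling band from the page

// One workspace for all tenants: pay-per-GB, with a hard daily stop so a noisy
// tenant (or a logging bug) cannot turn into an uncapped bill.
resource law 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
  name: 'law-${platformName}'
  location: location
  properties: {
    sku: { name: 'PerGB2018' }
    retentionInDays: retentionDays
    workspaceCapping: { dailyQuotaGb: dailyCapGb }   // ingestion stops for the day once hit
  }
}

// Workspace-based App Insights: telemetry lands in the capped workspace above and
// is sampled at ingestion, so the cap is rarely reached in normal operation.
resource appi 'Microsoft.Insights/components@2020-02-02' = {
  name: 'appi-${platformName}'
  location: location
  kind: 'web'
  properties: {
    Application_Type: 'web'
    WorkspaceResourceId: law.id
    IngestionMode: 'LogAnalytics'
    SamplingPercentage: samplingPercentage
    RetentionInDays: retentionDays
  }
}

output workspaceId string = law.id
output appInsightsConnectionString string = appi.properties.ConnectionString
```

Two caveats a practitioner should keep in mind: the daily cap is platform‑wide, so the per‑tenant quotas the page asks for still have to be enforced where telemetry is emitted (or by giving regulated tenants their own component), and once the cap trips, security‑relevant logs stop arriving too, so pair it with an alert on the cap being reached rather than treating it as silent cost control.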
Design levers to stay < £100/tenant
- Shared edge: single Front Door + APIM (consumption/shared) for all tenants.
- Serverless compute: Container Apps / Functions with min‑replica 0.
- Auto‑pause DB: SQL serverless or Postgres B‑series; 1 DB per tenant.
- Observability discipline: 5–10% sampling, per‑tenant quotas, short retention.
- Data isolation: separate RGs, storage containers, and DB per tenant.
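The five levers above map to one deployable per‑tenant unit. The Bicep module below is an added example, not code from the one‑pager: deployed once into each tenant's resource group (RG‑A, RG‑B, …), it creates that tenant's storage account, a serverless SQL database with auto‑pause, and a scale‑to‑zero Container App inside the shared environment. The `tenantId`, `sharedEnvironmentId`, `containerImage` and `sqlAdmin*` parameters, the SKUs and the 60‑minute pause delay are assumptions for illustration.

```bicep
// Added example: one per-tenant unit, deployed into that tenant's own resource group.
// All parameter values and SKUs below are assumed; tune them to the tenant's tier.
targetScope = 'resourceGroup'

param tenantId string                  // short tenant key, e.g. 'a' (assumed convention)
param location string = resourceGroup().location
param sharedEnvironmentId string       // resource id of the shared Container Apps Environment
param containerImage string            // tenant API image reference (assumed)
param sqlAdminLogin string
@secure()
param sqlAdminPassword string          // sourced from the shared Key Vault at deploy time

// Blob storage: a separate account per tenant is the isolation boundary for data.
resource stg 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: toLower('st${tenantId}${uniqueString(resourceGroup().id)}')
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    allowBlobPublicAccess: false       // no anonymous reads of tenant data
    minimumTlsVersion: 'TLS1_2'
    supportsHttpsTrafficOnly: true
  }
}

// SQL serverless: compute billing stops after the idle period, storage still billed.
resource sqlServer 'Microsoft.Sql/servers@2022-05-01-preview' = {
  name: 'sql-${tenantId}-${uniqueString(resourceGroup().id)}'
  location: location
  properties: {
    administratorLogin: sqlAdminLogin
    administratorLoginPassword: sqlAdminPassword
    minimalTlsVersion: '1.2'
    publicNetworkAccess: 'Enabled'     // private endpoint only where a regulated tenant justifies it
  }
}

resource sqlDb 'Microsoft.Sql/servers/databases@2022-05-01-preview' = {
  parent: sqlServer
  name: 'db-${tenantId}'
  location: location
  sku: {
    name: 'GP_S_Gen5'                  // General Purpose, serverless compute tier
    tier: 'GeneralPurpose'
    family: 'Gen5'
    capacity: 1                        // max vCores
  }
  properties: {
    minCapacity: json('0.5')           // smallest floor; Bicep has no decimal literal
    autoPauseDelay: 60                 // minutes idle before pause; -1 would disable pausing
    maxSizeBytes: 2147483648           // 2 GB
  }
}

// Tenant API: its own Container App in the shared environment, scaling to zero when idle.
resource api 'Microsoft.App/containerApps@2023-05-01' = {
  name: 'ca-api-${tenantId}'
  location: location
  identity: { type: 'SystemAssigned' } // use this identity for SQL/Storage instead of shared secrets
  properties: {
    managedEnvironmentId: sharedEnvironmentId
    configuration: {
      ingress: { external: true, targetPort: 8080 }
    }
    template: {
      containers: [
        {
          name: 'api'
          image: containerImage
          resources: { cpu: json('0.25'), memory: '0.5Gi' }
          env: [ { name: 'TENANT_ID', value: tenantId } ]
        }
      ]
      scale: {
        minReplicas: 0                 // idle tenants incur no compute charge
        maxReplicas: 3
        rules: [ { name: 'http', http: { metadata: { concurrentRequests: '50' } } } ]
      }
    }
  }
}

output apiFqdn string = api.properties.configuration.ingress.fqdn
output storageAccountName string = stg.name
```

The resource‑group scope is what makes the isolation claim checkable: RBAC, budgets, policy and deletion all apply per RG, so a tenant offboard is a single group delete. The SQL admin password is only needed for bootstrap; in practice the Container App's system‑assigned identity should be granted database access and the APIM route should carry the tenant claim through to `TENANT_ID`, so that no tenant app holds credentials for another tenant's database or storage account.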
When might ~£500/tenant be real?
- Dedicated APIM or Front Door per tenant.
- App Service Plans (P*v3) or AKS node pools per tenant.
- Provisioned SQL tiers (S/GP/MI) that never pause.
- Verbose logs (no caps) + long retention.
- Per‑tenant NAT/WAF/AppGW regardless of need.
This one‑pager is opinionated for cost‑efficiency; adjust for regulated tenants (e.g., private endpoints, dedicated WAF) only where requirements justify added fixed cost.