In an era defined by digital transformation, the convergence of Software-as-a-Service (SaaS) and public cloud technologies has emerged as a cornerstone of organizational agility, innovation and cost efficiency. This blog explores the strategic significance of adopting SaaS solutions in the public cloud environment, elucidating key benefits, considerations and best practices for successful implementation. 

Concerns while adopting SaaS in public cloud 

1. Every client (ISVs and ISV clients) – separate priority and objectives – no one solution that works for everyone
2. Data sovereignty: Data handling and protection
3. Quick turnaround time for onboarding multiple tenants
4. Security: Enable access for only authorized and authenticated users
5. Chargeback: Billing and metering

How HCLTech helps deploy SaaS framework

HCLTech serves over 500 ISV and Hi-Tech clients globally. With a deep understanding of the industry’s goals, we leverage our engineering heritage and act as a trusted partner for semiconductor, Hi-Tech, ISV and other SaaS companies. As a recognized leader in the Hi-Tech and SaaS industries by Avasant, we’ve utilized our experience to implement the SaaS framework using 27 Google Cloud services. We are one of the preferred partners onboarded to the SaaS accelerator program at Google Cloud, specifically designed for ISV and SaaS service producers.

We can onboard any client leveraging a SaaS acceleration framework, ensuring multi-tenancy, adherence to security standards and visibility into performance and cost management through looker dashboards. Recognizing the need for both business and technical expertise, we can provide comprehensive support to clients throughout their journeys. This includes establishing a foundation on Google Cloud Platform (GCP), onboarding their SaaS Tenants (client) using the SaaS portal and offering ongoing expert services.

SaaS framework – unique features

• A proven framework to accelerate onboarding multiple clients faster and securely on the cloud
• Automated frictionless faster onboarding via a GUI-based SaaS control plane for single-tenancy or multi-tenancy models
• Enables repeatable model for parallel execution across multiple ISVs — flexible and customizable strategy and engagement model
• No ‘one-size-fits-all’ approach

Through a joint investment with Google, HCLTech has developed a one-click deployment solution for our SaaS framework. This allows ISVs to seamlessly transform their applications into SaaS offerings using our prebuilt, ready-to-deploy templates and proven best practices.

Multi-tenant onboarding – Freemium and enterprise with intuitive user interface

Unlock seamless chargeback management - Metering solution empowers tenant billing, fostering transparency and building long-lasting relationships

Maintain security with confidence - Employs robust security protocols to shield data from potential threats, preserving its integrity and confidentiality across tenants

The SaaS Accelerator Framework is leveraged to automate SaaS infrastructure builds using Google’s SaaS Multi-Tenant Reference Architecture. It covers these services:

• Resource hierarchy, organization policy, network, GKE enterprise cluster, identity platform (integration with multiple identity providers), security, management, apigee, NGINX reverse proxy
• Support in deploying customer application to GKE enterprise clusters
• Support in deploying SaaS admin console for tenant onboarding

Solution highlights: 

• Resource hierarchy: Nested folder structure within the top-level folder in an existing organization 
• Provisioned multiple projects for providing a standard platform on which tenants can be onboarded as freemium or enterprise categories
• Separate projects, one as host project with shared VPC hosting foundation and network services, and one as service project for tenant workload deployment on GKE enterprise private clusters
• IAM: Service accounts with assigned IAM roles and service identities for Anthos Fleet service projects
• Secure Application Endpoint using identity aware proxy that renders options for integrating with multiple identity providers using Google Cloud identity platform 
• Network: One VPC and multiple subnets for regional GKE enterprise private clusters in each of the GCP regions and apigee
• Cloud DNS: Automated provisioning of records mapped with domain name leveraging GCP Cloud DNS configured for public and private DNS zones
• Extending the capabilities of Global Load Balancer hosted in host project (http to https redirection) to distribute the traffic to Anthos Service Mesh through NGINX Reverse Proxy deployed in service Project
• Security: Cloud armor for security controls at the edge, tag-based firewall rules for denying egress and allowing ingress traffic based on source and destination
• Network policies leveraged to ensure multi-tenant isolation between tenants deployed into individual namespaces in the freemium project GKE cluster and separate projects for enterprise tenant GKE clusters
• Google-managed certificates, artifact registry, cloud source repository provisioned within host project along with Anthos config management deployed in service projects
• Management: Apigee is used for exposing internal services (inside ASM) as APIs to external consumers and securing backend services
• Google cloud operations suite enabled for GKE workloads and infrastructure
• GKE metering enabled to understand the resource usage that outputs data to BQ Datasets and visualized through data studio
• The admin console application is rendered through cloud run using the admin container image to onboard new tenants
• Provide single pane of glass for dedicated monitoring and visualization of workloads across clusters

Typical use case architecture for any SaaS-based clients (no one size fits all). 

Freemium: 

1. Admin tenant project for onboarding multiple tenants via GUI interface
2. Hosting multiple tenants isolated by namespaces within a single project and single GKE enterprise cluster and traffic protection via network polices
3. Metering and chargeback capabilities

Enterprise: 

1. Admin Tenant Project for onboarding multiple tenants via GUI interface.
2. Hosting dedicated tenant isolated within a single Project and single GKE enterprise cluster
3. Metering and chargeback capabilities

Enterprise tenant onboarding:

1. SaaS framework was leveraged to execute the SAAS Terraform scripts (cloud foundation tool kit) for creation of multi-tenant SaaS environment
2. Creation of project in an automated fashion — e.g., seed, host, service projects, GKE enterprise hub project for the three enterprise tenants
3. Creating GKE enterprise clusters, onboarding of the freemium and enterprise tenants
4. Big query and data source in looker studio to show the actual resource utilization for each tenant
5. GCS bucket in each tenant project is provisioned to upload and download the tenant data to the Jupyter hub notes
6. Filestore for providing shared storage mapped with GKE enterprise clusters
7. Cloud Nat was leveraged for providing outbound restricted and secure access to enterprise clusters

Benefits delivered: 

• SaaS architecture provides a flexible framework for hosting and managing the client's application
• Supports the free tiers in the most cost-effective way, self-service onboarding for the tenants
• Maintain data sovereignty for enterprise clients – tenant isolation
• Efficient metering and chargeback

35% reduction in time to deploy using HCLTech accelerators

Please reach out to Apoorva.ramchandran@hcltech.com in case you are interested in taking SaaS journey for our product/solution.