ISV on Alibaba Cloud Architecture Whitepaper

You can utilize this whitepaper to configure the appropriate services and architectures when considering migrating SaaS to Alibaba Cloud.

ISV Introduction (SaaS)

In this whitepaper, the term ISV (independent software vendor) refers to expanding sales channels by moving a solution configured on-premises to the cloud. In other words, ISV on the Cloud is equivalent to creating SaaS.

Software as a Service (SaaS) is licensed on a subscription basis and centrally hosted, rather than sold through the traditional all-in-one licensing method. This form can be a delivery model for many business applications, including ERP and messaging software, management software, virtualization, and more.

Unlike SaaS applications, early Internet-based software had features similar to on-premises applications. Because that software was originally built as a single-tenant application, it had limited data-sharing capabilities. SaaS applications, however, contain a number of features that make them competitive compared to on-premises applications, and they can all be configured as single-instance, multi-tenant architectures.

SaaS providers centrally host applications and data. Patches, extensions, and upgrades are applied transparently in the application environment, and business users do not feel any inconvenience when using them. The SaaS provider also provides an OpenAPI so that business users can extend its functionality easily and customize SaaS functions to fit their business.

Advantages of SaaS Architecture

  • The SaaS vendor manages all backend infrastructure for you, so you don't have to worry about operations.
  • SaaS is designed to store data on remote servers, so there is no data loss due to hardware failure in the local data center. Automatic data backup and Disaster Recovery (DR) are built into the SaaS architecture.
  • SaaS vendors release fully tested versions, so you don't have to worry about bugs, complex deployment procedures, or issues that cause service downtime.
  • SaaS architecture provides a flexible platform to scale computing resources on-demand. You don't have to buy more powerful hardware to serve more customers. SaaS architecture components are built with scalability in mind.
  • Most SaaS solutions provide compliance natively for the industry involved. This eliminates the need for additional resources to ensure compliance.
  • SaaS eliminates the need to build complex and expensive technology and tool stacks to support short-term projects. You can save time and money by using hosted applications.


Migrating existing on-premises applications to SaaS can be seen as the evolution of those applications to cloud-native. The following considerations are necessary to make proper use of cloud services and their many advantages.

1. Microservices vs. Monolithic Architecture

Many companies still use a monolithic architecture approach. Even monolithic applications can be built, patched, or changed without affecting the overall application by splitting them into tiers, such as a 3-tier architecture.

Unless you plan to create a large production environment, we recommend a monolithic approach that is easy to develop and manage. However, this architecture is difficult to change, so if scaling or a lot of change is expected, you should choose microservices architecture.

Microservices architecture breaks down services into units to create independent and isolated processes and architectures; each service can be developed, deployed, tested, and patched independently.

You can also focus each microservice on a single business offering. Streaming services are the most successful example of microservices architecture. Netflix uses various microservices for billing, analyzing your watch history for movie recommendations, identifying devices to optimize your viewing experience, and adding copyright notices to all your files. Netflix has even made their process open-source, explaining how they develop and operate, making it easy for other companies to run microservices.

Microservices allow multiple teams to manage independent services coded in different languages and deployed on different infrastructures. For this reason, microservices architecture allows for scalability, CI/CD operations, and changing or troubleshooting the application without disrupting the entire service.

2. Self-Service and Customizing

Enterprise users running SaaS solutions can manage these applications themselves and do not need to hire experts. The solution should also allow operators to customize it according to their needs without writing any code.

SaaS provides an easy-to-use API in its architecture to give users more flexibility in customizing the platform. You must also provide a manual for using this API. Users can get more value from your SaaS architecture by integrating third-party tools they already use or want to use.

3. Multi-Tenant Implementation

Multi-tenant architecture allows efficient use of resources when multiple users run the application.

  • Using an application with multiple databases ensures that users entering the environment at the same time each access a different database. As a result, applications can scale faster, provide more resources to users at the same time, and become more responsive. However, this approach is expensive because it requires allocating more resources.
  • Using an application with one database allows all users to access one database until it is filled before redirecting to a new database. Although this method is fast and inexpensive to deploy, it can create a single point of failure (SPOF) and degrade performance because all connections go through a single point.

If you have heavy users whose workloads take up most of the resources, these users can degrade the user experience of other tenants in a multi-tenant environment.

Monitoring and logging systems must be configured so resources can be controlled in the SaaS environment before such a situation occurs.

4. Data Security

Most enterprises choose an on-premises architecture because they are concerned about the security of their data. Given a number of recent incidents, data security is one of the most expensive areas for businesses to invest in. We must provide a tightly secured service to protect this data.

Making role-based access control (RBAC) a key component of your SaaS architecture can help increase data security. RBAC can be used as a feature to prevent other users from accessing and changing data that is not directly related to their role in the organization.
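The following sketch shows how RBAC and tenant isolation combine in a multi-tenant SaaS backend. It is an added example, not code from the whitepaper or from Alibaba Cloud; the role names, permissions, and sample users are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Role-to-permission map for a hypothetical invoicing SaaS (constructed for this example).
ROLE_PERMISSIONS = {
    "viewer": {"invoice:read"},
    "accountant": {"invoice:read", "invoice:update"},
    "tenant_admin": {"invoice:read", "invoice:update", "invoice:delete"},
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant_id: str
    roles: tuple


@dataclass(frozen=True)
class Resource:
    kind: str
    resource_id: str
    tenant_id: str


def is_allowed(principal: Principal, action: str, resource: Resource) -> bool:
    """Deny by default; allow only inside the caller's own tenant and role."""
    # Tenant isolation comes first: no role may cross a tenant boundary.
    if principal.tenant_id != resource.tenant_id:
        return False
    # The action must target this kind of resource ("invoice:update" on an invoice).
    if action.split(":", 1)[0] != resource.kind:
        return False
    # Unknown roles contribute no permissions, so typos fail closed.
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in principal.roles)


def decide(principal: Principal, action: str, resource: Resource) -> dict:
    """Return an audit record for the decision, suitable for a logging pipeline."""
    allowed = is_allowed(principal, action, resource)
    return {
        "user": principal.user_id,
        "tenant": principal.tenant_id,
        "action": action,
        "resource": f"{resource.kind}/{resource.resource_id}",
        "resource_tenant": resource.tenant_id,
        "decision": "allow" if allowed else "deny",
    }


# Constructed sample principals and resources.
ALICE = Principal("alice", "tenant-a", ("accountant",))
BOB = Principal("bob", "tenant-b", ("tenant_admin",))
INVOICE_A = Resource("invoice", "inv-1001", "tenant-a")

if __name__ == "__main__":
    for who, action in [(ALICE, "invoice:update"), (ALICE, "invoice:delete"), (BOB, "invoice:read")]:
        print(decide(who, action, INVOICE_A))
```

Checking the tenant before the role means that even an administrator of one tenant is denied on another tenant's data, and the audit record keeps both tenant IDs so cross-tenant attempts stand out in logs.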

5. SaaS Configuration Compliance with Country Regulations

If you're delivering applications for a specific industry, you need to build SaaS applications with out-of-the-box compliance. Compliance varies by industry, but policies, such as the General Data Protection Regulation (GDPR), apply across the board.

When we configure our applications, we must choose an infrastructure that considers compliance, including GDPR.

6. Start Developing with SaaS Architecture That Considers Scalability

If business applications are transformed into SaaS, our business channels can move closer to customer contact points than the existing single offline channels. We need to be able to scale the SaaS environment as applications grow in popularity.

This requires designing SaaS architecture to auto scale easily and handle increasing loads without compromising performance. You can achieve this by ensuring that your SaaS architecture supports seamless horizontal and vertical scaling.

7. Guaranteed Minimal Downtime

We need to configure a SaaS solution with high availability. SaaS users have very little tolerance for service downtime. We need to know that prolonged service outages reduce customer satisfaction, resulting in loss of customers, business, and competitive advantage.

We need to have a multiplexed configuration at the network, instance, and database levels to achieve this high availability.

8. Monitoring the Cost of SaaS Applications

Transforming applications to SaaS means changing our business model to subscription or pay-as-you-go.

We need to drill down into monitoring and logging systems for our resources to understand how much our customers are using our applications. In addition, if you anticipate the time when customer access will increase rapidly and prepare for expansion in advance, you can enhance the quality of service.

9. Enhanced Network Quality between Regions and Centers

Since applications configured in the existing on-premises environment communicate data through a private network, there is no need to worry about network quality.

However, many factors will increase network latency when the service is configured in the cloud environment, such as communication with the main server, communication with the DR server, and the connection of overseas users.

We must consider accelerating network communication to improve the quality of service.

Alibaba Cloud provides various services to satisfy the SaaS architecture requirements above.

  • Function Compute: Services for running workloads in a serverless environment
  • ACK: A Kubernetes service that is an orchestrator for managing containers
  • ECS: Provides various types of instances, such as CPU, GPU, FPGA (Alibaba Cloud GPU), and High Memory as a basic virtualization server
  • NAT: A gateway service that provides a function to communicate with the public network in an environment where the network is blocked
  • SLB: Provides both L4/L7 layer load balancing as an LB service for load balancing of instance traffic
  • PolarDB: An efficient and stable database service built on Alibaba Cloud's own engineered DBMS
  • RDS: A DBMS service in which Alibaba Cloud has redesigned open-source databases
  • OSS: An Object Storage service that lets you use high-performance storage cost-effectively
  • NAS: A network-based storage service primarily used to configure shared file systems
  • Global Accelerator: Network communication acceleration solutions to eliminate network latency issues across borders, especially in Mainland China and beyond.
  • API Gateway: Services that control and route API communications
  • VPN: A protected network service that provides secure access to an isolated network environment (VPC)
  • DCDN: A CDN service that can accelerate static and dynamic content
  • Express Connect: A network service that provides a fast and reliable dedicated line between a local data center and a VPC
  • CEN: A network service that can be connected as a private network between VPCs in Alibaba Cloud
  • Anti-DDoS: A security service to defend against DDoS attacks
  • WAF: A service that protects against application-layer attacks and detects and defends against attacks intelligently by embedding AI bots
  • Cloud Firewall: A security service that defends against network layer attacks
  • Security Center: A centralized security management system that dynamically analyzes and protects security threats to cloud resources and servers
  • SSL Certificates: A service that manages certificates for SSL communication
  • RAM: A security service for RBAC-based user and role management
  • Cloud Monitor: An integrated monitoring service that can monitor all services and workloads configured in an Alibaba Cloud environment
  • SLS: A service that manages application and infrastructure logs generated by each cloud service
  • ARMS: An APM service that controls application performance

Reference Architecture

The Alibaba Cloud services described in the section above enable you to transform your on-premises applications to SaaS cost-effectively, securely, and easily. An example architecture is shown below:



The service logic expressed in the architecture above is divided into a total of five areas. The explanations below describe why the services are arranged in this form.

1. ISV Application

The first thing to consider when migrating an on-premises application to the cloud is the migration of the application itself. In the cloud environment, we already have everything of an environment where a company loses, and we can select a service according to the type of service.

1) Public Subnet (NAT and SLB)

Most enterprise environments are configured as closed-network environments. Subnets can be divided so that a closed network can be maintained even in a cloud environment. In this environment, some modules still require an Internet connection, and you need a service that acts as an ingress router so that customers can connect to the server.

In such a limited network environment, we can configure an architecture that can satisfy scalability and security by using NAT and SLB services to help connect to the public network.

2) Function Compute

Sometimes, when we configure microservices, some of the modules (login, logout, etc.) do not need a server running 24/7. In such a case, you can consider implementing a Serverless service.

We can implement Serverless easily using Function Compute (FC). This service can increase customer scalability and cost-effectiveness.

3) ACK and ASK

Among the many applications implemented recently, most of the modules that value scalability are implemented in a container environment. Alibaba Cloud ACK provides a Kubernetes environment that can manage containers efficiently. We can configure ACK using various types of instances, such as CPU, GPU, and High Memory.

4) ECS

If the application's architecture is best suited to a legacy environment rather than a Serverless or container environment, you can consider moving it to the instance environment as is.

Alibaba Cloud provides the fastest and highest SLA virtual machine in the ECS instance environment to perform cost-effective instance migration.

2. Data Area

The most difficult part of moving legacy applications to the cloud is data migration. Alibaba Cloud provides a variety of DBMS and storage services for each data type. This way, migration can be performed more easily without major data changes.

1) PolarDB / RDS

A relational database is the most common database for managing data of service applications provided by enterprises. Even among relational databases, the data structure differs depending on the vendor or open-source project. For this reason, the migration of databases is considered the most difficult migration process.

Alibaba Cloud provides a variety of commonly used RDBMS-based services and a migration service that helps you perform data migration more easily and quickly.

We can perform the data transfer without issues using these services.

2) OSS / NAS

Enterprise SaaS applications need to consider the process of storing data efficiently. In addition, a storage configuration suitable for the form, such as a data lake or shared storage, is required based on the properties in which data is stored.

In this case, we can use OSS and NAS, two representative examples of Alibaba Cloud's various storage services. OSS provides object storage, allowing you to store and utilize various data cost-effectively, such as object storage and file system. In addition, if you need shared storage, you can use NAS with network and storage optimization to store and utilize data faster.

3. Network

We only need to consider the North-South bound network when configuring our application in the legacy environment. However, when an application moves to a cloud environment, all internal communication (East-West bound) must be taken into account.

We can solve network issues that occur in various types of channels by using the following network services of Alibaba Cloud:


If the service mainly delivers large-capacity content (photos, pictures, and videos), network delays for customers will be fatal to the business. The most needed service in these cases is the CDN.

Alibaba Cloud CDN is cost-effective and has the advantage of DCDN, which can handle static and dynamic content. Alibaba Cloud also has the most CDN PoPs in Asia, allowing large content delivery to customers faster.

2) Global Accelerator

Cross-border data communication must be considered when customers with overseas offices use our SaaS. In particular, public networks between China and South Korea can incur a lot of latency and jitter. In this case, data communication can be performed faster and more reliably using Alibaba Cloud Global Accelerator.

3) API Gateway

We discussed the need to provide an API for customer-specific customization of SaaS in the steps above. Management is required for this open API.

We can use the API Gateway service to manage our APIs. API Gateway can manage versions and permissions for APIs and monitor all traffic.

4) VPN

If an enterprise wants to access a secure protected environment (VPC), it is necessary to use a protected network rather than a public network. In addition, access to the isolated private network must be granted or denied according to the role of the operator.

We can handle these cases with a VPN service. A VPN service allows you to connect to the VPC more securely, increasing the security of your operations.

5) Express Connect

In some ISV applications, only the clients are deployed to the cloud, and the main servers are kept in the local IDC. From this point of view, reliable and fast communication is essential for client-server data communication.

We can use Express Connect in these cases. If you use Express Connect, you can construct a stable and fast network using the dedicated line provided by Alibaba Cloud without building an expensive dedicated line.

6) CEN

There are various ways to configure DR in the enterprise, such as hot, warm, and cold forms. In particular, DR in the cloud environment consists of logic that synchronizes data and services by connecting the production VPC and the DR VPC through a private network.

You can use the CEN service to configure a network between different VPCs as a private network.

4. Security

One of the easiest benefits to obtain from moving our applications to the cloud is the integration of security-related services. Security is the area where we spend the most money in an on-premises environment. The initial investment can be reduced significantly by replacing this large-scale security with cloud services.

1) Anti-DDoS, WAF, and Cloud Firewall

When our applications are moved to the cloud, the first security consideration is network-related security enhancements.

Anti-DDoS, Alibaba Cloud's network security service, defends against DDoS attacks from around the world effectively. Security attacks at the application layer can be defended using bots in WAF, and attacks at the network layer can be defended using Cloud Firewall. We can use these three services to keep our SaaS safe.

2) Security Center

Security Center is a centralized security management system that dynamically identifies and analyzes security threats and generates alerts when threats are detected. Security Center provides several features to ensure the security of cloud resources and servers in your data center. Features include ransomware protection, antivirus, web tamper protection, container image scanning, and compliance scanning. This enables you to automate security operations, response and threat tracking, and meet compliance requirements.

3) SSL Certification

If the SaaS is web-based, it is necessary to configure the HTTPS protocol. HTTPS relies on SSL certificates, which must be managed. You can use Alibaba Cloud's SSL Certificates service to manage these certificates.

4) RAM

RAM allows you to create and manage accounts and grant different privileges to a single account or group. This way, you can grant different identities access to different Alibaba Cloud resources. This service allows us to perform RBAC-based user account and service management.
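Granting different privileges only helps if each grant is narrow, so the added example below (not part of the original whitepaper or any Alibaba Cloud tooling) lints RAM policy documents for over-broad Allow statements before they are attached. The three policies are constructed samples, and the bucket name in them is a placeholder.

```python
import json


def _as_list(value):
    """RAM policy elements may be a single string/object or a list of them."""
    return value if isinstance(value, list) else [value]


def lint_ram_policy(policy_json: str) -> list:
    """Return (statement_index, finding) pairs for over-broad Allow statements."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag.
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions:
            findings.append((idx, "allows every action"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((idx, "allows every action of a service"))
        if "*" in resources:
            findings.append((idx, "applies to every resource"))
    return findings


# Constructed sample policies; "example-tenant-a-bucket" is a placeholder name.
ADMIN_LIKE = json.dumps({
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})
SERVICE_WIDE = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["oss:*"],
        "Resource": ["acs:oss:*:*:example-tenant-a-bucket/*"],
    }],
})
SCOPED = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["oss:GetObject", "oss:PutObject"],
        "Resource": ["acs:oss:*:*:example-tenant-a-bucket/*"],
    }],
})

if __name__ == "__main__":
    for name, doc in [("admin-like", ADMIN_LIKE), ("service-wide", SERVICE_WIDE), ("scoped", SCOPED)]:
        print(name, lint_ram_policy(doc))
```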


This article discussed the services and architecture of Alibaba Cloud that can help you bring a legacy application to the cloud as an ISV, for example, by configuring it as SaaS.

These services enable us to transform our business cost-effectively, quickly, and safely when migrating our applications to the cloud.

If you have any questions about this architecture or would like any consulting, please send an e-mail to cloudkorea@list.alibaba-inc.com.


JJ Lim
