AWS Full Cloud Migration & Web Platform Modernization for Phronesys

Phronesys is a premier provider of digital solutions for VCA and SHEQ management, helping companies optimize safety, health, environment, and quality processes. While headquartered in Belgium, their rapid international expansion has led to offices across the globe, serving a diverse clientele from local businesses to major multinationals.

To support this worldwide footprint and ensure flawless uptime, Phronesys needed to transition from a traditional virtual machine setup to a modern, highly secure, and automated infrastructure. NubeX Cloud eXperts stepped in as their strategic engineering partner. We successfully migrated their PHP application from Hetzner to a cloud-native AWS ecosystem, ensuring the platform can scale seamlessly alongside their global business.

  • Infrastructure Modernization: Migrated the core application from Hetzner VMs to fully rightsized, tenant-separated Kubernetes environments on AWS.
  • Security & Performance: We established a robust security perimeter, ensuring all internal traffic is strictly isolated, scoped, and secure. To guarantee peak application performance, we implemented IBM Instana for deep observability, unlocking real-time insights and driving high-level system efficiency.
  • Serverless Offloading: Shifted heavy-duty and asynchronous tasks to AWS Lambda to optimize resource utilization and application responsiveness. By leveraging serverless computing, we eliminated idle infrastructure, ensuring that CPU and memory are strictly provisioned on demand with zero underutilized capacity.

Phronesys: Full Cloud Migration & Web Platform Modernization

The Challenge

Phronesys had built a successful SaaS product with a strong and talented development team. Their CakePHP application was well-architected, feature-rich, and serving a growing customer base. But as the platform scaled to hundreds of tenants, the team recognized that their traditional VM-based hosting at Hetzner wouldn't carry them to the next level.

They weren't looking for someone to "fix" their platform; they were looking for a cloud infrastructure partner to help them bring their application to enterprise-grade standards:

  • Scaling needed to become automatic. Their growth trajectory demanded infrastructure that could keep pace without manual intervention.
  • Tenant provisioning needed to be instant. With hundreds of customers and new ones signing up regularly, the technical onboarding process needed to become more efficient.
  • Heavy workloads needed isolation. PDF generation, Excel exports, email sending, and integration syncs running in the web process worked, but separating them would dramatically improve user experience.
  • Infrastructure needed to be codified. To support their growth and enable their developers to understand the full stack, everything needed to be version-controlled and reproducible, not only the application itself.
  • Security needed to match enterprise expectations. Their customers increasingly required WAF protection, encryption, threat detection, and compliance documentation.

Phronesys chose us as the partner to architect and build this next-generation platform, combining our cloud-native and DevOps expertise with their deep application knowledge.

The Solution

We designed and implemented a complete cloud-native platform on AWS from the ground up: no lift-and-shift, no shortcuts. Every component was purpose-built for Phronesys's multi-tenant SaaS model.

The entire AWS infrastructure is defined in Terraform and managed through protected pipelines.

We deployed Amazon EKS as the compute layer, running each of the hundreds of tenants in isolated Kubernetes namespaces. Key design choices:

  • Pool model multi-tenancy: Shared infrastructure (cluster, database instance, cache cluster) with fully isolated data per tenant
  • Dedicated namespace and resources per tenant with its own deployment, service, ingress, HPA, PDB, network policies and secret management
  • T-shirt sizing for right-sizing resources per customer
  • Pod Identity for fine-grained AWS access without long-lived credentials

Deployments are fully automated through a GitOps workflow:

  1. Developers push code → GitHub Actions builds container images
  2. Helm charts are packaged and committed to the GitOps repository
  3. ArgoCD detects changes and reconciles the cluster state
  4. Each tenant has its own ArgoCD Application with layered values (environment → size → tenant-specific)

This gives developers full visibility into what's deployed, easy rollbacks, and self-service access to deployment status.
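An added example, not NubeX's or Phronesys's own code: how the layered values from step 4 resolve, assuming Helm's usual behaviour where later values files win, maps merge recursively, and scalars or lists are replaced. The layer contents, key names and the `overridden_keys` review helper are constructed for illustration.

```python
from copy import deepcopy

# Constructed sample layers; key names are illustrative, not the project's chart.
ENVIRONMENT = {
    "replicas": {"min": 2, "max": 4},
    "networkPolicy": {"enabled": True},
    "resources": {"limits": {"cpu": "500m", "memory": "512Mi"}},
}
SIZE_L = {
    "replicas": {"max": 10},
    "resources": {"limits": {"cpu": "2", "memory": "2Gi"}},
}
TENANT = {"ingress": {"host": "tenant-a.example.com"}, "replicas": {"min": 3}}


def merge_values(base, override):
    """Return base with override applied: maps merge recursively,
    scalars and lists in the higher layer replace the lower value."""
    merged = deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = merge_values(merged[key], value)
        else:
            merged[key] = deepcopy(value)
    return merged


def render_tenant_values(*layers):
    """Fold layers lowest precedence first (environment, size, tenant)."""
    result = {}
    for layer in layers:
        result = merge_values(result, layer)
    return result


def overridden_keys(lower, upper, prefix=""):
    """Dotted paths where the higher layer changes an existing value.
    Useful in review to spot a tenant file altering a shared default."""
    paths = []
    for key, value in upper.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict) and isinstance(lower.get(key), dict):
            paths += overridden_keys(lower[key], value, path + ".")
        elif key in lower and lower[key] != value:
            paths.append(path)
    return paths


if __name__ == "__main__":
    print(render_tenant_values(ENVIRONMENT, SIZE_L, TENANT))
    print(overridden_keys(merge_values(ENVIRONMENT, SIZE_L), TENANT))
```

Running `overridden_keys` against the tenant layer in a pull-request check makes it visible when a tenant-specific file changes a value that the environment or size layer set for everyone.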

One of the most impactful architectural decisions: offloading heavy workloads from web pods to AWS Lambda. We built a sophisticated event-driven pipeline that can be triggered individually by each tenant from its own environment.

Offloaded workloads include:

  • Email sending via SES
  • PDF document generation
  • Excel report exports
  • Third-party integration syncs
  • Mobile push notifications
  • AI-powered queries
  • Cron job execution
  • And many more

The system supports version routing: each tenant's pods invoke the Lambda version matching their deployed image tag, enabling zero-downtime deployments and safe rollbacks.

Tenant provisioning went from a partly manual process to a fully automated workflow:

  • Onboarding: A single API call triggers a Step Function that provisions Terraform resources, creates the ArgoCD application, sets up DNS, and configures monitoring, all in minutes.
  • Offboarding: Gracefully removes all resources, archives data to Glacier Deep Archive with a 10-year retention policy, and auto-cleans after a configurable safety period.

Event-driven workflows handle ongoing changes: DynamoDB Streams trigger Step Functions when tenant configuration changes, automatically updating WAF rules, DNS aliases, or CloudFront caches without manual intervention.

We eliminated the traditional "exposed server" model entirely:

  • CloudFront with VPC Origins: the only public-facing entrance. All load balancers are internal, accessible only through CloudFront's private connectivity.
  • Per-tenant CloudFront distribution tenants with dedicated ACM certificates.
  • Tiered WAF protection: AWS Managed Rule Groups (core, SQL injection, known bad inputs) plus custom rate limiting and tenant domain validation
  • DNSSEC for DNS integrity
  • GuardDuty for continuous threat monitoring
  • S3 malware scanning on every file upload

This was a true partnership from day one. The Phronesys development team brought exceptional application expertise; we brought cloud-native and infrastructure knowledge. Together, we elevated the full stack:

  • Cloud-native development practices: container-first thinking, stateless application design
  • Kubernetes operations: pod debugging, log analysis, understanding deployments and rollouts
  • Infrastructure as Code literacy: reading Terraform, understanding resource relationships, contributing changes
  • GitOps workflows: how ArgoCD works, triggering deployments, rolling back with confidence
  • Offloading patterns: the development team now independently adds new Lambda-offloaded task types using documented patterns we established together

The result: a development team that maintained their deep application expertise while gaining the cloud-native skills to confidently operate, evolve, and extend the platform independently.

Observability & Monitoring

With hundreds of tenants spanning web applications, infrastructure, and mobile apps, Phronesys needed an observability solution that covered the full stack without becoming an operational maintenance burden.

The traditional Prometheus and Grafana stack was not the right fit for this architecture. Managed Prometheus drove costs up significantly while delivering limited value for application-level insights, and a self-hosted alternative meant yet another system to maintain, scale, and monitor. For a multi-tenant SaaS platform with diverse web, infrastructure, and mobile observability needs, IBM Instana was the clear choice.

Leveraging our deep Instana expertise, we integrated observability directly into the infrastructure automation. When a new tenant is onboarded, their application perspectives, synthetic tests, website monitoring, and alert configurations are automatically provisioned through Terraform. This means no manual setup, no tickets, and no delays: every tenant is completely observable from minute one.

This level of automation impressed even the IBM Instana team themselves during our demo, proving that with the right integration approach, observability scales just as effortlessly as the infrastructure it monitors.

The Results:

  • Zero-config service discovery: Every pod, database query, and external call is traced automatically without manual instrumentation.

  • End-to-end distributed tracing: Complete visibility across the entire request flow, routing seamlessly from CloudFront to Kubernetes, the database, and AWS Lambda.

  • Tenant-specific Real User Monitoring (RUM): Deep frontend performance insights tailored to individual tenants.

  • Cross-platform mobile monitoring: Native support for both iOS and Android applications.

  • Automated synthetic monitoring: Continuous uptime checks provisioned instantly at onboarding.

  • Smart incident management: Custom alerting integrated directly with PagerDuty for reliable on-call workflows.

One platform covering web, infrastructure, serverless, and mobile: fully automated, fully integrated, and with zero operational overhead.

Conclusion

This project demonstrates what's possible when strong application teams partner with cloud-native infrastructure specialists. We didn't replace Phronesys's expertise; we amplified it. Together, we transformed a proven product into an enterprise-grade cloud platform.

The platform now handles hundreds of tenants with room to grow, delivers sub-second response times free from background task interference, and provides the enterprise security posture their customers demand. New tenants are technically onboarded very fast. New features can ship multiple times a day if necessary. And the team operates with full confidence knowing the infrastructure is self-healing, well-documented, and built on solid foundations.


Interested in a similar transformation for your SaaS platform? [Get in touch.]

Dylan Verschaeren / COO

As COO of Phronesys, I am particularly satisfied with our collaboration with NubeX. NubeX is an extremely responsive and proactive partner who not only thinks along with us but also challenges us to look beyond our current strategies. Their ability to respond quickly and adapt to our needs, without compromising on quality, is remarkable. This approach has led to significant improvements in our cloud platform, which is essential for implementing and maintaining a stable, modern, high-quality, and secure infrastructure. We value their commitment to excellence and look forward to a continued partnership.
