Single-tenant vs. multi-tenant architecture with Grafana Cloud: A guide to choosing the right approach
Grafana Cloud’s flexibility is one of its greatest strengths, but the breadth of choices can sometimes be overwhelming. We see this a lot when it comes to selecting the right architectural approach, with organizations unsure of how many stacks they need to host their environment.
Grafana Cloud provides robust features for managing tenancy, enabling organizations to effectively handle diverse teams and projects. In this blog, we’ll explore the advantages and disadvantages of managing Grafana Cloud tenants through multiple stacks for data isolation and permission control. We’ll also look at the pros and cons of maintaining a single stack and managing permissions via role-based access control (RBAC) and labeling.
And while we recommend using a single-stack approach in most cases, this should help you and your organization come to an informed decision about the architectural approach that best fits your specific needs.
The pros and cons of maintaining a single-stack architecture with Grafana Cloud
Role-based access control, or RBAC, paired with a single-stack approach provides a standardized way of granting, changing, and revoking access when it comes to viewing and modifying Grafana Cloud resources such as dashboards, reports, and administrative settings. RBAC also provides the ability to create custom roles that go beyond “Admin,” “Editor,” and “Viewer” to control who can access which resources on a more granular level.
Taking that a step further, you can use label-based access control, or LBAC, to create access policies so users can only query the metrics or logs data that meet specific label requirements. LBAC is useful if you want to separate access to the telemetry backends within a single stack. Instead of giving someone access to all of the metrics or logs within a stack, you only give them access to a specific label set of the metrics or logs in that stack.
The LBAC feature allows you to associate multiple sets of Prometheus label selectors with a policy. As a result, queries only return data that match at least one of the provided selectors.
Advantages
- Organized configuration: LBAC rules can easily be attached to Cloud Access Policies.
- Centralized management: Managing users, roles, and permissions in one place is easier than configuring and maintaining multiple instances. This reduces administrative overhead.
- Simplified maintenance: Updates, backups, and maintenance tasks are simplified with a single instance. You can apply changes across all dashboards without having to replicate efforts across multiple stacks.
- Easier integration: Integrating with other tools and systems (like authentication providers) is more straightforward in a single stack, reducing complexity in the overall architecture.
Disadvantages
- Risks of misconfiguration: If LBAC is misconfigured, it could lead to potential data leaks.
- Limited granularity: Different teams and departments may have unique requirements for their dashboards, and labels and RBAC don’t provide the level of granularity around managing permissions that having multiple stacks does.
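To make the selector semantics and the misconfiguration risk described above concrete, here is an added example (not Grafana's code and not part of the original post). It evaluates sets of Prometheus label selectors as the post describes, where a series is returned if it matches at least one selector, and flags selectors broad enough to expose series that lack the expected labels. The series, the `team` and `env` labels, the selector sets and all function names are constructed for illustration, and Python's `re` stands in for Prometheus's RE2 regex engine.

```python
import re

# Matcher: label name, operator, double-quoted value (escape handling simplified).
MATCHER = re.compile(r'\s*([A-Za-z_][A-Za-z0-9_]*)\s*(=~|!~|!=|=)\s*"((?:[^"\\]|\\.)*)"\s*,?')

def parse_selector(selector):
    """Parse '{a="x", b=~"y|z"}' into [(label, op, value), ...]."""
    text = selector.strip()
    if not (text.startswith("{") and text.endswith("}")):
        raise ValueError(f"not a label selector: {selector!r}")
    body, matchers, pos = text[1:-1].strip(), [], 0
    while pos < len(body):
        m = MATCHER.match(body, pos)
        if not m:
            raise ValueError(f"bad matcher at offset {pos} in {selector!r}")
        matchers.append(m.groups())
        pos = m.end()
    return matchers

def matcher_ok(op, value, actual):
    """Prometheus semantics: regexes are fully anchored; a missing label is ''."""
    hit = actual == value if op in ("=", "!=") else re.fullmatch(value, actual) is not None
    return hit if op in ("=", "=~") else not hit

def visible(selectors, labels):
    """Returned if the series satisfies every matcher of at least one selector."""
    return any(all(matcher_ok(op, v, labels.get(k, "")) for k, op, v in parse_selector(s))
               for s in selectors)

def broad_selectors(selectors):
    """Selectors lacking a positive matcher that requires a non-empty label value."""
    return [s for s in selectors
            if not any(op in ("=", "=~") and not matcher_ok(op, v, "")
                       for _, op, v in parse_selector(s))]

# Constructed sample data: four series and two candidate selector sets.
SERIES = [
    {"__name__": "http_requests_total", "team": "payments", "env": "prod"},
    {"__name__": "http_requests_total", "team": "search", "env": "prod"},
    {"__name__": "http_requests_total", "team": "search", "env": "dev"},
    {"__name__": "node_load1"},  # carries no team/env labels
]
INTENDED = ['{team="payments"}', '{team="search", env="dev"}']
MISCONFIGURED = ['{team="payments"}', '{team!="search"}']

if __name__ == "__main__":
    for name, policy in (("intended", INTENDED), ("misconfigured", MISCONFIGURED)):
        print(name, [visible(policy, s) for s in SERIES], broad_selectors(policy))
```

In the misconfigured set, the negative-only selector `{team!="search"}` also admits `node_load1`, because a series without a `team` label satisfies the inequality; a check like `broad_selectors` can run before a policy is attached.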
The advantages and disadvantages of a multi-tenant architecture with Grafana Cloud
With a multi-tenant architecture approach, you create a stack with a distinct UI frontend for every team that needs one. Each team logs into the same Grafana Cloud instance, accessing their distinct stack backends as data sources.
Multiple production stacks are recommended when the goal is complete isolation among departments or teams and you don’t expect any need to combine data or resources from different stacks. This is typically used by resellers and managed service providers that have customers who shouldn’t have access to one another’s data.
Advantages
- Performance: This approach ensures better query performance and limits the impact of teams, departments, or clients on one another.
- Cost attribution: When you’re using multiple stacks and each stack belongs to a team, it’s easy to attribute costs to each team, client, or department.
- Centralized billing: Each Grafana Cloud instance of each stack includes a grafanacloud-usage data source that powers the included billing dashboard. On the central billing dashboard it’s easy to see the usage of each telemetry signal per stack.
- Data segregation: Each team, department, or client can have its own stack, ensuring sensitive data isn’t accessible to unauthorized users from other teams.
- Compliance: Isolating data can help meet regulatory requirements. It’s easier to control data access and ensure compliance within distinct environments.
- Customizability: Teams can customize their own stack settings, plugins, and dashboards without impacting others, allowing for tailored solutions.
- Easier dashboard sharing: You have several options to share dashboards. If all stacks are in the same region, you can leverage multi-stack querying, so you can centralize visibility across environments without duplicating data.
Disadvantages
- Cross-tenant querying: Querying all tenants together by the admin team requires additional configurations, and the admin team may need to log into each Grafana Cloud instance or consolidate metrics tenants into one stack.
- Correlation challenges: Grafana Labs recommends customers use a single stack as their production observability environment because cross-stack correlation won’t function properly.
- Consistency and best practices: Ensuring consistent practices and standards across multiple stacks can be challenging, potentially leading to varying levels of quality and performance.
Make the choice that’s right for your organization
Choosing the right architectural approach in Grafana Cloud ultimately depends on your organization’s priorities around isolation, collaboration, compliance, and administrative overhead.
Multiple stacks provide strong boundaries, cost attribution, and customization, making them well-suited for scenarios where complete isolation is non-negotiable, such as with managed service providers or highly regulated environments.
On the other hand, a single-stack architecture with RBAC and LBAC offers simplicity, centralized management, and easier integrations, which often aligns better with organizations seeking operational efficiency and cross-team visibility. This approach is recommended for most Grafana Cloud customers, since they are managing their own stacks and aren’t under strict regulatory requirements.
There’s no one-size-fits-all answer, but by weighing the trade-offs outlined here, you can select the model that best balances your technical requirements with your business goals.