Multi-Tenant Instance Segregation
Overview
Some environments, such as Managed Service Providers (MSPs) or large enterprises with multiple business units, require complete segregation of database visibility, access control, and monitoring jobs. dbWatch Control Center supports this via domain-based isolation, using separate Domain Certificate Authorities (Domain CAs) for each tenant.
Each tenant operates within its own cryptographic and operational domain, with dedicated server infrastructure.
Recommended Architecture (with Cloud Router)
Although it’s possible to have direct Monitor or CCC communication with each tenant’s dbWatch Server, the recommended architecture — especially for MSPs — is to route all traffic through a central Cloud Router node.
This setup ensures:
- No inbound firewall openings are needed on tenant networks.
- All instance-hubs and Domain CAs initiate outbound-only traffic (typically TCP 7100).
- A single point of management for clients, scripting nodes (CCC), and Monitor tools.
Key Components per Tenant
Each tenant must have a dedicated dbWatch Server node with:
- Domain CA role — to issue identities and control trust boundaries.
- Instance Hub role — to manage jobs, monitoring, and database connections.
Each of these dbWatch Servers will:
- Manage the database instances within the tenant network.
- Connect outbound to a central Cloud Router node for secure routing.
- Operate independently from other tenants.
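The layout rules above (a Domain CA and an Instance Hub per tenant, no Domain CA shared between tenants, no inbound openings, egress only to the Cloud Router) can be checked against a network inventory. The script below is an added example, not dbWatch code and not part of the original page; the inventory schema, hostnames and fingerprints are constructed assumptions, and it calls no dbWatch API.

```python
# Added example: audits a hand-maintained tenant inventory against the layout
# described above. The inventory schema is hypothetical, not a dbWatch format.
from collections import defaultdict

ROUTER = "router.msp.example"   # constructed Cloud Router hostname
ROUTER_PORT = 7100              # port named on this page; adjust if yours differs
REQUIRED_ROLES = {"domain-ca", "instance-hub"}

# Constructed sample data. ca_fingerprint stands in for the Domain CA cert hash;
# "egress" lists connections that leave the tenant network, "inbound" open ports.
INVENTORY = [
    {"tenant": "finance", "roles": ["domain-ca", "instance-hub"],
     "ca_fingerprint": "AA:01", "inbound": [],
     "egress": [(ROUTER, 7100)]},
    {"tenant": "rnd", "roles": ["instance-hub"],
     "ca_fingerprint": "AA:01", "inbound": [7100],
     "egress": [(ROUTER, 7100), ("db.finance.example", 1433)]},
]

def audit(inventory, router=ROUTER, port=ROUTER_PORT):
    """Return a sorted list of (tenant, finding) tuples; empty means compliant."""
    findings, by_ca = [], defaultdict(list)
    for node in inventory:
        name = node["tenant"]
        by_ca[node["ca_fingerprint"]].append(name)
        missing = REQUIRED_ROLES - set(node["roles"])
        if missing:
            findings.append((name, "missing role(s): " + ", ".join(sorted(missing))))
        if node["inbound"]:
            findings.append((name, f"inbound ports open: {sorted(node['inbound'])}"))
        for dest in node["egress"]:
            if dest != (router, port):
                findings.append((name, f"egress to {dest[0]}:{dest[1]} bypasses router"))
        if (router, port) not in node["egress"]:
            findings.append((name, "no outbound path to Cloud Router"))
    for fp, tenants in by_ca.items():
        if len(tenants) < 2:
            continue  # a Domain CA used by exactly one tenant is the expected case
        for t in tenants:
            others = sorted(set(tenants) - {t})
            findings.append((t, f"Domain CA {fp} shared with {others}"))
    return sorted(findings)

if __name__ == "__main__":
    for tenant, finding in audit(INVENTORY):
        print(f"[{tenant}] {finding}")
```
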
Architecture Illustration
Legend:
- Green or red lines = outbound-only TCP 7100 connections; the colors visualize different security contexts
- Center = shared Cloud Router (in the MSP or datacenter)
- Clients / CCC scripting nodes = connect only to the Cloud Router
Benefits
- 🔐 Complete tenant isolation via separate domains and certificates
- 🔄 Single connection path using outbound TCP (e.g. port 7100)
- ☁️ Central routing using dbWatch Cloud Router or self-hosted routing node
- 📈 Per-tenant monitoring, audit logs, and job definitions
- 🧩 Modular expansion — add more tenants/domains without rearchitecting the whole environment
Use Cases
- MSP hosting environments for multiple external clients in segregated networks
- Enterprises managing business-critical departments (e.g. Finance vs. R&D)
- Hybrid environments combining cloud and on-premise segments
Licensing Requirements
Each tenant’s Domain CA requires its own license key. Monitor clients or CCC scripts must authenticate into the correct domain using signed certificates.
For evaluations or production licensing, please visit our Pricing & Licensing page or email sales@dbwatch.com.
Related Documentation
- Certificate Infrastructure
- Domain Configuration and Privileges
- Control Center Commandline
- Internal Control Center Firewall
- Node to Node Communication
- Remote Support
Need Help Designing Your Setup?
Our team can assist you in building your multi-tenant or MSP layout with the right mix of instance hubs, firewalls, and cloud routing. Contact us at support@dbwatch.com.