Learning about IBM Cloudant architecture and workload isolation
Review the following sample architecture for IBM® Cloudant® for IBM Cloud®, and learn more about different isolation levels. After that, you can choose the solution that best meets the requirements of the workloads that you want to run in the cloud.
IBM Cloudant isolation models and architecture
IBM Cloudant is a multi-tenant-capable database system with mechanisms in place to distribute any shared resources like CPU or I/O fairly among the active tenants. IBM Cloudant implements isolation in the database layer itself, and not by relying on containers. Instances are isolated from each other for access control, meaning that it is not possible to read or write data in one instance from another.
Workload isolation is an important consideration for many customers. To select the best IBM Cloudant plan choice for your workload isolation requirements, see the following architectural information:
- Standard and Lite plans on Multi-Tenant Hardware, which offer excellent isolation.
- Standard plan provisioned on a Dedicated Hardware plan instance, which offers improved isolation over Standard on Multi-Tenant Hardware.
Standard and Lite
Standard and Lite plans are provisioned onto large, shared IBM Cloudant database deployments where customers share compute and storage resources. Standard and Lite plans apply provisioned throughput rate-limiting, along with other resource and access isolation mechanisms within the database layer itself. Together, these provide strong security guarantees alongside robust resource separation within the shared environment.
Disk encryption is used to provide encryption at rest by using an IBM-owned and managed encryption key. Customer data resides in different files on disk.
Standard on Dedicated Hardware
A Dedicated Hardware instance offers improved storage and compute isolation for your most valuable data, including the use of bring-your-own-key (BYOK) encryption. After a Dedicated Hardware instance is provisioned, you can provision many Standard plan instances onto this Dedicated Hardware instance to store your data. While these Standard plan instances share the Dedicated Hardware instance's compute and storage with each other, they do not share that compute and storage with other customers.
Disk encryption is used to provide encryption at rest. In the Dedicated Hardware plan, customers can use their own keys by using IBM Cloud® Key Protect's BYOK to further secure their data.
Dedicated Hardware instances provide IP allowlisting and private network utilization to secure network access.
Data and resource isolation between the Standard plan instances on a Dedicated Hardware instance is provided by using the same robust mechanisms that are used within the multi-tenant deployment option.