Multi-region CIAM
Some applications run multi-region, where a region is an area containing one or more data centers. A critical application might run multi-region in the USA and Europe.
Multi-region architecture helps with resilience: if a region is experiencing a natural disaster affecting the application instances running there, users can be directed to a different region. It also helps with performance, since the user is routed to an application instance running close to them.
This is different from splitting users by region, so that all US customers go to one region and all European customers go to another. True multi-region active-active means that wherever your customers are, they can log in and interact with your application and they won’t know the difference between being served by the USA region or the European region. They might experience a bit more lag, but the data is exactly the same.
There aren’t many CIAM systems that support multi-region deployments, but if the front door of your application is down, it doesn’t matter to a user trying to log in that the rest of the application works during an incident.
Of the components that go into a CIAM system, compute is easy to scale across regions because it is stateless. Data storage, however, is not. Active-active databases are rare, even if you lean on managed services from the hyperscaler clouds. You have DynamoDB, CosmosDB, and Google Spanner, but not all of these fully support relational database semantics. There is also CockroachDB, which has a multi-region database with a PostgreSQL interface.
This post walks through how the folks at Ory build a globally distributed, multi-region identity and access platform using CockroachDB. It discusses several components of such a solution, including:
data homing
data store selection
latency concerns
They spend a lot of time talking about the strengths and limits of CockroachDB. The authors also discuss making their CIAM system multi-region, including rollout steps.
It’s a great article about the tradeoffs and benefits of a multi-region approach.
Dan