Healthcare ISV migrates to a multitenant architecture on Azure for increased scalability, lower maintenance costs and improved security

Leading Healthcare ISV integrates electronic patient data from any source (claims, clinical, community-based) and applies sophisticated analytics to identify provider-specific patterns and guide patient care interventions; serves over 5.2 million patients, 25,000+ providers, and more than 4,400 regional and national payers with a typical client implementation of 6-8 weeks. CloudIQ helped them move to a modern hybrid multitenant architecture on Azure for faster client onboarding, lower maintenance costs and improved security.

Customer Challenges

Healthcare ISV’s health management platform comprising care management and analytics, is designed to elevate quality of care and patient experience. While they achieved this by overcoming healthcare industry’s toughest data challenges for their clients, they had their own challenges in terms of infrastructure provisioning for new clients, deployment of customized code as per the client needs and the efficiency of their reporting application.

Onboarding a new client to platform was time intensive with higher infrastructure cost and a lot more to be desired on the user experience. To address these challenges, they wanted an optimized multitenant architecture in Cloud that would gradually replace the existing on-premises data center.

Some of the key considerations for the migration were

• Accelerate the application modernization with the latest SQL Server capabilities in Cloud
• Preserve, secure, and encrypt clients’ sensitive data
• Operations of one client should not impact another client
• Move to a single code base from the current setup of maintaining separate code base for each client as per their customization needs, eliminate the challenge of maintaining several code base and free developers from having to modify code in several places for a simple code change.
• Speed up deployment by moving a distributed model and branching strategy

Ultimately, they wanted to realize the benefits of cloud and provide a better user experience for their clients.

Our Solution

The CloudIQ team worked together with them to build a future-ready & highly scalable multitenant architecture on Microsoft’s Azure platform. The team started with a detailed analysis to understand the existing infrastructure and application architecture, followed by Network Infrastructure Design, Application Architecture in Azure and Data Migration planning. Application dependencies were studied and mapped during the process.

Containerize App and Deploy to AKS

The goal was to containerize four applications and deploy them to AKS cluster. Two applications developed in ASP.NET 4.5 framework were dockerized and deployed in Windows VMSS of AKS. The third .NET application developed in .NET core was dockerized and deployed in Linux VMSS of AKS. The JAVA application, a combination of angular JS and J2EE applications, were deployed in Wildfly containers. The application configuration settings and secrets were moved to Azure Key Vault to secure the application. Terraform was used to create, manage, and update infrastructure resources including low-level components such as compute instances, storage, and networking, as well as high-level components such as DNS entries and SaaS features.

Further the manual deployment process was automated using CI/CD pipeline for continuous deployment using Azure Devops. The branching strategy for each environment was designed using GIT. A separate branch for developers for development and unit testing, a separate one for UAT and a release branch for production. This enables the developers to allow for easier integration of changes and releases. Best practices of DevOps such as Pull request and approval for each UAT and production release were followed.

Multitenant Architecture using SQL Managed Instance

After careful consideration of their large data volumes, slightly different database schema and different release management cycles for each one of their clients, the best suited approach was to use a multitenant architecture with single database per tenant.

While this approach meant the database schema updates had to be done across all databases, the resulting scalability made this viable. With the tenant isolation different schema could be enabled for different tenants and the operations for specific tenant didn’t impact other tenants.

This architecture used the catalog database which is also called the master configuration database. With the catalog database, different versions of application and database can be maintained. In case of multiple versions of application to be maintained, catalog database can be used to identify the version and redirect the requests accordingly.

To isolate the log in module, user authentication and user-tenant mapping information is kept in a separate database. Once logging into the application, the database for each client will be identified through user-tenant and tenant-database mapping. The session will be updated with the tenant information and the connection will be established to the specific database.

For advanced security and compliance, automated backups, and a scalable cloud database service, SQL Managed Instance was proposed. SQL Managed Instance allows to lift and shift on-premises applications to the cloud with minimal application and database changes. SQL Managed Instance has all PaaS capabilities like automatic patching and version updates, and hence the reduced management overhead.

Automate Data Loading with Azure Data Factory

The existing process of manually loading the data were automated using Azure Data Factory pipeline. Azure Data Factory was used for data loading as it supports aggregations, derived columns, fuzzy lookups, and other visually designed data transformations, that allow developers to build ETL in a code free manner. From a data velocity perspective, Azure Data Factory supports event-based and tumbling window triggers in addition to scheduled batch triggers and thereby making it the best solution for data loading. The Different ADT (Admission Discharge Time), Payer Loads that were received from their clients were stored in Blob Storage using SFTP or Intel SOE and processed through Azure Data Factory.

Azure blob storage was preferred since large volume of data had to be stored and accessed from anywhere. Azure blob storage allows unstructured data to be stored and accessed at a massive scale in block blobs. This is suitable in places where application must support streaming.

Customer Benefits

The customer now has a modern hybrid multitenant architecture on Azure AKS that improves security and the user experience. By using Azure Data Factory, the company has reduced manual data loading; automating deployment and maintaining a single codebase for all clients that includes the customization of each client has made the onboarding process faster. The migration to Azure also has freed developers from modifying code in several places to execute simple code changes. In addition, the platform benefits from Azure’s high scalability and security.

• The migration from its on-premises environment to Azure has enabled them to achieve lower maintenance costs by rightsizing its apps, streamlining reservations, and leveraging managed instances.
• Continuous deployment using Azure DevOps has made client customizations easier. By employing a single codebase for both its on-premises and Azure environments, they now have a faster client onboarding process.
• Alerts provide visibility and monitoring of Azure AKS, network infrastructure, storage, database, and more. Continuous support enables proactive identification and faster resolution of any issues.

MS Products / Services used:

Microsoft Azure, AKS, Microsoft ExpressRoute, Azure Site-to-Site VPN, Azure Security Center with Defender, Azure Sentinel, Microsoft SQL Server, Azure Blob Storage, Azure File Share, SQL Managed Instances, Azure Reservations, Azure Data Factory, Replication, Application insights, Log Analytics, NSG, Azure Policies, Integration with Active Directory