Databases
Schema-based sharding and multi-tenancy alternatives
Crux Citus 12 schema-based sharding, database-per-tenant, application-level routing, and RLS are four valid multi-tenancy architectures — each with a specific tenant count and isolation-requirement range.
Your altitude — climbing toward senior
ZeroJuniorMiddleSenior
You are at senior altitude — in orbitA B2B SaaS with 200 enterprise customers needs contractual data isolation — each customer’s data must never be co-mingled in the same table. Row-based Citus sharding puts multiple tenants in the same physical shard. The product team asks: is there a stronger isolation model that Postgres can provide?
Four multi-tenancy architectures
| Architecture | Isolation unit | Tenant count | Operational cost |
|---|---|---|---|
| RLS on single Postgres | Row-level (policy enforcement) | Unlimited until single-PG saturates | Low; policy bugs silently expose data |
| Citus row-based sharding | Shard (multiple tenants per shard) | Thousands to tens of thousands | Medium; Citus handles routing |
| Citus schema-based (12+) | Schema (one per tenant) | Low thousands (ceiling) | Medium; schema is the deployment unit |
| Database-per-tenant | Full Postgres database | Dozens to ~500 | High; N backups, N upgrades, N pools |
Citus 12 schema-based sharding
Introduced in July 2023, Citus 12 added schema-based sharding: each tenant gets a dedicated Postgres schema, and Citus distributes schemas across workers.
-- Tenant onboarding: create a schema, Citus assigns it to a worker
CREATE SCHEMA acme;
CREATE TABLE acme.orders (id BIGINT, ...);
CREATE TABLE acme.users (id BIGINT, ...);
-- Application: scope connection to tenant's schema
SET search_path TO acme, public;
-- All subsequent table references resolve within acme's schema
-- Citus routes to acme's worker transparentlyBenefits over row-based sharding:
- No shared distribution key column required: any query within the schema runs on its worker — joins between any tables in the same schema are always local.
- Schema is the deployment unit:
CREATE SCHEMAfor onboarding,DROP SCHEMA CASCADEfor offboarding, move schema between workers for rebalancing. - Clean tenant isolation: table names are different per schema — one tenant cannot accidentally read another’s data.
- Per-tenant migrations:
ALTER TABLE acme.orders ADD COLUMN ...only touches that schema.
Limits:
- Tenant count ceiling: Citus recommends fewer than a few thousand schemas. Schema metadata is loaded into the planner on every query; thousands of schemas slow planning.
- Cross-tenant queries are still cross-shard: analytics across multiple tenants still require fan-out.
- Reference tables do not apply within schemas: lookup tables need to be in each schema or accessed from a shared schema.
Sweet spot: B2B SaaS with 50–2000 enterprise tenants where contractual or regulatory data isolation is required.
Application-level routing
Skip Citus entirely: your application code maintains a shard map (a table or service mapping tenant_id → connection_string) and routes queries explicitly.
// Example: routing layer reads tenant from request context
const shard = await shardMap.get(req.tenantId);
const db = connectionPool(shard.connectionString);
return db.query('SELECT * FROM orders WHERE ...', [req.tenantId]);Pros: explicit, no extra database product, maximum control, per-tenant routing logic (region, plan tier). Cons: every cross-shard concern becomes app code — joins, transactions, fan-out, rebalancing, failover. The routing layer is critical-tier-1 infrastructure that you now own.
Common when shard count is small (10–100) and queries are highly tenant-scoped. At 5000 tenants with complex queries, Citus is usually less engineering effort over a multi-year horizon.
Database-per-tenant
Each tenant gets a dedicated Postgres database (or instance). Maximum isolation: tenants literally cannot share any infrastructure at the database level.
Operational model:
- PgBouncer pool per
(tenant, database) - Backups per tenant database
- Postgres minor and major upgrades per tenant database
- Schema migrations deployed per tenant (or batched)
Practical ceiling: ~100–500 tenants before operational overhead dominates. Below that, database-per-tenant is often simpler than Citus for regulated industries (financial, healthcare) where contractual isolation is hard requirement.
Why this works
Why does Citus recommend fewer than a few thousand schemas for schema-based sharding? The planner loads schema metadata (pg_namespace, pg_class entries) into working memory at planning time. With 10 schemas this is negligible. With 10,000 schemas, every query plan includes processing thousands of namespace entries, adding 10–50ms to planning time — dominating OLTP query execution. This is why schema-based sharding has a ceiling and row-based sharding (which does not load per-tenant metadata into the planner) scales to tens of thousands of tenants.
Quiz
Completed
A B2B SaaS has 200 tenants, contractual data isolation per customer is required, and the engineering team has no Citus expertise. Which architecture fits best?
Heads-up Row-based sharding puts multiple tenants in the same shard, which does not meet contractual per-tenant isolation. And it requires Citus operational expertise the team does not have.
Heads-up RLS provides logical isolation through policy enforcement, not physical isolation. A policy bug silently exposes data across tenants, which typically fails contractual isolation requirements. And with 200 enterprise tenants, single-Postgres may be insufficient for capacity.
Heads-up Schema-based is excellent for isolation at this scale, but it requires Citus expertise. Database-per-tenant at 200 tenants is operationally feasible and simpler if the team lacks Citus experience.
Quiz
Completed
What is the main tenant-count ceiling of Citus schema-based sharding and why?
Heads-up Citus does not have a hard-coded schema count limit. The practical limit comes from planner performance degradation, not a configuration maximum.
Heads-up Row-based sharding does not load per-tenant metadata at planning time; schema-based does. They have very different scaling characteristics at high tenant counts.
Heads-up Database-per-tenant's ceiling is operational (~100–500 tenants). Schema-based sharding's ceiling is higher (low thousands) because tenants share workers and connection pools.
- 01What did Citus 12 (July 2023) add and what problem does it solve that row-based sharding does not?
- 02For a 5000-tenant B2B SaaS where the top 5% generate 80% of traffic and all queries carry tenant_id, which multi-tenancy architecture is most likely the right choice and why?
- 03When is application-level routing (custom shard map) the right choice over Citus?
Recap
Four multi-tenancy architectures exist on Postgres, each fitting a different tenant count and isolation requirement: RLS on single Postgres (unlimited tenants, logical isolation until capacity hits), Citus row-based sharding (thousands to tens of thousands, shard-level isolation), Citus schema-based sharding (low thousands, per-schema structural isolation, introduced Citus 12/July 2023), and database-per-tenant (dozens to ~500, maximum isolation, highest operational cost). Schema-based sharding eliminates the need for a shared distribution key and provides clean per-tenant table namespacing, but its planner overhead ceiling is a few thousand schemas. Application-level routing with a custom shard map is a viable alternative for small shard counts with simple routing needs. The choice must match tenant count, isolation requirement, and operational maturity.
Connected lessons
appears again in140
- Why GraphQL gets N+1junior
- DataLoader mechanics: tick-boundary batchingmiddle
- Batch function contracts: ordering, shapes, errorsmiddle
- Federation and lookahead: batching beyond DataLoadermiddle
- Query complexity defences: depth, cost, persisted queriesmiddle
- Senior GraphQL API: scheduling contract, tenant isolation, observabilitysenior
- Why idempotency: making retries safejunior
- Server-side state machine: four states of an idempotency keymiddle
- Outbox and inbox: effectively-once across the dual-write boundarymiddle
- Concurrency and cache architecture for idempotency at scalesenior
- Observability, production failures, and global-scale designsenior
- The event loop: one thread, three queuesjunior
- Tasks, microtasks, and scheduler.yield()middle
- Microtask starvation, Long Tasks, and LoAFsenior
- Node.js event loop: phases, nextTick, and loop lagsenior
- React, Vue, and INP observability in productionsenior
- The render pipeline: six stages from bytes to pixelsjunior
- Stage costs and the renderer process modelmiddle
- Invalidation, dirty bits, and containmiddle
- Compositor layers: promotion, overlap, and GPU memorymiddle
- DevTools flame strip and the frame lifecyclemiddle
- Layout thrash: forced synchronous layoutsenior
- BeginMainFrame, compositor-driven animations, and GPU memorysenior
- Production observability: LoAF, INP, and the full attack surfacesenior
- What V8 is and why performance varies 100×junior
- V8''''s four-tier JIT pipeline and profile-guided tieringmiddle
- Hidden classes, transition trees, and memory layoutmiddle
- Inline caches, IC states, and deoptimizationmiddle
- Orinoco GC: parallel scavenger, concurrent marking, and write barriersmiddle
- TurboFan''''s speculative engine and the deopt-loop trapsenior
- V8 in production: isolates, pointer compression, and real failuressenior
- Service worker lifecycle and cache strategiesmiddle
- Service worker edge cases: version skew, durability, and navigation trapssenior
- What the reconciler does: render vs commitjunior
- The fiber object and the double-buffer treemiddle
- Render phase purity and commit phase sub-stepsmiddle
- Reconciliation: diffing heuristics and the key trapmiddle
- Priority lanes, time-slicing, and useTransitionmiddle
- Bailout, memoisation, and tearingsenior
- React Profiler, the Compiler, and production observabilitysenior
- Rendering strategies: SSG, SSR, ISR, streaming, and hydrationjunior
- SSG, SSR, ISR, streaming, and RSC — how each worksmiddle
- Hydration cost: selective, progressive, islands, resumabilitymiddle
- Hydration mismatch: causes, detection, and the determinism rulesenior
- RSC, per-route strategy, and production observabilitysenior
- Core Web Vitals: what LCP, INP, and CLS measurejunior
- CLS: why layout shifts happen and how to stop themmiddle
- Metric tradeoffs, RUM attribution, and the CI+field loopsenior
- The full picture: URL to LCP to INP as a relay racejunior
- Eight layers traced: from the service worker to the second navigationmiddle
- Five canonical breaks: where production reliably diessenior
- The three-track method: reading traces and building a monitored systemsenior
- What is a cache stampede and why it makes things worsejunior
- Lock and single-flight: bounding concurrent rebuildsmiddle
- XFetch: coordination-free probabilistic early expirationmiddle
- Stale-while-revalidate and CDN request coalescingmiddle
- Detecting stampedes and designing TTL for productionmiddle
- Metastable failure, fencing tokens, and production postmortemssenior
- Raft roles, terms, and why majority quorums prevent split brainjunior
- How Raft replicates a log entry and decides it is safe to commitmiddle
- Raft leader election: timeouts, voting rules, and the four safety propertiesmiddle
- Raft in the real world: partitions, slow disks, and client routingmiddle
- Raft extensions: pre-vote, learners, snapshots, and linearizable readssenior
- Raft in production: membership changes, Multi-Raft, and observabilitysenior
- Where data fetching happens — and why it decides LCPjunior
- Fetch waterfalls — diagnosis and the Promise.all curemiddle
- React Server Components and Suspense streamingmiddle
- Client-side cache: TanStack Query, SWR, and stale-while-revalidatemiddle
- LCP, prefetch, and race conditions in interactive fetchingmiddle
- Senior internals: RSC payload, caching layers, and production failure modessenior
- The three-way handshakejunior
- Sequence numbers and connection statemiddle
- DNS: what it does and why it existsjunior
- The resolver walk: referrals, record types, and gluemiddle
- TTL, caching, and DNS propagationmiddle
- The 1-RTT handshake: key shares and ECDHEmiddle
- Session resumption and 0-RTTmiddle
- WebSocket: the HTTP upgrade handshakejunior
- WebSocket frame format: opcodes, masking, fragmentationmiddle
- WebSocket backpressure: when clients can''''t keep upmiddle
- Reconnection: jittered backoff, thundering herd, message resumptionsenior
- WebSocket at scale: HTTP/2 multiplexing, permessage-deflate, C10Msenior
- WebSocket in production: proxies, security, and distributed architecturesenior
- What reverse proxies dojunior
- Health checks, connection draining, and slow startmiddle
- Session affinity, consistent hashing, and the right fixmiddle
- Retry storms, circuit breakers, and load sheddingsenior
- Resilient LB architecture: anycast, zone-aware routing, and observabilitysenior
- Why QUIC and not TCP+TLSjunior
- Connection IDs and network migrationmiddle
- 0-RTT resumption and packet encryptionsenior
- DDoS: what it is and why it worksjunior
- Amplification attacks and state exhaustionmiddle
- Rate limiting: algorithms and architecturemiddle
- WAFs, firewalls, mTLS, and HSTSmiddle
- DNS cache poisoning and BGP hijackingsenior
- Defense-in-depth architecture and attack economicssenior
- DNS, TCP, TLS in sequence: where the milliseconds gomiddle
- Proxy intercepts and security gates: rate limiters, WAF, mTLSmiddle
- Alternate paths: QUIC 0-RTT, WebSocket upgrade, connection migrationmiddle
- Observability: distributed traces, USE/RED, and samplingsenior
- Resilience: cascading retries, circuit breakers, and error budgetssenior
- What the three signals are: logs, metrics, and tracesjunior
- Why structured logs exist: the diary vs the spreadsheetjunior
- The production log schema: fields every line must carrymiddle
- PII redaction and log injectionsenior
- OTel Logs Data Model and audit logs as a subsystemsenior
- SLI, SLO, and the error budget: reliability by the numbersjunior
- Error budget policy, latency SLOs, and composite journeysmiddle
- Production SLO failures, self-observability, security, and the big picturesenior
- The incident loop: from pager to postmortem to preventionmiddle
- Cache lines, struct layout, and false sharingmiddle
- SIMD, SoA vs AoS, and memory bandwidthmiddle
- Cache-oblivious algorithms, PGO, and production failuressenior
- GC in production: observability, security, edge cases, and fleet governancesenior
- Batching: amortize fixed cost per operationjunior
- The batching window: size and wait timemiddle
- Batching in Kafka and Postgresmiddle
- io_uring and observability of batchingmiddle
- From Nagle to io_uring: evolution of batchingmiddle
- Backpressure, failure isolation, and batch security in productionsenior
- CI enforcement and RUM: making budgets stickmiddle
- V8 JIT pipeline, HTTP priorities, and bundle securitysenior
- The performance loop: discipline, not a projectjunior
- Classify and fix: matching bottleneck families to remediesmiddle
- Observability stack and CI gates: catching regressions before they shipmiddle
- Incident to enforcement: SLO burn to verified fix in 35 minutesmiddle
- Culture, economics, and org-scale performancesenior
- At-most-once, at-least-once, exactly-once: the three delivery contractsjunior
- The three failure legs — where duplicates and losses actually happenmiddle
- Consumer-side dedup: the cheapest path to exactly-once processingmiddle
- Kafka exactly-once semantics: idempotent producer and transactionsmiddle
- SQS visibility timeout, DLQ, and the outbox patternmiddle
- Exactly-once in production: impossibility proof, hybrid patterns, and real incidentssenior
- What OAuth is and why passwords are not the answerjunior
- Authorization code flow with PKCEmiddle
- ID token validation and JWKS cache managementmiddle
- Refresh token rotation and scope-based least privilegemiddle
- Sender-constrained tokens: DPoP and mTLSsenior
- OAuth in production: audience attacks, observability, and real failuressenior