Architecture

Cell-Based Architectures for the Rest of Us

Ravinder··8 min read
ArchitectureCell-Based ArchitectureReliabilityMulti-Tenancy
Share:
Cell-Based Architectures for the Rest of Us

The Problem With Global

Most systems start as a single deployment. That is fine. Then they grow. You add multi-tenancy. A noisy tenant chokes the database connection pool and takes everyone down. You add a second region. A bad deploy propagates to both simultaneously. An engineer changes a shared config value at 2 PM on a Tuesday and half your customers see errors.

These are blast-radius problems. And the answer the industry keeps reaching for — cell-based architecture — is both more obvious and more expensive than most teams realise.

This post is not a sales pitch for cellular. It is an honest accounting of where the pattern pays off, where it does not, and what the cheapest version that still works actually looks like.

What a Cell Actually Is

A cell is a self-contained deployment unit. It has its own compute, its own data store, its own queue, its own observability pipeline. No cell depends on another cell at runtime. Traffic is routed to a cell at the edge; once inside, the request never leaves.

Cell A                Cell B                Cell C
┌───────────────┐    ┌───────────────┐    ┌───────────────┐
│  API servers  │    │  API servers  │    │  API servers  │
│  Workers      │    │  Workers      │    │  Workers      │
│  DB (primary) │    │  DB (primary) │    │  DB (primary) │
│  DB (replica) │    │  DB (replica) │    │  DB (replica) │
│  Cache        │    │  Cache        │    │  Cache        │
└───────────────┘    └───────────────┘    └───────────────┘
        ▲                    ▲                    ▲
        └──────────── Cell Router ───────────────┘

                       Edge / DNS

The router does one job: decide which cell owns this request. That decision is usually based on tenant ID, user ID, or account ID — something stable and cheap to hash.

Blast Radius Math

The appeal is straightforward. If you have N cells and a failure is cell-scoped, your blast radius is 1/N of your customers.

Three cells: a bad deploy at most affects 33% of users. Six cells: 17%. Ten cells: 10%.

But this assumes failures are actually cell-scoped. The moment you add a cross-cell dependency — a shared auth service, a global feature flag store, a centralised metrics pipeline — you reintroduce global blast radius through the back door. The router itself is a global dependency. If it goes down, everything does.

Real isolation requires discipline. Every cross-cell integration point is a liability you need to explicitly decide to accept.

The Routing Layer

The router is the hardest part to get right, and it is the one component you cannot afford to get wrong.

flowchart TD A[Incoming request] --> B{Router} B --> C{Tenant lookup} C -->|cache hit| D[Route to cell] C -->|cache miss| E[Lookup service] E --> F[Cell mapping store] F --> G[Cache result] G --> D D --> H[Cell A] D --> I[Cell B] D --> J[Cell C] B -->|no tenant| K[Default cell]

The lookup must be fast — P99 under 5ms, ideally under 1ms. A few patterns that work:

Consistent hashing in the router process. No network hop. The mapping is baked into the router config. Works well when tenant-to-cell assignment is static or changes infrequently.

Local cache with short TTL. The router caches tenant-to-cell mappings with a 30–60 second TTL. Accepts occasional stale routing in exchange for near-zero lookup latency.

Sticky sessions at the load balancer. Crude but effective. Put the cell ID in a cookie or a request header after the first routing decision. The load balancer uses it on subsequent requests.

Whatever you choose, the router must degrade gracefully. If the lookup store is unavailable, the router should fail to a sensible default — not crash.

Monolith-Per-Cell vs Microservices-Per-Cell

Here is where most cellular architecture writeups skip the hard part.

If your services inside a cell are themselves microservices, you have multiplied your operational complexity by N. Every cell needs its own service mesh, its own inter-service tracing, its own retry budget configuration. A team of 8 engineers running 3 cells with 12 microservices each is managing 36 deployable units. That is not a reliability improvement. That is a different class of failure mode.

The underrated alternative: monolith-per-cell.

One deployable per cell. One database schema per cell. One process that handles everything for the tenants assigned to it.

Microservices-per-cell (3 cells × 8 services = 24 deployments)
──────────────────────────────────────────────────────────────
Cell A: auth-svc, user-svc, billing-svc, notification-svc,
        search-svc, export-svc, webhook-svc, api-gw
 
Cell B: auth-svc, user-svc, billing-svc, ...  (identical)
 
Cell C: auth-svc, user-svc, billing-svc, ...  (identical)
 
 
Monolith-per-cell (3 cells × 1 service = 3 deployments)
────────────────────────────────────────────────────────
Cell A: platform-monolith
Cell B: platform-monolith
Cell C: platform-monolith

The monolith-per-cell approach gives you blast radius isolation without the microservices tax. You can still split services out of the monolith later — but you add that complexity only when a specific service needs independent scaling, not as a default.

When to Actually Use Cellular

Cellular architecture earns its cost at a specific scale and risk profile. The conditions:

You have multi-tenant risk. One tenant's behaviour can impact others — through resource consumption, query patterns, or data volume. This is the original forcing function.

A global deploy risk is unacceptable. Your release cadence is high enough that a bad deploy reaching all users simultaneously is a serious business event.

You can afford the routing layer. The router must be more reliable than any cell. That means dedicated teams, rigorous testing, and a separate deploy pipeline.

Your cells can be truly independent. If your schema requires a global sequence or a global lock, you do not have cells — you have segregated frontends sharing a monolithic backend. Fix the backend first.

If none of these conditions apply, you probably want deployment rings (progressive rollouts) rather than a full cellular architecture. Rings get you 70% of the blast radius benefit at 10% of the cost.

AWS's Cellular Approach as a Reference

AWS has written about their shuffle sharding and cell-based patterns publicly. The key insight from their writing: cells are most valuable at the extremes of the reliability envelope, not the middle.

Their smallest cell is sized for a meaningful fraction of a region's traffic. They do not create cells to solve microservice complexity — they create cells to limit the impact of correlated failures in large-scale distributed systems.

A B2B SaaS with 200 enterprise customers doing $500M ARR has legitimate cell-based needs. A startup with 5,000 users does not. The pattern scales down worse than it scales up.

graph LR A[Startup\n<1k tenants] -->|deployment rings| B[Acceptable risk] C[Growth\n1k-10k tenants] -->|rings + tenant tiers| D[Acceptable risk] E[Scale\n10k+ tenants\nor high-value SLAs] -->|cellular| F[Required isolation]

Ops Cost Honest Assessment

Every cell is a copy of your infrastructure. At minimum, that means:

  • N times the compute baseline
  • N times the database licensing or cloud cost
  • N times the patching surface
  • N times the backup and restore testing burden
  • N deploy pipelines (or one pipeline that runs N times)
  • Monitoring that can drill from "cell X is degraded" to the specific cause

The monitoring model matters. You need per-cell dashboards and the ability to aggregate across cells. A tenant reporting an issue tells you their tenant ID, not their cell. Your on-call tooling needs to resolve from tenant to cell instantly.

# Minimal tenant-to-cell lookup — keep this path fast
class CellRouter:
    def __init__(self, mapping: dict[str, str], default: str):
        self._map = mapping       # tenant_id -> cell_id, loaded from config
        self._default = default
 
    def route(self, tenant_id: str) -> str:
        return self._map.get(tenant_id, self._default)
 
    def migrate_tenant(self, tenant_id: str, target_cell: str) -> None:
        # Migration requires data copy + atomic router update
        # Never flip the router before data is consistent
        self._map[tenant_id] = target_cell

Tenant migration between cells is a full data migration — not a config change. Build that tooling before you need it for an urgent case.

A Minimal Starting Point

If you want the blast radius benefit without full cellular complexity, start here:

  1. Add a tenant ID to every request and every log line. This is free and you need it for everything downstream.
  2. Build deployment rings: canary (1%), early adopters (10%), general availability. Gate on error rate and latency at each ring.
  3. For your highest-value tenants, provision dedicated database connection pools. This is cheap isolation for expensive customers.
  4. Add circuit breakers at the database layer. A slow tenant query should not hold connections that block other tenants.

Do this for a year. If you still have multi-tenant interference problems that rings and connection isolation do not solve — then you need cells.

Key Takeaways

  • A cell is a self-contained deployment unit: compute, data, and queue all scoped to the cell with no cross-cell runtime dependencies.
  • Blast radius with N cells is at most 1/N — but only if you have no global dependencies. Cross-cell integrations reintroduce global blast radius.
  • Monolith-per-cell is almost always the right starting point. Microservices-per-cell multiplies your operational surface by N.
  • The routing layer is your highest-reliability component. If it fails, everything fails.
  • Cellular architecture earns its cost at scale or with extreme SLA requirements. Below that threshold, deployment rings give 70% of the benefit at 10% of the cost.
  • Tenant migration between cells is a data migration. Build that tooling proactively.
Share: