Cloud and Obnoxious - Cloud Terminology

Cloud terminology has become very confusing, partly because the lines are getting blurred between on-prem and cloud. Hopefully, this will help to explain some of the terms and the history behind them.

First let’s explain the various degrees of “cloudiness.”

This means a company takes the full responsibility for all computing locally: hardware, patching, software installation/updates, networking, backups, physical security, environmental, power, etc.

Some computing resources are housed by a third party that provides physical security, environmental, power, and maybe backups. The hardware, patching, software installation/updates, etc. are still the responsibility of the company.

With Infrastructure as a Service, the provider takes on more responsibility - most notably, the hardware. The company is still expected to do their own patching, software installation/updates. (Although Azure is now providing OS patching for free and sometimes without rebooting.) This is usually the most expensive cloud option.

Platform as a Service and Functions as a Service (also called serverless), takes the operating system responsibiltiy away from the company. The company writes an application or service and the cloud provider manages everything below it. Examples of PaaS: SalesForce Apex, Azure WebApps and PowerApps, and AWS Amplify.

With Software as a Service, the provider is responsible for everything except running the software. The company configures and runs the software. The provider performs updates, maintains hardware, power, etc.

So those are the responsibility models. Here are the types of clouds:

Private Cloud
If you run web applications (which Epicor is) on dedicated hardware for just your company on your own network then congratulations - you are a private cloud provider! Someone else can run your web applications on dedicated hardware on a privately connected network, that too is a private cloud. The distinction is that it is for a single dedicated entity and not shared with any other entities.

Public Cloud
In the public cloud, the company shares compute, disc storage, etc. with other companies. Your VMs, applications, etc. are run on the same physical hardware and/or VMs with other companies. This is what makes scalability possible and reduces the costs to the company.

Hybrid Cloud
Most companies are in the hybrid cloud. Some applications run in the cloud (email, payroll, collaboration tools like Teams/Slack) while other applications run on premises.

Edge Computing
With edge computing, the hardware is located on the company’s premises but is managed by the cloud provider. Like I said, it gets blurry real quickly. Azure Stack is an example of this but many IoT solutions are as well. This works well for compute that is often disconnected from the cloud.

This refers to companies uses more than one external cloud provider for redundancy or specialized workloads.

Government Cloud
Government clouds are restricted to various local, state/provincial, federal agencies and their partners. They are environments designed to satisfy compliance requirements, like data sovereignty, right out-of-the-box. You must be a government agency or “invited” by one in order to use a government cloud. This provides an extra layer of segregation from the rest of the public cloud users. There are even levels of Government cloud like Top Secret where there is even more segreation.

OK, once in a cloud, here are the types of tenancy.

Single Tenant
If my family rents an entire house, we are the single tenant that uses the entire house. In the case of Epicor, being single tenant means only my company uses the VMs. Epicor’s single tenant users have been hosted at providers like RackSpace or CyrusOne. In the Epicor model, the customer is responsible for upgrading the software they purchased and they are the only customer in the SQL Server instance.

Like an apartment building, multiple tenants occupy the same application. Epicor’s first example of this was called Epicor Express. It was created for smaller companies with little or no IT staff. To simplify management, Epicor put multiple companies into the same DATABASE, not instance. Eventually, this morphed into the Multi-tenant product. The problem with MT was having multiple companies in a single database created a bit of a coding mess. This is why MT users cannot use Custom Code. DbContext does not respect company or plant security! Epicor has not sold the MT product for many years now.

Dedicated Tenant
To address the weakness of MT, Epicor created the concept of Dedicated Tenancy. We are still sharing a VM and a SQL Server instance but each company gets its own dedicated database. So now, all the issues that plagued MT have gone away. Unfortunately, as long as Epicor maintains MT users, it has to carry the stigma of the issues that come with it. IMHO, MT has damaged Epicor’s ability to sell the cloud to many companies and continues to be an anchor dragging them down.

Epicor moved both the Mutli-tenant and Dedicated tenant users away from providers like CyrusOne and RackSpace to Azure’s public cloud. This is why the Dedicated Tenancy product is now called Epicor Public Cloud.

Hope that all makes sense. Please post improvements and corrections to my understanding.


Merry Christmas indeed!

Thank you for parsing out Responsibility vs Cloud vs Tenancy – it makes much more sense now.

So, ignoring the legacy MT product and special one-offs, is it correct to say that the current “Kinetic in the Cloud” product is:

  • Responsibility = SaaS
  • Cloud = choice between Public Cloud or Gov Cloud (both using Azure)
  • Tenancy = Dedicated Tenant
  • “client connectivity” = Internet

And then, what we are seeing many of the Epicor Partners and other companies do is offer Epicor customers “hosting solutions” that typically look like this?:

  • Responsibility = mix of IaaS and SaaS
  • Cloud = Public Cloud (mostly Azure, with some RackSpace/CyrusOne)
  • Tenancy = Single Tenant
  • client connectivity = mostly stays on same network using vpns, etc., but sometimes goes over the Internet

Bonus points for listing any and all technical limitations compared to On Prem (e.g. if custom code is restricted in certain areas, etc.).


  • Have to purchase software and pay annual maintenance
  • Must plan for growth when upgrading hardware
  • Must upgrade Windows/SQL Versions
  • Easy to customize in a way that leads to more difficult upgrades and falling out of support
  • Harder to implement Zero Trust Segmentation
  • Single Point of Failure unless paying for hot site backup

Private Cloud in Azure

  • Same as On-prem except possibly Zero Trust segmentation
  • Cloud providers can and do go down

Epicor SaaS

  • No access to Windows Event Logs
  • Need a ticket to restart AppServer or System Agents, upload Electronic Interface files, or Rebuild Data Model for new UD Fields
  • No Direct Access to Database (some access to optional replicated database)
  • No access to some Ice tables via BAQ (MT holdover?)
  • Must download SSRS RDL files and use Report Builder (although I do this on-prem…)
  • No access to SSRS Report Tables_{guid} (Can change output to XML for testing though…)

I’m not sure if 3rd party companies can do SaaS… In Epicor SaaS, you don’t buy the software, there is no maintenance to pay, they do the upgrades for no extra $$. A 3rd party can do all the services but I think (could be wrong) but you still have to buy the seats and pay the maintenance. They could manage your Azure installation too I imagine. But right now, it’s all IaaS. It should be possible for 3rd party to do Dedicated tenancy though.

Separately, one of the key characteristics of Cloud computing is being able to scale up/down, in/out and having the flexibility to “pay as you go” and Epicor isn’t there yet. They still sell everything by the seat, which is the old on-prem model. Imagine being able to have all modules and only pay for what you use? You know, like many Azure services… :thinking: You’d be able to try any module and stop paying for it if you don’t like it - immediately. It could lead to improvement in the core functionality over changes in technology like the tech stack or the UI. :man_shrugging:

Right. Not true SaaS, but they will offer a range of “sysadmin services” to make it closer to the SaaS experience for the customer.

1 Like

We also factored in our justification for the cloud:
Keeping a test server and client available.
The cost of maintaining backups for on premise equipment.
Virus Software Licensing, UPS cost and rack space.
IT hours for maintenance, patching and monitoring.
So far our down time for being in the cloud is less than when we hosted on premise.

1 Like

Here are also some of my notes from someone on some Epicor terms.

ST - pretty much you hire us to do anything for a data center. I don’t know the specifics but I think if the customer wanted, the EMS might cook breakfast for you as well. You get full control of everything

MT - Shared everything. The E10 app is used to isolate tenants from each other. That’s why you see limits placed on things like no C# in server widgets and limits around UD fields - least common denominator customization for a discounted price. For plenty of customers, this is all they need.

DT - New kid on the block and fastest growing. Isolated DBs on a shared DB Server. IIS Apps are also isolated to each Tenant with separate App Pools per tenant. Multiple Tenant are on the same app server but in separate Application in IIS. Each tenant has a separate Windows Identity stamped on the App Pool and granted access to SQL via that identity (Windows Auth access to their DB and their slice of the file system). So the Windows OS is used to provide isolation between tenancies. SaaS Ops can balance the hardware and moves tenancies around as needed to ensure performance. More customization abilities since the OS is keeping the different tenancies isolated at a process level.


Quick word about connectivity. While you can set up Private Links to cloud providers, sometimes we feel “safer” because we use a VPN and are protecting from outside actors. However, in a Zero Trust model, we should never assume our own network is safe. The best explanation I’ve heard is you’re sitting at dinner with your family and some man walks into the kitchen, grabs a beer from the refrigerator, and heads to the living room. The wife asks, “Do we know him?” and the legacy network admin husband replies, “Well, he’s in the house - so he must be safe.”

I have seen companies set up a VPN to Azure and when they were hit with malware, the Epicor servers were hit too. Use the cloud as a way to protect your business system from your LAN. I am not aware of a single Epicor SaaS customer whose Epicor system was hit by malware.

1 Like

If you have any additions or edits let me know. Here is the LinkedIn version for “professionals” who want to read this awesome article. :smiley:

I made you a beautiful banner, its worth it.