Cloud Storage and Networking¶
Almost everything you build in the cloud sits on two foundations: where your data lives (storage) and how things connect (networking). Get these two right and the rest of the platform makes sense. This page is concept-first but names the real services on AWS, Azure, and GCP as it goes.
Applies to
Storage and networking concepts shared across public clouds. Examples reference AWS, Azure, and GCP. The networking section builds on the Networking track; the service mappings extend AWS, Azure & GCP: The Big Three.
Part 1 — Storage¶
The first question for any data is what shape is it? That determines which of the three storage types you reach for.
Object vs block vs file¶
| Type | What it is | Accessed by | Good for | Not good for |
|---|---|---|---|---|
| Object | Whole files ("objects") plus metadata, in a flat namespace called a bucket, reached over HTTP(S) APIs | API / URL (no filesystem) | Backups, images, video, logs, static websites, data lakes | Anything needing in-place edits or a mounted filesystem |
| Block | Raw disk volumes split into fixed blocks; you put a filesystem on top | Attached to one VM as a disk | Boot disks, databases, anything that wants a real disk | Sharing one volume across many machines |
| File | A managed shared filesystem you mount over NFS or SMB | Mounted by many VMs at once | Shared application data, lift-and-shift apps expecting a file share | Massive web-scale object workloads |
The provider names for each:
| Type | AWS | Azure | GCP |
|---|---|---|---|
| Object | S3 | Blob Storage | Cloud Storage |
| Block | EBS (Elastic Block Store) | Managed Disks | Persistent Disk |
| File | EFS / FSx | Azure Files | Filestore |
Object storage is not a disk
A common beginner confusion: you cannot "mount" S3 like a hard drive and edit a file in place. Objects are written and read whole through an API. Block storage (EBS/Managed Disk/Persistent Disk) is the thing that behaves like a disk attached to one machine.
Durability and availability¶
These two words sound alike but mean different things, and clouds advertise both:
- Durability = the chance your data is not lost. Object stores replicate copies across multiple devices/zones and quote extremely high durability (commonly described as "eleven nines", 99.999999999%, for services like S3 and GCS). Losing an object is exceedingly rare.
- Availability = the chance you can reach the data right now. This is lower than durability (e.g. ~99.9%–99.99% depending on tier) because access can be interrupted even when the data is perfectly safe.
Durability is not backup
High durability means the provider is very unlikely to lose your bytes. It does not protect you from your own mistakes — an accidental delete or a bad overwrite is faithfully replicated. Keep versioning and separate backups for that. See snapshots below.
Storage tiers: hot, cool, archive¶
Object storage lets you trade access speed and retrieval cost against storage price. Cooler tiers are cheaper to store but slower and pricier to read.
| Tier | Meaning | AWS (S3) | Azure (Blob) | GCP (Cloud Storage) |
|---|---|---|---|---|
| Hot | Frequent access, lowest latency | Standard | Hot | Standard |
| Cool / infrequent | Accessed occasionally, cheaper storage | Standard-IA / One Zone-IA | Cool / Cold | Nearline / Coldline |
| Archive | Rarely accessed, lowest cost, retrieval takes minutes to hours | Glacier / Glacier Deep Archive | Archive | Archive |
Lifecycle policies move data automatically
You rarely move objects by hand. A lifecycle rule says, for example: keep logs in the hot tier for 30 days, move them to cool for 90 days, then to archive, and delete after a year. All three providers support these rules on buckets.
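A worked version of that rule, added here as an example rather than taken from the page or any provider's documentation: it emits an S3-style lifecycle configuration for the 30 / 90 / archive / one-year schedule and answers which tier an object of a given age is in. The `logs/` prefix and rule ID are constructed.

```python
"""Lifecycle rule for the log-retention example above (30 days hot, 90 days cool,
then archive, deleted after a year). Added example, not from the page;
the bucket prefix and rule ID are constructed."""
import json

HOT_DAYS = 30            # days in Standard (hot)
COOL_DAYS = 90           # then days in Standard-IA (cool)
EXPIRE_DAYS = 365        # then Glacier (archive) until deletion
MIN_DAYS_BEFORE_IA = 30  # S3 requires 30 days in Standard before a Standard-IA transition

def build_lifecycle_rule(prefix="logs/"):
    """Rule dict in the shape of S3's put-bucket-lifecycle-configuration input."""
    ia_day = HOT_DAYS
    archive_day = HOT_DAYS + COOL_DAYS   # 120: "cool for 90 days" counts from day 30
    if ia_day < MIN_DAYS_BEFORE_IA:
        raise ValueError("Standard-IA transition must be at least 30 days")
    if not ia_day < archive_day < EXPIRE_DAYS:
        raise ValueError("transitions must increase and end before expiration")
    return {"Rules": [{
        "ID": "tier-and-expire-logs",
        "Filter": {"Prefix": prefix},
        "Status": "Enabled",
        "Transitions": [
            {"Days": ia_day, "StorageClass": "STANDARD_IA"},
            {"Days": archive_day, "StorageClass": "GLACIER"},
        ],
        "Expiration": {"Days": EXPIRE_DAYS},
    }]}

def tier_for_age(age_days, rule=None):
    """Storage class an object of this age sits in under the rule, or 'deleted'."""
    r = (rule or build_lifecycle_rule())["Rules"][0]
    if age_days >= r["Expiration"]["Days"]:
        return "deleted"
    tier = "STANDARD"
    for t in r["Transitions"]:     # ascending Days, so the last match wins
        if age_days >= t["Days"]:
            tier = t["StorageClass"]
    return tier

if __name__ == "__main__":
    print(json.dumps(build_lifecycle_rule(), indent=2))
    for age in (1, 45, 200, 400):
        print(f"day {age}: {tier_for_age(age)}")
```

The second transition lands on day 120, not day 90: each stage's duration is counted from the end of the previous one, which is an easy thing to get wrong when translating a retention policy into a rule.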
Snapshots and backups¶
A snapshot is a point-in-time copy of a block volume, stored cheaply (typically in object storage) and usually incremental — only changed blocks are saved after the first one.
| Purpose | Mechanism |
|---|---|
| Recover a VM disk to an earlier state | Volume snapshot (EBS Snapshots, Azure Disk Snapshots, Persistent Disk Snapshots) |
| Protect against accidental object deletion/overwrite | Versioning on the bucket; keep older versions |
| Coordinated, scheduled, retained backups | Managed backup services (AWS Backup, Azure Backup, GCP Backup and DR) |
Snapshots in the same account are not a full DR plan
Snapshots protect against disk failure and mistakes, but if they live only in the same region/account, a regional outage or account compromise can take them with everything else. Real disaster recovery copies backups to a separate region (and often a separate account/project).
Part 2 — Networking¶
Cloud networking is the same IP networking you already know, expressed as software you define with API calls instead of cables and switches. If subnets and CIDR are fuzzy, review IP Addressing and Subnetting first.
The virtual private cloud (VPC / VNet)¶
A VPC (Virtual Private Cloud) — called a VNet on Azure — is your own isolated, private network inside the provider's cloud. You give it an IP address range in CIDR notation (typically an RFC 1918 private range like 10.0.0.0/16) and then carve it into subnets.
| Concept | AWS | Azure | GCP |
|---|---|---|---|
| The private network | VPC | VNet | VPC |
| A subdivision of it | Subnet | Subnet | Subnet |
GCP VPCs are global; AWS/Azure are regional
A subtle but real difference: an AWS VPC and an Azure VNet live in a single region, while a GCP VPC is a global resource whose subnets are regional. The concept of a private, isolated, CIDR-addressed network is identical.
Subnets: public vs private¶
You slice the VPC's address range into subnets, each living in one availability zone. The crucial distinction is whether a subnet can reach the internet directly:
| Subnet type | Definition | Typical contents |
|---|---|---|
| Public | Has a route to an internet gateway; resources can have public IPs | Load balancers, bastion/jump hosts, public web servers |
| Private | No direct route to the internet; reaches out only via a NAT gateway | Databases, application servers, internal services |
This public/private split is a security cornerstone: keep databases and app servers in private subnets so they are never directly reachable from the internet, and expose only a load balancer in the public subnet.
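To make the public/private distinction concrete, here is an added example (not code from the page) that carves a 10.0.0.0/16 VPC into per-zone public and private /24 subnets, classifies a subnet as public from its route table, and flags database or application servers that ended up in a public subnet. Zone names, route tables, gateway IDs and resource names are all constructed.

```python
"""Carve a VPC CIDR into per-AZ public/private subnets and classify subnets
by their route table. Added example, not from the page; all values constructed."""
import ipaddress

VPC_CIDR = "10.0.0.0/16"
AZS = ["az-a", "az-b"]          # constructed zone names

def plan_subnets(vpc_cidr=VPC_CIDR, azs=AZS, prefix=24):
    """One public and one private /24 per AZ, allocated in order from the VPC range."""
    chunks = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=prefix)
    plan = {}
    for az in azs:
        for kind in ("public", "private"):
            plan[f"{kind}-{az}"] = str(next(chunks))
    return plan

def is_public(routes):
    """Public = a default route (0.0.0.0/0) whose target is an internet gateway.
    A default route via a NAT gateway gives outbound-only access: still private."""
    return any(dst == "0.0.0.0/0" and target.startswith("igw-") for dst, target in routes)

def misplaced(resources, route_tables):
    """Names of databases/app servers sitting in a public subnet (should be none)."""
    bad = []
    for name, subnet, role in resources:
        if role in ("database", "app") and is_public(route_tables[subnet]):
            bad.append(name)
    return bad

# Constructed route tables, one per subnet: (destination, target) pairs.
ROUTE_TABLES = {
    "public-az-a":  [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-EXAMPLE")],
    "private-az-a": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-EXAMPLE")],
}
RESOURCES = [  # (name, subnet, role), constructed
    ("alb-1", "public-az-a", "load-balancer"),
    ("app-1", "private-az-a", "app"),
    ("db-1", "public-az-a", "database"),       # the mistake this check catches
]

if __name__ == "__main__":
    print(plan_subnets())
    print("misplaced:", misplaced(RESOURCES, ROUTE_TABLES))   # ['db-1']
```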
Security groups vs network ACLs (stateful vs stateless)¶
Two layers of filtering control traffic, and the difference between them trips up beginners:
| Control | Attaches to | State | Rules | Provider names |
|---|---|---|---|---|
| Security group | An instance / network interface | Stateful — return traffic for an allowed connection is automatically permitted | Allow rules only | AWS Security Groups; Azure Network Security Groups (NSGs); GCP VPC firewall rules |
| Network ACL | A whole subnet | Stateless — you must allow both inbound and outbound for each flow | Allow and deny rules, evaluated in order | AWS Network ACLs; (Azure NSGs cover both layers; GCP uses firewall rules + hierarchical policies) |
Stateful vs stateless in one sentence
A stateful security group remembers that you allowed an outbound (or inbound) connection and lets the reply back automatically; a stateless network ACL has no memory, so you must explicitly permit the return traffic too. Stateful filtering is what you reach for most of the time.
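The following added example (not code from the page, and not any provider's implementation) simulates the two models for a single HTTPS connection: the stateful group tracks the connection and passes the reply on its own, while the stateless ACL drops the reply unless a separate rule allows outbound traffic to the client's ephemeral port. It also shows numbered rules being evaluated in order. Addresses, ports and rule numbers are constructed.

```python
"""Stateful (security group) vs stateless (network ACL) filtering, simulated.
Added example, not from the page. Flows, rules and addresses are constructed."""

EPHEMERAL = range(1024, 65536)   # ports a client picks for its side of a TCP connection

class SecurityGroup:
    """Stateful: allow rules only; replies to tracked connections pass automatically."""
    def __init__(self, inbound_ports):
        self.inbound_ports = set(inbound_ports)
        self.tracked = set()          # (client_ip, client_port, server_port)

    def inbound(self, src_ip, src_port, dst_port):
        if dst_port in self.inbound_ports:
            self.tracked.add((src_ip, src_port, dst_port))
            return True
        return False

    def outbound(self, dst_ip, dst_port, src_port):
        # A reply matches a tracked connection; no outbound rule needs to be written.
        return (dst_ip, dst_port, src_port) in self.tracked

class NetworkACL:
    """Stateless: numbered allow/deny rules, lowest number first, first match wins,
    implicit deny at the end. Each rule is (number, direction, action, port_range)."""
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r[0])

    def evaluate(self, direction, port):
        for _num, d, action, ports in self.rules:
            if d == direction and port in ports:
                return action == "allow"
        return False   # the final "*" deny

def https_roundtrip(sg, nacl, client_ip="203.0.113.7", client_port=51515):
    """(request got in, reply got out) for one HTTPS connection through both layers."""
    req = nacl.evaluate("in", 443) and sg.inbound(client_ip, client_port, 443)
    reply = nacl.evaluate("out", client_port) and sg.outbound(client_ip, client_port, 443)
    return req, reply

# Forgot the return path: inbound 443 allowed, but no outbound rule at all.
BROKEN_NACL = NetworkACL([(100, "in", "allow", range(443, 444))])
# Correct: stateless means the reply to the client's ephemeral port must be allowed too.
FIXED_NACL = NetworkACL([(100, "in", "allow", range(443, 444)),
                         (100, "out", "allow", EPHEMERAL)])

if __name__ == "__main__":
    print(https_roundtrip(SecurityGroup([443]), BROKEN_NACL))   # (True, False)
    print(https_roundtrip(SecurityGroup([443]), FIXED_NACL))    # (True, True)
```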
Gateways: getting in and out¶
| Gateway | Direction | What it does |
|---|---|---|
| Internet Gateway | In and out | Lets resources in a public subnet send to and receive from the internet |
| NAT Gateway | Out only | Lets resources in a private subnet initiate outbound connections (e.g. software updates) without being reachable from outside |
NAT here is the same Network Address Translation concept from on-prem networking — see Routing and NAT. It lets many private instances share outbound access while staying hidden behind it.
Load balancers¶
A load balancer spreads incoming traffic across several backend instances, so no single server is a bottleneck or a single point of failure, and unhealthy instances are automatically removed from rotation.
| Layer | What it balances | AWS | Azure | GCP |
|---|---|---|---|---|
| Layer 4 (TCP/UDP) | Connections by IP/port | Network Load Balancer | Azure Load Balancer | Network Load Balancer |
| Layer 7 (HTTP/S) | Requests by URL/host/path | Application Load Balancer | Application Gateway | Application Load Balancer |
The layer numbers refer to the OSI model: Layer 4 routes by address and port, Layer 7 can route by hostname or URL path.
DNS in the cloud¶
The cloud needs the same DNS that maps names to IP addresses everywhere else — review DNS and DHCP for the fundamentals. Each provider offers a managed authoritative DNS service:
| Provider | Managed DNS service |
|---|---|
| AWS | Route 53 |
| Azure | Azure DNS |
| GCP | Cloud DNS |
Cloud DNS often does more than plain name resolution — for example, Route 53 can do health checks and route traffic by latency, geography, or weighting (useful for sending users to the nearest region), and it integrates with the cloud's load balancers via alias records.
Verify your work¶
Check your grasp of both pillars — no account required.
- Name the three storage types and one good use for each, plus the AWS/Azure/GCP name for object storage.
- Explain why a database server belongs in a private subnet and what gateway lets it still fetch OS updates.
- State the difference between a stateful security group and a stateless network ACL in your own words.
- Describe the job of a load balancer and the difference between a Layer 4 and a Layer 7 one.
With an account, you can sanity-check a deployed setup:
```bash
# AWS: list your VPCs and their CIDR ranges
aws ec2 describe-vpcs --query "Vpcs[].{Id:VpcId,Cidr:CidrBlock}" --output table
# AWS: list S3 buckets (object storage)
aws s3 ls

# Azure: VNets and their address space
az network vnet list -o table
# Azure: storage accounts (Blob/File)
az storage account list -o table

# GCP: VPCs
gcloud compute networks list
# GCP: Cloud Storage buckets
gcloud storage buckets list
```
Summary¶
- Three storage types: object (S3 / Blob / Cloud Storage) for whole files via API, block (EBS / Managed Disks / Persistent Disk) for disks attached to one VM, and file (EFS / Azure Files / Filestore) for shared mounted filesystems.
- Durability (data not lost — often "eleven nines") differs from availability (reachable now); neither replaces your own backups and versioning.
- Use hot / cool / archive tiers and lifecycle rules to balance access speed against storage cost; snapshots capture point-in-time block volumes, and real DR copies them to another region.
- A VPC/VNet is your private CIDR-addressed network, divided into public subnets (route to an internet gateway) and private subnets (outbound via a NAT gateway).
- Security groups are stateful (return traffic auto-allowed) and attach to instances; network ACLs are stateless (allow both directions) and attach to subnets.
- Load balancers distribute traffic (Layer 4 by IP/port, Layer 7 by URL/host), and managed cloud DNS (Route 53 / Azure DNS / Cloud DNS) resolves names and can steer traffic by health and location.
Related reading: What Is the Cloud · Virtualization and Hypervisors · Containers and Kubernetes · OpenStack Private Cloud · AWS, Azure & GCP: The Big Three · IP Addressing and Subnetting · Routing and NAT · DNS and DHCP · OSI and TCP/IP · Certifications