Service models, networking, identity, compute, storage, databases, and cost optimization — the building blocks of every cloud architecture.
01 / Service Models
IaaS, PaaS, SaaS & Serverless
Cloud service models define the boundary between what the provider manages and what you manage. Moving from IaaS to SaaS shifts more operational burden to the provider.
| Model | You Manage | Provider Manages | Example |
|---|---|---|---|
| IaaS | OS, runtime, app, data | Hardware, networking, hypervisor | EC2, GCE |
| PaaS | App code, data | OS, runtime, scaling | Elastic Beanstalk, App Engine |
| SaaS | Configuration only | Everything | Gmail, Salesforce |
| FaaS / Serverless | Individual functions | Infra, scaling, invocation | Lambda, Cloud Functions |
FaaS & Cold Starts
FaaS (Function-as-a-Service) runs your code in response to events. The provider provisions a container on demand, executes your function, then tears it down. This event-driven model means you pay only for actual execution time.
A cold start occurs when no warm container is available. The provider must: pull your deployment package, initialize the runtime, run your initialization code, then handle the request. Cold starts typically add 100ms-2s of latency depending on runtime (JVM-based languages are slowest) and package size.
Mitigating Cold Starts
Use provisioned concurrency (pre-warmed instances), keep deployment packages small, choose lightweight runtimes (Python/Node over Java), and minimize initialization-time imports.
02 / Regions, AZs & Networking
VPC, Subnets & Network Security
Regions & Availability Zones
A Region is a geographic area containing multiple isolated data centers called Availability Zones (AZs). Each AZ has independent power, cooling, and networking, connected via low-latency links.
High Availability vs Disaster Recovery
Multi-AZ = HA (survive AZ failure)
Multi-Region = DR (survive region failure)
VPC Architecture
A Virtual Private Cloud (VPC) is your isolated network in the cloud. You define its IP range using CIDR notation (e.g., 10.0.0.0/16 gives 65,536 IPs). The VPC is then divided into subnets across AZs.
Public Subnet
Has a route to an Internet Gateway (IGW). Resources get public IPs and can be reached from the internet.
Private Subnet
No direct internet access. Outbound traffic goes through a NAT Gateway in a public subnet.
Internet Gateway
Horizontally scaled, redundant gateway that allows VPC resources to communicate with the internet.
NAT Gateway
Allows private subnet resources to initiate outbound connections without exposing them to inbound traffic.
Security Groups vs NACLs
| Property | Security Group | NACL |
|---|---|---|
| Level | Instance (ENI) | Subnet |
| State | Stateful (return traffic auto-allowed) | Stateless (must allow both directions) |
| Rules | Allow only | Allow and Deny |
| Evaluation | All rules evaluated together | Rules evaluated in order (lowest number first) |
| Default | Deny all inbound, allow all outbound | Allow all inbound and outbound |
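The stateful/stateless and ordered/unordered differences in the table are easy to get wrong in practice. The following is an added example (not code from the original page) that models both evaluation styles over constructed rules, showing why a NACL needs an explicit ephemeral-port rule for reply traffic and how a deny rule is shadowed when it is numbered after a broader allow. The `Rule` type and all rule sets are assumptions made up for this example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int   # NACL evaluation order (lowest first); ignored for security groups
    action: str   # "allow" or "deny"; security groups can only express "allow"
    proto: str    # "tcp" or "udp"
    ports: tuple  # inclusive (low, high) range of the packet's destination port
    cidr: str     # remote address range the rule covers

def _matches(rule, proto, port, remote_ip):
    return (rule.proto == proto
            and rule.ports[0] <= port <= rule.ports[1]
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.cidr))

def nacl_decision(rules, proto, port, remote_ip):
    """Stateless and ordered: the lowest-numbered matching rule decides; the implicit '*' rule denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, proto, port, remote_ip):
            return rule.action
    return "deny"

def nacl_connection_ok(inbound, outbound, proto, service_port, client_ip, client_port):
    """A NACL sees the request and the reply as unrelated packets, so both directions must be allowed."""
    request_ok = nacl_decision(inbound, proto, service_port, client_ip) == "allow"
    reply_ok = nacl_decision(outbound, proto, client_port, client_ip) == "allow"
    return request_ok and reply_ok

def sg_connection_ok(inbound, proto, service_port, client_ip):
    """Stateful and unordered: any matching allow rule admits the request; the reply is tracked."""
    return any(_matches(r, proto, service_port, client_ip) for r in inbound)

# Constructed sample rules: an HTTPS service whose NACL forgot the ephemeral-port reply rule.
EPHEMERAL = (1024, 65535)
NACL_IN = [Rule(100, "allow", "tcp", (443, 443), "0.0.0.0/0")]
NACL_OUT_BROKEN = [Rule(100, "allow", "tcp", (443, 443), "0.0.0.0/0")]
NACL_OUT_FIXED = NACL_OUT_BROKEN + [Rule(110, "allow", "tcp", EPHEMERAL, "0.0.0.0/0")]
SG_IN = [Rule(0, "allow", "tcp", (443, 443), "0.0.0.0/0")]

# Ordered evaluation: the same deny rule is shadowed when numbered after the broad allow.
ALLOW_ALL_443 = Rule(100, "allow", "tcp", (443, 443), "0.0.0.0/0")
DENY_LAN_443 = Rule(50, "deny", "tcp", (443, 443), "10.0.0.0/8")
SHADOWED_DENY = Rule(150, "deny", "tcp", (443, 443), "10.0.0.0/8")

if __name__ == "__main__":
    print(nacl_connection_ok(NACL_IN, NACL_OUT_BROKEN, "tcp", 443, "203.0.113.7", 51515))  # False
    print(nacl_connection_ok(NACL_IN, NACL_OUT_FIXED, "tcp", 443, "203.0.113.7", 51515))   # True
    print(sg_connection_ok(SG_IN, "tcp", 443, "203.0.113.7"))                                 # True
    print(nacl_decision([ALLOW_ALL_443, DENY_LAN_443], "tcp", 443, "10.1.2.3"))              # deny
    print(nacl_decision([ALLOW_ALL_443, SHADOWED_DENY], "tcp", 443, "10.1.2.3"))             # allow
```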
VPC Peering
Connects two VPCs privately using AWS backbone. CIDR ranges must not overlap. Peering is non-transitive: if VPC-A peers with VPC-B and VPC-B peers with VPC-C, VPC-A cannot reach VPC-C through VPC-B.
03 / Identity & Access Management
IAM: Users, Roles & Policies
IAM controls who (authentication) can do what (authorization) on which resources. Everything in the cloud starts with an API call, and IAM governs every single one.
IAM Entity Hierarchy
Users ∈ Groups
Roles ← assumed by users, services, or external accounts
Policies (JSON) → attached to users, groups, or roles
Policy Evaluation Logic
When a request is made, IAM evaluates all applicable policies. The logic follows this order:
1. Explicit Deny in any policy → DENIED (always wins).
2. Explicit Allow → ALLOWED (if no deny).
3. No matching statement → implicit DENIED (default).
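The three-step order above can be checked against a small set of policies. This is an added example, not code from the original page and not the AWS implementation: it evaluates identity-based policy documents with IAM-style `*` wildcards and returns the decision the rules above produce. The sample policies and ARNs are constructed; Condition blocks, NotAction/NotResource, permission boundaries, SCPs and resource-based policies are deliberately not modelled.

```python
import fnmatch
import json

def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value)

def _matches_any(patterns, value):
    # IAM-style wildcards: '*' and '?' are the only metacharacters in Action/Resource strings
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _applies(stmt, action, resource):
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]  # action names are case-insensitive
    resources = _as_list(stmt.get("Resource", "*"))
    return _matches_any(actions, action.lower()) and _matches_any(resources, resource)

def evaluate(policies, action, resource):
    """Explicit Deny > explicit Allow > implicit Deny, across every policy in the set."""
    allowed = False
    for policy in policies:
        doc = json.loads(policy) if isinstance(policy, str) else policy
        for stmt in _as_list(doc["Statement"]):
            if not _applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "DENIED"        # an explicit deny anywhere ends evaluation
            allowed = True
    return "ALLOWED" if allowed else "DENIED"

# Constructed sample policies (not from any real account).
READ_ONLY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]})
DEV_BUCKET = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::dev-bucket/*"}]})
GUARDRAIL = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}]})
POLICIES = [READ_ONLY, DEV_BUCKET, GUARDRAIL]

if __name__ == "__main__":
    for action, resource in [("s3:GetObject", "arn:aws:s3:::prod-bucket/x"),    # ALLOWED (read-only)
                             ("s3:PutObject", "arn:aws:s3:::dev-bucket/x"),     # ALLOWED (dev bucket)
                             ("s3:PutObject", "arn:aws:s3:::prod-bucket/x"),    # DENIED (implicit)
                             ("s3:DeleteObject", "arn:aws:s3:::dev-bucket/x")]: # DENIED (explicit)
        print(action, resource, evaluate(POLICIES, action, resource))
```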
Principle of Least Privilege
Grant only the minimum permissions needed. Start with zero permissions and add as required. Use IAM Access Analyzer to identify unused permissions and tighten policies over time.
Cross-Account Access
Use IAM roles with trust policies for cross-account access. Account A creates a role with a trust policy allowing Account B to assume it. Account B's users call sts:AssumeRole to get temporary credentials scoped to that role. This avoids sharing long-lived credentials.
04 / Compute
VMs, Containers & Serverless
Virtual Machines (EC2)
EC2 instances come in families optimized for different workloads: general purpose (t3, m5), compute-optimized (c5), memory-optimized (r5), and GPU (p3, g4).
| Pricing Model | Discount | Commitment | Best For |
|---|---|---|---|
| On-Demand | None (baseline) | None | Variable / unpredictable workloads |
| Reserved (1yr/3yr) | Up to 72% | Capacity reservation | Steady-state, predictable usage |
| Spot Instances | Up to 90% | None (can be reclaimed) | Fault-tolerant, batch, CI/CD |
| Savings Plans | Up to 72% | $/hr commitment | Flexible across instance types |
Spot Instance Warning
Spot instances can be terminated with a 2-minute warning when AWS needs the capacity back. Design for interruption: use checkpointing, spread across multiple instance types/AZs, and handle the termination notice gracefully.
Containers: ECS & EKS
ECS (Elastic Container Service) is AWS's native container orchestrator. Launch types: EC2 (you manage instances) or Fargate (serverless containers — no instances to manage). EKS (Elastic Kubernetes Service) runs managed Kubernetes for teams already invested in the K8s ecosystem.
Serverless Compute
Lambda executes code without provisioning servers. You define a handler function, set memory (128MB-10GB), and configure triggers (API Gateway, S3 events, SQS, etc.). Max execution time is 15 minutes. For longer workloads, use Step Functions to orchestrate multiple Lambda invocations.
05 / Storage & Databases
Block, Object, File & Managed DBs
Storage Types
EBS (Block)
Network-attached block storage for EC2. Persistent, single-AZ. Types: gp3 (general), io2 (high IOPS), st1 (throughput). Snapshots for backup.
S3 (Object)
Unlimited object storage. 11 nines durability. Accessed via HTTP APIs. Supports versioning, lifecycle rules, and presigned URLs for temporary access.
EFS (File)
Managed NFS file system. Multi-AZ, shared across instances. Elastic capacity. Good for shared config, CMS, or ML training data.
S3 Storage Classes
| Class | Use Case | Retrieval | Cost |
|---|---|---|---|
| S3 Standard | Frequently accessed | Instant | Highest storage, no retrieval fee |
| S3 Infrequent Access | Accessed monthly | Instant | Lower storage, per-GB retrieval fee |
| S3 Glacier Instant | Archived, rare access | Milliseconds | Very low storage |
| S3 Glacier Deep Archive | Compliance/long-term | 12-48 hours | Lowest cost |
S3 Lifecycle Rules
Automate transitions between storage classes. Example: move objects to IA after 30 days, to Glacier after 90 days, delete after 365 days. Combine with versioning to manage old versions separately.
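The rule described above (IA after 30 days, Glacier after 90, delete after 365, with old versions handled separately) as an added example, not code from the original page: the rule is written in the dictionary shape boto3's `put_bucket_lifecycle_configuration` accepts, a small simulator reports where an object of a given age ends up, and a validator catches the common mistake of transitioning to an IA class before the 30-day minimum S3 enforces. The bucket prefix and rule ID are constructed, and the validator covers only a subset of S3's real constraints.

```python
# Lifecycle rule in the shape boto3's put_bucket_lifecycle_configuration expects.
LIFECYCLE = {"Rules": [{
    "ID": "tiered-retention",                   # constructed name
    "Filter": {"Prefix": "logs/"},              # constructed prefix
    "Status": "Enabled",
    "Transitions": [{"Days": 30, "StorageClass": "STANDARD_IA"},
                    {"Days": 90, "StorageClass": "GLACIER"}],
    "Expiration": {"Days": 365},
    "NoncurrentVersionExpiration": {"NoncurrentDays": 30},  # old versions, if versioning is on
}]}

MIN_DAYS_BEFORE_IA = 30  # S3 requires objects to age 30 days before moving to STANDARD_IA / ONEZONE_IA

def current_version_state(rule, age_days):
    """Storage class the current version is in after age_days, or 'EXPIRED' once deleted."""
    expiration = rule.get("Expiration", {}).get("Days")
    if expiration is not None and age_days >= expiration:
        return "EXPIRED"
    state = "STANDARD"
    for t in sorted(rule.get("Transitions", []), key=lambda t: t["Days"]):
        if age_days >= t["Days"]:
            state = t["StorageClass"]  # latest transition whose threshold has passed wins
    return state

def noncurrent_version_state(rule, days_noncurrent):
    """Old versions follow their own clock, counted from the moment they became noncurrent."""
    limit = rule.get("NoncurrentVersionExpiration", {}).get("NoncurrentDays")
    return "EXPIRED" if limit is not None and days_noncurrent >= limit else "RETAINED"

def validate(rule):
    """Static checks a rule must pass before S3 accepts it (a subset of the real constraints)."""
    problems = []
    transitions = rule.get("Transitions", [])
    days = [t["Days"] for t in transitions]
    if len(set(days)) != len(days):
        problems.append("two transitions cannot share the same day")
    for t in transitions:
        if t["StorageClass"] in ("STANDARD_IA", "ONEZONE_IA") and t["Days"] < MIN_DAYS_BEFORE_IA:
            problems.append(f"{t['StorageClass']} transition needs at least {MIN_DAYS_BEFORE_IA} days")
    expiration = rule.get("Expiration", {}).get("Days")
    if expiration is not None and days and expiration <= max(days):
        problems.append("expiration must come after the last transition")
    return problems

if __name__ == "__main__":
    rule = LIFECYCLE["Rules"][0]
    print(validate(rule))                                            # []
    print([current_version_state(rule, d) for d in (0, 30, 90, 365)])  # STANDARD, STANDARD_IA, GLACIER, EXPIRED
```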
Database Services
| Service | Type | Key Feature | Use Case |
|---|---|---|---|
| RDS | Relational (MySQL, Postgres, etc.) | Managed backups, Multi-AZ failover | Traditional OLTP workloads |
| Aurora | Relational (MySQL/Postgres compatible) | 5x throughput, 6-way replication | High-performance relational |
| DynamoDB | Key-value / document (NoSQL) | Single-digit ms latency at any scale | High-throughput, flexible schema |
| ElastiCache | In-memory (Redis / Memcached) | Microsecond reads | Caching, session store, leaderboards |
06 / Cost Optimization
Spending Less Without Breaking Things
Cloud costs grow fast without discipline. The key levers are right-sizing, pricing models, automation, and understanding data transfer charges.
Right-Sizing
Monitor CPU/memory utilization. Downsize over-provisioned instances. Use AWS Compute Optimizer or similar tools for recommendations.
Reserved / Savings Plans
Commit to 1-3 year usage for up to 72% discount on steady-state workloads. Savings Plans offer more flexibility than Reserved Instances.
Spot Instances
Up to 90% discount for fault-tolerant workloads. Use Spot Fleet to diversify across instance types and AZs for better availability.
Auto-Scaling
Scale in during low-traffic periods. Use target tracking policies (e.g., keep CPU at 60%). Scheduled scaling for predictable patterns.
Data Transfer Costs
Inbound traffic is free. Outbound to the internet is charged per GB. Cross-AZ traffic costs ~$0.01/GB each way. Cross-region is more expensive. Use VPC endpoints for AWS service traffic to avoid NAT Gateway data processing charges. Keep traffic within AZs where possible.
Cost Optimization Checklist
Tag all resources for cost allocation. Set up billing alerts and budgets. Review unused EBS volumes, unattached Elastic IPs, and idle load balancers monthly. Use S3 lifecycle policies aggressively. Consider Graviton (ARM) instances for ~20% cost savings.
Test Yourself
Question 01
In which service model does the provider manage the OS, runtime, and scaling, while you only manage your application code and data?
PaaS (Platform-as-a-Service) manages the infrastructure, OS, and runtime. You deploy your application code and data. In FaaS you manage individual functions, not full applications.
Question 02
What is the primary purpose of deploying across multiple Availability Zones?
Multi-AZ deployments provide high availability by distributing resources across isolated data centers within a region. Multi-region is needed for disaster recovery and global latency reduction.
Question 03
Which statement about Security Groups vs NACLs is correct?
Security Groups are stateful (return traffic is automatically allowed). NACLs are stateless (you must explicitly allow both inbound and outbound). Security Groups only support allow rules; NACLs support both allow and deny.
Question 04
In IAM policy evaluation, what happens when one policy explicitly allows an action and another explicitly denies it?
An explicit deny in any policy always overrides any allow. This is a fundamental IAM rule: Deny > Allow > implicit Deny.
Question 05
Which EC2 pricing model offers up to 90% savings but can reclaim your instance with a 2-minute warning?
Spot Instances use spare EC2 capacity at up to 90% discount but can be interrupted with a 2-minute notice when AWS needs the capacity. They are ideal for fault-tolerant and batch workloads.
Question 06
What is the key difference between EBS and S3?
EBS provides block-level storage volumes attached to EC2 instances (single AZ). S3 is object storage accessed over HTTP with virtually unlimited capacity and 11 nines of durability, replicated across multiple AZs automatically.
Question 07
A private subnet needs to download software updates from the internet. Which component enables this without exposing instances to inbound internet traffic?
A NAT Gateway sits in a public subnet and allows private subnet instances to initiate outbound connections (e.g., software updates) while preventing unsolicited inbound connections from the internet.
Question 08
Which database service provides single-digit millisecond latency at any scale with a flexible key-value/document model?
DynamoDB is a fully managed NoSQL database that delivers consistent single-digit millisecond performance at any scale. ElastiCache provides microsecond latency but is an in-memory cache, not a primary database.
Question 09
What is the main cause of a Lambda cold start?
A cold start happens when there is no pre-warmed container to handle a request. The provider must provision a new container, load the deployment package, initialize the runtime, and run your init code before handling the actual request.
Question 10
Which S3 feature allows you to grant time-limited access to a private object without changing its permissions?
Presigned URLs are generated with your credentials and grant temporary access (GET or PUT) to a specific S3 object for a limited time. The object's actual permissions remain unchanged.