The Three Major Cloud Providers at a Glance
Service Name Equivalents
Each cloud provider offers the same core service categories but under different names. Knowing the equivalent services across providers is frequently tested on cloud certification exams and useful for multi-cloud job roles.
| Service Category | AWS | Azure | GCP |
|---|---|---|---|
| Virtual Machines (IaaS) | EC2 | Azure VMs | Compute Engine |
| Serverless Functions | Lambda | Azure Functions | Cloud Functions |
| Managed Kubernetes | EKS | AKS | GKE |
| Object Storage | S3 | Blob Storage | Cloud Storage |
| Block Storage | EBS | Managed Disks | Persistent Disk |
| Managed Relational DB | RDS | Azure SQL Database | Cloud SQL |
| NoSQL / Document DB | DynamoDB | Cosmos DB | Firestore / Bigtable |
| Data Warehouse | Redshift | Synapse Analytics | BigQuery |
| Content Delivery (CDN) | CloudFront | Azure CDN | Cloud CDN |
| DNS | Route 53 | Azure DNS | Cloud DNS |
| Identity & Access | IAM | Azure AD / Entra ID | Cloud IAM |
| Virtual Private Cloud / Network | VPC | Virtual Network (VNet) | VPC |
| Container Registry | ECR | ACR | Artifact Registry |
| Monitoring / Logging | CloudWatch | Azure Monitor | Cloud Monitoring |
Where Each Provider Excels
AWS has the broadest service catalog — over 200 services — and the most global regions (30+). It has been the market leader since 2006 and has the deepest ecosystem of third-party tools, partner integrations, and community knowledge. AWS tends to be the default choice for startups and new cloud-native projects because the hiring market and talent pool are largest. AWS is the top choice when you have no existing vendor dependencies and want maximum flexibility.
Azure dominates enterprises that are already invested in Microsoft's ecosystem. If an organisation runs Active Directory on-premises, uses Office 365, has Windows Server workloads, or develops with .NET, Azure's native integrations make it the obvious choice. Azure Active Directory (now rebranded as Microsoft Entra ID) ties directly into enterprise identity management in a way AWS and GCP cannot match without significant additional configuration. Azure is also the leader in hybrid cloud deployments through Azure Arc, which extends Azure management to on-premises and other cloud environments.
GCP is strongest in data analytics, machine learning, and Kubernetes. Google invented Kubernetes (and donated it to open source), so GKE (Google Kubernetes Engine) is widely considered the most mature managed Kubernetes offering. BigQuery, Google's serverless data warehouse, is beloved by data engineers for its speed and ease of use on massive datasets. GCP's global network — the same private fiber backbone Google uses for Search and YouTube — gives it a performance advantage for latency-sensitive global applications.
Most large organisations use more than one cloud provider. They might run production workloads on AWS, use Azure for Active Directory integration and Office 365 tooling, and use GCP for BigQuery analytics. Multi-cloud reduces vendor lock-in and lets organisations use each provider's best services. This is also why cloud skills transfer — the concepts of IaaS, PaaS, VPCs, object storage, IAM, and Kubernetes are the same across providers; only the service names differ.
Cloud Certifications — Where to Start
Each major cloud provider has a tiered certification track. Entry-level foundational certs require no prerequisites and test cloud concepts broadly. Associate-level certs go deeper into architecture and implementation. Professional and specialty certs require significant hands-on experience.
For maximum job opportunities: AWS Cloud Practitioner → AWS Solutions Architect Associate.
If your employer uses Microsoft: AZ-900 → AZ-104 (Administrator) or AZ-204 (Developer).
For data/ML/Kubernetes: Google Cloud Digital Leader → Associate Cloud Engineer or Professional Data Engineer.
CompTIA also offers CompTIA Cloud+ as a vendor-neutral cloud certification that covers concepts applicable to all three providers.
Pricing Models — Pay-As-You-Go
All three cloud providers follow the same fundamental pricing model: pay only for what you use, when you use it. This replaces the traditional CapEx model of buying servers upfront with an OpEx model of monthly operational costs that scale with usage. There are no upfront commitments for on-demand pricing.
All three providers also offer reserved/committed use discounts — if you commit to using a service for 1 or 3 years, you get significant discounts (often 30–60%) compared to on-demand pricing. AWS calls these Reserved Instances; Azure calls them Reserved VM Instances or Azure Savings Plans; GCP calls them Committed Use Discounts. For predictable, steady-state workloads, committed pricing dramatically reduces cost.
Spot/Preemptible pricing is another option: all three providers offer deeply discounted compute (70–90% cheaper) for workloads that can tolerate interruption. AWS calls these Spot Instances; Azure calls them Spot VMs; GCP calls them Preemptible VMs (now Spot VMs). These are ideal for batch processing, data analysis, and fault-tolerant distributed workloads.
AWS, Azure, and GCP all offer free tiers that let you explore their services at no cost. AWS Free Tier includes 750 hours/month of t2.micro EC2, 5 GB of S3 storage, and many other services for 12 months. Azure Free Account gives $200 credit for 30 days plus 12 months of popular services free. GCP Free Tier provides $300 in credits for 90 days plus always-free limits on many services. All three are excellent ways to get hands-on experience before taking a certification exam.
Key Cloud Networking Concepts
Cloud networking terminology appears frequently in cloud certification exams and increasingly in CompTIA Network+ and Security+ scenarios as cloud becomes the default deployment model.
A VPC (Virtual Private Cloud) is the fundamental networking construct in AWS and GCP — a logically isolated network within the cloud provider's infrastructure where you deploy your resources. Azure calls the equivalent a Virtual Network (VNet). A VPC/VNet is your private network in the cloud: you define the IP address range (CIDR block), create subnets, configure route tables, and control traffic with security groups (firewall rules). Resources within a VPC communicate privately; traffic to the internet requires an internet gateway or NAT gateway.
Security Groups (AWS) and Network Security Groups (NSGs, Azure) are stateful virtual firewalls applied at the resource or subnet level. They control inbound and outbound traffic based on protocol, port, and source/destination IP. Because they're stateful, return traffic for allowed connections is automatically permitted — you only need to write rules for the initial direction. For exam scenarios: security groups are the cloud equivalent of ACLs or host firewalls — if a cloud instance can't be reached on a specific port, checking the security group is always step one.
VPC Peering connects two VPCs so resources in each can communicate using private IP addresses — without traffic traversing the internet. Peering is non-transitive: if VPC A is peered with VPC B and VPC B is peered with VPC C, A cannot communicate with C through B without a direct peering. VPN Gateway and Direct Connect/ExpressRoute/Cloud Interconnect provide private connectivity from on-premises networks to cloud VPCs, essential for hybrid cloud architectures. Understanding these connectivity options is part of cloud networking fundamentals tested on cloud certifications.
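The two exam points above, stateful security groups and non-transitive peering, as an added Python model that is not part of the original page or of any provider's tooling. It assumes a constructed three-VPC topology (vpc-a, vpc-b, vpc-c) and a constructed web-tier security group, and it deliberately models only what the text describes: rule matching on protocol, port and CIDR, connection tracking for return traffic, and direct-peering-only reachability.

```python
from ipaddress import ip_address, ip_network

# Constructed topology: A<->B and B<->C are peered; A and C are not.
PEERINGS = {frozenset({"vpc-a", "vpc-b"}), frozenset({"vpc-b", "vpc-c"})}

def vpcs_peered(a, b):
    """Peering is non-transitive: only a direct peering (or the same VPC) counts."""
    return a == b or frozenset({a, b}) in PEERINGS

def rule_matches(rule, proto, port, peer_ip):
    """A rule matches when protocol ("-1" = any), port range and peer CIDR all match."""
    if rule["proto"] not in (proto, "-1"):
        return False
    lo, hi = rule["ports"]
    return lo <= port <= hi and ip_address(peer_ip) in ip_network(rule["cidr"])

class StatefulSecurityGroup:
    """Minimal model of an AWS security group / Azure NSG with connection tracking."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self.flows = set()  # (proto, peer_ip, peer_port, local_port) of accepted connections

    def allow_inbound(self, proto, local_port, peer_ip, peer_port):
        if any(rule_matches(r, proto, local_port, peer_ip) for r in self.inbound):
            self.flows.add((proto, peer_ip, peer_port, local_port))
            return True
        return False

    def allow_outbound(self, proto, peer_ip, peer_port, local_port):
        # Replies to a tracked inbound connection need no outbound rule at all (stateful).
        if (proto, peer_ip, peer_port, local_port) in self.flows:
            return True
        return any(rule_matches(r, proto, peer_port, peer_ip) for r in self.outbound)

# Constructed web-tier group: HTTPS from the 10.0.0.0/8 private range only, no outbound rules.
WEB_SG = StatefulSecurityGroup(
    inbound=[{"proto": "tcp", "ports": (443, 443), "cidr": "10.0.0.0/8"}], outbound=[])

def diagnose(src_vpc, dst_vpc, dst_sg, proto, port, src_ip):
    """Reachability check in exam order: security group first, then peering."""
    if not any(rule_matches(r, proto, port, src_ip) for r in dst_sg.inbound):
        return f"blocked: no inbound rule allows {proto}/{port} from {src_ip}"
    if not vpcs_peered(src_vpc, dst_vpc):
        return f"blocked: {src_vpc} and {dst_vpc} have no direct peering"
    return "reachable"
```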
Cloud Shared Responsibility Model
The shared responsibility model is a critical concept for CompTIA Security+ and any cloud certification — it defines exactly what security you are responsible for versus what the cloud provider handles. Misunderstanding this model is a leading cause of cloud security breaches.
The cloud provider ("security OF the cloud") is responsible for the physical infrastructure — data center facilities, hardware, networking equipment, and the hypervisor layer. AWS, Azure, and GCP all invest massively in physical security (multi-factor physical access, 24/7 guards, redundant power and cooling, hardware disposal). They also secure the underlying network infrastructure and the virtualization layer that keeps customers isolated from each other.
The customer ("security IN the cloud") is responsible for everything above the provider's managed layer. In IaaS (virtual machines), the customer is responsible for the OS, patches, applications, data, network security groups (firewall rules), and identity and access management. In PaaS (managed databases, app platforms), the customer is responsible for the application code, data, and IAM — the provider manages the OS and runtime. In SaaS (Office 365, Salesforce), the customer is primarily responsible for data and user access management.
A common cloud security failure is the assumption that "it's in the cloud so it's secure." A misconfigured S3 bucket that is publicly accessible is the customer's responsibility — AWS fulfilled their obligation by providing a bucket with private-by-default settings. The customer misconfigured it to be public. All three cloud providers provide tools to detect and alert on misconfigurations (AWS Security Hub, Azure Defender for Cloud, GCP Security Command Center), but ultimately configuration security rests with the customer.
Cloud Deployment Models
Cloud services can be deployed in three fundamental models, and the distinction is tested on CompTIA Cloud+, Security+, and cloud vendor certifications.
Public cloud is the standard model — compute, storage, and services are hosted by the cloud provider on their infrastructure and shared (in a multi-tenant, isolated manner) across many customers. AWS, Azure, and GCP are all public clouds. Public cloud offers the highest scalability, lowest upfront cost, and maximum managed service availability. Data is hosted on the provider's infrastructure, which some highly regulated industries (certain government agencies, defense contractors) are restricted from using for sensitive data without additional controls.
Private cloud provides cloud-like self-service and automation on infrastructure operated exclusively for one organization — either on-premises in the organization's own data center, or in a hosted private cloud facility. Technologies like VMware vSphere, Microsoft Azure Stack HCI, and OpenStack enable private cloud. The organization maintains full control over where data resides and how infrastructure is configured, at the cost of managing the underlying hardware and losing the economies of scale of public cloud.
Hybrid cloud connects on-premises (or private cloud) infrastructure to public cloud, allowing workloads to move between them and enabling scenarios like cloud bursting (using public cloud for peak demand while running normal workloads on-premises), disaster recovery to cloud, and gradual migration. AWS Direct Connect, Azure ExpressRoute, and Google Cloud Interconnect provide dedicated private network connections from on-premises to cloud, bypassing the public internet for better performance and security. Azure Arc and AWS Outposts are technologies that extend cloud management planes to on-premises environments.
Identity and Access Management — IAM in the Cloud
All three cloud providers implement their own IAM systems for controlling who can access cloud resources and what they can do. IAM concepts are foundational for any cloud certification and directly map to Security+ domain coverage on access control.
The core IAM components are similar across all three providers: users (individual identities), groups (collections of users sharing policies), roles (identities assumed by services or workloads — not tied to a specific user), and policies (documents that define permissions). In AWS, policies are JSON documents specifying allowed or denied actions on specific resources. Azure uses a role-based access control (RBAC) model with built-in roles (Owner, Contributor, Reader) and custom roles. GCP uses both IAM policies and resource-level policies.
The principle of least privilege is particularly critical in cloud IAM. A misconfigured IAM role that grants excessive permissions can allow a compromised workload to access all data in an account. AWS recommends using IAM Access Analyzer to identify overly permissive policies; Azure provides Privileged Identity Management (PIM) for just-in-time elevated access to critical resources. All three providers support multi-factor authentication for user accounts, and for the most sensitive operations all three require MFA, including for administrative users.
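Both the publicly accessible S3 bucket from the shared responsibility section and the overly permissive IAM role described here come down to reading an AWS JSON policy document. The following Python is added here and is not part of the original page or of any AWS tool: it scans constructed sample policies for a public principal and for wildcard-only grants, and evaluates a request with explicit-deny precedence, under a simplified model that does not handle Condition, NotAction, NotResource or account-level Block Public Access settings.

```python
import json
from fnmatch import fnmatchcase

def statements(policy):
    """Normalize Statement (dict or list) and Action/Resource (str or list) to lists."""
    stmts = policy["Statement"]
    out = []
    for s in ([stmts] if isinstance(stmts, dict) else stmts):
        n = dict(s)
        for key in ("Action", "Resource"):
            v = n.get(key, [])
            n[key] = [v] if isinstance(v, str) else list(v)
        out.append(n)
    return out

def is_public_principal(principal):
    """Principal "*" or {"AWS": "*"} means any AWS account or anonymous user."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_statements(policy):
    """Bucket-policy check: Allow statements open to everyone with no Condition narrowing them."""
    return [s for s in statements(policy) if s.get("Effect") == "Allow"
            and is_public_principal(s.get("Principal")) and "Condition" not in s]

def overly_permissive(policy):
    """Least-privilege check: Allow statements whose Action or Resource is a bare wildcard."""
    return [s for s in statements(policy) if s.get("Effect") == "Allow"
            and (s["Action"] == ["*"] or s["Resource"] == ["*"])]

def is_allowed(policy, action, resource):
    """Simplified evaluation: explicit Deny wins, else any matching Allow, else default deny.
    Assumption: Condition, NotAction and NotResource are not modelled."""
    allowed = False
    for s in statements(policy):
        if (any(fnmatchcase(action.lower(), a.lower()) for a in s["Action"])
                and any(fnmatchcase(resource, r) for r in s["Resource"])):
            if s.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed

# Constructed sample policies (not from any real account).
PUBLIC_BUCKET_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": {"Effect": "Allow",
  "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}}''')
ADMIN_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}
```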
Cloud Storage Concepts
Cloud storage comes in several types that map to different use cases. Understanding these distinctions is important for both cloud certifications and for Security+ scenarios about data at rest protection.
Object storage (AWS S3, Azure Blob, GCP Cloud Storage) is for unstructured data — files, images, videos, backups, logs. It's accessed via HTTP APIs, not mounted like a traditional file system. Ideal for large-scale storage because it scales limitlessly without management. Encryption at rest and access policies are critical security controls — the most common misconfiguration is making objects public unintentionally.
Block storage (AWS EBS, Azure Managed Disks, GCP Persistent Disk) is the virtual hard disk attached to cloud VMs. It works exactly like a physical disk — you can format it with any file system and attach it to VMs. Block storage is used for OS volumes and database data files. Snapshots provide point-in-time backups that are critical for recovery and data protection.
File storage (AWS EFS, Azure Files, GCP Filestore) provides managed NFS or SMB file shares that multiple VMs can mount simultaneously. Used for shared application data, content management systems, and lift-and-shift migrations of applications that require shared file system access.