GAP·MAP

Cloud fundamentals

[ junior depth ]

Compute is a responsibility choice

AWS and Google Cloud both offer several ways to run application code. A virtual machine gives you a virtual server and control over its operating system. Amazon EC2 and Google Compute Engine are the direct examples. That control also leaves your team responsible for more server work, including the guest operating system and the processes running on it.

A container image packages an application with its runtime dependencies. A container is a running instance created from an image. A container service decides where containers run and may manage the cluster or server capacity. Amazon ECS can run tasks on EC2 capacity that you manage or on AWS Fargate capacity. GKE manages the Kubernetes control plane; Google also manages worker nodes in Autopilot mode, while you manage them in Standard mode. Cloud Run runs containers without requiring you to manage a server or cluster.

A function is code deployed behind a managed execution service. AWS Lambda runs code without provisioning servers. Cloud Run can deploy a function and runs it in a managed container environment. Functions still need correct code, permissions, configuration, and data handling.

Wrong "Serverless means no servers exist and operations disappear."

Right The provider operates the servers behind the service. Your responsibility moves upward to the application, its identities, its configuration, and its dependencies.

Object storage and block storage expose different interfaces

Object storage keeps objects in buckets. Amazon S3 and Google Cloud Storage both use this model. An application addresses an object by its bucket and object key. This fits uploaded media, exports, backups, and other data that should not depend on one compute instance.

Block storage is exposed to compute as a disk-like block device. Amazon EBS volumes attach to EC2 instances. Google Persistent Disk volumes attach to Compute Engine VMs as network block devices. These managed volumes can persist independently of a VM, but access remains device-oriented. The operating system can place a file system or a database's files on the device.

Wrong "Object storage is a remote hard drive, so an application can treat every object like a normal disk block."

Right Object storage has a bucket-and-object interface. Block storage presents a device that the operating system can format and mount. Pick according to the interface the workload expects.

Regions contain zones

A region is a geographic area. A zone is an isolated deployment location inside a region. AWS calls it an Availability Zone. Google Cloud calls it a zone.

Choosing a region places work near users or satisfies location requirements, but it does not by itself create redundancy. An application with all compute in one zone still depends on that zone. Both providers document multi-zone placement as a way to reduce exposure to a single-zone failure. A second region addresses a wider failure domain and requires a separate design for traffic and data.

The distinction to memorize is scope: region for geography and the larger failure domain, zone for placement inside that region.

[ middle depth ]

A VPC is a network boundary, not an internet switch

A Virtual Private Cloud gives cloud resources a virtual network. Its parts answer different questions:

  • A subnet assigns an IP address range and a placement scope. In AWS, a subnet resides in one Availability Zone. In Google Cloud, VPC networks are global resources and subnets are regional resources.
  • A route chooses a path for traffic leaving a resource or subnet.
  • A firewall rule or security group controls which traffic is allowed.
  • A gateway, NAT service, or private endpoint provides a path to another network or service.

A route to the internet does not make every resource publicly reachable. The resource also needs the relevant addressing and firewall configuration. The reverse is also true: a permissive firewall rule cannot create a network path that routing does not provide.

Wrong "It is in a private subnet, so it is authorized to read the production bucket."

Right Network reachability and IAM authorization are separate checks. A private path can carry a request that IAM still denies.

IAM binds identity, permission, and resource

Google Cloud describes IAM as controlling who can do what on which resources. AWS policies express the same core questions through principals, actions, resources, and optional conditions.

Least privilege gives a human or workload only the permissions needed for its task. A worker that reads one bucket should not receive account-wide administrator access. AWS recommends temporary credentials from roles for workloads. Google Cloud grants roles, which are collections of permissions, to principals on resources.

Broad permissions are operational debt. They enlarge the damage from a compromised workload and make it harder to tell which access is required. Split identities by workload, scope access to the required actions and resources, and remove permissions that are no longer used.

Wrong "One shared administrator identity is simpler and the VPC keeps it safe."

Right The VPC limits network paths. A workload identity limits authorized cloud API actions. Each service should receive its own narrow identity.

Managed databases remove tasks, not data decisions

Amazon RDS manages common administration tasks for relational databases. Google Cloud SQL provides managed features for backups, high availability and failover, maintenance, monitoring, and logging. The exact behavior depends on the engine and configuration you select.

Managed does not mean every resilience feature is active or every schema and query is sound. Your team still chooses an engine, capacity, network access, IAM, backup retention, and availability configuration. It also owns schema design, queries, migrations, and recovery objectives.

A managed queue handles message storage and delivery between producers and consumers. Amazon SQS is a hosted queue. Google Pub/Sub is an asynchronous messaging service that decouples publishers from subscribers. This lets an API accept work without waiting for a worker to finish it.

With Amazon SQS, receiving a message does not delete it. The message becomes temporarily invisible, and the consumer deletes it after processing. Standard SQS queues use at-least-once delivery. Google Pub/Sub also uses at-least-once delivery by default. Consumers therefore need behavior that is safe when a message appears again.

[ senior depth ]

Match compute to the control you need

VMs, managed containers, and functions differ in how much infrastructure the provider operates for you. They are not a quality ranking.

Choose a VM when the workload needs operating-system control or a server shape the higher-level service does not expose. A container platform keeps the application packaging explicit while delegating some scheduling or capacity work. A function delegates server provisioning and scaling around an event-driven unit of code. AWS also lets ECS run the same container model on customer-managed EC2 capacity or provider-managed Fargate capacity, which shows why "container" alone does not define the responsibility boundary.

Higher-level compute can constrain runtime shape, lifecycle, networking, or execution behavior. Those constraints come from the selected service contract, so they must be checked for the workload instead of inferred from the word serverless.

Design around failure domains

Multi-zone and multi-region designs solve different failures. Capacity spread across zones can continue serving when one zone is unavailable, provided traffic routing and every required dependency can use the surviving zone. Two subnets in one zone do not create that isolation.

A second region offers a higher degree of failure independence. It also creates data placement, replication, failover, and network-cost decisions. AWS does not automatically replicate regional EC2 resources to another region. Google Cloud distinguishes zonal, regional, and global resources, so the location scope must be checked per resource.

Wrong "The database is managed and the API uses two zones, so the whole system is highly available."

Right Trace every required dependency through the same failure. Compute redundancy does not help if the only database path, queue configuration, or network path still depends on the failed location.

Keep network and identity controls independent

A strong design narrows both reachability and authorization. Subnets, routes, gateways, and firewall controls determine which packets have a path. IAM determines whether an authenticated principal may perform an action on a resource.

This separation matters during incident analysis. A timeout can come from routing or firewall configuration. An authorization error can come from the principal's permissions or the resource policy. Making the network public to fix IAM, or granting administrator access to fix routing, changes the wrong control.

Least privilege is a lifecycle rather than a one-time small policy. AWS recommends reviewing and removing unused identities, permissions, policies, and credentials. Workloads should use temporary role credentials. Google Cloud roles bundle permissions, and basic roles are highly permissive, so resource-level predefined or custom roles need deliberate scope.

Managed services still expose correctness boundaries

Database high availability, backups, and application correctness cover different events. A managed failover option can address an infrastructure or instance failure. A backup supports recovery from failures that require restoring data. Neither validates a migration or prevents an authorized application from writing bad data.

Queue acknowledgment has a similar boundary. In SQS, a consumer can finish a database side effect and crash before deleting the message. The visibility timeout can expire and the message can be delivered again. Pub/Sub defaults to at-least-once delivery too.

Wrong "A managed queue makes the payment exactly once."

Right The queue manages message delivery according to its contract. Application correctness must account for redelivery: processing the same message again must not repeat the business effect.

Queue visibility, zonal redundancy, and IAM do not replace that correctness rule.

dig deeper

Primary sources behind these notes - the specs and official docs worth reading in full.

beta

The interviewer part is in the works.

The diagnostic, personal maps, and AI mock interviews are being finished right now. The notes stay free either way. Leave an email and you'll get the first-cohort invite, plus a month of Pro when it opens.

builds on

more Infrastructure & Ops

was this useful?