Fossil/knowledge-base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
knowledge-base/CLOUD.en.md
Stanislav Hubacek ef3c2f75b1 18.6.2026
2026-06-18 16:25:33 +02:00

25 KiB
Raw Permalink Blame History

☁️ Cloud Architecture

Providers

  • AWS — largest market share, broadest portfolio
  • Azure — strong integration with Microsoft ecosystem
  • GCP — Kubernetes (GKE), data & ML, network connectivity

Deployment Models

Model Description
Public cloud Shared provider infrastructure
Private cloud Dedicated infrastructure (on-prem or hosted)
Hybrid cloud Public + private interconnection
Multi-cloud Multiple public providers

Multi-cloud Strategy

Reasons for Multi-cloud

  • Vendor lock-in prevention — risk diversification
  • Regulatory requirements — data residency in specific regions
  • Best-of-breed — each provider has strengths (AWS networking, Azure enterprise, GCP data/ML)
  • Acquisition scenarios — merge & acquisition unification

Multi-cloud Connectivity

Method Latency Throughput Cost
Site-to-Site VPN Medium Limited Low
Private interconnect (Direct Connect / ExpressRoute / Dedicated Interconnect) Low High High
Cloud-to-cloud VPN Medium Medium Medium
SD-WAN Low High Medium

Challenges

  • Network complexity — different VPC/VNet concepts, security models
  • IAM federation — unified identities across clouds (SSO, SAML, OIDC)
  • Data gravity — moving data between clouds is expensive and slow
  • Monitoring — single pane of glass across clouds (Grafana, Datadog)

Cloud Adoption Frameworks (CAF)

Each major provider has its own Cloud Adoption Framework for a structured approach to cloud adoption:

Provider Framework Focus
AWS AWS CAF 6 perspectives: Business, People, Governance, Platform, Security, Operations
Azure Microsoft CAF 8 methodologies: Strategy, Plan, Ready, Migrate, Innovate, Govern, Manage, Secure
GCP Google CAF 4 pillars: Learn, Scale, Modernize, Operate

Multi-Cloud Administration Guide (Mulder, 2024) recommends combining CAF frameworks across providers for unified governance models, especially in:

  • Interoperability — standardization of APIs and IaC across clouds (Terraform, Pulumi)
  • Data governance — unified policy for data residency and lifecycle
  • Compliance automation — automated audits across clouds (AWS Config, Azure Policy, GCP Org Policies)
  • Access management — identity federation and centralized RBAC

Migration Strategies — 6 Rs

Strategy Description Difficulty Typical Scenario
Rehost (Lift & Shift) Move VM/as-is without changes Low Quick migration, datacenter exit, minimal risk
Replatform (Lift & Reshape) Migration with minor adjustments (e.g., RDS instead of self-managed DB) Medium Optimization without rewriting the application
Refactor (Re-architect) Rewrite application as cloud-native (microservices, serverless) High Maximize cloud benefit, long-term strategy
Repurchase Move to SaaS (e.g., Salesforce, Workday) Low Application is outdated, SaaS alternative exists
Retire Decommission unused applications Low Application no longer in use
Retain Keep on-prem None Regulatory reasons, too high migration risk

Decision Framework for 6 Rs

Start: Is the application needed?
  ├── No → Retire
  └── Yes → Does a SaaS alternative exist?
       ├── Yes → Repurchase
       └── No → Is refactoring worthwhile?
            ├── Yes → Refactor
            └── No → Is platform change sufficient?
                 ├── Yes → Replatform
                 └── No → Rehost

Well-Architected Framework (AWS)

  1. Operational Excellence — automation, monitoring, documentation
  2. Security — IAM, encryption, compliance
  3. Reliability — recovery, scaling, backup plans
  4. Performance Efficiency — right-sizing, choosing the right services
  5. Cost Optimization — FinOps, reserved instances, spot instances
  6. Sustainability (since 2022) — carbon footprint, energy efficiency

Analogues: Azure Well-Architected Framework, GCP Architecture Framework

Key Questions from Well-Architected Review (~60 questions)

Operational Excellence (12 questions)

  • How are changes managed and automated?
  • How are operations documented and shared within the team?
  • How are expected and unexpected events reflected in operations?
  • What runbooks exist for common operational scenarios?
  • How is incident management and postmortem process conducted?

Security (12 questions)

  • How is identity & access management implemented?
  • How is data protected at rest and in transit?
  • How is security incident detection ensured?
  • What are the procedures for patch management and vulnerability remediation?
  • How are infrastructure credentials and secrets managed?

Reliability (12 questions)

  • How is service availability ensured during a component failure?
  • How is backup and disaster recovery implemented?
  • How do service limits (quotas, throttling) affect reliability?
  • How does automatic scaling work under changing load?
  • What are the SLI/SLO metrics and how are they monitored?

Performance Efficiency (12 questions)

  • How is the correct type and size of compute/storage selected?
  • How is the database layer optimized (indexes, queries, caching)?
  • How is monitoring used to identify bottlenecks?
  • How is scaling implemented (vertical vs horizontal)?

Cost Optimization (12 questions)

  • How are costs allocated to teams/projects (chargeback/showback)?
  • What tools are used for cost analysis?
  • How are unused resources identified and eliminated?
  • How is licensing optimized (BYOL, hybrid benefit)?

Key Components

Compute Layer

  • VM / instances — EC2, Azure VMs, GCE
  • Container orchestration — EKS, AKS, GKE
  • Serverless — Lambda, Azure Functions, Cloud Functions
  • PaaS — App Engine, Elastic Beanstalk, Azure App Service

Compute Comparison Matrix (AWS EC2)

Family Type vCPU:Memory Use Case Example Pricing (on-demand, us-east-1)
General purpose M7g, m7i 1:4 Web servers, microservices, dev/test m7i.large ~$0.088/h
Compute optimized C7g, c7i 1:2 HPC, batch processing, CI/CD, gaming c7i.large ~$0.078/h
Memory optimized R7g, r7i, x2idn 1:8 to 1:32 In-memory DB (Redis), SAP HANA, real-time analytics r7i.large ~$0.118/h
Storage optimized I4i, im4gn 1:4 + NVMe Transactional DB, data warehousing, Kafka i4i.large ~$0.138/h
GPU / ML P5, g5, trn1 GPU attach AI training (P5), inference (g5), ML (trn1) g5.xlarge ~$1.006/h

See GPU.en.md for GPU model and configuration details.

Storage

  • Object storage — S3, Blob Storage, Cloud Storage
  • Block storage — EBS, managed disks, persistent disks
  • File storage — EFS, Azure Files, Filestore
  • CDN — CloudFront, Azure CDN, Cloud CDN

S3 Storage Classes

Class Availability Retrieval Time Price / GB / Month Use Case
S3 Standard 99.99 % milliseconds ~$0.023 Active data, frequent access
S3 Intelligent-Tiering 99.9 % milliseconds ~$0.023 + monitoring fee Unknown/variable access patterns
S3 Standard-IA 99.9 % milliseconds ~$0.0125 Less frequent but fast access
S3 One Zone-IA 99.5 % milliseconds ~$0.01 Reproducible data
S3 Glacier Instant 99.9 % milliseconds ~$0.004 Archive with occasional access
S3 Glacier Flexible 99.99 % 1-5 min (expedite) / 3-5 h (standard) ~$0.0036 Long-term archive
S3 Glacier Deep Archive 99.99 % 12 h (standard) / 48 h (bulk) ~$0.00099 Cheapest, compliance archives

Multi-AZ and Multi-Region Architecture

Region ┌──────────────────────────────┐
       │  AZ-1       AZ-2       AZ-3  │
       │  ┌───┐      ┌───┐      ┌───┐ │
       │  │APP│──────│APP│──────│APP│ │
       │  └─┬─┘      └─┬─┘      └─┬─┘ │
       │    │          │          │    │
       │  ┌─▼──────────▼──────────▼─┐ │
       │  │      Load Balancer      │ │
       │  └────────────┬────────────┘ │
       │               │              │
       │  ┌────────────▼────────────┐ │
       │  │  Database (Primary)     │ │
       │  │  + Read Replica         │ │
       │  └─────────────────────────┘ │
       └──────────────────────────────┘

Disaster Recovery Strategies

DR Strategies on AWS (from least to most prepared)

Strategy RTO RPO Cost Description
Backup & Restore hours 24 h Low Regular data backups to S3/Glacier, restore in DR region
Pilot Light tens of minutes minutes Medium Minimal running copy (DB, core services), scale on failover
Warm Standby minutes seconds High Reduced production copy running, scale on failover
Active-Active (Multi-Region) seconds < 1 s Very high Fully active in multiple regions, traffic routing (Route53, Global Accelerator)

Key books on the topic:

  • Engineering Resilient Systems on AWS (Schwarz, Moran, Bachmeier, 2024) — practical labs for resilience patterns: back off and retry, multi-Region failover, circuit breaker, chaos engineering using AWS Fault Injection Simulator
  • Building Resilient Architectures on AWS (2025) — data security, backup strategies, recovery plan automation

Chaos Engineering

Deliberate fault injection to verify system resilience:

  • AWS Fault Injection Simulator (FIS) — managed fault injection for EC2, ECS, EKS, RDS
  • Tools: Chaos Mesh (Kubernetes), Gremlin, Litmus
  • Process: define hypothesis → run experiment → measure impact → improve system
  • Safety: experiments in isolated environment, safety controls, automatic rollback

Cloud Design Patterns

Strangler Fig

Gradually replacing parts of a monolithic application with microservices.

  • Legacy functionality is progressively redirected to new services
  • Strangler Fig proxy (route headers, feature flags) controls traffic migration
  • Advantage: incremental value delivery without big-bang rewrite

Circuit Breaker

Prevents cascading failures when a dependent service fails.

  • Three states: Closed (normal operation), Open (requests immediately fail), Half-Open (test request after timeout)
  • Parameters: failure threshold, timeout (reset timeout), half-open max requests
  • Implementations: resilience4j, Hystrix (legacy), Istio (envoy), AWS App Mesh

Saga

Distributed transaction across microservices — a series of local transactions with compensating actions.

  • Choreography — each service publishes an event, the next service reacts (Kafka, EventBridge)
  • Orchestration — central orchestrator manages steps (Step Functions, Temporal, Camunda)

CQRS (Command Query Responsibility Segregation)

Separation of write (Command) and read (Query) models.

  • Command model: optimized for writes (normalized, transactional)
  • Query model: optimized for reads (denormalized, read-optimized views)
  • Eventual consistency between models (event bus propagates changes)
  • Use case: reporting, audit logs, high-throughput systems

Event Sourcing

Storing state as a sequence of events, not the current state.

  • Each change is an append-only event in an event store
  • Current state = fold of all events
  • Advantages: audit trail, time travel, CQRS compatibility
  • Implementations: EventStoreDB, Kafka (log), DynamoDB + CDC

Additional Cloud Patterns (Wilder — Cloud Architecture Patterns)

Pattern Category Description
Horizontally Scaling Compute Scalability Adding/removing instances based on load, elasticity
Queue-Centric Workflow Scalability Decoupling components via queues (SQS, RabbitMQ), async processing
Auto-Scaling Scalability Automatic scaling based on metrics (CPU, memory, request count)
MapReduce Big Data Distributed data processing (Hadoop, EMR, BigQuery)
Database Sharding Big Data Horizontal data partitioning across databases
Busy Signal Failure Handling Graceful degradation under overload (HTTP 503, throttling, backpressure)
Node Failure Failure Handling Detection and automatic recovery from compute node failure
Colocation Distributed Users Placing compute close to data to reduce latency
Valet Key Distributed Users Delegated storage access (SAS tokens, S3 presigned URLs)
Multi-Site Deployment Distributed Users Active deployment in multiple geographic locations

Evolutionary Architecture

Definition (Ford, Parsons, Kua, 2022): An evolutionary architecture supports guided, incremental change across multiple dimensions.

Fitness Functions

Automated checks of architectural characteristics — analogous to tests for architecture:

Type Description Example
Atomic Checks a single metric Cyclomatic complexity < 10
Holistic Checks the overall system End-to-end latency < 200 ms
Triggered Triggered by event (CI/CD commit, deployment) API contract verification
Continuous Runs continuously in production Monitoring dependency freshness
Static Code analysis without execution SonarQube, ESLint
Dynamic Runtime analysis Load tests, chaos experiments

Principles of Evolutionary Architecture

  1. Incremental change — small, safe changes thanks to CI/CD, deployment pipelines, mature DevOps
  2. Fitness functions — automated protection of architectural characteristics (scalability, performance, security)
  3. Coupling management — conscious work with component connections (affinity, volatility, cycles)
  4. Evolutionary data — database migrations as first-class citizens (evolutionary schemas, expand-contract pattern)

Antipatterns

  • Big Design Up Front (BDUF) — trying to design everything upfront, ignoring change
  • No Design at All — absence of architectural thinking, purely emergent design
  • Premature Standardization — introducing standards before the domain is understood

Hybrid Cloud Connectivity

See also: NETWORKING.en.md — network architecture (VPN, BGP, VPC design).

  • Site-to-Site VPN — IPSec tunnel over the internet
  • Direct Connect / ExpressRoute / Dedicated Interconnect — private physical connection
  • Cloud VPN / Transit Gateway — hub-and-spoke topology

Cost Optimization Detail

Savings Plans vs Reserved Instances

Property Compute Savings Plan EC2 Instance Savings Plan Reserved Instances
Flexibility Instance family, region, OS Instance family + region Specific instance
Term 1 or 3 years 1 or 3 years 1 or 3 years
Discount (typical) ~30-50 % ~40-60 % ~40-60 %
Change instance Yes (any) Yes (within family) No
Change region Yes No No
Payment options All Upfront / Partial / No Upfront All Upfront / Partial / No Upfront All Upfront / Partial / No Upfront

Spot Instance Best Practices

  • Diversification — use a mix of instance types (spot fleet) for higher availability
  • Graceful handling — application must handle termination notice (2 minute warning)
  • Checkpointing — regular state saving for restart after spot interruption
  • Spot block (AWS) — protection for 1-6 h (limited availability)
  • Use cases: batch processing, CI/CD runners, stateless microservices, ML training
  • Avoid: stateful workloads, databases (without special design)

Organization and Governance

AWS Organizations

Root OU
├── Security OU
│   ├── Audit Account (CloudTrail, Config)
│   └── Security Tooling Account (GuardDuty, Security Hub)
├── Infrastructure OU
│   ├── Network Account (Transit Gateway, VPN)
│   ├── Shared Services Account (AD, SSO)
│   └── Log Archive Account
├── Workloads OU
│   ├── Dev OU → individual dev accounts
│   ├── Staging OU → staging accounts
│   └── Prod OU → production accounts
└── Sandbox OU → isolated experimental accounts
  • SCP (Service Control Policies) — whitelist/blacklist services at OU level
  • Tag policies — enforce tagging across accounts
  • AI services opt-out — control data usage in AWS AI services

Azure Management Groups

Tenant Root Group
├── Platform MG
│   ├── Connectivity (hub VNet, ExpressRoute)
│   ├── Management (Log Analytics, Automation)
│   └── Identity (AD DS, PIM)
├── Application MG
│   ├── DEV (dev subscriptions)
│   ├── TEST (test subscriptions)
│   └── PROD (production subscriptions)
└── Sandbox MG
  • Azure Policy — built-in and custom policies (similar to SCP)
  • Management Group hierarchy — up to 6 levels deep
  • Subscription limits — max 10,000 subscriptions per tenant

GCP Projects

Organization Node
├── Folder: Platform
│   ├── Project: Shared Networking (VPC, Cloud NAT, VPN)
│   ├── Project: Security (Cloud KMS, Secret Manager, Chronicle)
│   └── Project: Monitoring (Cloud Monitoring, Logging)
├── Folder: Workloads
│   ├── Folder: Dev
│   │   └── Project: [app]-dev
│   ├── Folder: Staging
│   │   └── Project: [app]-staging
│   └── Folder: Prod
│       └── Project: [app]-prod
└── Folder: Sandbox
    └── Project: [user]-sandbox
  • Organization policies — constraints at organization/folder level
  • Resource Manager — hierarchy: Organization → Folder → Project → Resources
  • Project limits — max 30 projects (can be increased), 10k resources per project

12-Factor App Methodology

Methodology for building cloud-native applications (Heroku, 2011), expanded by the book Multi-Cloud Handbook for Developers (Natarajan, Jacob, 2024).

# Factor Description Cloud Implementation
1 Codebase One repo, many deployments Git + CI/CD pipeline
2 Dependencies Explicit dependency declaration package.json, requirements.txt, Docker image
3 Config Configuration in environment variables Secrets Manager, Parameter Store, env vars
4 Backing services Dependent services as attached resources RDS, S3, Redis — connection via connection string
5 Build, release, run Strict separation of build stages CI/CD pipeline (GitHub Actions, GitLab CI)
6 Processes Application as stateless processes Horizontal scaling, session in Redis
7 Port binding Service exports port, not embedded in server Express, FastAPI, Spring Boot on own port
8 Concurrency Scaling via process model Horizontal Pod Autoscaler (K8s), EC2 Auto Scaling
9 Disposability Fast startup and graceful shutdown Health checks, SIGTERM handling, preStop hooks
10 Dev/Prod parity Minimal difference between environments Docker, IaC (Terraform), same backing services
11 Logs Logs as event streams stdout/stderr → CloudWatch, ELK, Datadog
12 Admin processes Admin tasks as one-off processes DB migrations, data backfill — run in isolation

Multi-cloud Extensions (Multi-Cloud Handbook for Developers)

  • API-first design — consistent API interfaces across clouds (REST, gRPC)
  • Domain-Driven Design (DDD) — bounded contexts mapped to cloud services
  • Service Mesh — Istio, Linkerd for observability, traffic management and security across clouds
  • GitOps — declarative deployment with ArgoCD/Flux across Kubernetes clusters in different clouds

Azure Cloud Native Architecture (Map Book)

Based on The Azure Cloud Native Architecture Mapbook (2nd ed.) (Eyskens, 2025) — 40+ architectural maps across domains:

Domains of Architectural Maps

Domain Key Azure Services Architectural Patterns
Infrastructure VNet, Azure Firewall, ExpressRoute, VPN Gateway Hub-and-spoke, Virtual WAN, Private Link
Applications App Service, API Management, Service Bus, Functions Event-driven, Strangler Fig, Backend for Frontend
Data Cosmos DB, SQL Database, Synapse, Data Lake CQRS, Event Sourcing, Polyglot Persistence
Container Orchestrators AKS, Azure Container Apps, ACA Sidecar, Ambassador, Adapter (service mesh)
AI Azure OpenAI, Cognitive Services, ML Studio RAG, model fine-tuning, MLOps
Security Entra ID, Defender for Cloud, Key Vault, Sentinel Zero Trust, Defense in depth, JIT Access

Cloud Adoption Framework on Azure

  • Strategy — business case, application catalog, portfolio rationalization
  • Plan — landing zone design, governance baseline, subscription taxonomy
  • Ready — landing zone implementation (ALZ), Azure Policy, Networking, Identity
  • Migrate — assessment (Azure Migrate), rehost/replatform, test and cutover
  • Govern — cost management, policy enforcement, compliance monitoring

Cloud Provider Comparison

Based on Cloud Computing: AWS, Azure, Google Cloud (Sario, 2025):

Area AWS Azure GCP
Compute EC2, Lambda, ECS/EKS VMs, Functions, AKS GCE, Cloud Functions, GKE
Storage S3, EBS, EFS Blob, Disk, Files Cloud Storage, Persistent Disk, Filestore
Relational DB RDS (MySQL, PG, SQL Server, Oracle, MariaDB) SQL Database, MySQL/PostgreSQL Cloud SQL (MySQL, PG, SQL Server)
NoSQL DB DynamoDB, ElastiCache Cosmos DB, Redis Cache Firestore, Bigtable, Memorystore
Message queue SQS, SNS Service Bus, Queue Storage Pub/Sub, Tasks
Observability CloudWatch, X-Ray Monitor, Application Insights Cloud Monitoring, Cloud Trace
AI/ML SageMaker, Bedrock Azure ML, OpenAI Vertex AI, AutoML
Pricing (compute) On-demand, Reserved, Spot, Savings Plan Pay-as-you-go, Reserved, Spot On-demand, Committed Use, Spot

OpenStack as Private Cloud

OpenStack is the dominant open-source platform for building private clouds (IaaS). It provides compute (Nova), networking (Neutron), and storage services (Cinder/Swift/Manila) with a unified API.

Advantages over Commercial Solutions

  • Vendor-neutral API — avoids lock-in (VMware, Hyper-V)
  • Multi-tenancy — Keystone identity, RBAC, projects, quotas
  • Hybrid cloud ready — federation with AWS/Azure/GCP, Terraform provisioning
  • Ecosystem — hundreds of services (Heat orchestration, Magnum containers, Designate DNS)

Suitable Scenarios

Scenario Key Services
Data center with multi-tenancy and self-service Nova, Neutron, Cinder, Horizon
Telco / NFVI / MEC Neutron (DPDK, SR-IOV), Nova (NUMA pinning)
Science and HPC Cyborg (GPU), Manila (NAS), Ironic (bare metal)
Academic clouds Keystone federation, Trove (DBaaS)

Challenges

  • Significant deployment and operations complexity
  • Frequent API breaking changes between releases (cycle per year)
  • Limited enterprise support outside commercial distributions (Red Hat, Canonical, Mirantis)

Best Practices

  • Use infrastructure as code (Terraform, Pulumi, CDK)
  • Design for failure — every component can fail
  • Implement defense in depth — security at every layer
  • Monitor costs — tagging, budget alerts, anomaly detection
  • Use managed services where it makes sense (less operations)
  • Least privilege for all IAM roles and policies

Resources

Links, books and standards: sources/cloud/sources.en.md

  • Cost tagging — assign tags for chargeback/showback (Environment, Team, Cost Center, Application)
  • Automated compliance — AWS Config, Azure Policy, GCP Org Policies for guardrails
  • Multi-account strategy — AWS Control Tower, Azure Landing Zones, GCP Resource Hierarchy

Recommended Reading

Book Authors ISBN Description
The AI Cloud Infrastructure Blueprint Thummarakoti, Vududala, Madupati, Kaushik 978-1-041-16642-9 End-to-end guide to designing, deploying, and managing AI systems on cloud platforms. Covers public/private/hybrid/multi-cloud models for AI, infrastructure for ML training and inference, MLOps. Target audience: architects, data scientists, DevOps.
AWS for Solutions Architects (3rd ed.) Shrivastava, Srivastav, Thakur 978-1-83664-193-3 Practical guide to AWS architecture — compute (EC2, Lambda), storage (S3, EBS), databases (RDS, DynamoDB), networking, security, Well-Architected Framework, migration, cost optimization. Suitable for AWS Solutions Architect certification preparation.

Last revised: 2026-06-03

Reference in New Issue View Git Blame Copy Permalink