Cloud computing has moved well past the “lift and shift” era. In 2026, platform engineers and DevOps practitioners operate across multi-cloud landscapes, manage container orchestration at scale, and are expected to understand cost, security, and infrastructure as code from day one. Yet the fundamentals—service models, deployment patterns, and resource abstraction—remain the bedrock every decision sits on. This is a practical revisit of those basics, framed for people already working in the cloud who want a sharper mental model of what they are actually deploying.
Why Fundamentals Still Matter for Experienced Practitioners
There is a tendency in the industry to treat “basics” as something you outgrow. In reality, most production incidents trace back to a misunderstanding of a foundational concept: treating a stateful service like a stateless one, confusing shared responsibility boundaries, or misapplying a service model to a workload. Revisiting these concepts is not about going backward—it is about building more accurate mental models that prevent costly architectural mistakes. As cloud platforms add increasingly opinionated abstractions—AI services, managed Kubernetes, serverless workflows—knowing what happens beneath those abstractions becomes a competitive advantage, not an academic exercise.
Service Models: IaaS, PaaS, and SaaS in Practice
The NIST-defined service models—Infrastructure as a Service, Platform as a Service, and Software as a Service—are often presented as a neat pyramid. On the ground, the lines blur significantly. AWS EC2 is textbook IaaS, but when you attach an ALB, use Systems Manager for patching, and rely on IAM for authz, you are operating in a hybrid zone. Azure App Service is PaaS, yet you still configure networking, scaling rules, and deployment slots. Google Cloud Run is often categorized as PaaS or serverless, but it runs containers—you still build and package the artifact. The practical takeaway is not to categorize services rigidly, but to understand what operational responsibility each model shifts from your team to the provider. The more responsibility you hand off, the less control you have over runtime behavior, logging granularity, and debugging surface area.
Deployment Models: Public, Private, Hybrid, and Multi-Cloud
Public cloud dominates new workloads, but private and hybrid deployments are far from dead. Regulated industries—banking, healthcare, government—frequently run sensitive workloads on-premises or in dedicated cloud regions with enhanced compliance controls. Hybrid architectures, where on-premises clusters connect to cloud services via dedicated interconnects, remain common for data gravity workloads where moving terabytes of data is impractical. Multi-cloud, meanwhile, is less often a deliberate strategy and more often an emergent property of organizational complexity: one team built on AWS, another on GCP, and a third uses Azure because of an existing Microsoft enterprise agreement. Understanding these deployment models helps you ask the right questions during architecture reviews: Where does data sovereignty apply? What is the latency budget between regions? Which cross-cloud networking costs are acceptable?
Core Cloud Service Categories Across AWS, Azure, and GCP
Every major cloud provider organizes services into roughly the same categories, even if the naming and implementation differ. The table below maps the core categories practitioners interact with daily, along with representative services from each provider. This is not an exhaustive list—it is the operational surface area most engineers touch within their first year on a platform.
| Category | AWS | Azure | GCP |
|---|---|---|---|
| Compute (VMs) | EC2 | Virtual Machines | Compute Engine |
| Containers / Orchestration | EKS | AKS | GKE |
| Serverless Compute | Lambda | Functions | Cloud Functions / Cloud Run |
| Object Storage | S3 | Blob Storage | Cloud Storage |
| Block Storage | EBS | Managed Disks | Persistent Disk |
| Relational Database | RDS / Aurora | SQL Database / Cosmos DB | Cloud SQL / Spanner |
| Networking (VPC) | VPC | VNet | VPC |
| IAM | IAM | Entra ID (Azure AD) | IAM / Workload Identity |
| IaC / Config Management | CloudFormation / CDK | ARM / Bicep | Deployment Manager / Terraform |
Notice that while the categories are stable, the abstractions within them evolve. Serverless compute, for instance, has expanded from short-lived functions to include long-running containers on Cloud Run and Azure Container Apps. Understanding the category is more durable than memorizing individual service names.
Virtualization and the Abstraction Layers Beneath the Console
When you click “Launch Instance” in any cloud console, you are interacting with layers of virtualization that are worth understanding at least at a conceptual level. At the base, hypervisors like AWS Nitro, Azure’s underlying Hyper-V stack, or KVM on GCP abstract physical hardware into virtual machines. Network virtualization—VPCs, subnets, route tables—creates isolated L3 domains that behave like physical networks but are implemented in software. Storage virtualization decouples logical volumes from physical disks, enabling snapshots, cloning, and tiering without touching hardware. These abstractions are what make cloud elastic, but they also introduce failure modes that do not exist on bare metal: noisy neighbors on shared tenancy, virtual network latency spikes during control plane events, and storage I/O bottlenecks when multiple VMs contend for the same underlying disk subsystem. Knowing these layers exist helps you interpret weird performance behavior instead of blaming the application blindly.
Cloud Networking Fundamentals Every DevOps Engineer Needs
Networking is where cloud fundamentals hurt the most when misunderstood. Every cloud VPC is an isolated L3 domain—you get RFC 1918 address space, subnets, route tables, and security boundaries. But the specifics matter enormously. AWS VPCs require an Internet Gateway for outbound internet access and a NAT Gateway for private subnets. Azure VNets use Network Security Groups at both the subnet and NIC level, and outbound internet access via a default public IP is implicit unless you explicitly use a NAT Gateway. GCP VPCs are global by default—a single VPC spans all regions, which is a significant architectural difference from AWS and Azure where VPCs are regional. DNS resolution within VPCs, cross-VPC peering limits, service endpoints for private access to managed services, and transit gateway architectures are all topics that separate engineers who can troubleshoot connectivity issues from those who restart pods and hope for the best. If you work with Kubernetes, understanding how CNI plugins interact with VPC networking is non-negotiable for debugging pod-to-pod or pod-to-service communication failures.
Identity, Access Management, and the Shared Responsibility Model
IAM is the single most important subsystem in any cloud platform, and it is also the most commonly misconfigured. The shared responsibility model is clear in theory: the provider secures the cloud infrastructure, and you secure what you put in it. In practice, the boundary is nuanced. The provider manages hypervisor security, physical data center access, and the integrity of the IAM service itself. You manage access policies, encryption keys, network security groups, and application-level auth. The majority of cloud security incidents in recent years stem from overly permissive IAM policies—roles with wildcard actions attached to EC2 instance profiles, storage buckets with public read access, or service principals with more privileges than the workload requires. The principle of least privilege is straightforward to state and painful to enforce at scale, which is why tools like AWS SCPs, Azure Policy, and GCP Organization Policies exist. For Kubernetes practitioners, the IAM story gets more complex: AWS IRSA, Azure Workload Identity, and GCP Workload Identity all bridge cloud IAM to Kubernetes service accounts, and getting that mapping wrong is a common source of silent failures.
Containers and Kubernetes as the De Facto Cloud Runtime
Kubernetes has become the standard abstraction layer for running workloads across all three major clouds. EKS, AKS, and GKE each wrap upstream Kubernetes with provider-specific integrations: IAM roles, managed node groups, autoscaling, and add-on marketplaces. But the fundamentals of Kubernetes—pods, services, deployments, ingress, and persistent volume claims—are consistent across providers. What changes is the operational model: GKE Autopilot abstracts away nodes entirely, AKS has multiple operational modes including serverless pods, and EKS gives you the most raw control at the cost of more operational overhead. Understanding Kubernetes basics means understanding that a pod is the atomic scheduling unit (not a container), that services provide stable networking endpoints over ephemeral pods, and that controllers like Deployments maintain desired state through reconciliation loops. These concepts are platform-agnostic. The cloud-specific parts—how you attach an EBS volume to a pod, how you map a GCP service account to a Kubernetes service account, how you expose an AKS cluster via Azure Front Door—are layered on top of those fundamentals.
Infrastructure as Code and Configuration Management
No serious cloud operation runs through the console manually. Infrastructure as Code (IaC) is the practice of defining cloud resources in declarative configuration files and applying them through automated pipelines. Terraform remains the dominant multi-cloud IaC tool, but each provider also offers native options: CloudFormation and CDK on AWS, ARM templates and Bicep on Azure, and Deployment Manager on GCP. The choice between multi-cloud and native tools involves trade-offs. Terraform gives you a consistent workflow and state management across providers but lags behind native tools when new services launch. Native tools integrate more deeply with provider-specific features—CDK lets you define infrastructure in TypeScript, Python, or Java with full type safety, while Bicep offers first-class Azure integration with shorter feedback loops. Regardless of the tool, the fundamental concepts are the same: declarative desired state, idempotent applies, drift detection, and state files that map logical resources to physical ones. Understanding these concepts lets you switch tools without starting from zero.
Cost Fundamentals and FinOps Awareness
Cloud costs are not an afterthought for engineers anymore—FinOps has become an operational discipline that intersects with architecture decisions. The basics of cloud pricing are straightforward: compute is billed per second or per hour, storage by capacity and access patterns, and data transfer by volume and direction (egress is almost always charged, ingress is usually free). But the practical complexity is significant. Reserved Instances, Savings Plans, Committed Use Discounts, and Spot/Preemptible VMs all offer lower prices in exchange for commitment or flexibility trade-offs. Right-sizing instances, choosing the correct storage tier (S3 Intelligent-Tiering, Azure Cool/Archive, GCP Nearline/Coldline), and managing idle resources are where most waste lives. For Kubernetes workloads, cluster autoscaler and Karpenter (on EKS) or GKE Autopilot directly impact cost by adjusting node count to match workload demand. Engineers who understand pricing models make better architecture decisions—not because they optimize for cost at the expense of reliability, but because they can accurately weigh the trade-offs.
FAQ
What is the fastest way to get hands-on with cloud fundamentals?
Start with a single provider’s free tier and deploy a simple multi-tier application: a VM or container for compute, a managed database, object storage for static assets, and a load balancer in front. Courses that cover AWS, Azure, and GCP simultaneously can also help you see the patterns that transcend individual platforms.
Do I need to learn all three major clouds to be effective?
No. Most engineers specialize in one or two providers. What matters more is understanding the fundamental concepts—compute, networking, storage, IAM, IaC—that transfer across platforms. Once you are proficient in one cloud, picking up a second is primarily a vocabulary exercise.
How do cloud fundamentals relate to Kubernetes?
Kubernetes runs on top of cloud infrastructure and depends on it for networking, storage, and compute. Understanding VPCs, load balancers, block/object storage, and IAM is essential for operating Kubernetes clusters effectively. Without that foundation, you will struggle to diagnose issues that originate outside the cluster.
Is serverless computing replacing traditional VM-based deployments?
Serverless is expanding into more use cases—longer runtimes, container support, event-driven orchestration—but it is not replacing VMs or Kubernetes. Workloads with strict latency requirements, complex state management, or need for fine-grained resource control still benefit from VM-based or container-based deployments. The question is workload fit, not generational replacement.
What should I prioritize learning first: cloud fundamentals or DevOps tools?
Cloud fundamentals first. Tools like Terraform, Docker, and CI/CD pipelines operate on top of cloud resources. If you do not understand what a VPC, an IAM role, or a managed database actually does, automating their creation will not make you more effective—it will just make your mistakes deploy faster.
Sources
[1] 11 Best Cloud Computing Courses to Learn in 2026 – DEV Community
[2] Top 5 Udemy Courses to Learn Cloud Computing in 2026 – Javarevisited
[5] Best Cloud Courses & Training in 2026 – KodeKloud
[6] Cloud Computing Syllabus 2026: AWS, Azure, GCP Topics Explained – Scaler