A practical reference mapping equivalent cloud services across Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP), covering compute, networking, storage, databases, containers, CDN, Front Door, WAF, and secret stores.
Note: Service names and branding evolve. Always verify against the official provider documentation. Abbreviations shown in parentheses are the commonly used short names.
Compute
| Concept | AWS | Azure | GCP |
|---|---|---|---|
| Virtual Machine | EC2 Elastic Compute Cloud | Virtual Machine (VM) Azure Virtual Machines | Compute Engine (GCE) Google Compute Engine |
| VM Image | AMI Amazon Machine Image | Managed Image / Compute Gallery Azure Marketplace | Custom Image Compute Engine Images |
| Serverless Functions | Lambda AWS Lambda | Azure Functions Event-driven compute | Cloud Functions 1st/2nd gen |
| Container-based Serverless | Fargate / App Runner Serverless containers | Container Apps / ACI Azure Container Instances | Cloud Run Managed serverless containers |
| VM Auto Scaling | Auto Scaling Group (ASG) EC2 Auto Scaling | VMSS Virtual Machine Scale Sets | MIG Managed Instance Group |
| Spot / Preemptible VMs | Spot Instances EC2 Spot | Azure Spot VMs Evictable low-cost VMs | Spot VMs / Preemptible VMs Short-lived discount VMs |
| Managed Batch Processing | AWS Batch Managed batch jobs | Azure Batch Managed batch compute | Cloud Batch Managed batch workloads |
| Platform-as-a-Service (PaaS) | Elastic Beanstalk App deployment PaaS | App Service Web app hosting PaaS | App Engine Managed app platform |
Networking
| Concept | AWS | Azure | GCP |
|---|---|---|---|
| Virtual Network | VPC Virtual Private Cloud | VNet Virtual Network | VPC Virtual Private Cloud (Global) |
| Network Security Rules | Security Groups / Network ACL Stateful SGs + stateless NACLs | NSG Network Security Group | VPC Firewall Rules Hierarchical / VPC firewall |
| VNet / VPC Peering | VPC Peering / Transit Gateway Hub-spoke via TGW | VNet Peering / Virtual WAN Global vWAN for hub-spoke | VPC Peering / Network Connectivity Center Hub-spoke via NCC |
| Public DNS | Route 53 Managed DNS + health checks | Azure DNS Public DNS zones | Cloud DNS Authoritative DNS service |
| Private DNS | Route 53 Private Hosted Zones VPC-scoped private DNS | Azure Private DNS Zones Private DNS resolution in VNets | Cloud DNS Private Zones VPC-scoped DNS resolution |
| VPN Gateway | AWS VPN / Site-to-Site VPN IPsec tunnels to on-prem | Azure VPN Gateway Site-to-site / P2S VPN | Cloud VPN HA VPN tunnels |
| Dedicated Private Connectivity | Direct Connect Dedicated network link | ExpressRoute Private circuit to Azure | Cloud Interconnect Dedicated / Partner Interconnect |
| NAT Gateway | NAT Gateway Outbound internet for private subnets | Azure NAT Gateway Outbound SNAT for subnets | Cloud NAT Outbound NAT for private VMs |
| Static Public IP | Elastic IP (EIP) Static IPv4 address | Public IP Address Static / Dynamic Public IP | External IP Address Static External IP |
| Private Service Endpoint | AWS PrivateLink Private access to services | Private Endpoint NIC-based private service access | Private Service Connect Private connectivity to services |
Storage
| Concept | AWS | Azure | GCP |
|---|---|---|---|
| Object Storage | S3 Simple Storage Service | Blob Storage Azure Blob Storage | Cloud Storage (GCS) Buckets & objects |
| Block Storage (VM Disks) | EBS Elastic Block Store | Managed Disks Standard / Premium SSD, Ultra | Persistent Disk Standard / Balanced / SSD PD |
| Shared File System (NFS) | EFS Elastic File System (NFS) | Azure Files SMB / NFS file shares | Filestore Managed NFS file server |
| Archive / Cold Storage | S3 Glacier / Glacier Deep Archive Long-term archive storage | Blob Archive Tier Lowest cost blob tier | Cloud Storage Archive Coldline / Archive storage class |
| High-Performance Windows File Share | FSx for Windows File Server Managed SMB shares | Azure Files Premium / Azure NetApp Files Enterprise NFS/SMB | Filestore Enterprise High-performance NFS |
| Data Transfer / Migration | DataSync / Snowball Online sync + physical transfer | Azure Data Box / AzCopy Offline + online transfer | Storage Transfer Service / Transfer Appliance Online + offline migration |
Databases
| Concept | AWS | Azure | GCP |
|---|---|---|---|
| Managed Relational DB | RDS Relational Database Service | Azure SQL Database / Azure Database Managed SQL / open-source DBs | Cloud SQL Managed MySQL / PostgreSQL / SQL Server |
| Managed PostgreSQL | RDS for PostgreSQL / Aurora PostgreSQL Aurora is 5x faster PG-compat | Azure Database for PostgreSQL Flexible Server (recommended) | Cloud SQL for PostgreSQL / AlloyDB AlloyDB for high-performance PG |
| Managed MySQL | RDS for MySQL / Aurora MySQL MySQL-compatible Aurora | Azure Database for MySQL Flexible Server | Cloud SQL for MySQL Managed MySQL |
| Managed SQL Server | RDS for SQL Server Managed MSSQL | Azure SQL Database / SQL Managed Instance PaaS or near-full SQL Server compat | Cloud SQL for SQL Server Managed SQL Server |
| NoSQL / Document DB | DynamoDB / DocumentDB Key-value + MongoDB-compat | Cosmos DB Multi-model NoSQL (multiple APIs) | Firestore / Datastore Native Mode Firestore recommended |
| In-Memory Cache | ElastiCache Redis / Memcached managed | Azure Cache for Redis Managed Redis | Memorystore Managed Redis / Valkey |
| Data Warehouse / Analytics | Redshift Columnar data warehouse | Azure Synapse Analytics Unified analytics platform | BigQuery Serverless analytics warehouse |
| Wide-Column / HBase | DynamoDB / Keyspaces (Cassandra) Managed Cassandra-compat | Cosmos DB (Cassandra API) Cassandra-compatible API | Cloud Bigtable HBase-compatible wide-column store |
| DB Migration Service | DMS Database Migration Service | Azure Database Migration Service Managed DB migrations | Database Migration Service Homogeneous + heterogeneous migrations |
Containers
| Concept | AWS | Azure | GCP |
|---|---|---|---|
| Managed Kubernetes | EKS Elastic Kubernetes Service | AKS Azure Kubernetes Service | GKE Google Kubernetes Engine |
| Container Registry | ECR Elastic Container Registry | ACR Azure Container Registry | Artifact Registry Replaced legacy GCR |
| Serverless Containers | Fargate / App Runner No node management needed | Azure Container Apps KEDA-based serverless containers | Cloud Run Fully managed container platform |
| Container Instance (one-off) | ECS Task / Fargate Task On-demand container run | ACI Azure Container Instances | Cloud Run Jobs One-off container jobs |
| Container Orchestration (non-K8s) | ECS Elastic Container Service | Service Fabric Microservices orchestration | GKE Autopilot Fully managed K8s (no node ops) |
| Container Build Service | CodeBuild Managed build for images | ACR Tasks Build tasks in ACR | Cloud Build Managed CI/CD build service |
| GitOps / CD for K8s | CodePipeline + Flux / ArgoCD No native GitOps; use OSS | Flux (GitOps) in AKS Azure Arc + Flux extension | Config Sync / Cloud Deploy Anthos Config Management |
| Service Mesh | AWS App Mesh Envoy-based service mesh | Istio Service Mesh on AKS Managed Istio add-on | Cloud Service Mesh Formerly Anthos Service Mesh (Istio) |
CDN (Content Delivery Network)
| Concept | AWS | Azure | GCP |
|---|---|---|---|
| Content Delivery Network | CloudFront 400+ PoPs globally | Azure CDN Powered by Akamai / Verizon / Microsoft | Cloud CDN Integrated with Cloud Load Balancing |
| Media / Streaming CDN | CloudFront + AWS Elemental MediaPackage / MediaConvert | Azure CDN + Azure Media Services Live + on-demand streaming | Media CDN High-throughput media delivery |
| Edge Compute (CDN-layer functions) | Lambda@Edge / CloudFront Functions Run logic at edge PoPs | Azure Front Door Rules Engine Edge traffic manipulation rules | Cloud CDN + Serverless NEG Edge rules via LB + Cloud Run |
| Cache Invalidation | CloudFront Invalidation Purge cached objects by path | Azure CDN Cache Purge Purge by URL or wildcard | Cloud CDN Cache Invalidation Invalidate by path / prefix |
Front Door & Global Traffic Management
| Concept | AWS | Azure | GCP |
|---|---|---|---|
| Global HTTP(S) Anycast Load Balancer | AWS Global Accelerator Anycast acceleration (TCP/UDP) | Azure Front Door Global HTTP(S) LB + CDN + WAF | Cloud Load Balancing (Global) Anycast external HTTP(S) LB |
| DNS-based Global Traffic Routing | Route 53 Traffic Policies Latency / Geo / Weighted / Failover | Azure Traffic Manager DNS-level global routing | Cloud DNS + Cross-region LB GeoDNS + multi-region backend |
| Regional HTTP(S) Load Balancer | ALB Application Load Balancer (L7) | Application Gateway Regional L7 load balancer + WAF | Regional External HTTP(S) LB Regional L7 load balancer |
| Network Load Balancer (L4) | NLB Network Load Balancer (TCP/UDP) | Azure Load Balancer Regional L4 load balancer | TCP/UDP Load Balancing External / internal passthrough NLB |
| Internal Load Balancer | Internal ALB / NLB Private VPC-facing LB | Internal Load Balancer / App Gateway (private) Internal L4/L7 LBs | Internal HTTP(S) / TCP/UDP LB Private VPC-facing load balancing |
| API Gateway | Amazon API Gateway REST / HTTP / WebSocket APIs | Azure API Management (APIM) Full API lifecycle management | Apigee / Cloud Endpoints Apigee for enterprise; Endpoints for lightweight |
| SSL / TLS Certificate Management | ACM AWS Certificate Manager | App Service Certificates / Key Vault Cert provisioning + storage | Certificate Manager Managed SSL for Google-fronted LBs |
WAF & DDoS Protection
| Concept | AWS | Azure | GCP |
|---|---|---|---|
| Web Application Firewall | AWS WAF Attaches to CloudFront, ALB, API GW | Azure WAF On Application Gateway or Front Door | Cloud Armor Attached to Cloud Load Balancing |
| DDoS Protection | AWS Shield Standard (free) / Advanced (paid SLA) | Azure DDoS Protection Basic (free) / Network / IP plan | Cloud Armor DDoS Protection Adaptive protection + volumetric defence |
| OWASP Managed Rule Sets | AWS Managed Rules for WAF OWASP Top 10 + vendor rule groups | OWASP Core Rule Set (CRS) OWASP ModSecurity CRS on Azure WAF | Cloud Armor Preconfigured Rules OWASP CRS tunable rule sets |
| Bot Detection & Management | AWS WAF Bot Control Managed rule group for bots | Azure WAF Bot Protection Built-in bot ruleset | Cloud Armor Bot Management reCAPTCHA + bot scoring |
| Rate Limiting | WAF Rate-based Rules Per IP / custom key rate limits | WAF Rate Limit Rules Custom rate limit per client IP | Cloud Armor Rate Limiting Throttle / ban per IP or region |
| IP Allow / Deny Lists | WAF IP Sets IPv4/IPv6 allow/block lists | WAF Custom Rules (IP Match) IP-based custom allow/block rules | Cloud Armor Security Policies IP / CIDR / geo-based rules |
| Geo-blocking | CloudFront Geo Restriction + WAF Geo Match Block/allow by country | Azure WAF Geo Filter Country-level allow/block on Front Door | Cloud Armor Geo-based Rules Block by country / region |
| Threat Intelligence / IP Reputation | WAF + GuardDuty findings Threat intel feed integration | Microsoft Threat Intelligence (Defender) Integrated with Defender for Cloud | Cloud Armor Threat Intelligence Tor / proxy / scanner IP lists |
Secret Store & Key Management
| Concept | AWS | Azure | GCP |
|---|---|---|---|
| Secrets Manager | AWS Secrets Manager Managed secrets + auto rotation | Azure Key Vault (Secrets) Secrets stored in Key Vault | Secret Manager Versioned secret storage |
| Encryption Key Management (KMS) | AWS KMS Key Management Service | Azure Key Vault (Keys) Software or HSM-backed keys | Cloud KMS Cloud Key Management Service |
| Hardware Security Module (HSM) | AWS CloudHSM Dedicated FIPS 140-2 Level 3 HSM | Azure Dedicated HSM / Managed HSM Dedicated or managed HSM tier | Cloud HSM HSM-backed keys via Cloud KMS |
| Certificate Management | ACM (AWS Certificate Manager) Provision, manage & deploy TLS certs | Azure Key Vault (Certificates) Cert lifecycle management in Key Vault | Certificate Manager Managed TLS certs for GCP LBs |
| Secret Rotation | Secrets Manager (built-in rotation) Lambda-driven automatic rotation | Key Vault + Event Grid / Azure Functions Event-driven rotation via Functions | Secret Manager + Cloud Functions Rotation via Pub/Sub + Functions |
| Secrets in Kubernetes (CSI Driver) | Secrets Store CSI Driver + ASM AWS Secrets Manager provider for EKS | Azure Key Vault Provider for CSI Driver Mount KV secrets as K8s volumes | Secret Manager CSI Driver Mount secrets as volumes in GKE |
| Workload Identity / Secretless Auth | IAM Roles for Service Accounts (IRSA) Pods assume an IAM role; no static credentials | Azure Workload Identity (Federated) OIDC federation for AKS pods | Workload Identity Federation K8s SA to GCP SA binding in GKE |
| Parameter / Config Store | SSM Parameter Store Hierarchical config + SecureString params | Azure App Configuration Centralised app settings + feature flags | Runtime Configurator / Secret Manager Secret Manager covers most config use cases |
When to Use: Serverless vs Container Instances vs Kubernetes
All three clouds offer the same three compute tiers for containerised or event-driven workloads. Choosing the wrong tier is a common source of unnecessary cost and complexity.
| Factor | Serverless Functions (Lambda / Azure Functions / Cloud Functions) | Container Instances / Serverless Containers (Fargate + App Runner / Container Apps + ACI / Cloud Run) | Kubernetes (Managed) (EKS / AKS / GKE) | Managed Batch (AWS Batch / Azure Batch / Cloud Batch) |
|---|---|---|---|---|
| Best for | Event-driven, short-lived tasks triggered by an event (HTTP, queue, schedule, file upload) | Stateless APIs, microservices, background workers; no infrastructure management | Complex, long-running workloads with many services, custom networking, stateful apps | Large-scale, parallelisable compute jobs: ML training, data processing, simulations, rendering |
| Max execution time | Short: seconds to ~15 min. Lambda: 15 min · Azure Functions: 10 min (Consumption) | Unlimited. Long-running containers fully supported | Unlimited. No platform-imposed time limit | Hours to days. Designed for long-running jobs |
| Cold starts | Yes, noticeable on first invoke. Mitigated by Provisioned Concurrency (at extra cost) | Minimal. Container stays warm; scale-to-zero optional | None. Pods run continuously; controlled by HPA/KEDA | VM provisioning delay. Minutes to spin up a job fleet; not for latency-sensitive work |
| Scaling | Instant, per-request scaling. Scales to zero automatically | Fast, event-driven or HTTP-based. KEDA / HTTP concurrency / CPU scaling | HPA / VPA / KEDA / Cluster Autoscaler. Full control but more configuration needed | Automatic fleet scaling across many VMs. Splits job into parallel tasks across a compute fleet |
| State | Stateless only. Use DynamoDB / S3 / ElastiCache for state | Stateless preferred. Can mount volumes; stateful via external store | Stateful supported. StatefulSets, PersistentVolumes, operators | Job reads input / writes output to storage. S3 / Blob / GCS for input-output; no in-memory state between tasks |
| Networking | Limited. VPC integration available but adds cold-start latency | VNet / VPC integration available. Ingress controller, internal/external traffic | Full control. CNI plugins, network policies, service mesh | VPC / VNet integration. Jobs run inside your network; can access private resources |
| Cost model | Pay per invocation + duration. Cheapest at low/sporadic traffic; expensive at high volume | Pay per vCPU/memory per second. Scale-to-zero saves cost during idle periods | Pay for node VMs (even when idle). Most cost-efficient at sustained high load | Pay for VM time while job runs. Spot / preemptible VMs cut cost by 60–90% |
| Operational overhead | Lowest. No servers, no containers, no OS patching | Low. Manage your container image; platform handles the rest | High. Node pools, upgrades, networking, RBAC, observability | Low–Medium. Define job + container; platform manages the fleet |
| Multi-container / sidecar support | No. Single function runtime only | Limited. Cloud Run supports sidecar containers (multi-container) | Yes, full pod spec: init containers, sidecars, ephemeral containers | Yes, multi-container job definitions. Each task runs in its own container |
Quick Decision Guide
✅ Use Serverless Functions when:
- Workload is event-driven: triggered by HTTP, a queue message, a file drop, or a schedule (cron)
- Execution is short and bounded: processing time measured in seconds, not minutes
- Traffic is spiky or unpredictable: you want instant scale-to-zero to avoid idle cost
- The team wants zero infrastructure overhead: no Dockerfiles, no OS patches, no cluster upgrades
- Examples: webhook handlers, image resizing on upload, nightly data transforms, IoT event processing
✅ Use Container Instances / Serverless Containers when:
- Workload is a stateless HTTP API or microservice that needs more than a simple function, e.g. a REST service with dependencies
- You need longer execution time or background processing without the overhead of Kubernetes
- The app already runs in a container and you want the simplest path to production
- Traffic is variable but regular: scale-to-zero saves money but cold starts are acceptable
- You want VNet / VPC integration without managing node pools
- Examples: REST APIs, async workers, scheduled jobs, internal tools, web apps, CI/CD task runners
✅ Use Kubernetes when:
- You have many services that need to communicate with each other with fine-grained network policies
- Workloads are stateful: databases, message brokers, distributed caches running as pods
- You need custom scheduling, node affinity, GPU nodes, or specialised hardware
- Your organisation needs multi-tenancy: namespaces, RBAC, resource quotas per team
- Traffic is sustained and high: the per-VM node cost becomes cheaper than per-request serverless pricing
- You are running third-party software (operators, Helm charts) that requires full Kubernetes APIs
- Examples: microservices platforms, ML training pipelines, Kafka + Flink stacks, legacy apps being re-platformed
✅ Use Managed Batch when:
- You have a large, parallelisable workload that splits into thousands of independent tasks (e.g. process one file per task)
- Jobs are long-running: hours to days, well beyond serverless function time limits
- You need GPU or high-memory compute: ML training, video transcoding, scientific simulations
- Workload is not latency-sensitive: a few minutes of VM provisioning delay is acceptable
- You want to use Spot / Preemptible VMs to cut compute costs by 60–90% with automatic retries on eviction
- Examples: genomics pipelines, nightly ETL over TBs of data, financial risk simulations, bulk image/video processing, ML model training
⚠️ Common pitfalls to avoid:
- Don't use K8s for a handful of simple APIs: the operational cost will exceed the workload complexity. Serverless containers handle this better.
- Don't use serverless functions for long-running tasks: execution time limits and cold starts will cause reliability issues. Use containers instead.
- Don't put stateful workloads in serverless containers without an external store: containers are ephemeral and will lose local state on scale-down.
- Cold starts matter for user-facing latency: if sub-100ms P99 is required, either use provisioned concurrency (functions) or keep minimum instances warm (containers).
- Don't use Batch for real-time or interactive workloads: VM provisioning delay makes it unsuitable for anything user-facing. Use serverless functions or containers instead.
Key Takeaways
- Naming conventions differ significantly: AWS tends to use acronyms (EC2, S3, EKS, RDS), Azure uses descriptive service names (Virtual Machine, Blob Storage, AKS), and GCP uses "Cloud X" patterns (Cloud SQL, Cloud Run, Cloud Armor).
- Front Door is Azure-native: Azure Front Door bundles global load balancing, CDN, WAF, and SSL in one service. AWS and GCP compose these from separate services (Global Accelerator + CloudFront + WAF).
- WAF attachment points vary: AWS WAF attaches to CloudFront / ALB / API Gateway. Azure WAF lives on Application Gateway or Front Door. GCP Cloud Armor attaches to Cloud Load Balancing.
- GCP VPC is global: Unlike AWS and Azure where VPCs/VNets are regional, a single GCP VPC spans all regions.
- Container registries have converged: AWS ECR, Azure ACR, GCP Artifact Registry all support OCI-compliant images. GCR (gcr.io) is legacy in GCP; Artifact Registry is the current standard.
- Azure bundles secrets, keys, and certs in one service: Azure Key Vault handles secrets, encryption keys, HSM-backed keys, and certificates under a single service. AWS and GCP split these across Secrets Manager / KMS / ACM and Secret Manager / Cloud KMS / Certificate Manager respectively.
- Avoid static credentials in Kubernetes: All three clouds offer workload identity mechanisms (IRSA on EKS, Workload Identity Federation on AKS and GKE) so pods can access secrets without storing long-lived credentials.
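The AWS column of the "Secrets in Kubernetes (CSI Driver)" and "Workload Identity / Secretless Auth" rows, and the last takeaway above, combine into a single pattern on EKS: the pod authenticates to Secrets Manager through an IRSA role and the Secrets Store CSI Driver mounts the secret as a read-only file. The manifest below is an added example, not from the original page or any provider's documentation; it assumes the Secrets Store CSI Driver and its AWS provider are installed, the cluster has an OIDC provider, and the IAM role trusts that provider for this service account. The account ID, role name, namespace, image and secret name are constructed placeholders.

```yaml
# Added example (constructed placeholders throughout): IRSA + Secrets Store CSI
# Driver on EKS. No AWS access key or kubernetes.io Secret holds the credential;
# the pod exchanges its projected OIDC token for short-lived role credentials.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: payments-api
  namespace: payments
  annotations:
    # IRSA binding. The role's trust policy must allow
    # system:serviceaccount:payments:payments-api via the cluster OIDC provider.
    eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/payments-api-secrets-reader
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: payments-db-creds
  namespace: payments
spec:
  provider: aws
  parameters:
    # One Secrets Manager secret, exposed as the file "db-password".
    # Least privilege: the role needs only secretsmanager:GetSecretValue
    # and secretsmanager:DescribeSecret on this secret's ARN.
    objects: |
      - objectName: "prod/payments/db-password"
        objectType: "secretsmanager"
        objectAlias: "db-password"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: payments-api
  namespace: payments
spec:
  replicas: 2
  selector:
    matchLabels: {app: payments-api}
  template:
    metadata:
      labels: {app: payments-api}
    spec:
      serviceAccountName: payments-api   # ties the pod to the IRSA role above
      containers:
        - name: api
          image: registry.example.com/payments-api:1.4.2   # placeholder image
          volumeMounts:
            - name: db-creds
              mountPath: /mnt/secrets   # app reads /mnt/secrets/db-password
              readOnly: true
      volumes:
        - name: db-creds
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: payments-db-creds
```

Rotating the secret in Secrets Manager does not require redeploying: the driver's rotation reconciler (if enabled) refreshes the mounted file, and the role credentials themselves expire on their own, which is the property the "no static creds" cell is pointing at.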