Master Notebook: Cloud & Infrastructure

MODULE 1

Service Models

IaaS / PaaS / SaaS / FaaS — what the cloud manages, what you manage.

Stack Layers

Model	You manage	Cloud manages	Example
On-prem	Everything	Nothing	Bare metal in your DC
IaaS	OS, runtime, app, data	Virtualization, networking, storage, hardware	EC2, GCE, Azure VM
CaaS	Container image, app config	Container runtime, scheduler, infra	ECS, GKE, AKS, Fargate
PaaS	App code, data	Runtime, OS, scaling, infra	App Engine, Heroku, Elastic Beanstalk
FaaS	Function code	Everything else; pay per invocation	Lambda, Cloud Functions
SaaS	Configuration, users	Everything	Gmail, Salesforce

MODULE 2

AWS Core Services

The 20 services that cover 80% of architectures.

Compute

EC2 — VMs. Instance families: m (general), c (compute), r (memory), i (storage), g/p (GPU). Spot = up to 90% off, can be reclaimed in 2 min.
Lambda — FaaS. Max 15 min, 10 GB memory. Cold start mitigations: provisioned concurrency, smaller bundle, SnapStart for Java.
ECS / Fargate — container orchestration. Fargate = serverless containers (no EC2 to manage).
EKS — managed Kubernetes control plane.
Batch — long-running compute jobs.

Storage

S3 — object store. Classes: Standard, IA, One-Zone-IA, Intelligent-Tiering, Glacier Instant / Flexible / Deep Archive. Strong read-after-write since 2020.
EBS — block storage for EC2. gp3 (general SSD, 3000–16000 IOPS), io2 (provisioned), st1 (HDD throughput), sc1 (cold HDD).
EFS — NFS. Multi-AZ, scales automatically. Slower than EBS.
FSx — Lustre / Windows / OpenZFS / NetApp managed file systems.

Databases & Data

RDS — managed Postgres / MySQL / MariaDB / Oracle / SQL Server. Multi-AZ for HA, read replicas for scale.
Aurora — RDS-compatible, storage-decoupled. 6 copies across 3 AZs. Faster failover than RDS.
DynamoDB — managed k-v / document. Single-digit ms p99. PK + optional SK. GSI / LSI for secondary access. On-demand vs provisioned RCU/WCU.
ElastiCache — managed Redis / Memcached.
Redshift — columnar warehouse, OLAP.
Athena — serverless SQL on S3 (Presto).
Kinesis — managed streaming. Data Streams (Kafka-like), Firehose (load to S3/Redshift), Analytics (Flink-on-Kinesis).

Networking

VPC — private virtual network. Subnets per AZ, public/private split.
ALB — L7 LB, HTTP-aware, target groups, path/host routing, WebSockets.
NLB — L4 LB, TCP/UDP, static IP, ultra-low latency, preserves source IP.
API Gateway — managed API frontend, auth, rate limit, transformation.
CloudFront — CDN with edge compute (Lambda@Edge / Functions).
Route 53 — DNS with health checks + weighted / latency / geo routing.
VPN / Direct Connect / Transit Gateway — hybrid + multi-VPC connectivity.

Messaging & Integration

SQS — managed queue. Standard (best-effort order, at-least-once) or FIFO (exactly-once, ordered). DLQ for poison messages.
SNS — pub/sub fanout. SNS → SQS / Lambda / HTTP / email / SMS.
EventBridge — event bus with rules + scheduler.
Step Functions — managed state machines, sagas.
MSK — managed Kafka.

IAM & Security

IAM — users, roles, policies. Trust + permission policies.
STS — short-lived credentials via AssumeRole.
KMS — managed keys, envelope encryption. CMK + data keys.
Secrets Manager — secret storage with rotation; Parameter Store for non-secret config.
Cognito — user pools (identity) + identity pools (federated).
WAF / Shield — L7 firewall + DDoS.

Observability

CloudWatch — metrics, logs, alarms. Custom metrics via PutMetric / EMF.
X-Ray — distributed tracing.
CloudTrail — API audit log.
Config — resource state + compliance.

MODULE 3

GCP / Azure Mappings

Same primitives, different names.

Cross-Cloud Equivalents

AWS	GCP	Azure
EC2	Compute Engine	Virtual Machines
Lambda	Cloud Functions / Run	Functions
S3	Cloud Storage	Blob Storage
EBS	Persistent Disk	Managed Disks
RDS	Cloud SQL	Azure SQL / Postgres / MySQL
Aurora	AlloyDB / Spanner (global)	Cosmos DB (multi-model)
DynamoDB	Firestore / Bigtable	Cosmos DB
SQS	Pub/Sub (queue mode)	Service Bus / Queue Storage
SNS	Pub/Sub	Event Grid / Service Bus topics
Kinesis	Pub/Sub + Dataflow	Event Hubs
ALB	Cloud Load Balancing (HTTPS)	App Gateway / Front Door
CloudFront	Cloud CDN	Front Door / CDN
Route 53	Cloud DNS	Azure DNS / Traffic Manager
EKS	GKE	AKS
Redshift	BigQuery	Synapse Analytics
IAM	Cloud IAM	Entra ID + RBAC
KMS	Cloud KMS	Key Vault
CloudWatch	Cloud Monitoring + Logging	Monitor + Log Analytics

MODULE 4

Containers

Image format, runtime, registry.

Image Anatomy

Layered filesystem (overlayfs). Each Dockerfile instruction = layer.
Layer cache: identical layer hashes are reused across builds. Order Dockerfile from least → most changing.
Multi-stage builds: build in heavy image, copy artifacts to slim runtime.
OCI image spec — vendor-neutral standard. Distroless / scratch / alpine for minimal base.

# multi-stage example
FROM golang:1.22 AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 go build -o /out/app

FROM gcr.io/distroless/static
COPY --from=build /out/app /app
USER 65532:65532
ENTRYPOINT ["/app"]

Runtime & Linux Primitives

Namespaces — pid, net, mnt, uts, ipc, user, cgroup. Isolate process view.
cgroups v2 — limit + account CPU, memory, IO, pids.
seccomp / AppArmor / SELinux — syscall filtering, MAC.
Container runtimes — containerd, CRI-O, runc (OCI runtime).

MODULE 5

Kubernetes

Declarative orchestration. Reconciliation loops drive desired state.

Architecture

Control plane: API server (kube-apiserver), etcd (state), scheduler, controller-manager, cloud-controller-manager.
Node: kubelet (agent), kube-proxy (network), container runtime (containerd).
Everything is a CRUD operation on the API server; controllers watch + reconcile.

Core Objects

Object	Purpose
Pod	Smallest unit; 1+ containers sharing net + IPC
ReplicaSet	Maintains N pod replicas
Deployment	Declarative rolling update over ReplicaSets
StatefulSet	Stable identity + ordered rollout (DBs)
DaemonSet	One pod per node (logs, monitoring agents)
Job / CronJob	Run-to-completion / scheduled work
Service (ClusterIP / NodePort / LB)	Stable virtual IP + endpoints
Ingress / Gateway API	L7 routing into cluster
ConfigMap / Secret	Config + sensitive data
PersistentVolume / PVC / StorageClass	Storage provisioning
HPA / VPA / Cluster Autoscaler / Karpenter	Scaling pods + nodes
NetworkPolicy	Pod-to-pod L3/L4 firewall

Scheduling

Filters (node selector, taints/tolerations, affinity, resource fit) → scoring → bind.
Requests = scheduler reservation; limits = runtime cap. Set CPU request always; CPU limit cautiously (throttling).
QoS classes: Guaranteed (req=lim), Burstable, BestEffort. Eviction order: BestEffort → Burstable → Guaranteed.
Pod disruption budgets (PDB) protect availability during voluntary disruption.

Operators & CRDs

Custom controllers reconcile custom resources. Patterns: state machine for app lifecycle (e.g., Postgres operator handles backups, failover, scaling). Tools: kubebuilder, Operator SDK.

Rollouts

RollingUpdate: maxSurge, maxUnavailable. Default deployment.
Recreate: kill all then start. Brief downtime.
Blue/Green: two deployments, switch service selector.
Canary: weighted routing via Service Mesh (Istio/Linkerd) or Argo Rollouts.

MODULE 6

Infrastructure as Code

Terraform / Pulumi / CloudFormation / CDK.

Terraform Concepts

Providers (aws, gcp, k8s) → resources → state file.
State: source of truth for what TF created. Remote backend (S3 + DynamoDB lock, Terraform Cloud).
Plan / Apply: dry-run shows diff. Apply executes.
Modules: reusable groups of resources. Inputs / outputs / variables.
Workspaces or directories for env separation (dev / staging / prod).
Drift = real infra ≠ state. Detect via plan; reconcile or import.

Tooling Comparison

Tool	Lang	Pros	Cons
Terraform	HCL	Multi-cloud, large ecosystem, mature	HCL limited; state mgmt headaches
Pulumi	Python/TS/Go	Real lang, tests, conditionals	Smaller community
CloudFormation	YAML/JSON	Native AWS, no state to manage	AWS-only, slow rollback
AWS CDK	TS/Python/Java/Go	Synth to CFN; constructs	AWS-only; opinionated abstractions
Crossplane	K8s CRDs	GitOps-native; multi-cloud as K8s	K8s-shaped solutions only

MODULE 7

Cloud Networking

VPC anatomy + connectivity patterns.

VPC Topology

VPC = isolated address space (e.g., 10.0.0.0/16).
Subnets per AZ (typically 2–3 AZs). Public subnet = route to IGW; private = no IGW route.
NAT Gateway in public subnet → outbound internet from private subnet.
Route tables associate with subnets. Security groups (stateful, instance-level) + NACLs (stateless, subnet-level).
VPC endpoints: Interface (ENI for AWS service) or Gateway (S3 / DynamoDB free).

Cross-VPC / Hybrid

VPC peering — 1:1, non-transitive, same/different account/region.
Transit Gateway — hub-and-spoke, transitive, scales to thousands of VPCs.
PrivateLink — expose service via interface endpoint without VPC peering.
VPN — IPsec over internet, ~1 Gbps per tunnel.
Direct Connect — dedicated fiber, 1–100 Gbps, lower latency + predictable.

Egress Cost

MODULE 8

Storage Tiers & Patterns

Match access pattern to tier; lifecycle policies move automatically.

S3 Classes

Class	Cost / GB-mo	Retrieval	Use
Standard	$0.023	Instant	Hot data
Intelligent-Tiering	$0.023 → $0.0036	Instant	Unknown access pattern
Standard-IA	$0.0125	Instant + retrieval $	Backup, infrequent access
One-Zone-IA	$0.01	Instant	Re-creatable, single AZ
Glacier Instant Retrieval	$0.004	Instant	Archive accessed rarely
Glacier Flexible	$0.0036	Minutes–hours	Backup
Glacier Deep Archive	$0.00099	12 hours	Compliance, long retain

EBS Volume Types

gp3 — default. 3000 IOPS / 125 MB/s baseline; provision more.
io2 Block Express — up to 256k IOPS, <1 ms; expensive.
st1 / sc1 — HDD, sequential workloads, cheap.
Snapshots = incremental, stored in S3 internally.

MODULE 9

Cost Optimization

FinOps basics. Engineering decisions = cost decisions at scale.

Pricing Levers

On-Demand — full price, no commit.
Reserved Instances / Savings Plans — 1 or 3 yr commit; up to ~72% off. Compute SP = flexible across services.
Spot — up to 90% off; can be reclaimed in 2 min. Pair with checkpointing or Karpenter.
Right-sizing — match instance to workload. Compute Optimizer surfaces.
Auto-scaling — scale to zero off-hours where possible.

Watch For

Idle EBS volumes / snapshots / Elastic IPs.
NAT Gateway egress for internal traffic — use VPC endpoints.
Cross-AZ chatter — colocate replicas / cache.
S3 unfinished multipart uploads (lifecycle rule to expire).
Log retention default = forever; set retention.
RDS over-provisioned IOPS; switch to gp3.

MODULE 10

Cheat Sheet

Pick services fast. Defaults for new projects.

Default Stack (AWS)

Compute: ECS Fargate or EKS
Data: Aurora Postgres + DynamoDB
Cache: ElastiCache Redis
Queue: SQS + EventBridge
Object: S3 + CloudFront
Auth: Cognito or external IdP

Pick LB

HTTP(S) + path/host routing → ALB
TCP/UDP, static IP, ultra-low latency → NLB
Global anycast → Global Accelerator / CloudFront
Cross-region failover → Route 53 health checks

Pick DB

Relational + transactions → Aurora / RDS Postgres
K-V, ms latency, scale-out → DynamoDB
Search → OpenSearch
Time-series → Timestream / Influx on EC2
Graph → Neptune
Wide-column → Keyspaces (Cassandra)

K8s Sanity

Always set requests; limits with care
Liveness ≠ readiness; startup probe for slow boot
PDB on every Deployment in prod
NetworkPolicy default-deny ingress
Pin image digest, not tag
Use HPA on custom metrics, not just CPU

Cost Quick Wins

S3 lifecycle: Standard → IA → Glacier
EBS gp2 → gp3 (10–20% cheaper)
VPC endpoint for S3/Dynamo to skip NAT
Compute Savings Plan @ ~60% baseline
Spot for batch/CI/dev
Set log retention < 30 days unless required

IaC Hygiene

Remote state + state lock
One module per logical unit
Plan in PR; apply on merge
No hardcoded secrets — use SM / Vault
Drift detection scheduled
Tag everything: env, owner, cost-center