logging

Multi-cloud comparison: Resource zoning

Ran Xing AWS, Azure, cryptograph, GCP, IAM, Multi-cloud, Network, Security Architect, Storage , , , , , ,

Summary

If you want to understand the cloud infrastructure better, I would suggest you start looking at the resource zoning. Within resource zoning, there will be things like IAM, Data Encryption, network, HA, Disaster Recovery, etc. You can take this “road trip” to walk throughout the Cloud “kingdom”.

If you can compare the services across different cloud providers, you can get more insights horizontally.

In this series, I will compare cloud services in different topics, with resource zoning in this session. I won’t cover all the services, but security related ones as usual.

Compare

Here is the detailed list from my GIT repo. Welcome to contribute to this repo.

Example

A couple of examples here are listed on how to utilise the table.

ex1: Security logging

All the security logging services across different Cloud provider are either global or cross-region. But there is a little bit difference.
GCP Audit Logging
AWS Cloudtrail
AZure Activity Logs

GCP Audit Logging within Stackdriver service is global resource. It has resource types including project, organization, folder, billing account.

AWS Cloudtrail is cross-region resource, but you have to manually enable for all regions.

AZure Activity Logs can exported on the Subscription level while you can select multiple regions for steaming to Event Hub or export to Storage Account.

ex2: Networking

In GCP VPC is global resources. And Subnet is regional resources. So logically you can understand the IP ranges is associated on Subnet level. Routes are global resource, so they are defined on VPC level. In AWS, VPC is regional resources, and Subnet is zonal resources. You can only assign one subnet entirely into one AZ. You can then imagine the IP ranges and routes should be on the VPC level. In Azure because not all the Azure regions support availability zones. So subnets, routes, network security groups and application security groups are all regional resources.

Driving from all the facts above, it would be much easier to explain more details in the following few section around networking in this series.

Note:

GCP all resources, whether global, zonal, or regional, must be unique within the project.

Reference:

Global, regional, and zonal resources
Resource Locations
AWS Global vs Regional vs AZ resources - Certification
What are Availability Zones in Azure?