Cloud Computing Glossary
199+ essential cloud computing terms defined in plain language. Covers AWS, Azure, GCP, OCI, and multi-cloud terminology across infrastructure, compute, storage, databases, IAM, DevOps, monitoring, serverless, security, and cost management.
A
- ABAC
- Attribute-Based Access Control. An authorization model that evaluates attributes (tags, department, environment) attached to the principal, resource, and request context to determine access. AWS supports ABAC through IAM policy condition keys tied to resource tags.
- Account
- The top-level billing and organizational container in AWS. An AWS account has its own resources, IAM identities, and billing. AWS Organizations groups multiple accounts under a management account for centralized governance. Azure uses subscriptions and GCP uses projects for similar purposes.
- ACL
- Access Control List. A set of rules that define which network traffic is allowed or denied. Network ACLs operate at the subnet level in AWS VPCs and are stateless (both inbound and outbound rules must be explicitly configured). Also used in object storage to control access to individual objects.
- Alerting
- The practice of configuring notifications that fire when a metric crosses a defined threshold or an anomaly is detected. Cloud providers offer native alerting through services like Amazon CloudWatch Alarms, Azure Monitor Alerts, and GCP Cloud Monitoring alerting policies.
- API Gateway
- A managed service that acts as the front door for APIs, handling request routing, authentication, rate limiting, and response transformation. Examples include Amazon API Gateway, Azure API Management, and GCP API Gateway.
- APM
- Application Performance Monitoring. A category of tools that track application-level performance including response times, error rates, and transaction traces. Cloud-native options include AWS X-Ray, Azure Application Insights, and GCP Cloud Trace.
- Archive Storage
- The lowest-cost storage tier designed for data that is rarely accessed and can tolerate retrieval delays of minutes to hours. Examples include Amazon S3 Glacier, Azure Archive Storage, and GCP Archive class in Cloud Storage.
- ARN
- Amazon Resource Name. A globally unique identifier for every resource in AWS, following the format arn:partition:service:region:account-id:resource-type/resource-id. ARNs are used in IAM policies, API calls, and cross-account references.
- Artifact Registry
- A managed repository for storing build artifacts such as container images, language packages, and OS packages. Examples include AWS ECR, Azure Container Registry, GCP Artifact Registry, and JFrog Artifactory.
- Authentication
- The process of verifying the identity of a user, service, or device attempting to access a system. Cloud platforms support multiple authentication mechanisms including passwords, API keys, certificates, and federated identity through SAML or OIDC.
- Auto-Scaling
- The ability to automatically adjust the number of compute resources based on demand. Auto-scaling groups monitor metrics like CPU utilization and add or remove instances to maintain performance while minimizing cost. All major cloud providers offer auto-scaling for VMs, containers, and serverless functions.
- Autoscaling Group
- An AWS construct (Auto Scaling Group) that manages a fleet of EC2 instances, automatically adding or removing instances based on scaling policies. ASGs maintain a desired capacity, perform health checks, and replace unhealthy instances. Azure uses Virtual Machine Scale Sets; GCP uses Managed Instance Groups.
- Availability Zone
- A physically isolated data center or group of data centers within a cloud region. Each availability zone has independent power, cooling, and networking. Deploying across multiple AZs provides resilience against single-facility failures. AWS and Azure use the term availability zone; GCP uses the term zone.
B
- Backup
- A copy of data created to enable recovery from data loss, corruption, or disaster. Cloud providers offer managed backup services like AWS Backup, Azure Backup, and GCP Backup and DR that automate backup scheduling, retention, and cross-region replication.
- Bare Metal
- A cloud compute option where you rent a physical server without a hypervisor layer, giving you direct access to the hardware. Bare metal instances are used for workloads that require hardware-level access, specific licensing, or maximum performance. Examples include AWS EC2 bare metal instances and OCI bare metal shapes.
- Bastion Host
- A hardened server in a public subnet that serves as a secure entry point for SSH or RDP access to instances in private subnets. Cloud-managed alternatives include AWS Systems Manager Session Manager, Azure Bastion, and GCP IAP (Identity-Aware Proxy) tunneling, which eliminate the need for a dedicated bastion instance.
- Blob Storage
- Microsoft Azure's object storage service (Azure Blob Storage), equivalent to Amazon S3. The term blob stands for Binary Large Object and refers to unstructured data like images, videos, logs, and backups.
- Block Storage
- A storage type that manages data as fixed-size blocks, behaving like a raw disk that can be formatted with a file system. Block storage provides low-latency I/O and is used for boot volumes and databases. Examples include Amazon EBS, Azure Managed Disks, and GCP Persistent Disks.
- Blue-Green Deployment
- A deployment strategy that maintains two identical production environments (blue and green). New code is deployed to the inactive environment, tested, then traffic is switched over instantly. If issues arise, traffic is switched back to the previous environment with zero downtime.
- Bucket
- A top-level container for objects in a cloud object storage service. Buckets have globally unique names and are associated with a specific region. Examples include S3 buckets, GCS buckets, and Azure Blob containers.
C
- Canary Deployment
- A deployment strategy that routes a small percentage of production traffic to a new version while the majority continues hitting the old version. If the canary version performs well, traffic is gradually shifted. This limits the blast radius of a bad deployment.
- CDN
- Content Delivery Network. A globally distributed network of edge servers that cache and deliver content close to end users, reducing latency and offloading origin servers. Examples include Amazon CloudFront, Azure CDN, GCP Cloud CDN, and Cloudflare.
- Chargeback
- A FinOps practice where cloud costs are allocated back to the business units or teams that consumed the resources. Chargeback uses actual spending data tied to cost allocation tags, accounts, or projects to bill internal departments for their cloud usage.
- CI/CD
- Continuous Integration and Continuous Delivery (or Deployment). A set of practices that automate building, testing, and deploying code changes. CI merges code frequently and runs automated tests; CD automatically deploys validated changes to staging or production environments.
- CIDR
- Classless Inter-Domain Routing. A notation for specifying IP address ranges, written as an IP address followed by a slash and prefix length (e.g., 10.0.0.0/16). CIDR blocks define the IP address space of VPCs, subnets, and firewall rules in cloud networking.
- Cloud Agnostic
- An architecture or tooling approach designed to work across multiple cloud providers without modification. Cloud-agnostic strategies use abstraction layers, open standards (Kubernetes, Terraform), and portable formats to avoid vendor lock-in.
- CloudFormation
- AWS CloudFormation is an infrastructure-as-code service that provisions AWS resources using declarative JSON or YAML templates. CloudFormation manages dependencies between resources, supports rollback on failure, and maintains stack state. Azure's equivalent is ARM/Bicep; GCP's is Deployment Manager.
- Cloud Run
- A fully managed GCP service that runs stateless containers in response to HTTP requests or events. Cloud Run abstracts away infrastructure management, automatically scales to zero when idle, and charges only for actual request processing time. Similar to AWS App Runner and Azure Container Apps.
- Cluster
- A group of interconnected compute instances (nodes) that work together as a single system. In Kubernetes, a cluster consists of a control plane and worker nodes that run containerized workloads. Managed cluster services include Amazon EKS, Azure AKS, and GCP GKE.
- Cold Start
- The latency incurred when a serverless function is invoked after being idle, requiring the cloud provider to allocate resources, download the function code, and initialize the runtime. Cold starts typically add hundreds of milliseconds to seconds of delay and can be mitigated with provisioned concurrency.
- Committed Use Discount
- A pricing model offered by GCP where you commit to using a minimum level of resources for one or three years in exchange for significant discounts (up to 57% for compute, up to 70% for memory-optimized). Similar to AWS Reserved Instances and Azure Reservations.
- Compartment
- An Oracle Cloud Infrastructure (OCI) construct for organizing and isolating cloud resources. Compartments are hierarchical and allow you to apply policies, set budgets, and control access at different levels of the resource tree. Roughly equivalent to AWS accounts or Azure resource groups.
- Compliance
- Adherence to regulatory standards, industry frameworks, and internal policies governing how data is stored, processed, and protected in cloud environments. Common compliance frameworks include SOC 2, HIPAA, PCI-DSS, FedRAMP, ISO 27001, and GDPR.
- Container
- A lightweight, portable unit of software that packages application code with its dependencies, libraries, and runtime. Containers share the host OS kernel and are isolated from each other, making them faster to start and more resource-efficient than virtual machines. Docker is the most common container runtime.
- Control Plane
- The management layer of a cloud service or orchestration platform that handles API requests, scheduling, configuration, and state management. In Kubernetes, the control plane includes the API server, scheduler, and etcd. In cloud networking, the control plane manages routing tables and policies.
- CORS
- Cross-Origin Resource Sharing. A browser security mechanism that controls which web origins can access resources from a different domain. CORS configuration is required on cloud storage buckets, API gateways, and serverless function URLs when web applications make cross-origin requests.
- Cost Allocation
- The process of attributing cloud spending to specific teams, projects, applications, or cost centers. Cost allocation relies on tagging resources with metadata (e.g., team=platform, env=production) and using provider billing tools to break down spending by tag.
D
- Dashboard
- A visual interface that displays metrics, logs, and key performance indicators in real time. Cloud dashboards like Amazon CloudWatch Dashboards, Azure Monitor Workbooks, and GCP Cloud Monitoring Dashboards aggregate data from multiple sources into charts, graphs, and tables.
- Data Lake
- A centralized repository that stores structured, semi-structured, and unstructured data at any scale in its raw format. Data lakes use object storage (S3, GCS, ADLS Gen2) and enable analytics, machine learning, and data processing without upfront schema design.
- Data Plane
- The layer that handles the actual processing of user data and workloads, as opposed to the control plane that manages configuration. In networking, the data plane forwards packets; in Kubernetes, the data plane runs containers on worker nodes.
- Data Warehouse
- A managed analytics database optimized for running complex queries across large volumes of structured and semi-structured data. Data warehouses use columnar storage and massively parallel processing. Examples include Amazon Redshift, Azure Synapse Analytics, GCP BigQuery, and Snowflake.
- DDoS
- Distributed Denial of Service. An attack that floods a target with traffic from many sources to overwhelm its capacity and make it unavailable. Cloud providers offer DDoS protection through services like AWS Shield, Azure DDoS Protection, and GCP Cloud Armor.
- Deployment Slot
- An Azure App Service feature that creates a separate live instance of your application for staging, testing, or pre-production. You can swap deployment slots to promote a staging version to production with zero downtime and instant rollback.
- DevOps
- A set of practices that combines software development (Dev) and IT operations (Ops) to shorten the development lifecycle and deliver high-quality software continuously. DevOps emphasizes automation, CI/CD, infrastructure as code, monitoring, and collaboration between development and operations teams.
- Direct Connect
- A dedicated private network connection between your on-premises data center and a cloud provider, bypassing the public internet. AWS Direct Connect, Azure ExpressRoute, GCP Cloud Interconnect, and OCI FastConnect each offer dedicated connectivity with consistent latency and higher bandwidth.
- DNS
- Domain Name System. The internet's naming system that translates human-readable domain names (e.g., example.com) into IP addresses. Cloud DNS services like Amazon Route 53, Azure DNS, and GCP Cloud DNS provide managed, highly available DNS hosting with features like health checks and traffic routing.
- Document Database
- A NoSQL database that stores data as semi-structured documents, typically in JSON or BSON format. Document databases are flexible and schema-free, making them well-suited for content management, catalogs, and user profiles. Examples include Amazon DocumentDB, Azure Cosmos DB, MongoDB Atlas, and GCP Firestore.
- Drift
- The divergence between the actual state of deployed infrastructure and the desired state defined in infrastructure-as-code templates. Drift occurs when manual changes are made outside of the IaC workflow. Tools like Terraform plan, AWS Config, and Azure Policy detect configuration drift.
E
- EBS
- Amazon Elastic Block Store. A block storage service that provides persistent volumes for EC2 instances. EBS offers several volume types (gp3, io2, st1, sc1), each optimized for different performance characteristics. Volumes persist independently of the instance lifecycle and can be snapshotted for backups.
- EC2
- Amazon Elastic Compute Cloud. AWS's core virtual machine service that provides resizable compute capacity. EC2 offers hundreds of instance types across families optimized for general purpose, compute, memory, storage, accelerated computing, and high-performance computing workloads.
- Edge Computing
- A computing paradigm that processes data close to the source of data generation rather than in a centralized data center. Cloud edge services include AWS Outposts, Azure Stack Edge, GCP Distributed Cloud, and Lambda@Edge for running code at CDN edge locations.
- Egress
- Outbound data transfer from a cloud provider's network to the internet or another region. Cloud providers typically charge for egress traffic while ingress (inbound) is free. Egress costs can be a significant portion of cloud bills for data-intensive applications.
- Elastic IP
- A static public IPv4 address in AWS that you can associate with an EC2 instance or network interface. Elastic IPs persist across instance stop/start cycles and can be remapped to different instances for failover. Azure uses static public IP addresses; GCP uses static external IP addresses.
- Elasticity
- The ability of a cloud system to dynamically acquire and release resources as demand changes. Elastic systems scale out when demand increases and scale in when demand decreases, ensuring you only pay for what you use while maintaining performance.
- Encryption
- The process of encoding data so it can only be read by parties with the correct decryption key. Cloud services provide encryption at rest (stored data) and encryption in transit (data moving over networks). Cloud providers offer managed encryption using keys stored in services like AWS KMS, Azure Key Vault, and GCP Cloud KMS.
- Endpoint
- A URL or network address that exposes a cloud service for API calls or network access. VPC endpoints (AWS), private endpoints (Azure), and Private Service Connect (GCP) allow private connectivity to cloud services without traversing the public internet.
- Envelope Encryption
- A multi-layered encryption strategy where data is encrypted with a data encryption key (DEK), and the DEK is encrypted with a key encryption key (KEK) managed by a KMS. This approach limits the blast radius of key compromise and improves performance for large datasets.
- Ephemeral Storage
- Temporary storage attached to a compute instance that is lost when the instance is stopped, terminated, or restarted. Instance store volumes (AWS), temporary disks (Azure), and local SSDs (GCP) provide high-performance ephemeral storage for caches, buffers, and scratch data.
- ETL
- Extract, Transform, Load. A data integration process that extracts data from source systems, transforms it into a target format, and loads it into a destination such as a data warehouse. Cloud ETL services include AWS Glue, Azure Data Factory, and GCP Dataflow.
- Event Bus
- A serverless messaging service that routes events between applications, services, and AWS accounts based on rules. Amazon EventBridge, Azure Event Grid, and GCP Eventarc are managed event bus services that enable event-driven architectures without managing messaging infrastructure.
- Event-Driven Architecture
- A design pattern where state changes (events) trigger downstream processing. Components communicate asynchronously through events rather than direct API calls, improving decoupling and scalability. Common in serverless architectures using triggers, event buses, and message queues.
F
- FaaS
- Function as a Service. A serverless compute model where you deploy individual functions that execute in response to events. The cloud provider manages all infrastructure, scaling, and runtime. Examples include AWS Lambda, Azure Functions, GCP Cloud Functions, and OCI Functions.
- Fargate
- AWS Fargate is a serverless compute engine for containers that works with Amazon ECS and EKS. Fargate eliminates the need to manage EC2 instances for container workloads -- you specify CPU, memory, and networking, and Fargate handles the infrastructure. Azure Container Instances and GCP Cloud Run offer similar serverless container capabilities.
- Fault Domain
- A grouping of hardware within a data center that shares a single point of failure, such as a power source or network switch. Spreading workloads across fault domains reduces the risk of simultaneous failures. Oracle Cloud uses fault domains within availability domains; Azure uses fault domains within availability sets.
- Federation
- The practice of establishing trust between identity providers so users authenticated in one system can access resources in another without separate credentials. Cloud federation uses protocols like SAML 2.0 and OIDC to link corporate directories (Active Directory, Okta) to cloud IAM.
- FedRAMP
- Federal Risk and Authorization Management Program. A U.S. government compliance framework that standardizes the security assessment and authorization of cloud services used by federal agencies. Cloud providers maintain FedRAMP-authorized regions and services for government workloads.
- File Storage
- A storage type that organizes data in a hierarchical directory structure with folders and files, accessible via standard protocols like NFS or SMB. Cloud file storage services include Amazon EFS, Azure Files, GCP Filestore, and OCI File Storage.
- FinOps
- A cloud financial management discipline that brings together finance, engineering, and business teams to optimize cloud spending. FinOps practices include cost visibility, allocation, forecasting, rate optimization (reserved instances, savings plans), and rightsizing underutilized resources.
- Firewall
- A network security mechanism that controls inbound and outbound traffic based on defined rules. Cloud firewalls operate at different layers: network firewalls (AWS Network Firewall, Azure Firewall), security groups (instance-level), and web application firewalls (WAF) for HTTP traffic.
G
- GDPR
- General Data Protection Regulation. A European Union regulation governing the collection, processing, and storage of personal data for individuals in the EU. GDPR compliance affects cloud architecture decisions around data residency, encryption, access controls, and data subject rights.
- Geo-Redundancy
- A data protection strategy that replicates data across geographically distant regions to protect against regional disasters. Geo-redundant storage (Azure GRS), S3 Cross-Region Replication (AWS), and dual-region or multi-region Cloud Storage (GCP) provide geographic data durability.
- GitOps
- An operational framework where the desired state of infrastructure and applications is stored in Git repositories. Changes are made through pull requests, and automated controllers (Flux, ArgoCD) reconcile the actual state with the declared state in Git.
- Graph Database
- A database that stores data as nodes, edges, and properties, optimized for traversing relationships. Graph databases excel at social networks, recommendation engines, and fraud detection. Examples include Amazon Neptune, Azure Cosmos DB (Gremlin API), and Neo4j.
H
- HDD
- Hard Disk Drive. A mechanical storage device using spinning platters. In cloud storage, HDD-backed volumes offer lower cost per GB but higher latency and lower IOPS compared to SSD-backed volumes. Suitable for throughput-oriented workloads like large sequential reads.
- Health Check
- An automated probe that verifies whether a compute instance, container, or service endpoint is functioning correctly. Load balancers, container orchestrators, and DNS services use health checks to route traffic away from unhealthy targets and trigger auto-healing or replacement.
- HIPAA
- Health Insurance Portability and Accountability Act. A U.S. regulation that sets standards for protecting sensitive patient health information (PHI). Cloud providers offer HIPAA-eligible services and will sign Business Associate Agreements (BAAs) to support healthcare workloads.
- Horizontal Scaling
- Adding more instances or nodes to a system to handle increased load, also known as scaling out. Horizontal scaling distributes workload across multiple machines and is the primary scaling approach for stateless web applications and microservices. Contrasts with vertical scaling (scaling up) which adds resources to a single instance.
- HSM
- Hardware Security Module. A dedicated physical device for generating, storing, and managing cryptographic keys with tamper-resistant hardware. Cloud HSM services include AWS CloudHSM, Azure Dedicated HSM, and GCP Cloud HSM, used for regulatory compliance and high-security key management.
- Hybrid Cloud
- An architecture that combines on-premises infrastructure (or private cloud) with public cloud services, allowing data and applications to move between them. Hybrid cloud enables organizations to keep sensitive workloads on-premises while leveraging cloud elasticity for variable workloads.
- Hypervisor
- Software that creates and manages virtual machines by abstracting physical hardware. Cloud providers use hypervisors (Xen, KVM, Hyper-V, Nitro) to run multiple tenant VMs on shared physical servers. Type-1 hypervisors run directly on hardware; type-2 run on a host operating system.
I
- IaC
- Infrastructure as Code. The practice of managing and provisioning cloud resources through machine-readable configuration files rather than manual processes. IaC tools include Terraform, AWS CloudFormation, Azure Bicep, GCP Deployment Manager, and Pulumi.
- IAM
- Identity and Access Management. The framework of policies, services, and tools that control who (identity) can do what (access) on which resources. Every major cloud provider has an IAM service: AWS IAM, Azure Entra ID (formerly Azure AD), GCP IAM, and OCI IAM.
- Idempotent
- An operation that produces the same result regardless of how many times it is executed. Idempotency is critical in cloud automation and IaC -- running terraform apply or a CloudFormation update multiple times should not create duplicate resources or cause errors.
- Identity
- A unique representation of a user, service, or device within an IAM system. Cloud identities include user accounts, service accounts, managed identities, roles, and federated identities from external identity providers.
- Immutable Infrastructure
- An operational pattern where servers are never modified after deployment. Instead of patching in place, you build a new image, deploy it, and destroy the old instances. This ensures consistency and eliminates configuration drift.
- Ingress
- Inbound network traffic entering a cloud network or service. In Kubernetes, an Ingress resource defines rules for routing external HTTP/HTTPS traffic to services within the cluster. Cloud providers typically do not charge for data ingress.
- Instance
- A single virtual machine running in the cloud. The term is used by AWS (EC2 instances), GCP (Compute Engine instances), and OCI (compute instances). Azure uses the term virtual machine. Instances come in various types optimized for compute, memory, storage, or GPU workloads.
- Internet Gateway
- A horizontally scaled, highly available VPC component that enables communication between instances in a VPC and the internet. An internet gateway provides a target in route tables for internet-routable traffic and performs network address translation for instances with public IP addresses.
- IOPS
- Input/Output Operations Per Second. A performance metric for storage devices that measures how many read and write operations a disk can perform per second. IOPS is a critical metric when sizing block storage volumes for databases and latency-sensitive applications.
- ISO 27001
- An international standard for information security management systems (ISMS). ISO 27001 certification demonstrates that an organization has established systematic controls for managing information security risks. All major cloud providers maintain ISO 27001 certification.
J
- JSON
- JavaScript Object Notation. A lightweight data interchange format widely used in cloud APIs, configuration files, IAM policies, and infrastructure-as-code templates. AWS IAM policies, Azure ARM templates, and GCP resource configurations use JSON as a primary format.
K
- Key Pair
- A pair of cryptographic keys (public and private) used for SSH authentication to cloud compute instances. The public key is stored on the instance; the private key is kept by the user. Key pairs are used to securely log into EC2 instances, Azure VMs, and GCP Compute Engine instances.
- KMS
- Key Management Service. A managed service for creating, storing, rotating, and controlling access to encryption keys. AWS KMS, Azure Key Vault, and GCP Cloud KMS provide centralized key management with audit logging and integration with other cloud services for envelope encryption.
- Kubernetes
- An open-source container orchestration platform that automates deploying, scaling, and managing containerized applications across clusters of nodes. Managed Kubernetes services include Amazon EKS, Azure AKS, GCP GKE, and OCI Container Engine for Kubernetes (OKE).
L
- Label
- A key-value pair attached to GCP and Kubernetes resources for organization, filtering, and cost allocation. Labels serve the same purpose as tags in AWS and Azure. GCP resources support up to 64 labels per resource.
- Lambda
- AWS Lambda is Amazon's serverless compute service that runs code in response to events without provisioning or managing servers. The term is sometimes used colloquially to refer to serverless functions in general, though each provider has its own service (Azure Functions, GCP Cloud Functions).
- Landing Zone
- A pre-configured, multi-account cloud environment that follows best practices for security, networking, identity, and governance. Landing zones provide a foundation for organizations to deploy workloads at scale. Examples include AWS Control Tower, Azure Landing Zones, and GCP Landing Zone blueprints.
- Latency
- The time delay between a request being sent and the response being received, typically measured in milliseconds. In cloud architecture, latency is affected by geographic distance, network hops, processing time, and resource contention. Low latency is critical for real-time applications.
- Least Privilege
- A security principle that grants users and services only the minimum permissions required to perform their specific tasks. Implementing least privilege in cloud IAM reduces the blast radius of compromised credentials and limits the impact of accidental actions.
- Lifecycle Policy
- A set of rules that automatically transitions objects between storage tiers or deletes them after a specified period. Lifecycle policies reduce storage costs by moving infrequently accessed data to cheaper tiers (e.g., S3 Standard to S3 Glacier) and cleaning up expired data.
- Load Balancer
- A service that distributes incoming network traffic across multiple backend targets (instances, containers, functions) to improve availability and performance. Cloud load balancers operate at layer 4 (TCP/UDP) or layer 7 (HTTP/HTTPS). Examples include AWS ALB/NLB, Azure Load Balancer, and GCP Cloud Load Balancing.
- Logs
- Timestamped records of events generated by applications, operating systems, and cloud services. Log management services like Amazon CloudWatch Logs, Azure Monitor Logs, and GCP Cloud Logging collect, store, and analyze logs for troubleshooting, auditing, and compliance.
M
- Managed Database
- A database service where the cloud provider handles provisioning, patching, backups, replication, and scaling. Managed databases let you focus on application logic rather than database administration. Examples include Amazon RDS, Azure SQL Database, GCP Cloud SQL, and OCI Autonomous Database.
- Managed Identity
- An Azure feature that provides an automatically managed identity in Azure Entra ID for applications to use when connecting to Azure services. Managed identities eliminate the need to store credentials in code. AWS uses IAM roles attached to services; GCP uses service accounts.
- Message Queue
- A service that enables asynchronous communication between application components by storing messages in a queue until they are processed. Message queues decouple producers from consumers and handle traffic spikes. Examples include Amazon SQS, Azure Queue Storage, GCP Cloud Tasks, and RabbitMQ.
- Metadata
- Data that describes other data or resources. In cloud computing, metadata includes instance tags, resource labels, object metadata (content type, last modified), and service configuration attributes. Instance metadata services (IMDS) provide VMs with information about themselves.
- Metrics
- Quantitative measurements of system behavior collected at regular intervals, such as CPU utilization, request count, error rate, and latency percentiles. Cloud monitoring services ingest metrics from compute, storage, database, and application resources to enable dashboards and alerting.
- MFA
- Multi-Factor Authentication. A security mechanism that requires two or more verification factors (password, phone, hardware token, biometric) to authenticate. MFA is a critical security control for cloud accounts and should be enabled for all IAM users with console access.
- Microservices
- An architectural style that structures an application as a collection of loosely coupled, independently deployable services. Each microservice owns its data and communicates with others via APIs or events. Microservices are commonly deployed on Kubernetes or serverless platforms.
- Multi-AZ
- A deployment configuration that replicates resources across multiple availability zones within a region for high availability. Multi-AZ deployments are common for databases (RDS Multi-AZ), load balancers, and application instances to survive single-AZ failures.
- Multi-Cloud
- A strategy that uses services from two or more cloud providers simultaneously. Organizations adopt multi-cloud for best-of-breed service selection, geographic coverage, regulatory requirements, or to reduce dependence on a single vendor.
N
- Namespace
- A logical partition within a Kubernetes cluster that provides scope for resource names, resource quotas, and access policies. Namespaces enable multi-tenancy within a single cluster by isolating workloads for different teams, environments, or applications. They are a scoping and RBAC boundary, not a network boundary: by default pods in one namespace can reach pods in any other, so real isolation requires NetworkPolicy objects alongside namespace-scoped roles and quotas.
- NAT Gateway
- A managed network address translation service that allows instances in private subnets to initiate outbound connections to the internet while preventing inbound connections. NAT gateways are used when private resources need to download updates or call external APIs without being publicly accessible. A NAT gateway translates addresses but does not filter traffic, so egress control (for example to limit data exfiltration) needs a separate firewall or proxy in the path.
- Node
- A single compute instance (physical or virtual) that is part of a cluster. In Kubernetes, worker nodes run pods and are managed by the control plane. Node pools group nodes with the same configuration (instance type, OS, labels) for workload scheduling.
- NoSQL
- A category of databases that do not use traditional relational table schemas. NoSQL databases include key-value stores (DynamoDB, Redis), document databases (MongoDB, Firestore), wide-column stores (Cassandra, Bigtable), and graph databases (Neptune, Neo4j). They are chosen for flexibility, horizontal scalability, and specific access patterns.
- NSG
- Network Security Group. An Azure and OCI resource that contains a list of security rules allowing or denying inbound and outbound network traffic based on source, destination, port, and protocol. Rules carry a priority, can deny as well as allow, and evaluation stops at the first matching rule. NSGs are applied to subnets or individual network interfaces. Similar in purpose to AWS security groups, which are allow-only.
O
- Object Lock
- An immutability feature for cloud object storage that prevents objects from being deleted or overwritten for a specified retention period. S3 Object Lock offers two retention modes: in governance mode the retention can be shortened or removed by principals granted the s3:BypassGovernanceRetention permission, while in compliance mode no one, including the account root user, can delete or overwrite the object version until the retention period expires. A separate legal hold blocks deletion indefinitely. Object Lock is used to meet regulatory requirements such as SEC Rule 17a-4 and FINRA rules and to make backups resistant to ransomware. Azure offers immutable blob storage policies and GCP offers bucket retention policies with Bucket Lock.
- Object Storage
- A storage architecture that manages data as objects (files) with associated metadata and a unique identifier, rather than as blocks or files in a hierarchy. Object storage is massively scalable and used for backups, media, data lakes, and static website hosting. Examples include Amazon S3, Azure Blob Storage, GCP Cloud Storage, and OCI Object Storage.
- Observability
- The ability to understand the internal state of a system from its external outputs -- metrics, logs, and traces (the three pillars). Observability goes beyond monitoring by enabling engineers to ask new questions about system behavior without deploying new instrumentation.
- OCID
- Oracle Cloud Identifier. A unique identifier assigned to every resource in Oracle Cloud Infrastructure, following the format ocid1.<resource-type>.<realm>.[<region>].<unique-id>. Similar in purpose to AWS ARNs and Azure resource IDs.
- OIDC
- OpenID Connect. An identity layer built on top of OAuth 2.0 that allows applications to verify user identity and obtain profile information. Cloud providers use OIDC for federation, allowing Kubernetes pods, GitHub Actions, and other external systems to assume cloud IAM roles without long-lived credentials. The trust configuration must pin the issuer and the token's audience and subject claims; a subject condition that is too broad (for example matching every repository or branch in an organization) lets any workflow in that scope obtain the role's credentials.
- OLAP
- Online Analytical Processing. A data processing approach optimized for complex, read-heavy analytical queries across large datasets. OLAP systems (data warehouses, BI tools) use columnar storage and aggregation to support reporting and business intelligence workloads.
- OLTP
- Online Transaction Processing. A data processing approach optimized for high-volume, low-latency transactional operations like inserts, updates, and lookups. OLTP databases (MySQL, PostgreSQL, SQL Server) are designed for consistency and concurrency in applications like e-commerce and banking.
- On-Demand
- A cloud pricing model where you pay for compute, storage, or services by the second or hour with no upfront commitment or long-term contract. On-demand pricing offers maximum flexibility but is typically the most expensive option compared to reserved or spot pricing.
- Orchestration
- The automated coordination of multiple tasks, services, or containers to accomplish a workflow. Container orchestration (Kubernetes), workflow orchestration (AWS Step Functions, Azure Logic Apps), and infrastructure orchestration (Terraform) manage complex multi-step processes.
P
- Pay-As-You-Go
- A cloud billing model where you are charged only for the resources you consume, with no minimum commitments. Pay-as-you-go pricing is the default model for most cloud services and enables organizations to avoid upfront capital expenditure. Also called on-demand or consumption-based pricing.
- PCI-DSS
- Payment Card Industry Data Security Standard. A set of security requirements for organizations that handle credit card data. Cloud providers offer PCI-DSS compliant services and shared responsibility models that cover infrastructure controls while customers manage application-level security.
- Peering
- A networking arrangement that enables direct, private connectivity between two VPCs, virtual networks, or cloud accounts without routing traffic through the public internet. VPC peering (AWS), VNet peering (Azure), and VPC Network Peering (GCP) provide low-latency, high-bandwidth connections between networks. Peering is not transitive: a network peered with two others cannot forward traffic between them, which is one reason hub-and-spoke designs use a transit gateway instead.
- Pipeline
- An automated workflow that defines the steps for building, testing, and deploying software. CI/CD pipelines are defined as code and execute stages like source checkout, compilation, unit testing, integration testing, security scanning, and deployment to target environments.
- Pod
- The smallest deployable unit in Kubernetes, consisting of one or more containers that share the same network namespace, IP address, and storage volumes. Pods are scheduled onto nodes by the Kubernetes scheduler and managed by controllers like Deployments and StatefulSets.
- Policy
- A document (typically JSON or YAML) that defines permissions, rules, or governance controls in a cloud environment. IAM policies specify which actions are allowed or denied on which resources, optionally under conditions on the request context (source IP, tags, MFA state). In AWS, access is denied by default, an explicit Deny overrides any Allow, and every applicable policy type (identity, resource, permissions boundary, service control policy) must permit the request. Organizational policies enforce guardrails like region restrictions or required encryption.
- Portability
- The ability to move applications, data, and workloads between cloud providers or between cloud and on-premises environments with minimal effort. Portability is enhanced by using open standards, containers, Kubernetes, and infrastructure-as-code tools like Terraform.
- Preemptible Instance
- A GCP compute instance that runs on excess capacity at a steep discount (60-91% off) but can be terminated by Google with 30 seconds notice when capacity is needed; preemptible VMs also stop after at most 24 hours. GCP's newer Spot VMs offer the same discount and preemption behaviour without the 24-hour limit. Equivalent to AWS Spot Instances and Azure Spot VMs. Suitable for fault-tolerant, batch, and stateless workloads.
- Principal
- An entity (user, role, service account, federated identity) that is authenticated and can make requests to cloud services. IAM policies are attached to principals to define what actions they can perform on which resources.
- Private Link
- A networking feature that provides private connectivity from a virtual network to cloud services or partner services, routing traffic over the provider's backbone network instead of the public internet. Available as AWS PrivateLink, Azure Private Link, and GCP Private Service Connect.
- Private Subnet
- A subnet within a VPC that does not have a route to an internet gateway, making its resources inaccessible from the public internet. Private subnets are used for databases, application servers, and internal services that should not be directly exposed.
- Project
- The fundamental organizational unit in Google Cloud Platform. A GCP project contains resources, has its own IAM policies, and is associated with a billing account. Projects serve a similar purpose to AWS accounts or Azure subscriptions.
- Provisioned Concurrency
- A serverless feature that keeps a specified number of function instances pre-initialized and ready to respond immediately, eliminating cold start latency. Available in AWS Lambda and Azure Functions Premium plan. Increases cost but provides consistent low-latency responses.
- Public Subnet
- A subnet within a VPC that has a route to an internet gateway, allowing resources with public IP addresses to be accessed from the internet. Public subnets typically host load balancers, bastion hosts, and NAT gateways.
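As an added example (not code from any cloud provider or from this glossary), the following Python evaluator applies the rules stated in the Policy, Principal and OIDC entries above: implicit deny by default, an explicit Deny beats any Allow, and Condition blocks are checked against the request context. It runs two constructed cases: a GitHub Actions OIDC trust policy with a tight versus a loose subject condition, and an identity policy combined with a guardrail Deny. The policy documents, ARNs, repository names and claim values are made up; only StringEquals and StringLike are implemented and the Principal element is ignored, so it illustrates the evaluation logic and is not a substitute for the provider's policy simulator.

```python
"""Toy IAM-style policy evaluator (added example; not any provider's code).

Implements the evaluation rules from the Policy and OIDC glossary entries:
implicit deny, explicit Deny overrides Allow, Action/Resource wildcards,
and Condition operators StringEquals / StringLike checked against the
request context. Principal elements are ignored for brevity.
"""
import re


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wild(pattern: str, value: str) -> bool:
    """IAM-style glob: '*' matches any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _condition_ok(condition: dict, context: dict) -> bool:
    """Every operator/key pair must pass; a missing context key fails."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                return False
            actual = context[key]
            if operator == "StringEquals":
                ok = any(actual == e for e in _as_list(expected))
            elif operator == "StringLike":
                ok = any(_wild(e, actual) for e in _as_list(expected))
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def evaluate(policies, action: str, resource: str, context=None) -> str:
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    context = context or {}
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(_wild(a, action) for a in _as_list(stmt.get("Action", []))):
                continue
            # Trust policies carry no Resource element; treat that as '*'.
            if not any(_wild(r, resource) for r in _as_list(stmt.get("Resource", "*"))):
                continue
            if not _condition_ok(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # a matching Deny ends evaluation
            decision = "Allow"
    return decision


# Constructed trust policies for a role assumed by GitHub Actions via OIDC.
ISSUER = "token.actions.githubusercontent.com"
STRICT_TRUST = {"Statement": {
    "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
        "StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"},
        "StringLike": {f"{ISSUER}:sub": "repo:example-org/example-repo:ref:refs/heads/main"},
    }}}
LOOSE_TRUST = {"Statement": {
    "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringLike": {f"{ISSUER}:sub": "repo:example-org/*"}}}}

# Constructed identity policy plus an SCP-style guardrail Deny.
IDENTITY = {"Statement": {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::*"}}
GUARDRAIL = {"Statement": {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}}


def token_context(aud: str, sub: str) -> dict:
    """Map OIDC token claims to the condition keys the identity provider exposes."""
    return {f"{ISSUER}:aud": aud, f"{ISSUER}:sub": sub}


def demo() -> dict:
    assume = "sts:AssumeRoleWithWebIdentity"
    main_push = token_context("sts.amazonaws.com", "repo:example-org/example-repo:ref:refs/heads/main")
    pull_request = token_context("sts.amazonaws.com", "repo:example-org/example-repo:pull_request")
    wrong_aud = token_context("https://example.invalid", "repo:example-org/example-repo:ref:refs/heads/main")
    return {
        "strict_main": evaluate([STRICT_TRUST], assume, "*", main_push),               # Allow
        "strict_pull_request": evaluate([STRICT_TRUST], assume, "*", pull_request),    # ImplicitDeny
        "strict_wrong_audience": evaluate([STRICT_TRUST], assume, "*", wrong_aud),     # ImplicitDeny
        "loose_pull_request": evaluate([LOOSE_TRUST], assume, "*", pull_request),      # Allow: too broad
        "delete_bucket": evaluate([IDENTITY, GUARDRAIL], "s3:DeleteBucket", "arn:aws:s3:::prod-logs"),   # ExplicitDeny
        "get_object": evaluate([IDENTITY, GUARDRAIL], "s3:GetObject", "arn:aws:s3:::prod-logs/app.log"),  # Allow
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:24} {decision}")
```

The loose trust policy is the pattern to look for in review: any workflow in the organization, including one triggered by a pull request, satisfies `repo:example-org/*` and can assume the role, whereas the strict policy admits only the main branch of one repository and rejects a token minted for a different audience.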
Q
- Queue
- A message queuing service that decouples application components by storing messages until they are processed. Queues ensure reliable delivery and handle traffic bursts. Cloud queuing services include Amazon SQS, Azure Queue Storage, Azure Service Bus, and GCP Cloud Tasks.
R
- RBAC
- Role-Based Access Control. An authorization model where permissions are assigned to roles, and roles are assigned to users. RBAC simplifies permission management by grouping related permissions. Azure and Kubernetes use RBAC extensively; AWS achieves similar patterns through IAM groups and roles.
- RDS
- Amazon Relational Database Service. A managed service that simplifies deploying and operating relational databases (MySQL, PostgreSQL, MariaDB, Oracle, SQL Server, and Aurora) in the cloud. RDS handles provisioning, patching, backups, and replication.
- Read Replica
- A read-only copy of a database that receives asynchronous updates from the primary instance. Read replicas distribute read traffic across multiple database instances, improving query performance and availability. Supported by RDS, Azure SQL, GCP Cloud SQL, and most managed database services.
- Region
- A geographic area containing multiple isolated data centers (availability zones). Each cloud provider operates regions worldwide. Selecting a region affects latency, data residency, available services, and pricing. Resources in one region are independent of resources in another.
- Replication
- The process of copying data between storage locations, databases, or regions to improve durability, availability, and disaster recovery. Object stores replicate across availability zones within a region by default; same-region replication to a second bucket, cross-region replication, and cross-account replication are configured explicitly.
- Reserved Instance
- A pricing model where you commit to using a specific instance type in a specific region for one or three years in exchange for significant discounts (up to 72% off on-demand pricing). AWS and Azure offer reserved instances; GCP offers committed use discounts.
- Resource Group
- An Azure construct that logically groups related resources for unified management, access control, and billing. Every Azure resource must belong to exactly one resource group, and role assignments and policies applied to the group are inherited by its resources. Resource groups can contain resources from different regions. OCI's closest equivalent is the compartment.
- Rightsizing
- The FinOps practice of analyzing resource utilization data to recommend optimal instance types and sizes. Rightsizing identifies overprovisioned resources (paying for more CPU or memory than needed) and underprovisioned resources (impacting performance). Cloud providers offer rightsizing recommendations through cost management tools.
- Role
- An IAM entity that defines a set of permissions and can be assumed by users, services, or applications. Unlike user accounts, roles do not have permanent credentials. AWS IAM roles are assumed via STS; Azure roles are assigned through RBAC; GCP roles are bound to members in IAM policies.
- Rolling Update
- A deployment strategy that gradually replaces old instances of an application with new ones, a few at a time. Rolling updates maintain availability by ensuring some instances are always running during the deployment. This is the default strategy for Kubernetes Deployments.
- Route Table
- A set of rules (routes) that determine where network traffic is directed within a VPC. Each subnet is associated with a route table that specifies how traffic destined for specific CIDR blocks should be routed -- to an internet gateway, NAT gateway, VPN connection, peering connection, or other target.
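The Route Table, Private Subnet and Public Subnet entries describe the same mechanism from different angles: a subnet is public because its route table sends traffic to an internet gateway, and a VPC picks the most specific route. The Python below, an added example rather than provider code, performs that longest-prefix lookup over constructed route tables and classifies each subnet. The gateway identifiers follow AWS naming (igw-, nat-, pcx-, vgw-, eigw-) but every value is made up, and 203.0.113.0/24 stands in for an on-premises range.

```python
"""VPC route-table lookup and public/private subnet classification.

Added example, not provider code. Routes are (destination CIDR, target)
pairs as a VPC route table lists them; the most specific (longest prefix)
match wins. All identifiers and addresses below are constructed.
"""
import ipaddress


def lookup(routes, destination: str):
    """Return the target for a destination address, or None when no route
    matches (the VPC drops such packets)."""
    dst = ipaddress.ip_address(destination)
    best_net, best_target = None, None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        # Membership is False across IP versions, so v4 and v6 routes can mix.
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def igw_routes(routes):
    """Destination ranges that are routed to an internet gateway."""
    return [cidr for cidr, target in routes if target.startswith("igw-")]


def is_public(routes) -> bool:
    """A subnet is public when any route points at an internet gateway.

    The usual form is 0.0.0.0/0 -> igw-..., but any igw route exposes the
    subnet for that range. A NAT gateway (nat-) or egress-only gateway
    (eigw-) gives outbound reachability only and does not make it public.
    """
    return bool(igw_routes(routes))


def classify(routes) -> str:
    return "public" if is_public(routes) else "private"


# Constructed tables for one VPC (10.0.0.0/16) peered with 10.1.0.0/16 and
# connected to an on-premises range over a site-to-site VPN.
PUBLIC_RT = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "igw-0abc1234"),
]
PRIVATE_RT = [
    ("10.0.0.0/16", "local"),
    ("10.1.0.0/16", "pcx-0def5678"),     # peered VPC
    ("203.0.113.0/24", "vgw-0fed9876"),  # on-prem via VPN
    ("0.0.0.0/0", "nat-0123abcd"),       # everything else via NAT
    ("::/0", "eigw-0456cdef"),           # IPv6 egress only
]


def demo() -> dict:
    return {
        "public_subnet": classify(PUBLIC_RT),
        "private_subnet": classify(PRIVATE_RT),
        "to_onprem": lookup(PRIVATE_RT, "203.0.113.7"),    # /24 beats 0.0.0.0/0
        "to_internet": lookup(PRIVATE_RT, "198.51.100.1"),
        "to_peer": lookup(PRIVATE_RT, "10.1.4.20"),
        "to_local": lookup(PRIVATE_RT, "10.0.2.4"),
        "ipv6_out": lookup(PRIVATE_RT, "2001:db8::1"),
        "no_route": lookup([("10.0.0.0/16", "local")], "8.8.8.8"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15} {result}")
```

Running `igw_routes` over every route table in an account is a cheap audit: a table for a supposedly private subnet that returns anything is misclassified, even when the exposed range is narrower than 0.0.0.0/0.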
S
- S3
- Amazon Simple Storage Service. AWS's object storage service that offers virtually unlimited scalability, high durability (99.999999999%), and multiple storage classes for different access patterns. S3 is used for data lakes, backups, static websites, and application data.
- SAML
- Security Assertion Markup Language. An XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). SAML 2.0 is widely used for SSO into cloud consoles and SaaS applications from corporate identity providers.
- Savings Plan
- An AWS flexible pricing model that offers discounts (up to 72%) in exchange for committing to a consistent amount of compute usage (measured in dollars per hour) for one or three years. Savings Plans apply across instance families, regions, and services, offering more flexibility than Reserved Instances.
- Scaling Policy
- A rule that defines when and how an auto-scaling group should add or remove instances. Policies can be based on metrics (target tracking, step scaling), schedules (time-based), or predictive models. Proper scaling policies balance performance with cost efficiency.
- Secret
- A sensitive piece of information such as an API key, database password, certificate, or OAuth token. Cloud secrets management services (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager) store, rotate, and control access to secrets, eliminating the need to hardcode them in application code.
- Security Group
- A virtual firewall that controls inbound and outbound traffic for AWS EC2 instances and other resources. Security groups are stateful (return traffic is automatically allowed), operate at the instance or network-interface level, and contain allow rules only, so they cannot block a specific source; the default group also allows all outbound traffic. Similar in purpose to Azure and OCI Network Security Groups, which can additionally express deny rules.
- Serverless
- A cloud execution model where the provider dynamically manages the allocation and provisioning of servers. You write code and configure triggers; the provider handles scaling, patching, and infrastructure. Serverless services include functions (Lambda), databases (DynamoDB), and storage (S3).
- Service Account
- A non-human identity used by applications, VMs, and services to authenticate and authorize API calls to cloud services. Service accounts have their own credentials and IAM permissions. GCP and OCI use the term service account; AWS uses IAM roles for services; Azure uses managed identities. GCP service account keys are long-lived and downloadable, so workload identity (tokens minted for the running workload) is preferred over creating keys, and unused keys should be removed.
- Service Mesh
- A dedicated infrastructure layer that handles service-to-service communication in a microservices architecture. Service meshes provide traffic management, mutual TLS encryption, observability, and resiliency (retries, circuit breaking) without modifying application code. Examples include Istio, Linkerd, and AWS App Mesh.
- Sharding
- A database scaling technique that partitions data across multiple database instances (shards), each holding a subset of the data. Sharding improves write throughput and storage capacity by distributing the load. The shard key determines how data is distributed.
- Showback
- A FinOps practice similar to chargeback but informational only -- costs are reported to teams without actual billing. Showback creates cost awareness and accountability without the organizational overhead of internal fund transfers.
- SLA
- Service Level Agreement. A contractual commitment from a cloud provider specifying the minimum level of service (typically uptime percentage) and the financial credits available if the SLA is not met. Common SLAs range from 99.9% (8.7 hours downtime/year) to 99.999% (5.2 minutes downtime/year).
- SLI
- Service Level Indicator. A quantitative measurement of a specific aspect of service performance, such as request latency, error rate, or throughput. SLIs are the raw metrics used to determine whether an SLO is being met.
- SLO
- Service Level Objective. An internal target for service reliability, expressed as a percentage or threshold of a Service Level Indicator (e.g., 99.95% of requests complete in under 200ms). SLOs are typically more aggressive than external SLAs and guide engineering prioritization.
- Snapshot
- A point-in-time copy of a block storage volume or database. Snapshots capture the complete state of the volume and can be used to create new volumes, restore data, or replicate across regions. Snapshots are stored incrementally -- only changed blocks since the last snapshot are saved.
- SOC 2
- System and Organization Controls 2. An auditing framework that evaluates a service organization's controls related to security, availability, processing integrity, confidentiality, and privacy. SOC 2 reports are commonly requested during vendor security assessments for cloud services.
- Spot Instance
- An AWS EC2 instance that runs on spare compute capacity at discounts of up to 90% compared to on-demand pricing. Spot instances can be interrupted with a two-minute warning when AWS needs the capacity back. Ideal for fault-tolerant workloads like batch processing, CI/CD, and data analysis.
- SSD
- Solid State Drive. A storage device that uses flash memory with no moving parts, providing significantly lower latency and higher IOPS than HDDs. In cloud storage, SSD-backed volumes (gp3, io2 on AWS; Premium SSD on Azure) are used for databases, boot volumes, and latency-sensitive applications.
- SSO
- Single Sign-On. An authentication mechanism that allows users to log in once with a single set of credentials and access multiple applications and cloud accounts without re-authenticating. SSO is implemented using SAML 2.0 or OIDC and managed through services like AWS IAM Identity Center, Microsoft Entra ID, and Okta.
- Static Website Hosting
- The ability to serve static web content (HTML, CSS, JavaScript, images) directly from cloud object storage, eliminating the need for web servers. S3, Azure Blob Storage, GCP Cloud Storage, and Firebase Hosting all support static website hosting, often combined with a CDN for global delivery. Serving straight from a bucket requires public read access to its objects, so the safer pattern is to keep the bucket private and let the CDN fetch from it with an origin access control (CloudFront OAC, for example).
- Storage Class
- A tier within a cloud object storage service that offers different pricing for storage and access based on data access frequency. Common storage classes include hot (frequently accessed), warm (infrequent), cold (rare), and archive (long-term retention). Lifecycle policies can automatically transition objects between classes.
- Subnet
- A logical subdivision of a VPC's IP address range. Subnets are zonal in AWS (each subnet lives in one availability zone) and regional in GCP and Azure, and can be public (routed to the internet) or private (no direct internet access). Subnets segment network resources and apply different routing and security rules.
- Subscription
- The primary billing and organizational unit in Microsoft Azure. A subscription contains resource groups and resources, is associated with a billing account, and can have its own RBAC policies and spending limits. Similar to AWS accounts or GCP projects.
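The NSG and Security Group entries above contrast two firewall models: allow-only and stateful versus priority-ordered allow/deny with no connection tracking. The Python below is an added example (not provider code) that models both over the same constructed packets: an HTTPS request, its reply, and a probe from a scanner range. It shows why a stateless rule list must open the ephemeral port range for replies, why a security group cannot block a single source, and how a lower-numbered deny wins in the stateless model. Only TCP is modelled and every address and port is made up.

```python
"""Stateful security group vs stateless, priority-ordered rule list.

Added example, not provider code. Models TCP only, with rules reduced to
(CIDR, port range) and, for the stateless list, a priority and an
allow/deny action. Addresses and ports are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = arriving at the instance, "out" = leaving it
    src: str
    sport: int
    dst: str
    dport: int


def _in_cidr(address: str, cidr: str) -> bool:
    return ipaddress.ip_address(address) in ipaddress.ip_network(cidr)


def _peer(pkt: Packet) -> str:
    """The remote side of the packet, which is what rules match on."""
    return pkt.src if pkt.direction == "in" else pkt.dst


class SecurityGroup:
    """Allow-only and stateful: once a connection is admitted in one
    direction, its return packets pass without any rule."""

    def __init__(self, inbound, outbound):
        self.rules = {"in": inbound, "out": outbound}  # (cidr, port_lo, port_hi)
        self.flows = set()  # connection tracking table

    def check(self, pkt: Packet) -> bool:
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows:
            return True  # return traffic of a tracked connection
        peer = _peer(pkt)
        if any(_in_cidr(peer, c) and lo <= pkt.dport <= hi
               for c, lo, hi in self.rules[pkt.direction]):
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return False


class StatelessRules:
    """Network ACL / NSG style: numbered rules, lowest number first, first
    match decides, allow or deny, and no memory of earlier packets."""

    def __init__(self, inbound, outbound):
        # (priority, cidr, port_lo, port_hi, action)
        self.rules = {"in": sorted(inbound), "out": sorted(outbound)}

    def check(self, pkt: Packet) -> bool:
        peer = _peer(pkt)
        for _, cidr, lo, hi, action in self.rules[pkt.direction]:
            if _in_cidr(peer, cidr) and lo <= pkt.dport <= hi:
                return action == "allow"
        return False  # implicit deny


def demo() -> dict:
    request = Packet("in", "203.0.113.5", 51000, "10.0.1.10", 443)
    response = Packet("out", "10.0.1.10", 443, "203.0.113.5", 51000)
    scanner = Packet("in", "198.51.100.9", 40000, "10.0.1.10", 443)

    sg = SecurityGroup(inbound=[("0.0.0.0/0", 443, 443)], outbound=[])
    # Stateless list that mirrors the group but forgets the reply port range.
    broken = StatelessRules(
        inbound=[(100, "0.0.0.0/0", 443, 443, "allow")],
        outbound=[(100, "0.0.0.0/0", 443, 443, "allow")])
    fixed = StatelessRules(
        inbound=[(90, "198.51.100.0/24", 0, 65535, "deny"),  # scanner range first
                 (100, "0.0.0.0/0", 443, 443, "allow")],
        outbound=[(100, "0.0.0.0/0", 1024, 65535, "allow")])  # ephemeral ports for replies

    return {
        "sg_request": sg.check(request),            # True
        "sg_response": sg.check(response),          # True, no outbound rule needed
        "sg_scanner": sg.check(scanner),            # True: security groups cannot deny
        "broken_response": broken.check(response),  # False: reply to port 51000 not allowed
        "fixed_request": fixed.check(request),      # True
        "fixed_response": fixed.check(response),    # True
        "fixed_scanner": fixed.check(scanner),      # False: priority-90 deny wins
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

The `sg_scanner` result is the practical takeaway: blocking a noisy source needs the stateless layer (a network ACL or NSG deny rule), while the stateless layer in turn needs the wide ephemeral-port allow that the security group never had to state.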
T
- Tagging
- The practice of attaching key-value metadata labels to cloud resources for organization, cost allocation, access control, and automation. Tags like env=production, team=platform, and cost-center=engineering enable filtering, reporting, and policy enforcement across resources. Because tags can drive access decisions (ABAC) and automation, the ability to create or change them should itself be restricted; in AWS this is done with the aws:TagKeys and aws:RequestTag condition keys.
- Tenancy
- The root organizational container in Oracle Cloud Infrastructure (OCI) that holds all compartments, users, groups, and resources. A tenancy is created when you sign up for OCI and is associated with a home region. Similar to an AWS organization or Azure tenant.
- Terraform
- An infrastructure-as-code tool by HashiCorp that uses a declarative configuration language (HCL) to provision and manage resources across multiple cloud providers. Originally open source, Terraform has been under the source-available Business Source License since 2023; OpenTofu is the community fork that remains open source. Terraform maintains state files that track the current infrastructure and plans changes before applying them. State files often hold secrets (database passwords, generated keys) in plain text, so they belong in an access-controlled, encrypted remote backend rather than in version control.
- Throughput
- The amount of data transferred per unit of time, typically measured in MB/s or Gbps. Throughput is a critical metric for storage volumes, network links, and data pipelines. It differs from IOPS in that throughput measures volume of data while IOPS measures number of operations.
- Time Series Database
- A database optimized for storing and querying timestamped data points such as metrics, sensor readings, and financial ticks. Examples include Amazon Timestream, Azure Data Explorer, GCP Cloud Bigtable (for time series patterns), InfluxDB, and TimescaleDB.
- Traces
- Distributed traces that follow a request as it travels through multiple services, recording timing and metadata at each hop. Traces are essential for debugging latency issues in microservice architectures. Cloud tracing services include AWS X-Ray, Azure Application Insights, and GCP Cloud Trace.
- Transit Gateway
- A managed networking hub that connects multiple VPCs, VPNs, and on-premises networks through a central gateway. Transit gateways simplify network topology by replacing full-mesh peering with hub-and-spoke connectivity. Available as AWS Transit Gateway, Azure Virtual WAN, and GCP Network Connectivity Center.
- Trigger
- An event source that invokes a serverless function. Triggers can include HTTP requests, database changes, file uploads, message queue messages, scheduled timers, and stream events. The trigger type determines how the function receives its input payload.
U
- Universal Credits
- An Oracle Cloud pricing model where customers purchase credits that can be consumed across any OCI service. Universal credits provide flexibility to shift spending between services as needs change, with committed pricing offering discounts over pay-as-you-go rates.
- Uptime
- The percentage of time a service is operational and accessible. Uptime is the primary metric in SLAs. Common uptime targets include 99.9% (three nines, ~8.7 hours downtime/year), 99.99% (four nines, ~52 minutes/year), and 99.999% (five nines, ~5.2 minutes/year).
V
- Vendor Lock-In
- A situation where dependence on a specific cloud provider's proprietary services, APIs, or tools makes it difficult and costly to migrate to another provider. Lock-in increases with deeper use of provider-specific services. Mitigation strategies include IaC, containers, and open standards.
- Vertical Scaling
- Increasing the resources (CPU, memory, disk) of an existing instance to handle more load, also known as scaling up. Vertical scaling is simpler than horizontal scaling but has upper limits defined by the largest available instance type and typically requires a restart.
- Virtual Machine
- A software emulation of a physical computer that runs an operating system and applications on shared physical hardware via a hypervisor. VMs are the foundational compute unit in cloud computing. Each provider offers VM services: AWS EC2, Azure Virtual Machines, GCP Compute Engine, OCI Compute.
- VNet
- Virtual Network. Microsoft Azure's equivalent of a VPC, providing an isolated network environment in the cloud. VNets have their own address space, subnets, route tables, and network security groups. VNet peering enables connectivity between virtual networks.
- VPC
- Virtual Private Cloud. A logically isolated virtual network in the cloud where you launch resources. A VPC has its own IP address range (CIDR block), subnets, route tables, and network gateways. AWS and GCP use the term VPC; OCI calls it a Virtual Cloud Network (VCN) and Azure a Virtual Network (VNet).
- VPN
- Virtual Private Network. An encrypted tunnel between two networks over the public internet. Cloud VPN services (AWS Site-to-Site VPN, Azure VPN Gateway, GCP Cloud VPN) connect on-premises data centers to cloud VPCs, providing secure hybrid connectivity at lower cost than dedicated connections.
W
- WAF
- Web Application Firewall. A security service that filters and monitors HTTP/HTTPS traffic to web applications, protecting against attacks like SQL injection, cross-site scripting (XSS), and bot traffic. Cloud WAFs include AWS WAF, Azure Web Application Firewall, and GCP Cloud Armor.
- Warm Pool
- A pool of pre-initialized EC2 instances maintained by an Auto Scaling group to reduce the time it takes to scale out. Warm pool instances can be in a stopped or running state and are moved into the active group when scaling events occur, reducing launch latency.
- Well-Architected Framework
- A set of best practices and design principles published by cloud providers for building secure, performant, resilient, and cost-efficient architectures. AWS, Azure, GCP, and OCI each publish their own well-architected framework covering pillars like operational excellence, security, reliability, performance, cost optimization, and sustainability.
- Workload
- A distinct application, service, or set of processes running on cloud infrastructure. Workload is a general term used to describe anything from a single function to a complex multi-service application. Cloud governance and cost management tools organize resources by workload for visibility and control.
X
- X-Ray
- AWS X-Ray is a distributed tracing service that collects data about requests served by your application, providing an end-to-end view of request flow through microservices. X-Ray generates service maps and identifies performance bottlenecks and errors.
Y
- YAML
- YAML Ain't Markup Language. A human-readable data serialization format commonly used for configuration files in cloud computing. Kubernetes manifests, Ansible playbooks, CloudFormation templates, Azure Pipelines, and GitHub Actions workflows are typically written in YAML.
Z
- Zero Trust
- A security model that assumes no user, device, or network is inherently trustworthy and requires verification for every access request regardless of location. Zero trust principles include least-privilege access, microsegmentation, continuous verification, and the elimination of implicit trust based on network position.
- Zone
- In Google Cloud Platform, a zone is a deployment area within a region, equivalent to an availability zone in AWS and Azure. Each zone has independent power, cooling, and networking. Deploying across multiple zones within a region provides high availability.