Most cloud projects come down to the same handful of decisions: how
do you manage identity, store secrets, run containers, expose APIs,
back up data. Each cloud answers with a different service, model,
and set of footguns. This page maps the same problem to AWS, Azure,
and GCP — and the gotcha that bites you first.
10 patterns · 3 clouds · ~12 min read · Updated 2026
How to read this guide
Each pattern starts with the question. Three columns — AWS, Azure,
GCP — show what each cloud calls it, the shape of the
implementation, and the practical gotcha. The "Watch" line
at the bottom of each card is what you'll wish someone had told you
on day one.
The cloud isn't a commodity: the services have
similar names but different models. Most "multi-cloud" strategies
end up paying for the lowest common denominator and getting neither
cloud's best features. Pick one, then go deep.
01
Identity & SSO
Federated user identity for employees and partners.
AWS
IAM Identity Center
SAML/OIDC SSO across all accounts in an Organization. Permission sets are provisioned as IAM roles in each member account and assigned to users/groups. Integrates with external IdPs (Okta, Entra) as the identity source.
Watch: Multi-region replication is now supported but opt-in — you still pick a home region and configure the replicas. No global group sync; Entra/Okta is usually the source of truth.
Azure
Microsoft Entra ID
Native cloud directory plus SSO. Conditional access, MFA, SAML/OIDC apps, B2B/B2C. Tight Microsoft 365 integration.
Watch: Conditional access and Privileged Identity Management aren't in the base offering — confirm what's available in your subscription before designing around them.
GCP
Workforce Identity Federation + Cloud Identity
Federate any OIDC/SAML IdP into GCP without syncing users. Cloud Identity provides the directory if you don't bring your own.
Watch: Workforce pools (humans) vs workload identity pools (services) are different APIs — easy to confuse early on.
02
RBAC / IAM
Role-based access for cloud resources.
AWS
IAM (policies + roles)
JSON policies attached to identities or resources. Roles assumed via STS. SCPs at the org level set guardrails. Permission boundaries cap what a principal can do.
Watch: Effective permissions are the intersection of identity policy, resource policy, SCP, permission boundary, and session policy, and an explicit Deny in any one of them wins. Debugging takes the IAM Policy Simulator, or the AccessDenied message in CloudTrail, which names the policy type that blocked the call.
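The intersection rule above is easier to reason about when you can run it. The block below is an added example for this guide (not AWS code): a toy evaluator for a same-account request that applies the documented order of evaluation to plain policy dicts. It honours only Effect, Action and Resource (no Condition, NotAction or cross-account logic), and treats the SCPs you pass in as the already-intersected effective SCP for the account. The bucket name and policies are constructed for the demo.

```python
"""Toy evaluator for the AWS same-account policy-evaluation model (added example).

Rules implemented, in the order AWS documents them for a same-account request:
  1. an explicit Deny in ANY applicable policy wins;
  2. if SCPs are present, they must Allow (inputs are the effective SCP set);
  3. if a permission boundary is present, it must Allow;
  4. if a session policy is present, it must Allow;
  5. either an identity-based policy or the resource policy must Allow.
Only Effect/Action/Resource are honoured; Condition and NotAction are ignored.
"""
from fnmatch import fnmatchcase


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(statement, action, resource):
    """True if the statement's Action and Resource patterns cover the request."""
    acts = _as_list(statement.get("Action", []))
    ress = _as_list(statement.get("Resource", "*"))
    # IAM action names match case-insensitively; ARNs are case-sensitive.
    act_ok = any(fnmatchcase(action.lower(), a.lower()) for a in acts)
    res_ok = any(fnmatchcase(resource, r) for r in ress)
    return act_ok and res_ok


def _decision(policies, action, resource):
    """Return 'Deny', 'Allow' or 'Implicit' for one group of policy documents."""
    verdict = "Implicit"
    for pol in policies:
        for st in _as_list(pol.get("Statement", [])):
            if _matches(st, action, resource):
                if st.get("Effect") == "Deny":
                    return "Deny"          # explicit deny short-circuits
                verdict = "Allow"
    return verdict


def evaluate(action, resource, *, identity=(), scps=(), boundary=None,
             session=None, resource_policy=None):
    groups = {
        "identity": list(identity),
        "scps": list(scps),
        "boundary": [boundary] if boundary else [],
        "session": [session] if session else [],
        "resource": [resource_policy] if resource_policy else [],
    }
    results = {name: _decision(p, action, resource) for name, p in groups.items()}
    if any(r == "Deny" for r in results.values()):
        return "Deny: explicit deny"
    # Gates that must each Allow when present (the "intersection" part).
    for gate in ("scps", "boundary", "session"):
        if groups[gate] and results[gate] != "Allow":
            return f"Deny: {gate} does not allow"
    # Same-account: identity OR resource policy may grant.
    if results["identity"] == "Allow" or results["resource"] == "Allow":
        return "Allow"
    return "Deny: implicit (no policy allows)"


# --- constructed demo inputs (not from any real account) ---
APP = "arn:aws:s3:::app-bucket/report.csv"
OTHER = "arn:aws:s3:::other-bucket/x"
IDENTITY = {"Statement": [{"Effect": "Allow", "Action": "s3:*",
                           "Resource": "arn:aws:s3:::app-bucket/*"}]}
BOUNDARY = {"Statement": [{"Effect": "Allow",
                           "Action": ["s3:GetObject", "s3:PutObject"],
                           "Resource": "*"}]}
SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                     {"Effect": "Deny", "Action": "s3:PutObject", "Resource": "*"}]}
OTHER_BUCKET_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                                      "Resource": "arn:aws:s3:::other-bucket/*"}]}


def demo():
    common = dict(identity=[IDENTITY], scps=[SCP], boundary=BOUNDARY)
    return {
        "get_app": evaluate("s3:GetObject", APP, **common),
        "delete_app": evaluate("s3:DeleteObject", APP, **common),   # boundary gap
        "put_app": evaluate("s3:PutObject", APP, **common),         # SCP deny
        "get_other": evaluate("s3:GetObject", OTHER, **common),     # nothing allows
        "get_other_via_bucket_policy": evaluate(
            "s3:GetObject", OTHER, **common, resource_policy=OTHER_BUCKET_POLICY),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:28} {v}")
```

Run it and note which layer produced each denial: the same action can fail for four different reasons, which is exactly why "it has s3:* in its policy" is never a complete answer during an incident.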
Azure
Azure RBAC
Built-in or custom roles assigned at a scope (mgmt group → subscription → resource group → resource). Role assignments inherit downward.
Watch: Azure RBAC governs the control plane; several data planes still carry their own authorization (storage account keys and SAS tokens, legacy Key Vault access policies), and the classic subscription administrator roles were only retired in 2024. Two models side-by-side is confusing when migrating older subscriptions.
GCP
IAM (predefined + custom roles)
Roles bound at org / folder / project / resource. Strong predefined role library covers most needs without custom roles.
Watch: Project-level over-permissioning is the most common drift. Use folders and IAM Conditions for scoped grants instead of broad ones.
03
Secrets & Key Management
Storing application secrets and managing encryption keys.
AWS
Secrets Manager + KMS
Secrets Manager for rotated app secrets (DB creds, API keys); KMS for encryption keys with key policies and grants. Tight integration with RDS, Lambda, etc.
Watch: Both are per-region. Cross-region replication is explicit, not automatic — plan for it if you need DR.
Azure
Key Vault
Single service for secrets, keys, and certificates. RBAC is the recommended (and now default) authorization model for new vaults; legacy vault access policies still work but are no longer the path forward.
Watch: Throttling kicks in at scale (per-vault transaction limits). Firewall rules on the vault are easy to misconfigure and lock yourself out.
GCP
Secret Manager + Cloud KMS
Two services: Secret Manager for app secrets with versioning, Cloud KMS for keys (with an HSM protection level validated to FIPS 140-2 Level 3). Rotation schedules are supported via Pub/Sub notifications.
Watch: The replication policy (automatic multi-region vs user-managed regional) is set when the secret is created and can't be changed afterwards. Pick deliberately based on availability and data-residency needs.
04
Backups & Disaster Recovery
Durable backups with point-in-time restore and cross-region copy.
AWS
AWS Backup
Centralized backup across EC2, RDS, EBS, EFS, DynamoDB, S3, and more. Backup vaults, retention rules, and cross-region/cross-account copy.
Watch: Service coverage isn't uniform — check the support matrix. Vault Lock for compliance is one-way; you can't undo it.
Azure
Azure Backup + Site Recovery
Recovery Services Vault for backups (VMs, files, SQL); Azure Site Recovery for cross-region DR replication and orchestrated failover. The classic VMware/physical ASR experience has been retired — new deployments use the modernized agent-based path.
Watch: Two products with separate models. ASR has its own RPO/RTO knobs and replication mechanics — don't confuse it with Backup.
GCP
Backup and DR Service
Unified backup and DR for Compute Engine VMs, databases, and file systems. Application-consistent snapshots, retention policies, restore orchestration.
Watch: Newer than its peers; service coverage is still expanding. Check support before designing around it for niche workloads.
05
Object Storage
Durable, scalable blob storage with tiering.
AWS
S3
Buckets and objects, lifecycle policies, multiple storage classes (Standard / IA / Glacier), versioning, replication. The most mature ecosystem of any cloud service.
Watch: Bucket names are globally unique. Public access is a footgun unless Block Public Access is enabled at the account level; buckets created since April 2023 get it on by default, but older buckets and the account-level setting still need checking.
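Knowing whether a bucket policy is actually public, and whether Block Public Access neutralises it, is a check worth scripting. The block below is an added example for this guide (not AWS code) that applies AWS's definition of a "public" statement (Allow to everyone, not narrowed by one of a fixed set of condition keys) to a policy document, then combines it with the PublicAccessBlock settings. The condition-key list is a subset of the documented one, and the sample policy, bucket names and account ID are constructed.

```python
"""Classify S3 bucket-policy statements as public and check whether Block Public
Access neutralises them (added example; input shapes follow GetBucketPolicy and
GetPublicAccessBlock, but nothing here calls AWS)."""
import json

# Condition keys that make an Allow-to-everyone statement NOT public in AWS's
# classification. Subset of the documented list (assumption for this example).
SCOPING_CONDITION_KEYS = {
    "aws:principalaccount", "aws:principalarn", "aws:principalorgid",
    "aws:principalorgpaths", "aws:sourceaccount", "aws:sourcearn",
    "aws:sourceip", "aws:sourcevpc", "aws:sourcevpce", "aws:userid",
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _grants_to_everyone(principal) -> bool:
    """Principal "*" or {"AWS": "*"} (possibly in a list) means anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def _is_scoped(condition) -> bool:
    """Condition looks like {"StringEquals": {"aws:SourceVpce": "vpce-..."}}."""
    for operator_block in (condition or {}).values():
        for key in operator_block:
            if key.lower() in SCOPING_CONDITION_KEYS:
                return True
    return False


def public_statements(policy_json: str) -> list:
    """Return the Sids of statements AWS would classify as public."""
    policy = json.loads(policy_json)
    found = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if not _grants_to_everyone(st.get("Principal")):
            continue
        if _is_scoped(st.get("Condition")):
            continue
        found.append(st.get("Sid", "<no sid>"))
    return found


def is_exposed(policy_json: str, public_access_block: dict) -> bool:
    """True if the policy is public AND Block Public Access does not stop it.

    RestrictPublicBuckets makes S3 ignore public-policy grants for anonymous and
    cross-account principals, so it is the setting that matters at read time.
    BlockPublicPolicy only rejects *new* public policies on PutBucketPolicy; a
    policy that predates it still grants access.
    """
    if not public_statements(policy_json):
        return False
    return not public_access_block.get("RestrictPublicBuckets", False)


# --- constructed sample inputs ---
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"},
        {"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        {"Sid": "PartnerAccount", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-assets"},
    ],
})
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy",
            "RestrictPublicBuckets")
BPA_OFF = {k: False for k in BPA_KEYS}
BPA_ON = {k: True for k in BPA_KEYS}

if __name__ == "__main__":
    print("public statements:", public_statements(SAMPLE_POLICY))
    print("exposed with BPA off:", is_exposed(SAMPLE_POLICY, BPA_OFF))
    print("exposed with BPA on: ", is_exposed(SAMPLE_POLICY, BPA_ON))
```

In a real sweep you would feed this the output of `get_bucket_policy` and `get_public_access_block` for every bucket, and also fetch the account-level configuration, since the bucket-level block can be absent while the account-level one still applies.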
Azure
Blob Storage
Storage accounts contain containers, which contain blobs. Hot / Cool / Cold / Archive tiers. Hierarchical namespace turns it into ADLS Gen2 for data lakes.
Watch: The storage account is the security and limits boundary, not the container. Account-level egress and IOPS limits matter at scale.
GCP
Cloud Storage (GCS)
Buckets and objects, with regional / dual-regional / multi-regional location types. Storage classes (Standard / Nearline / Coldline / Archive) for tiering.
Watch: Location type is set at bucket creation and is not changeable. Pick based on actual access pattern, not "just in case."
06
Managed Databases
Managed relational and NoSQL options.
AWS
RDS / Aurora + DynamoDB
RDS for managed Postgres/MySQL/etc. Aurora for cloud-native scale and read replicas. DynamoDB for serverless KV/NoSQL with single-digit-ms reads.
Watch: Aurora storage scales transparently, so storage and I/O spend surfaces in production rather than at design time. DynamoDB capacity modes (on-demand vs provisioned) trade flexibility for predictable throughput and cost; match the mode to the traffic shape.
Azure
Azure SQL / Postgres + Cosmos DB
Azure SQL Database (PaaS, SQL Server engine — not full instance compatibility; use SQL Managed Instance for that). Managed Postgres/MySQL. Cosmos DB for multi-model NoSQL — APIs for NoSQL/document, MongoDB, Cassandra, Gremlin (graph), Table, and PostgreSQL — with global distribution.
Watch: DTU vs vCore service models behave differently under load — pick based on workload predictability. Cosmos DB's RU (request unit) model surprises beginners — runaway queries throttle hard.
GCP
Cloud SQL / AlloyDB + Spanner / Firestore
Cloud SQL for managed Postgres/MySQL, AlloyDB for Postgres-compatible scale. Spanner for globally consistent SQL. Firestore for document NoSQL.
Watch: Spanner is brilliant but operationally heavy — minimum node footprint runs even at idle. Choose only when global strong consistency genuinely earns it.
07
Container Orchestration
Managed Kubernetes for production workloads.
AWS
EKS (or ECS)
EKS for upstream Kubernetes; ECS for AWS-native scheduling without K8s overhead. Fargate runs both serverlessly (no nodes to manage).
Watch: The EKS control plane is billed per cluster-hour whether you schedule pods on it or not. Node group management (or Karpenter) is on you unless you go Fargate.
Azure
AKS
Managed Kubernetes with deep Entra ID and Azure RBAC integration. Workload identity gives pods their own credentials without baked-in secrets.
Watch: Pick networking deliberately at cluster creation. Kubenet is being retired; Azure CNI Overlay (optionally with the Cilium dataplane) is the long-term path, and the migration to it is one-way.
GCP
GKE (Standard or Autopilot)
GKE Standard gives you nodes; Autopilot fully manages capacity per pod (no nodes to think about). Strong upstream alignment and release channels.
Watch: Autopilot's pod restrictions (privileged mode, some DaemonSets, host network) bite when you need them. Read the limits before committing.
08
API Gateway
A managed front door for HTTP/HTTPS APIs.
AWS
API Gateway (REST or HTTP) + AppSync
REST API for the full feature set (request validation, transformations, native WAF). HTTP API is leaner and cheaper but does not natively integrate AWS WAF — you front it with CloudFront if you need it. AppSync for managed GraphQL. Native Lambda integration on all three.
Watch: REST and HTTP APIs have different feature sets — not a drop-in swap. Pick based on which features you actually need, not "just in case."
Azure
API Management (APIM)
Full API lifecycle gateway: developer portal, policies (XML-based), versioning, products, subscriptions. Strong B2B and partner-facing story.
Watch: Service tiers gate major features (VNet integration, multi-region, zone redundancy) — pick deliberately at provisioning, not after.
GCP
API Gateway + Apigee
API Gateway is lightweight (good for serverless backends). Apigee is the enterprise option: full lifecycle, monetization, deep analytics.
Watch: Apigee is enterprise-grade and operationally heavy. API Gateway is much more limited — pick deliberately based on lifecycle needs.
09
Networking (VPC)
Private virtual networks, subnets, peering, and transit.
AWS
VPC + Transit Gateway
Per-region VPCs with subnets per AZ. Transit Gateway for hub-and-spoke between many VPCs. PrivateLink for exposing services without VPC peering.
Watch: Route tables and security groups are separate concerns; both must align for traffic to flow. NACLs add a third, stateless layer that's easy to forget: return traffic needs its own ephemeral-port rule.
Azure
VNet + Virtual WAN
VNet per region with subnets. NSGs for security at subnet/NIC level. Virtual WAN as a managed hub for many-VNet topologies and on-prem connectivity.
Watch: VNet peering is non-transitive by default. You need Virtual WAN, an NVA, or hub-spoke routing to forward across.
GCP
VPC (global by default)
A single VPC spans all regions, with regional subnets. Private Service Connect for service exposure. Shared VPC for centralized network ownership.
Watch: Shared VPC vs standalone VPC choice affects org-wide IAM. Switching later is painful — decide early.
10
Observability
Logs, metrics, traces, and alerts.
AWS
CloudWatch + X-Ray
CloudWatch for logs, metrics, alarms, dashboards. CloudWatch Logs Insights for ad-hoc log queries. X-Ray for distributed tracing.
Watch: Log volume grows fast without source-level filtering. Set retention deliberately per log group; the default is "never expire."
Azure
Azure Monitor (Log Analytics + App Insights)
Unified umbrella. Application Insights for app telemetry (auto-instrumentation for .NET/Node). Log Analytics workspace for KQL queries across all sources.
Watch: Log Analytics ingest grows uncontrollably without source-level filtering. Prune verbose logs before they hit the workspace.
GCP
Google Cloud Observability (Logging, Monitoring, Trace)
Integrated logging, metrics, and tracing. Strong defaults for GKE/GCE workloads. Log-based metrics let you build alerts from log patterns.
Watch: Default retention differs per log bucket (_Default keeps 30 days; _Required keeps 400 days and can't be changed). Set explicit retention per bucket and configure Log Router sinks to send only what you need.
Pick the cloud, then commit to its model
Cross-cloud portability is alluring and rarely worth the trade-off. Most
teams that try to stay neutral pay for the lowest common denominator
and get neither cloud's best features.
Pick the cloud whose model fits your team's existing knowledge, your
compliance posture, and your scaling profile — then go all-in on
its services. The savings come from depth, not breadth.