Course 5 · Tooling

Cloud Fundamentals

Your mini-platform runs on your laptop today, but in production it runs on someone else's computers — the cloud. This chapter demystifies what "the cloud" actually is for a data engineer: a handful of rentable building blocks (storage, compute, identity) plus a billing model and a security model you have to understand. No paid account required; we reason from the local stack you already built.

Why the cloud: rent instead of own

For decades, running software meant buying physical servers, racking them in a room, and operating them yourself. The cloud's pitch is simple: stop owning hardware and start renting it by the hour from a provider — Amazon Web Services (AWS), Google Cloud (GCP), Microsoft Azure — who runs gigantic data centers and rents you slices of them over the internet. Three things make this transformative for data work:

  • Elasticity. You can ask for 100 machines for one hour to crunch a huge job, then give them back. You pay for the hour, not the machines. Your storage can grow from a gigabyte to a petabyte without you provisioning a single disk. The capacity scales up and down on demand — something owned hardware can never do.
  • Managed services. The provider doesn't just rent you a bare server; it rents you a running database, a running message queue, a running data warehouse — patched, backed up, and kept alive by their engineers. You operate less and build more. Someone else is on call at 3am when the database disk fills up.
  • Speed. Provisioning a server used to take weeks of purchasing. Now it's an API call that returns in seconds. You can spin up an entire platform, try an idea, and tear it down before lunch.
The mental shift

The old world thought in terms of assets you own and depreciate. The cloud world thinks in terms of resources you rent and release. The deep skill isn't memorizing service names — it's learning to provision the right capacity when you need it and, just as importantly, turn it off when you don't.

The tradeoff is real, so name it honestly. Renting can be more expensive than owning if you run resources 24/7 at steady load (the meter never stops). And building on a provider's proprietary managed services creates lock-in — moving your platform from BigQuery to Redshift later is real work, not a config flip. Most teams accept these tradeoffs because elasticity and not operating databases are worth it — but you accept them with eyes open.

Service models & the shared-responsibility model

Cloud offerings sit on a spectrum of "how much does the provider operate for you." The classic three-letter labels describe where the line falls:

ModelYou get…You still manage…Example
IaaS
Infrastructure as a Service
Raw virtual machines, disks, networksThe OS, runtime, your app, scaling, patching the OSEC2 instance (AWS), Compute Engine VM (GCP)
PaaS
Platform as a Service
A managed runtime/service — you bring code or dataJust your code/data and its configBigQuery, Cloud Run, managed Airflow
SaaS
Software as a Service
A finished application you just useNothing operational — only your settings and dataSnowflake, Gmail, Datadog

The further down this list you go, the less you operate and the more you pay the provider to operate for you. A data engineer's life is mostly PaaS — managed warehouses, managed orchestration, managed storage — with occasional IaaS when you need a plain VM.

Underlying all of this is the single most important security idea in the cloud: the shared-responsibility model. Security is a partnership. The provider secures the cloud; you secure what you put in it. The line moves depending on the service model:

IaaS (more yours) SaaS (more theirs) ◀──────────────────────────────────────────────────────────────────▶ YOU secure: your data · access (IAM) · app config · encryption choices ─────────────────────────────────────────────────────── PROVIDER the physical data center · hardware · hypervisor · secures: network backbone · the managed service's internals Rule of thumb: "Security OF the cloud" = provider "Security IN the cloud" = YOU
⚠ The part everyone forgets

The provider keeps the data center locked and the hardware patched — but they will not stop you from making your data public. The most common cloud data breach is an object-storage bucket left open to the world by its owner. "Your data and who can access it" is always on your side of the line, no matter how managed the service is.

The core primitives a data engineer actually uses

Each provider has hundreds of services, which is intimidating until you realize a data platform leans on just a few categories. Learn these four and you can read 90% of architecture diagrams. Think of them as the building blocks your mini-platform's components map onto.

┌─────────────┐ ┌─────────────┐ ┌──────────────┐ ┌──────────────────┐ │ OBJECT │ │ COMPUTE │ │ MANAGED │ │ MANAGED DATA │ │ STORAGE │──▶│ VMs / │──▶│ WAREHOUSE │ │ SERVICES │ │ (the lake) │ │ containers/ │ │ (analytics │ │ (Kafka, Airflow, │ │ S3 · GCS │ │ functions │ │ SQL at │ │ orchestration) │ └─────────────┘ └─────────────┘ │ scale) │ └──────────────────┘ store bytes run your code └──────────────┘ glue & move data cheaply, forever on rented CPU query it

1. Object storage — the backbone of the data lake

Object storage holds files ("objects") in flat containers called buckets, addressed by a key (a path-like name). It is cheap, effectively infinite, and durable (the provider replicates copies for you). It is not a filesystem and not a database — you put and get whole objects over HTTP. Almost every modern data lake is "Parquet files sitting in object storage," and nearly every other service reads from and writes to it. The names: S3 on AWS, Google Cloud Storage (GCS) on GCP. You've already met the local stand-in: MinIO in your mini-platform speaks the S3 API, so the bucket reasoning you learned there transfers directly.

2. Compute — running your code

Three flavors, from most to least that you manage:

  • Virtual machines (VMs) — a whole rented computer you SSH into and run anything on. Maximum control, you patch the OS. (EC2 / Compute Engine.)
  • Containers — your Docker image from Chapter 02, run on managed infrastructure without you owning a VM. (ECS/EKS / Cloud Run/GKE.)
  • Serverless functions — you upload just a function; the provider runs it on demand and bills per invocation. No servers to think about. (Lambda / Cloud Functions.)

3. Managed warehouses — analytics SQL at scale

The columnar analytical databases from Course 3, run for you and scaled to terabytes: Redshift (AWS), BigQuery (GCP), and the cross-cloud Snowflake. You load data and write SQL; the provider handles the distributed engine underneath. This is usually the heart of a production data platform.

4. Managed data services — the glue

The moving parts of a pipeline, operated for you: managed streaming (MSK = managed Kafka on AWS, Pub/Sub on GCP), and managed orchestration (MWAA = managed Airflow on AWS, Cloud Composer on GCP). Instead of running Kafka or Airflow yourself, you rent a running, patched instance.

ConceptAWSGCPYour local stand-in
Object storage (data lake)S3Cloud Storage (GCS)MinIO
Virtual machineEC2Compute Engineyour laptop
Run a containerECS / EKSCloud Run / GKEDocker / Compose
Serverless functionLambdaCloud Functions
Data warehouseRedshiftBigQueryPostgres / DuckDB
Managed streamingMSK (Kafka)Pub/Sublocal Kafka container
Managed orchestrationMWAA (Airflow)Cloud ComposerDagster/Airflow container
Why this table is your superpower

Job posts and architecture diagrams name the products, but the concepts are the same everywhere. When you see "we use Pub/Sub and Composer feeding BigQuery," you should now read it as "managed streaming and orchestration feeding a warehouse" — and know exactly what each piece does.

Identity & access management (IAM)

If object storage is the backbone, IAM is the nervous system — and the part beginners struggle with most. IAM answers one question for every action in the cloud: "Is this identity allowed to do this thing to this resource?" Three words you'll use constantly:

TermWhat it is
Identity (user / service account)Who is acting — a human user, or a machine identity that a service uses (e.g. your Airflow job's account).
RoleA bundle of permissions an identity can assume. Instead of granting a human raw keys, you grant them a role.
PolicyThe actual rules — a document saying "identity X may perform action Y on resource Z." Attaching a policy is how permission is granted.

The governing principle is least privilege: grant the minimum permission needed to do the job, and nothing more. Your nightly pipeline that writes one bucket should be able to write that one bucket — not read every bucket, not delete databases, not create users. Least privilege limits the blast radius when (not if) a credential leaks.

Why "Access Denied" is a rite of passage

IAM is the #1 security surface in the cloud — and the #1 source of confusing errors. When something can't reach a bucket or run a query, the cause is almost always a missing or too-narrow policy. The instinct to "just give it admin to make it work" is exactly the instinct least privilege exists to fight. Read the error, find the specific action it was denied, and grant that — not everything.

Regions & availability zones

The cloud isn't one place. Providers split the planet into regions (e.g. us-east-1, europe-west1) — geographic areas where they operate data centers. Each region contains several availability zones (AZs): physically separate data centers, close enough for fast links but isolated so a fire or power loss in one doesn't take down the others. Spreading a system across AZs is how you survive a single data center failing. Three things every data engineer weighs when choosing a region:

  • Latency. Data and compute should live near each other and near your users. A query reaching across an ocean to its storage is needlessly slow.
  • Data residency. Laws often require certain data to physically stay in a country or bloc (EU personal data under GDPR, for instance). The region you pick decides where bytes actually live — recall the export-control and residency constraints from the systems-design chapter; region choice is how you honor them.
  • Cost & availability. Prices and the menu of available services differ between regions; the newest service may not be everywhere yet.
⚠ Region is not just a dropdown

Choosing a region is a compliance and architecture decision, not a cosmetic one. Putting EU citizens' personal data in a US region can be an actual legal violation, and moving data between regions later is slow and costs egress fees. Decide deliberately, early.

The cost model — and why platforms get expensive fast

The cloud bills pay-per-use: storage by the gigabyte-month, compute by the second or hour, queries by the data scanned or by uptime. Used well, you pay only for what you consume. Used carelessly, the bill is a horror story — and data platforms are especially prone to surprise costs. The classic gotchas:

GotchaWhat happensThe fix
Egress / data transferGetting data out of a region or the provider costs money (ingress is usually free). Cross-region copies and chatty pipelines rack it up quietly.Keep compute and storage in the same region; minimize cross-cloud movement.
Idle resourcesA VM or warehouse left running overnight bills the whole time, doing nothing.Auto-stop/scale-to-zero; tear down dev resources.
Big scansWarehouses like BigQuery bill by bytes scanned. SELECT * on a huge table, run often, gets pricey.Select only needed columns; partition tables; filter early.
Forgotten storageOld data and logs accumulate forever at a steady monthly drip.Lifecycle rules to delete or move to cheaper cold storage.

The discipline of treating cost as a first-class engineering concern — visible, attributed, and optimized — is called FinOps. The mindset is simple: every resource has a meter running, so design with the meter in mind. Tag resources so you know what each team spends, set budget alerts, and make "turn it off" the default for anything not in use.

Why data platforms in particular

Data work combines large volumes (storage adds up), heavy compute (big transforms and scans), and movement (egress between services). Each is a cost lever, and they multiply. A single poorly-filtered dashboard query re-running every five minutes has surprised many teams with a four-figure monthly bill.

Hands-on: reason about bucket access

You don't need a paid account to think like a cloud engineer. Your local MinIO from the mini-platform speaks the S3 API, so the exact same access reasoning applies. The question to internalize: who is allowed to do what to this bucket?

If you had real credentials, listing a bucket with the AWS CLI looks like this — and the shape is identical whether it hits AWS or your local MinIO endpoint:

terminal
# List your buckets (uses the identity configured in your credentials)
aws s3 ls

# List objects inside one bucket
aws s3 ls s3://griddp-raw/

# Point the SAME command at local MinIO instead of real AWS:
aws --endpoint-url http://localhost:9000 s3 ls s3://griddp-raw/

# Copy a local file up into the bucket
aws s3 cp ./events.parquet s3://griddp-raw/events/events.parquet

Now reason about it without running anything. Suppose aws s3 ls s3://griddp-raw/ returns Access Denied. Walk the IAM question: which identity is the command using? Does its policy grant the s3:ListBucket action on that specific bucket? Under least privilege, a write-only pipeline identity legitimately can't list — and that's the system working, not breaking. The fix is a policy that grants exactly the action needed, not admin everywhere.

✓ The reasoning that transfers

Every "can't reach storage" problem in the cloud reduces to the same three checks: the right identity, the right action in its policy, on the right resource. Practice that reasoning on MinIO locally and it works unchanged on S3 or GCS.

✓ Check yourself

  • Can you explain elasticity and managed services to a friend — and name the tradeoff (cost, lock-in)?
  • On the shared-responsibility model, which side is "your data and who can access it" on — always?
  • Can you name the four core primitives and give the AWS and GCP name for each?
  • Why does choosing a region involve law, not just latency?
  • Name three ways a data platform's cloud bill blows up.
Exercise — Map your mini-platform to the cloud

For each local component in the mini-platform you wired in Chapter 03, write down the managed cloud service it would become in production — once on AWS, once on GCP. Then add a one-line note on what that move buys you.

Local component→ AWS→ GCPWhat you gain
MinIO (object storage / lake)S3Cloud Storage (GCS)Effectively infinite, durable storage you don't operate or back up
Postgres / DuckDB (warehouse)RedshiftBigQueryScales to terabytes; the provider runs the engine
Dagster/Airflow container (orchestration)MWAA (managed Airflow)Cloud ComposerScheduler is patched, monitored, and highly available for you
Kafka container (streaming)MSKPub/SubNo brokers to operate or scale by hand
Your dbt / transform jobsECS / LambdaCloud Run / Cloud FunctionsCode runs on rented compute; nothing to keep alive
Compose networking + secretsVPC + IAM + Secrets ManagerVPC + IAM + Secret ManagerNetwork isolation and least-privilege access enforced by the provider

The takeaway: the architecture you built locally is the same architecture you'd run in production — only each box becomes a managed service. That's why building it on your laptop first was worth it. You already understand the system; the cloud just operates the pieces for you.

Next

You can reason about the cloud's building blocks; now let's automate getting your code onto them safely and repeatably. → CI/CD for Data