Series MapLesson 58 / 60
Focus mode active/Press Alt+Shift+R to toggle/Esc to exit
Final StretchOrdered learning track

AWS/Azure Mapping Cheat Sheet

Mapping praktis AWS dan Azure untuk account/subscription, IAM/managed identity, VPC/VNet, SG/NSG, DNS, load balancer, API gateway/APIM, PrivateLink, registry, object storage, observability, secrets/config, dan Kubernetes.

28 min read5507 words
PrevNext
Lesson 5860 lesson track51–60 Final Stretch
#aws#azure#mapping#comparison+5 more

Part 058 — AWS/Azure Mapping Cheat Sheet

Goal: setelah menyelesaikan part ini, Anda mampu menerjemahkan konsep AWS ↔ Azure dengan benar, memahami caveat-nya, dan tidak terjebak pada mapping satu-ke-satu yang menyesatkan.

Part ini adalah cheat sheet, tetapi bukan sekadar tabel nama service. Fokusnya adalah mental model equivalence: apa yang mirip, apa yang berbeda, dan apa dampaknya ke Java/JAX-RS backend, EKS/AKS, private connectivity, identity, observability, security, cost, dan production operations.

Rule utama:

AWS dan Azure sering punya service yang terlihat mirip, tetapi boundary, identity model, network behavior, DNS behavior, policy scope, dan operational ownership-nya bisa berbeda.


1. Mapping Caveat

Jangan membaca tabel mapping sebagai “service A sama persis dengan service B”. Mapping hanya membantu orientasi.

Contoh:

  • AWS IAM role bukan sama persis dengan Azure managed identity.
  • AWS Security Group bukan sama persis dengan Azure NSG.
  • AWS VPC Endpoint/PrivateLink bukan sama persis dengan Azure Private Endpoint/Private Link.
  • ALB bukan sama persis dengan Azure Application Gateway.
  • CloudWatch bukan sama persis dengan Azure Monitor + Log Analytics.
  • EKS bukan sama persis dengan AKS.

Yang harus dimapping adalah:

Concept
Boundary
Runtime identity
Network path
DNS behavior
Policy model
Operational ownership
Failure mode
Debugging evidence
Cost driver

2. Account, Subscription, and Organization Mapping

ConceptAWSAzureCaveat
Top-level cloud customer boundaryAWS OrganizationMicrosoft Entra tenant + Management Group hierarchyAzure identity tenant dan billing/resource hierarchy perlu dibedakan.
Workload/account boundaryAWS AccountAzure SubscriptionKeduanya sering dipakai untuk environment/billing/security boundary, tetapi policy model berbeda.
Grouping multiple accounts/subscriptionsOrganizational UnitsManagement GroupsOU biasanya mengelola AWS accounts; management group mengelola subscriptions.
Resource groupingTags, account, region, service-specific groupingResource GroupAzure Resource Group adalah first-class grouping untuk lifecycle dan RBAC scope; AWS tidak punya direct equivalent universal.
Billing/cost allocationAccount, Cost Categories, tagsSubscription, resource group, tagsTag governance penting di keduanya.
Environment separationSeparate accounts commonSeparate subscriptions/resource groups commonInternal landing zone standard harus diverifikasi.

Review notes

Untuk enterprise backend system, account/subscription boundary biasanya menentukan:

  • siapa yang boleh deploy,
  • siapa yang bisa membaca logs,
  • siapa yang bisa mengubah network,
  • siapa yang membayar cost,
  • siapa yang menjadi blast radius saat salah konfigurasi.

Internal verification checklist

  • Apakah dev/test/prod dipisah account/subscription?
  • Apakah shared services punya account/subscription terpisah?
  • Apakah network hub punya account/subscription terpisah?
  • Apakah logging/security account/subscription terpisah?
  • Apakah sandbox dibatasi policy?

3. Region, Availability Zone, and Fault Domain Mapping

ConceptAWSAzureCaveat
Geographic service locationRegionRegionService availability berbeda per region.
Physical isolation inside regionAvailability ZoneAvailability ZoneTidak semua Azure region/service mendukung AZ dengan cara yang sama.
Multi-datacenter durabilityMulti-AZ architectureZone-redundant architectureImplementation berbeda per service.
Region pair / DR conceptMulti-region strategy, Route 53 failover, cross-region replicationPaired regions, Traffic Manager, Front Door, geo-replicationDR bukan otomatis; harus diuji.

Java/JAX-RS impact

Region/AZ memengaruhi:

  • latency ke database/broker/cache,
  • cross-zone data transfer,
  • SDK region configuration,
  • failover behavior,
  • DNS routing,
  • consistency saat multi-region.

PR review question

Apakah dependency ini berada di region/AZ yang sama dengan workload, dan apa dampaknya ke latency, cost, dan failure isolation?


4. Identity and Access Mapping

ConceptAWSAzureCaveat
Human/workload principalIAM principalEntra principalAzure identity berasal dari Entra ID; AWS IAM native ke account.
UserIAM UserEntra UserIAM user untuk workload biasanya anti-pattern; Entra user human identity.
GroupIAM GroupEntra GroupScope/usage berbeda.
Runtime roleIAM RoleManaged Identity / Service Principal + RBACTidak one-to-one. IAM role menggabungkan trust + permissions; Azure memakai identity + role assignment.
Temporary credentialSTS credentialsToken from Entra/managed identityCredential lifecycle dan audience berbeda.
Permission policyIAM PolicyAzure RBAC role definition/assignmentAWS policy action/resource/condition berbeda dari Azure scope-based RBAC.
Trust relationshipIAM role trust policyFederated identity credential / app registration trustOIDC subject/audience harus diverifikasi.
Workload identity in KubernetesIRSA / EKS Pod IdentityAKS Workload Identity / managed identitySDK chain dan annotation berbeda.
AuditCloudTrailAzure Activity Log / Entra logsCoverage dan query model berbeda.

Critical caveat

AWS IAM role menjawab dua hal sekaligus:

Who can assume me?
What can I do after assumed?

Azure lebih sering memisahkan:

Which identity exists?
What role assignment does it have?
At which scope?
How does workload obtain token for that identity?

Java/JAX-RS impact

Dalam Java service:

  • AWS SDK membaca credential dari provider chain.
  • Azure SDK sering memakai DefaultAzureCredential atau credential spesifik.
  • Runtime identity harus eksplisit untuk Kubernetes.
  • Error auth sering muncul sebagai SDK exception, bukan HTTP auth error internal.

Review questions

  • Runtime principal sebenarnya apa?
  • Scope permission minimum di mana?
  • Apakah token/credential temporary?
  • Apakah trust relationship terlalu luas?
  • Apakah audit log bisa menjelaskan access?

5. Network Mapping

ConceptAWSAzureCaveat
Virtual networkVPCVNetKeduanya konsep virtual network, tetapi service integration berbeda.
SubnetSubnetSubnetAzure subnet dapat punya delegation/service-specific behavior.
Route tableRoute TableRoute Table / UDRAzure UDR sering dipakai untuk force traffic ke firewall/NVA.
Internet entryInternet GatewayPublic IP / platform routingAWS IGW explicit VPC component; Azure model berbeda.
NAT outboundNAT GatewayAzure NAT GatewayCost/placement/association berbeda.
Network firewallingSecurity Group, NACL, AWS Network FirewallNSG, ASG, Azure Firewall, NVASG stateful at ENI/resource level; NSG at subnet/NIC level.
VNet/VPC peeringVPC PeeringVNet PeeringTransitive routing limitations/behavior harus dipahami.
Hub routingTransit GatewayVirtual WAN / hub-spoke with Azure FirewallNot direct equivalent.
Flow diagnosticsVPC Flow LogsNSG Flow Logs / Network WatcherTooling dan query model berbeda.

Security Group vs NSG caveat

AWS Security Group:

  • stateful,
  • attached to ENI/resource,
  • allow rules only,
  • often used as workload boundary.

Azure NSG:

  • stateful,
  • attached to subnet and/or NIC,
  • has inbound/outbound security rules,
  • rule priority matters,
  • often combined with UDR/Azure Firewall/private endpoint design.

Java/JAX-RS impact

Network misconfiguration muncul sebagai:

  • DNS failure,
  • connect timeout,
  • TLS handshake failure,
  • intermittent latency,
  • connection reset,
  • broker/database connection timeout,
  • SDK timeout.

PR review question

Apakah route, firewall, DNS, and source/destination identity jelas dari pod sampai dependency?


6. DNS Mapping

ConceptAWSAzureCaveat
Public DNSRoute 53 public hosted zoneAzure DNS public zoneDomain ownership dan delegation harus diverifikasi.
Private DNSRoute 53 private hosted zoneAzure Private DNS ZoneAssociation/linking model berbeda.
Hybrid DNS resolverRoute 53 Resolver inbound/outbound endpointsAzure DNS Private ResolverConditional forwarding harus didesain.
LB aliasRoute 53 AliasAzure DNS CNAME/Alias record support depending targetTidak semua target punya alias behavior identik.
Private endpoint DNSPrivate hosted zone / endpoint private DNSPrivate DNS Zone + zone groupAzure Private Endpoint sangat bergantung pada private DNS zone setup.
Kubernetes DNSCoreDNS in EKSCoreDNS in AKSCluster DNS sama-sama Kubernetes, tapi upstream resolver path berbeda.

Common failure mapping

SymptomAWS likely areaAzure likely area
Pod resolves public IP for private servicePrivate hosted zone association / private DNS disabledPrivate DNS Zone link / zone group missing
On-prem cannot resolve private endpointRoute 53 Resolver forwardingAzure DNS Private Resolver / conditional forwarder
Intermittent stale endpointTTL/cache/old CNAMETTL/cache/old CNAME
Kubernetes service name not resolvingCoreDNS/service objectCoreDNS/service object

PR review question

From inside the pod, what does nslookup or equivalent resolve, and is that the intended private/public endpoint?


7. Load Balancer and Ingress Mapping

ConceptAWSAzureCaveat
L4 load balancerNetwork Load BalancerAzure Load BalancerFeature behavior and integration differ.
L7 load balancerApplication Load BalancerApplication GatewaySimilar L7 role, not identical. App Gateway often includes WAF option.
Kubernetes ingress integrationAWS Load Balancer ControllerAGIC / Application Routing add-ons / ingress controllersController annotations differ significantly.
Target/backend groupTarget GroupBackend PoolHealth check/probe model differs.
Health checkTarget group health checkHealth probeStatus interpretation differs.
TLS certificateACMKey Vault/App Gateway certificate integration depending setupCertificate lifecycle differs.
Edge/global frontendCloudFront / Global AcceleratorAzure Front Door / Traffic ManagerDifferent routing and caching models.
WAFAWS WAFAzure WAFRule model and logging differ.

ALB vs Application Gateway caveat

ALB and Application Gateway both solve L7 routing, but review must compare:

  • ingress controller integration,
  • WAF capability,
  • TLS certificate lifecycle,
  • private frontend support,
  • health probe behavior,
  • source IP behavior,
  • cost model,
  • logs/diagnostics,
  • Kubernetes target registration.

PR review question

If a request returns 502/503/504, which layer owns the error and what health check/probe/log proves it?


8. API Gateway and API Management Mapping

ConceptAWSAzureCaveat
API gateway serviceAmazon API GatewayAzure API ManagementAPIM has strong API product/developer portal/policy orientation.
Route/stageRoute/stage/deploymentAPI/operation/product/version/revisionObject model differs.
Auth integrationLambda authorizer/JWT authorizer/IAM/Cognitovalidate-jwt/OAuth2/OIDC/policies/subscriptionPolicy syntax and auth model differ.
Rate limitUsage plan/throttlingRate limit policiesDifferent enforcement concepts.
Private APIPrivate API with VPC endpointAPIM private endpoint/internal modeNetwork model differs.
TransformationMapping templates/integration configAPIM policiesDifferent capability surface.

Gateway vs ingress caveat

API gateway is not just “another ingress”. It may own:

  • API productization,
  • consumer authentication,
  • usage plans/subscriptions,
  • rate limiting,
  • request/response transformation,
  • developer portal,
  • private API boundary,
  • API version governance.

Ingress usually owns Kubernetes cluster entry routing.

PR review question

Is this concern API governance, cluster ingress, reverse proxying, or service mesh? Which layer should own it?


9. Private Connectivity Mapping

ConceptAWSAzureCaveat
Private service accessVPC EndpointPrivate EndpointNot identical.
Provider/consumer private serviceAWS PrivateLinkAzure Private LinkNaming similar, implementation model differs.
Interface endpointInterface VPC EndpointPrivate Endpoint NICDNS/security model differs.
Gateway endpointGateway Endpoint for S3/DynamoDBNo direct same equivalentAzure uses Private Endpoint/service endpoints depending service/design.
Private DNSPrivate DNS enabled / Route 53 PHZPrivate DNS Zone group/linkAzure private endpoint DNS requires careful zone integration.
Endpoint policyVPC endpoint policyRBAC/network controls/service firewallPolicy surface differs.

AWS PrivateLink and Azure Private Link are conceptually similar: private access to services without traversing public internet. But implementation differs in:

  • endpoint resource representation,
  • DNS integration,
  • provider/consumer model,
  • security boundary,
  • approval workflow,
  • service support matrix,
  • cross-region/cross-tenant behavior.

PR review question

Is private connectivity proven by DNS, routing, security policy, and service logs — or merely assumed because a private endpoint object exists?


10. Container Registry Mapping

ConceptAWSAzureCaveat
Container registryAmazon ECRAzure Container RegistrySimilar role, different auth/network/SKU/scanning model.
RepositoryECR repositoryACR repositorySimilar.
Image tagTagTagMutable unless policy/process prevents it.
Immutable referenceImage digestImage digestPrefer digest for production promotion.
Registry auth from KubernetesEKS/ECR integration, IAMAKS/ACR integration, managed identity/RBACRuntime identity differs.
Private accessECR interface endpointACR private endpointDNS/private endpoint behavior differs.
ScanningECR scanning/enhanced scanningMicrosoft Defender/ACR capabilities depending planVerify internal security tooling.
ReplicationECR replicationACR geo-replicationDifferent cost/SKU behavior.

Java/JAX-RS impact

Registry affects application indirectly:

  • image pull failure prevents rollout,
  • wrong tag deploys wrong version,
  • mutable tag breaks rollback evidence,
  • vulnerability finding blocks promotion,
  • private registry DNS/auth failure causes pod stuck in ImagePullBackOff.

PR review question

Is production deploy pinned to an immutable artifact, and can the cluster pull it privately with the intended identity?


11. Object Storage Mapping

ConceptAWSAzureCaveat
Object storage serviceAmazon S3Azure Blob StorageSimilar object storage abstraction, different security/namespace/features.
Top-level namespaceBucketStorage account + containerAzure has storage account boundary before container.
ObjectObjectBlobSimilar.
Object key/pathKeyBlob name“Folder” is logical.
Temporary URLPresigned URLSAS tokenSecurity model and revocation behavior differ.
LifecycleLifecycle rulesLifecycle management policiesSimilar purpose.
VersioningS3 VersioningBlob versioningVerify behavior and restore process.
EncryptionSSE-S3/SSE-KMSStorage encryption/CMKKey model differs.
Private accessS3 VPC endpointBlob private endpointDNS/network model differs.

Presigned URL vs SAS caveat

Both can grant temporary access. But review must inspect:

  • permissions granted,
  • TTL,
  • revocation model,
  • signed resource scope,
  • IP/network restriction if used,
  • auditability,
  • whether link leaks customer data.

Java/JAX-RS impact

  • Upload/download should stream.
  • Large file should not load fully into heap.
  • Metadata must avoid sensitive data.
  • URL generation must be bounded and auditable.
  • Retry/idempotency matters for multipart upload.

PR review question

Does this design expose bytes through app service, direct object storage link, or both — and what are the memory/security/observability consequences?


12. Config, Secret, and Key Mapping

ConceptAWSAzureCaveat
Parameter/configSSM Parameter StoreAzure App ConfigurationParameter Store can also hold SecureString; App Configuration is config/feature flag focused.
Dynamic config rolloutAWS AppConfigAzure App ConfigurationFeature flag/reload model differs.
Secret managerAWS Secrets ManagerAzure Key Vault SecretsSimilar use case, different identity/policy/audit model.
Secure parameterSSM SecureStringKey Vault Secret / App Configuration Key Vault referenceNot direct equivalent.
Key managementAWS KMSAzure Key Vault Keys / Managed HSMPolicy/RBAC model differs.
CertificateACM / IAM server cert legacy / private CAKey Vault Certificates / App Gateway cert integrationLifecycle differs.
Kubernetes secret integrationSecrets Store CSI Driver provider AWS / External SecretsSecrets Store CSI Driver provider Azure / External SecretsVerify internal pattern.

Secret vs config rule

Config: non-sensitive behavior input.
Secret: sensitive credential/token/key material.
Key: cryptographic primitive controlling encryption/signing.
Certificate: identity/trust material for TLS or signing.

Do not store all four in one place without a lifecycle reason.

PR review question

What is the lifecycle of this value: who creates it, who reads it, how it rotates, how app reloads it, and how access is audited?


13. Observability Mapping

ConceptAWSAzureCaveat
Metrics/logs/alarms platformCloudWatchAzure MonitorAzure Monitor often pairs with Log Analytics workspace.
Log groupingLog groups/log streamsLog Analytics tables/workspacesQuery model differs.
Query languageCloudWatch Logs InsightsKusto Query Language/KQLDifferent skills/tooling.
TracingX-Ray / ADOT / OpenTelemetryApplication Insights / Azure Monitor OpenTelemetryVerify instrumentation standard.
Container insightsCloudWatch Container InsightsContainer Insights in Azure MonitorDifferent dashboards/cost drivers.
AuditCloudTrailActivity LogDifferent coverage.
Resource config/complianceAWS ConfigAzure PolicyDifferent policy models.

Critical caveat

CloudWatch is a broad AWS observability service. Azure Monitor is an umbrella platform that often uses Log Analytics workspaces and Application Insights depending signal type. Do not expect identical dashboard/query/retention/cost behavior.

Java/JAX-RS impact

For portability, application should standardize:

  • structured logs,
  • correlation ID,
  • OpenTelemetry traces,
  • RED/USE metrics,
  • dependency metrics,
  • error classification,
  • PII-safe logging.

Then export to cloud-native backend based on environment.

PR review question

Are app-level telemetry conventions cloud-portable even if storage/query backend differs?


14. Kubernetes Mapping: EKS vs AKS

ConceptAWS EKSAzure AKSCaveat
Managed KubernetesAmazon EKSAzure Kubernetes ServiceBoth manage control plane, but add-ons/network/identity differ.
Node computeManaged node group, self-managed nodes, FargateNode pools, VM Scale SetsOperational lifecycle differs.
Pod networkingAmazon VPC CNIAzure CNI / Azure CNI Overlay / kubenet legacy awarenessIP planning differs significantly.
Workload identityIRSA / EKS Pod IdentityAKS Workload Identity / managed identityMapping not exact.
Registry integrationECR + IAMACR + managed identity/RBACPull auth differs.
Load balancer integrationAWS Load Balancer ControllerAzure Load Balancer/App Gateway/AGIC/application routingController annotations differ.
StorageEBS CSI, EFS CSIAzure Disk CSI, Azure Files CSIStorage semantics differ.
ObservabilityCloudWatch Container Insights / PrometheusAzure Monitor Container Insights / Log AnalyticsCost/query differs.
AutoscalingCluster Autoscaler, KarpenterCluster Autoscaler, node pool scalingKarpenter equivalent not direct.

EKS vs AKS caveat

The Kubernetes API is portable. The production platform behavior is not fully portable.

Non-portable areas:

  • CNI/IP allocation,
  • ingress controller annotations,
  • service type load balancer behavior,
  • workload identity setup,
  • storage classes,
  • private cluster access,
  • observability integration,
  • node upgrade process,
  • registry auth,
  • network policy implementation.

PR review question

Is this Kubernetes manifest truly portable, or does it depend on EKS/AKS-specific annotations, identity, storage, ingress, or networking behavior?


15. Managed PostgreSQL Mapping

ConceptAWSAzureCaveat
Managed PostgreSQLAmazon RDS for PostgreSQLAzure Database for PostgreSQL Flexible ServerSimilar managed DB role, different parameters/HA/private access model.
PostgreSQL-compatible cloud-native variantAmazon Aurora PostgreSQL-CompatibleNo direct exact equivalentAurora architecture differs from standard PostgreSQL.
Parameter tuningDB parameter groupServer parametersNaming/limits differ.
Private networkingDB subnet group + SGPrivate access/private endpoint/VNet integrationModel differs.
HAMulti-AZZone-redundant / same-zone HA optionsService-specific behavior differs.
Backup/PITRAutomated backups/PITRAutomated backup/PITRRetention/restore workflow differs.
Read scalingRead replicasRead replicasLag/connection endpoint behavior differs.

Java/JAX-RS impact

  • JDBC URL may change across failover.
  • TLS certificate chain may differ.
  • Connection pool must tolerate failover.
  • DNS caching can affect recovery.
  • Parameter limits may change query/runtime behavior.
  • Private endpoint DNS impacts app connectivity.

PR review question

Does the app connection pool and DNS behavior tolerate database failover and maintenance events?


16. Messaging Mapping

ConceptAWSAzureCaveat
Managed KafkaAmazon MSKEvent Hubs Kafka-compatible endpoint awarenessEvent Hubs Kafka endpoint is compatibility layer, not full Kafka cluster equivalence.
RabbitMQ managedAmazon MQ for RabbitMQNo direct Azure first-party RabbitMQ equivalent in same sense; often marketplace/self-managedVerify internal platform.
Self-managed brokerKafka/RabbitMQ on EKSKafka/RabbitMQ on AKSOperational burden high.
Connector ecosystemMSK ConnectEvent Hubs integrations / external connectorsDifferent ecosystem/semantics.
Private connectivityVPC/subnet/SG/PrivateLink depending servicePrivate Endpoint/VNet integration depending serviceMust verify service-specific support.

Caveat

Kafka protocol compatibility does not guarantee identical behavior in:

  • broker metadata,
  • topic management,
  • retention,
  • partitioning,
  • consumer group behavior,
  • transactions/idempotent producer support,
  • operational metrics,
  • quotas/throttling,
  • failure semantics.

PR review question

Are we depending on generic Kafka client behavior, or on broker-specific semantics that may not map across AWS/Azure?


17. Redis Mapping

ConceptAWSAzureCaveat
Managed Redis/ValkeyAmazon ElastiCache for Redis/ValkeyAzure Cache for Redis / Azure Managed RedisSKU/features/failover/networking differ.
Cluster modeCluster mode enabled/disabledClustering options depend tierVerify client compatibility.
Replication/failoverReplication group/Multi-AZReplica/failover based on tierBehavior differs.
Private accessSubnet/security groupPrivate endpoint/VNet integrationDNS/network behavior differs.
AuthAUTH/ACL/TLS depending setupAccess keys/Entra/RBAC/TLS depending service/tierVerify current platform standard.

Java/JAX-RS impact

  • Redis client must handle failover.
  • Connection pool must be bounded.
  • Cache miss path must not overload database.
  • TTL strategy must be explicit.
  • Eviction policy affects correctness.
  • Serialization versioning matters.

PR review question

Is Redis being used as cache, lock, session store, rate limiter, or state store — and does the selected managed service mode preserve the required semantics?


18. IaC, Governance, and Policy Mapping

ConceptAWSAzureCaveat
Declarative IaC nativeCloudFormationARM templates / BicepTerraform may be standard internally despite native options.
Cross-cloud IaCTerraformTerraformProvider behavior differs.
Organization policySCPManagement group policy / Azure PolicyDifferent enforcement model.
Resource complianceAWS ConfigAzure PolicyDifferent rule/evaluation model.
AuditCloudTrailAzure Activity LogCoverage differs.
Resource lockTermination protection / stack policy / IAM controlsResource locksNot direct equivalent.
TagsAWS tagsAzure tagsRequired tags and enforcement differ.

PR review question

Is this policy enforced preventively, detected after drift, or merely documented as convention?


19. Quick AWS ↔ Azure Mapping Table

AreaAWSAzure
Organization hierarchyAWS Organizations, OUManagement Groups, Subscriptions
Workload boundaryAWS AccountAzure Subscription
Resource groupingTags, service groupingResource Group
IdentityIAMMicrosoft Entra ID + Azure RBAC
Runtime roleIAM RoleManaged Identity / Service Principal
Temporary credentialsSTSEntra token / managed identity token
Kubernetes workload identityIRSA / EKS Pod IdentityAKS Workload Identity
NetworkVPCVNet
SubnetSubnetSubnet
RouteRoute TableRoute Table / UDR
Firewall ruleSecurity Group / NACLNSG / ASG / Azure Firewall
NATNAT GatewayAzure NAT Gateway
Private service accessVPC Endpoint / PrivateLinkPrivate Endpoint / Private Link
DNSRoute 53Azure DNS / Private DNS Zone
Hybrid DNSRoute 53 ResolverAzure DNS Private Resolver
L4 LBNLBAzure Load Balancer
L7 LBALBApplication Gateway
API gatewayAPI GatewayAPI Management
Edge/global routingCloudFront / Global Accelerator / Route 53Azure Front Door / Traffic Manager
WAFAWS WAFAzure WAF
Container registryECRACR
KubernetesEKSAKS
Object storageS3Blob Storage
Managed PostgreSQLRDS PostgreSQL / Aurora PostgreSQLAzure Database for PostgreSQL Flexible Server
Managed KafkaMSKEvent Hubs Kafka-compatible endpoint awareness
RabbitMQ managedAmazon MQ for RabbitMQSelf-managed/marketplace/partner pattern often used
Redis managedElastiCache / MemoryDB awarenessAzure Cache for Redis / Azure Managed Redis
ConfigSSM Parameter Store / AppConfigAzure App Configuration
SecretsSecrets Manager / SSM SecureStringKey Vault Secrets
KeysKMSKey Vault Keys / Managed HSM
Logs/metricsCloudWatchAzure Monitor / Log Analytics
TracingX-Ray / ADOT / OpenTelemetryApplication Insights / Azure Monitor OpenTelemetry
AuditCloudTrailActivity Log
Config complianceAWS ConfigAzure Policy
Native IaCCloudFormationARM/Bicep
Cross-cloud IaCTerraformTerraform

20. Portability Checklist

Before designing “cloud portable” application behavior, classify portability into layers.

20.1 Portable layers

Usually portable with discipline:

  • Java/JAX-RS application logic.
  • HTTP API contract.
  • OpenAPI spec.
  • Structured logging format.
  • OpenTelemetry instrumentation.
  • Container image format.
  • Kubernetes Deployment/Service basics.
  • PostgreSQL SQL subset if managed service differences are controlled.
  • Kafka client usage if broker semantics are compatible.

20.2 Partially portable layers

Portable only with abstraction or environment-specific config:

  • Cloud SDK integrations.
  • Object storage access.
  • Presigned URL/SAS generation.
  • Secret/config retrieval.
  • Workload identity.
  • Ingress annotations.
  • StorageClass.
  • Autoscaling behavior.
  • Observability export.
  • Private endpoint DNS.

20.3 Non-portable layers

Expect provider-specific implementation:

  • IAM/RBAC policy.
  • VPC/VNet design.
  • PrivateLink/Private Endpoint setup.
  • API Gateway/APIM policies.
  • WAF rules.
  • Managed database HA/backup settings.
  • Kubernetes CNI behavior.
  • Cloud-native audit/compliance policy.
  • Cost model.
  • Quota model.

20.4 Rule

Do not force portability where correctness, security, or operability requires provider-specific implementation.

Better approach:

Portable application contract
+ provider-specific platform adapter
+ explicit environment verification
+ common observability vocabulary

21. Migration Checklist: AWS to Azure or Azure to AWS

21.1 Identity

  • Map runtime identities.
  • Replace IAM role assumptions with managed identity/service principal or vice versa.
  • Rebuild trust/federation.
  • Re-scope permission.
  • Validate SDK credential chain.

21.2 Networking

  • Rebuild CIDR/VNet/VPC plan.
  • Recheck subnet sizing.
  • Translate SG/NSG/firewall model.
  • Recreate private endpoint/private link.
  • Rebuild private DNS.
  • Validate hybrid routing.

21.3 Kubernetes

  • Translate ingress annotations.
  • Translate StorageClass.
  • Translate workload identity.
  • Translate registry pull auth.
  • Validate CNI/IP behavior.
  • Validate autoscaling/node pool behavior.

21.4 Data services

  • Validate PostgreSQL version/extensions/parameters.
  • Validate backup/restore process.
  • Validate broker semantics.
  • Validate Redis failover/cluster mode.
  • Validate object storage consistency/access policy.

21.5 Operations

  • Rebuild dashboards.
  • Rebuild alerts.
  • Rebuild log queries.
  • Rebuild audit evidence.
  • Rebuild DR runbook.
  • Rebuild cost model.

22. Review Checklist for Architecture Mapping

Use this when someone says “Azure equivalent of X is Y” or “AWS equivalent of X is Y”.

[ ] Are we mapping concept or service name?
[ ] Does the boundary match?
[ ] Does the identity model match?
[ ] Does the policy scope match?
[ ] Does the network path match?
[ ] Does private DNS behave the same?
[ ] Does Kubernetes integration behave the same?
[ ] Does SDK credential chain behave the same?
[ ] Does observability produce equivalent evidence?
[ ] Does cost model differ?
[ ] Does quota model differ?
[ ] Does DR behavior differ?
[ ] Does compliance evidence differ?
[ ] What is provider-specific and should not be abstracted away?

23. Common Wrong Assumptions

Wrong assumption 1 — “VPC equals VNet exactly”

Better view:

  • Both are virtual network containers.
  • But routing, service endpoint, private endpoint, firewall, DNS, and Kubernetes CNI behavior differ.

Wrong assumption 2 — “IAM role equals managed identity”

Better view:

  • AWS IAM role combines trust and permission model.
  • Azure managed identity is an identity; authorization is via role assignment or service-specific access policy.

Wrong assumption 3 — “Private endpoint means private traffic automatically works”

Better view:

  • Private endpoint object is only one part.
  • DNS, routing, security rules, firewall, service access policy, and source network must align.

Wrong assumption 4 — “Kubernetes makes cloud differences irrelevant”

Better view:

  • Kubernetes standardizes scheduling and service abstractions.
  • Cloud-specific CNI, ingress, storage, identity, load balancer, registry, and observability still matter.

Wrong assumption 5 — “Cloud SDK defaults are production-ready”

Better view:

  • Defaults may work for happy path.
  • Production needs explicit timeout, retry, credential source, region/endpoint, metrics, logging, and throttling behavior.

Wrong assumption 6 — “Object storage is just file storage”

Better view:

  • Object storage is not a POSIX filesystem.
  • It has object keys, metadata, lifecycle, signed access, eventual operational constraints, and different access semantics.

Wrong assumption 7 — “Multi-cloud improves resilience automatically”

Better view:

  • Multi-cloud increases operational complexity.
  • It may reduce provider dependency but introduces data replication, identity, DNS, observability, and runbook complexity.

24. Java/JAX-RS Backend Mapping Strategy

For Java/JAX-RS services, avoid scattering provider-specific code everywhere.

Recommended layering:

JAX-RS Resource Layer
  ↓
Application Service Layer
  ↓
Domain Logic
  ↓
Port / Interface
  ↓
Provider Adapter: AWS or Azure
  ↓
Cloud SDK Client

Example port

public interface ObjectDocumentStore {
    UploadResult upload(DocumentUploadCommand command);
    DownloadHandle createDownloadHandle(DocumentDownloadCommand command);
    void delete(DocumentDeleteCommand command);
}

AWS adapter

  • Uses S3 client.
  • Uses presigned URL if needed.
  • Uses AWS credential provider chain.
  • Uses region/endpoint config.
  • Emits AWS-specific metrics tags carefully.

Azure adapter

  • Uses Blob Storage client.
  • Uses SAS if needed.
  • Uses Azure credential chain.
  • Uses blob endpoint config.
  • Emits Azure-specific metrics tags carefully.

What should remain common

  • Domain operation semantics.
  • Request validation.
  • File size limit.
  • Metadata policy.
  • Audit event.
  • Timeout budget.
  • Error classification.
  • Retry policy intent.
  • PII/logging rules.

What should remain provider-specific

  • IAM/RBAC details.
  • Endpoint/private DNS.
  • SDK client configuration.
  • Signed URL/SAS generation mechanics.
  • Encryption key integration.
  • Service-specific exception mapping.

25. Internal Verification Checklist

Use this checklist in CSG/team context.

Platform model

  • Which cloud providers are actually used?
  • Which workloads run on AWS?
  • Which workloads run on Azure?
  • Which workloads run on-prem?
  • Are AWS/Azure used symmetrically or for different product/customer contexts?

Account/subscription

  • AWS account structure.
  • Azure subscription structure.
  • Environment separation.
  • Shared services boundary.
  • Network boundary.
  • Logging/security boundary.
  • Cost allocation tags.

Network

  • VPC/VNet diagrams.
  • CIDR plan.
  • Subnet plan.
  • Route tables/UDR.
  • SG/NSG/firewall rules.
  • Private endpoint inventory.
  • Public endpoint inventory.
  • Hybrid connectivity.

Identity

  • IAM roles.
  • Azure managed identities/service principals.
  • Workload identity mapping.
  • CI/CD identity.
  • Human operator access.
  • Break-glass policy.
  • Audit logs.

Kubernetes

  • EKS clusters.
  • AKS clusters.
  • Namespace strategy.
  • ServiceAccount strategy.
  • Ingress controllers.
  • Storage classes.
  • Network policies.
  • Observability add-ons.

Managed services

  • PostgreSQL provider.
  • Kafka/RabbitMQ provider.
  • Redis provider.
  • Object storage provider.
  • Secret/config provider.
  • Container registry provider.
  • Monitoring/tracing backend.

Operations

  • CI/CD pipeline.
  • Terraform/IaC repo.
  • GitOps repo.
  • Runbooks.
  • Incident notes.
  • DR evidence.
  • Cost dashboards.
  • Security review process.

26. Final Mapping Principle

The most useful mapping is not:

AWS service X = Azure service Y

The useful mapping is:

For this production capability,
what is the runtime boundary,
identity model,
network path,
DNS behavior,
security policy,
observability evidence,
cost driver,
failure mode,
and rollback path
in AWS versus Azure?

That is the level of mapping senior backend engineers need for real production systems.


27. Reference Anchors

Use these as vendor anchors, then verify internal platform reality:


28. Key Takeaways

  • AWS/Azure mapping membantu orientasi, tetapi tidak boleh menggantikan review desain.
  • Mapping paling berbahaya adalah mapping nama service tanpa memahami boundary dan failure mode.
  • Identity, private connectivity, DNS, load balancing, Kubernetes integration, observability, and cost are the areas where “equivalent service” most often hides real differences.
  • Java/JAX-RS backend should keep domain semantics portable, but cloud adapters explicit.
  • In CSG/team context, verify actual account/subscription, VPC/VNet, identity, private endpoint, DNS, EKS/AKS, observability, CI/CD, IaC, and runbook standards internally.
Lesson Recap

You just completed lesson 58 in final stretch. Use the series map if you want to review the broader track, or continue directly into the next lesson while the context is still warm.

Continue The Track

Keep the momentum while the lesson is still fresh. Move backward for review or continue forward into the next concept.