Public Cloud
How It Works
Public cloud infrastructure is owned and operated by a third-party provider — AWS, Microsoft Azure, Google Cloud Platform (GCP), or others — and shared across multiple tenants. You consume resources on demand, pay per use, and the provider handles hardware procurement, physical security, and base-level platform management.
The major providers operate regions globally. AWS has regions in Stockholm (eu-north-1), Frankfurt (eu-central-1), and Mumbai (ap-south-1). Azure operates in Sweden Central, Germany West Central, and Central India. GCP offers europe-north1 (Finland) and asia-south1 (Mumbai). Region selection is critical for latency, data residency, and pricing — it is not an afterthought.
When Public Cloud Is the Right Call
- Variable or unpredictable workloads: auto-scaling eliminates capacity planning guesswork. You pay for what you use, not what you might need.
- Startups and fast-iteration teams: zero upfront CapEx, instant provisioning. Ship first, optimize later.
- Stateless or cloud-native applications: containerized microservices, serverless functions (AWS Lambda, Azure Functions, Cloud Run), and managed databases (RDS, Cloud SQL) are built for public cloud primitives.
- Dev/test environments: spin up, run tests, tear down. Reserved capacity makes no sense here.
Where Public Cloud Falls Short
- Data sovereignty constraints: GDPR Article 44 restricts transfers of personal data outside the EEA unless adequate protections exist. Using a US-headquartered provider's EU region is generally acceptable, but the Schrems II implications and ongoing EU–US Data Privacy Framework developments require legal review, not just a region selection. Under India's DPDPA 2023, the central government can restrict transfers to specific countries — organizations must track these notifications.
- Steady-state, high-utilization workloads: a VM running at 80%+ utilization 24/7 for years is almost always cheaper on-premises or in private cloud. Reserved Instances and Savings Plans (typically offering 30–60% savings over on-demand pricing, per AWS's own documentation) close the gap but don't eliminate it for truly static loads.
- Highly regulated environments: some financial services regulators and defense agencies require physical isolation that logical tenancy separation in public cloud does not satisfy.
Private Cloud
How It Works
Private cloud dedicates infrastructure to a single organization. It can run on-premises in your own data center or be hosted by a third party (hosted private cloud). The defining characteristic is single-tenancy and direct control over the infrastructure stack.
Modern private clouds use the same orchestration technologies as public providers. VMware Cloud Foundation, OpenStack, Nutanix, and Azure Stack HCI provide IaaS-like consumption models internally. Kubernetes distributions like Red Hat OpenShift or Rancher add container orchestration on top.
When Private Cloud Makes Sense
- Strict compliance regimes: financial institutions under national banking regulations (e.g., Finansinspektionen in Sweden, BaFin in Germany) sometimes face requirements that demand verifiable physical isolation. Healthcare organizations handling EU patient data often prefer private infrastructure to simplify GDPR accountability chains.
- Predictable, high-density compute: HPC workloads, large-scale batch processing, or ML training on dedicated GPU clusters can be more cost-effective on owned hardware when utilization stays high.
- Legacy application dependencies: mainframe-adjacent workloads or applications with hardcoded IP dependencies, non-TCP/IP protocols, or licensing tied to physical cores often cannot move to public cloud without a rewrite.
The Real Costs People Underestimate
Private cloud is not "free because we already own the servers." Opsio's Cloud FinOps engagements consistently reveal hidden costs: facility power and cooling, hardware refresh cycles (typically 3–5 years), staff to manage firmware, patches, and physical security, plus the opportunity cost of engineers doing undifferentiated heavy lifting instead of building product features.
The honest math: if your utilization is below 60% on average, you're likely overpaying for private cloud. If it's consistently above 75%, you're likely saving money compared to public cloud on-demand pricing — though you need to factor in the agility cost of procurement lead times.
Hybrid Cloud
How It Works
Hybrid cloud connects private infrastructure (on-premises or hosted) with one or more public cloud environments through orchestration, networking, and often shared identity layers. The key differentiator from simply using both is integration: workloads, data, and management planes operate across environments in a coordinated way.
Core enabling technologies include:
| Technology | Purpose | Examples |
|---|---|---|
| Hybrid connectivity | Private network links between on-prem and cloud | AWS Direct Connect, Azure ExpressRoute, GCP Cloud Interconnect |
| Hybrid compute | Run cloud services on-premises | AWS Outposts, Azure Arc, Google Anthos |
| Identity federation | Single identity across environments | Azure AD (Entra ID), Okta, AWS IAM Identity Center |
| Container orchestration | Workload portability | Kubernetes (EKS, AKS, GKE) with consistent manifests |
| Monitoring and observability | Unified visibility | Datadog, Dynatrace, Grafana Cloud |
Why Hybrid Dominates Enterprise Adoption
According to Flexera's State of the Cloud, hybrid has consistently been the dominant enterprise strategy for several consecutive years. The reasons are practical, not theoretical:
1. Migration is gradual: no enterprise lifts everything to public cloud in one step. Hybrid is the natural transitional architecture during any Cloud Migration program.
2. Workload placement flexibility: sensitive data stays on private infrastructure while customer-facing applications scale on public cloud. A Swedish e-commerce company might keep PII in a Stockholm-based private environment while running its CDN and compute layer on AWS eu-north-1.
3. Burst capacity: run baseline compute on-premises and burst to public cloud during peaks — Black Friday traffic, quarter-end batch processing, seasonal demand.
4. DR and resilience: use public cloud as a disaster recovery target for on-premises workloads. AWS Elastic Disaster Recovery, Azure Site Recovery, and similar services make this operationally viable.
Hybrid Cloud Operational Challenges
Hybrid is not "the best of both worlds" without effort. From Opsio's 24/7 NOC operations managing hybrid environments, the recurring pain points are:
- Network complexity: latency-sensitive workloads split across environments create debugging nightmares. If your database is on-prem and your application is in public cloud, every query traverses the interconnect. Measure this before architecting it.
- Inconsistent security posture: firewall rules on-prem, security groups in AWS, NSGs in Azure — three different policy languages describing the same intent. Drift is inevitable without Infrastructure as Code (Terraform, Pulumi) and continuous policy validation (OPA, Checkov).
- Monitoring fragmentation: an alert fires in CloudWatch, another in your on-prem Zabbix instance, and a third in Datadog. Without a unified observability layer, your SOC team wastes time correlating across consoles instead of resolving incidents.
Multi-Cloud
Multi-Cloud vs. Hybrid: A Necessary Distinction
These terms are often used interchangeably. They shouldn't be. Hybrid means mixing private and public infrastructure. Multi-cloud means using two or more public cloud providers. An organization using AWS and Azure is multi-cloud. An organization using AWS and an on-premises VMware cluster is hybrid. An organization doing both is hybrid multi-cloud — and managing it is the most operationally complex scenario in cloud infrastructure.
Deliberate vs. Accidental Multi-Cloud
This distinction matters more than any architectural diagram. Most multi-cloud environments are accidental: the product team chose AWS, the data team chose GCP for BigQuery, and the company acquired a firm running everything on Azure. Nobody planned it; it just happened.
Deliberate multi-cloud has specific justifications:
- Regulatory requirements: some EU financial regulators require concentration-risk mitigation — not depending on a single cloud provider for critical services. NIS2 Article 21 requires "multi-vendor ICT strategies" in certain interpretations for essential entities.
- Best-of-breed services: GCP BigQuery for analytics, AWS for general compute, Azure for Microsoft 365 integration and Active Directory. This is defensible when the cost of cross-cloud networking and operational overhead is worth the service-level advantage.
- Geographic coverage: no single provider has regions everywhere. An organization needing local compute in a country where only one provider has a region will be multi-cloud by necessity.
The Operational Tax of Multi-Cloud
Running Opsio's Managed DevOps across multi-cloud estates, we see the operational tax clearly:
- IAM divergence: AWS IAM, Azure Entra ID, and GCP IAM use different permission models, different trust chain mechanisms, and different audit log formats. Building a unified access governance layer requires significant tooling investment.
- Cost visibility fragmentation: AWS Cost Explorer, Azure Cost Management, and GCP Billing Export each emit data in different schemas. Without a Cloud FinOps platform (Apptio Cloudability, Vantage, or similar), you cannot answer "how much does this product cost to run?" across providers.
- Skills dilution: each cloud provider has thousands of services. Deep expertise in all three is rare. Teams spread thin across providers master none.
The honest recommendation: don't pursue multi-cloud as a strategy. Pursue it only when you have a specific, defensible reason for each additional provider, and budget for the operational overhead it creates.
Community Cloud
Community cloud — shared infrastructure among organizations with common requirements — is the least discussed model but remains relevant in specific sectors. Examples include government community clouds (AWS GovCloud, Azure Government), research communities (GÉANT in Europe), and industry consortia sharing compliant infrastructure.
In practice, community cloud is architecturally similar to a private cloud with shared tenancy among vetted organizations. Its relevance is narrow but real: if you're a Swedish municipality sharing infrastructure with other municipalities through SKR (Sveriges Kommuner och Regioner), you're on community cloud.
Cloud Deployment Models Comparison
| Dimension | Public Cloud | Private Cloud | Hybrid Cloud | Multi-Cloud |
|---|---|---|---|---|
| Ownership | Provider-owned, shared | Organization-owned or hosted | Mixed | Multiple providers |
| CapEx | None (OpEx only) | High (hardware, facility) | Mixed | None per provider, high aggregate |
| Scalability | Near-infinite | Limited by capacity | Burst to public | Near-infinite per provider |
| Control | Limited (provider APIs) | Full | Split | Limited per provider |
| Compliance simplicity | Moderate (shared responsibility) | High (you own the stack) | Complex (multiple scopes) | Most complex |
| Operational complexity | Low to moderate | Moderate to high | High | Highest |
| Best for | Variable workloads, startups | Regulated, steady-state | Most enterprises | Specific best-of-breed needs |
| Vendor lock-in risk | High (single provider) | Low (you own it) | Moderate | Low (by design) |
How to Choose the Right Cloud Deployment Model
Choosing a deployment model is a workload-level decision, not an organization-level one. Different applications within the same enterprise will legitimately belong in different models. Here is the decision framework Opsio applies:
Step 1: Classify Your Workloads
For each workload, assess:
- Data sensitivity: does it process personal data under GDPR, financial data under banking regulations, or health data under national health-data laws? Under NIS2, essential and important entities in 18 sectors must implement risk-management measures that may constrain deployment options.
- Performance profile: latency-sensitive (needs to be close to users or other systems), throughput-heavy (needs high bandwidth), or compute-intensive (needs specific hardware like GPUs)?
- Demand variability: steady-state, seasonal peaks, or unpredictable spikes?
- Integration dependencies: does this workload depend on on-premises systems (databases, mainframes, legacy APIs)?
Step 2: Map Constraints
- Regulatory: GDPR data-residency requirements, DPDPA 2023 cross-border transfer restrictions, sector-specific rules (PSD2 for payments, MiFID II for trading).
- Financial: CapEx budget availability, existing hardware with remaining useful life, committed spend agreements with providers.
- Organizational: team skills, existing tooling, vendor relationships.
Step 3: Select Per Workload, Then Aggregate
Once each workload has a target model, the aggregate determines your organizational model. If every workload targets public cloud, you're public-cloud-only. If workloads span private and public, you're hybrid. If they span multiple public providers, you're multi-cloud.
Step 4: Reassess Periodically
Cloud deployment is not a set-and-forget decision. Workload characteristics change. Pricing changes. Regulations change. Opsio recommends a formal reassessment at minimum annually, aligned with contract renewal cycles and compliance audit schedules.
EU and India Compliance Considerations
European Union
GDPR: Article 44 restricts personal data transfers outside the EEA. Deployment model choices must ensure data residency controls are architecturally enforced, not just policy-based. AWS, Azure, and GCP all offer EU-region data residency commitments, but configurations like cross-region replication, CDN caching, and support-access tooling can inadvertently transfer data outside intended boundaries.
NIS2 Directive: applicable since October 2024, NIS2 requires essential and important entities to implement appropriate technical and organizational measures for cybersecurity risk management. This includes supply-chain security — your cloud provider is part of your supply chain. Deployment model decisions should document how each model satisfies NIS2 Article 21 requirements.
Cloud sovereignty: Germany's BSI C5 attestation and France's SecNumCloud label impose additional requirements on cloud providers. Organizations in these markets may need providers with specific national certifications, which can constrain deployment model options.
India
DPDPA 2023: India's Digital Personal Data Protection Act empowers the central government to restrict cross-border transfers of personal data to notified countries. Organizations deploying in India should ensure primary data processing occurs in Indian regions (AWS ap-south-1 Mumbai, Azure Central India, GCP asia-south1 Mumbai) with architectural controls preventing data egress to non-approved jurisdictions.
RBI guidelines: financial services firms in India must comply with RBI's framework on outsourcing IT services, which includes specific requirements on data localization and audit access to cloud provider infrastructure.
What Opsio Sees: Operational Patterns Across Deployment Models
Running 24/7 SOC and NOC operations across customer environments spanning all deployment models, several patterns emerge consistently:
Hybrid environments generate the most incidents from network boundary failures. The interconnect between on-premises and public cloud (Direct Connect, ExpressRoute) is a single point of failure that teams undermonitor. When it degrades, symptoms appear as application slowness rather than network failure, causing misdirected troubleshooting.
Multi-cloud cost attribution is the top FinOps challenge. Organizations running workloads across two or more providers consistently struggle to answer basic questions like "what does this application cost per month?" without dedicated tooling and tagging discipline.
Private cloud environments drift fastest from security baselines. Public cloud providers continuously update default configurations (encryption-at-rest defaults, TLS minimums, public-access blocks). Private cloud infrastructure retains whatever configuration was set at deployment unless actively maintained.
Public-cloud-only organizations are fastest to adopt new capabilities but also accumulate the most unused resources. The ease of provisioning creates sprawl. Flexera's State of the Cloud has consistently identified cloud waste as a top concern, and pure public-cloud environments are where Opsio's FinOps practice finds the most optimization opportunity.
Frequently Asked Questions
What are the 4 cloud deployment models?
The four models defined by NIST SP 800-145 are public cloud (shared infrastructure operated by a provider like AWS, Azure, or GCP), private cloud (dedicated infrastructure for a single organization), hybrid cloud (workloads spanning both public and private environments with orchestration between them), and community cloud (shared infrastructure among organizations with common requirements, such as government agencies). Multi-cloud — using multiple public providers — is often treated as a fifth model in practice.
Which cloud deployment model is most commonly used?
Hybrid cloud is the most commonly adopted model among enterprises. Flexera's State of the Cloud report has consistently found that a majority of enterprises pursue a hybrid strategy, combining on-premises or private cloud resources with one or more public clouds. Pure public-cloud-only deployments are more common among startups and smaller organizations that lack legacy infrastructure requiring on-premises integration.
What is IaaS, PaaS, and SaaS and how do they relate to deployment models?
IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS (Software as a Service) are cloud service models — they describe the abstraction layer and what the provider manages versus what you manage. Deployment models describe where and how infrastructure is hosted. The two are independent: you can run IaaS on a private cloud, consume PaaS on a public cloud, or use SaaS delivered through a hybrid architecture. Choosing a deployment model does not lock you into a specific service model.
Is AWS a public, private, or hybrid cloud?
AWS is primarily a public cloud provider, but it supports all deployment models. AWS Outposts brings AWS-managed infrastructure into your on-premises data center for private or hybrid deployments. AWS GovCloud provides isolated regions for US government workloads. AWS Local Zones extend compute closer to end users. Most organizations use AWS as the public cloud component of a broader hybrid or multi-cloud strategy.
Is hybrid cloud cheaper than private cloud?
Cost depends entirely on the workload profile. Hybrid cloud typically reduces costs for variable workloads because you can burst to public cloud instead of over-provisioning private infrastructure for peak demand. However, hybrid introduces networking costs (interconnect fees, data transfer charges), integration complexity, and additional tooling overhead. For steady-state workloads with consistently high utilization, private cloud can be more cost-effective per compute unit. The rigorous approach: model TCO for your specific workloads across both models before deciding.
