Cloud Services Cross-Reference: Networking
Networking is the foundation of every cloud deployment. This document maps equivalent networking services across AWS, Azure, OCI (Oracle Cloud Infrastructure), and Google Cloud Platform (GCP), organized by functional category. Each cloud uses different naming conventions and offers distinct capabilities — this guide surfaces both the equivalencies and the meaningful differences.
1. Virtual Networks
The primary private network construct. All compute, database, and managed services are deployed into (or attached to) this construct.
| Concept | AWS | Azure | OCI | GCP |
|---|---|---|---|---|
| Core construct | Amazon VPC (Virtual Private Cloud) | Azure Virtual Network (VNet) | Virtual Cloud Network (VCN) | VPC (Virtual Private Cloud) |
| Scope | Regional; spans all AZs in a region | Regional; spans all AZs in a region | Regional; spans all Availability Domains | Global; a single VPC spans all regions |
| IP address range | CIDR block assigned at creation; can add secondary CIDRs | Address space defined at creation; supports multiple ranges | CIDR block; supports multiple CIDRs | Subnet-level CIDR; VPC itself has no address range |
| VNet/VPC encryption | Not native; use TLS or MACsec via Direct Connect | Virtual Network Encryption (VNET-to-VNET, in preview → GA 2024) | Not native at VCN level; MACsec available on FastConnect | Not native; use Cloud VPN or MACsec on Interconnect |
| Peering | VPC Peering (non-transitive) | VNet Peering (non-transitive by default) | VCN Peering via Local Peering Gateway (LPG) or DRG | VPC Network Peering (non-transitive) |
| Default DNS | AmazonProvidedDNS (169.254.169.253 / .2 of VPC CIDR) | Azure-provided DNS or custom | VCN resolver; custom DNS via DHCP options | Internal DNS via metadata server (169.254.169.254) |
Key differentiators:
- GCP VPCs are global by design — a single VPC spans all regions, and subnets are regional. AWS, Azure, and OCI VPCs/VNets/VCNs are regional and require peering or transit constructs for cross-region connectivity.
- OCI VCN includes a free DRG (Dynamic Routing Gateway) with no per-hour charge; AWS Transit Gateway and Azure Virtual WAN carry per-attachment or per-hour fees.
2. Subnets and Routing
| Concept | AWS | Azure | OCI | GCP |
|---|---|---|---|---|
| Subnet scope | Availability Zone (AZ) — one subnet per AZ | Regional — a single subnet spans all AZs in a region | Availability Domain or Regional (regional subnets are preferred) | Regional — subnets span all zones in a region |
| Public subnet | Route table with Internet Gateway (IGW) route | Subnet with route to internet-attached resource; no explicit "public" flag | Public subnet flag; requires Internet Gateway in VCN | Subnet with a default route to the internet via Cloud Router or default gateway |
| Private subnet | No route to IGW; use NAT Gateway for outbound | No public IP on NIC; route outbound via NAT Gateway or Azure Firewall | Private subnet flag; use NAT Gateway for outbound | Subnet with Private Google Access or Cloud NAT for outbound |
| Route tables | Route tables associated per subnet | User-defined routes (UDRs) associated per subnet | Route tables associated per subnet or VCN | Routes are VPC-level; applied to all instances unless overridden by policy routing |
| System routes | AWS managed routes added automatically (local, IGW, etc.) | System routes (auto-created); cannot delete, only override with UDRs | System routing rules; route rules in route tables | Implied system-generated routes for subnet ranges |
| IPv6 | Dual-stack supported | Dual-stack supported | Dual-stack supported; NLB supports IPv6 | Dual-stack supported |
Key differentiator: Azure subnets are regional (span all zones), while AWS and OCI subnets are zone-scoped. GCP subnets are also regional. This affects how multi-AZ architectures are designed — Azure and GCP simplify this compared to AWS and OCI.
3. Load Balancers
| Concept | AWS | Azure | OCI | GCP |
|---|---|---|---|---|
| Layer 4 (TCP/UDP) | Network Load Balancer (NLB) | Azure Load Balancer (Standard SKU) | Flexible Network Load Balancer | Network Load Balancer (Passthrough or Proxy) |
| Layer 7 (HTTP/HTTPS) | Application Load Balancer (ALB) | Azure Application Gateway | Flexible Load Balancer | Application Load Balancer (External or Internal) |
| Global HTTP/HTTPS | AWS Global Accelerator (anycast) + ALB | Azure Front Door (global entry point) | Not a separate global LB; WAF + edge via Front Door-equivalent | External Application Load Balancer (global Anycast) |
| Third-party appliance chaining | Gateway Load Balancer (GWLB) | Not a direct equivalent; use NVAs behind Azure Load Balancer | Not a direct equivalent | Not a direct equivalent |
| Classic/legacy LB | Classic Load Balancer (CLB) — deprecated | Basic Load Balancer SKU (retiring) | — | — |
| Internal (private) LB | Internal ALB or Internal NLB | Internal Load Balancer | Internal Flexible Load Balancer | Internal Application or Internal Network Load Balancer |
| SSL/TLS termination | ALB (HTTPS listeners) | Application Gateway, Front Door | Flexible Load Balancer (HTTPS listeners) | Application Load Balancer |
| WebSocket support | ALB | Application Gateway, Front Door | Flexible Load Balancer | Application Load Balancer |
Key differentiators:
- AWS Gateway Load Balancer (GWLB) is unique: it operates at Layer 3 and is designed to chain traffic through third-party security appliances (firewalls, IDS/IPS) transparently using GENEVE encapsulation. Azure and GCP have no direct managed equivalent.
- GCP External Application Load Balancer uses a single global Anycast IP address, simplifying global DNS. AWS equivalent requires combining ALB with Global Accelerator.
- OCI Flexible Load Balancer uses a "shape" model (10 Mbps to 8 Gbps or flexible bandwidth), whereas other clouds auto-scale without pre-selecting bandwidth tiers.
4. Content Delivery Network (CDN)
| Concept | AWS | Azure | OCI | GCP |
|---|---|---|---|---|
| CDN service | Amazon CloudFront | Azure CDN (Standard Microsoft, Standard/Premium Verizon, Standard Akamai) | OCI Web Application Accelerator (WAA) | Cloud CDN |
| Global entry point / advanced CDN | Amazon CloudFront + AWS Global Accelerator | Azure Front Door (Standard / Premium) | Not a full global CDN; WAA operates at load balancer layer only | Cloud CDN (integrated with External Application LB) |
| Edge locations / PoPs | 600+ PoPs (as of 2025) | 100+ PoPs globally | Limited; edge caching at load balancer layer only; not a distributed CDN | 100+ PoPs (Cloud CDN edge nodes) |
| Dynamic acceleration | CloudFront + Lambda@Edge / CloudFront Functions | Azure Front Door (split TCP, dynamic routing) | Compression + caching via WAA policy; no edge presence | Not a standalone dynamic acceleration product |
| WAF at edge | AWS WAF integrated with CloudFront | Azure WAF integrated with Front Door | OCI WAF integrated with Flexible Load Balancer (not edge) | Cloud Armor integrated with External Application LB |
| Streaming | CloudFront (HLS, DASH, smooth streaming) | Azure CDN (HLS, DASH) | Not directly supported | Cloud CDN (HLS, DASH) |
| Free tier | CloudFront Free Tier (1 TB/month) | No free tier for CDN profiles | WAA included at no additional charge for OCI customers | Cloud CDN pricing based on egress |
Key differentiators:
- OCI Web Application Accelerator (WAA) is fundamentally different from the others: it caches responses at the load balancer (not at distributed PoPs worldwide). It is not a CDN in the traditional sense. For global edge delivery, OCI customers typically use a third-party CDN or Oracle's Dyn CDN (legacy).
- Azure Front Door (Standard/Premium) has consolidated CDN and WAF into a single globally distributed product, deprecating legacy Azure CDN profiles (Akamai, Verizon) over time.
- AWS CloudFront supports edge compute (Lambda@Edge, CloudFront Functions) for request/response manipulation at the edge — a capability that GCP and Azure match via serverless edge functions, but OCI does not offer.
5. DNS
| Concept | AWS | Azure | OCI | GCP |
|---|---|---|---|---|
| Public DNS hosting | Amazon Route 53 | Azure Public DNS | OCI DNS (Public Zones) | Cloud DNS (Public Zones) |
| Private DNS (VPC/VNet) | Route 53 Private Hosted Zones | Azure Private DNS Zones | OCI DNS (Private Views) | Cloud DNS (Private Zones) |
| DNS resolver for hybrid | Route 53 Resolver (inbound + outbound endpoints) | Azure DNS Private Resolver | OCI DNS Resolver (per VCN; forwarding rules for hybrid) | Cloud DNS (inbound/outbound forwarding policies) |
| Traffic management / routing policies | Route 53 Traffic Policies (latency, weighted, geolocation, failover, multi-value, IP-based) | Azure Traffic Manager (DNS-based; priority, weighted, performance, geographic, subnet, multi-value) | OCI Traffic Management Steering Policies (IP prefix, ASN, geolocation, failover, load balancer) | Cloud DNS + Cloud Load Balancing (no dedicated DNS-based traffic manager; use Global LB) |
| DNSSEC | Supported (Route 53) | Supported (Azure Public DNS) | Supported | Supported |
| Health checks for DNS failover | Route 53 Health Checks (HTTP, HTTPS, TCP; can trigger DNS failover) | Traffic Manager health probes | OCI health checks via Traffic Management | Cloud DNS health checks (GA 2024) |
| Domain registration | Route 53 (registrar included) | Not a domain registrar; use third-party | Not a domain registrar | Cloud Domains (separate registrar service) |
Key differentiators:
- AWS Route 53 is the only cloud provider with a built-in domain registrar, enabling a fully integrated register-to-route workflow.
- Azure Traffic Manager is DNS-based global load balancing (not a CDN or proxy) — conceptually equivalent to Route 53 Traffic Policies. Azure also offers Azure Front Door for actual proxy-based global routing.
- GCP lacks a standalone DNS-based traffic manager; global traffic routing is handled at the load balancer level using global Anycast, not at the DNS resolution level.
6. VPN Gateway
| Concept | AWS | Azure | OCI | GCP |
|---|---|---|---|---|
| Service name | AWS Site-to-Site VPN | Azure VPN Gateway | OCI Site-to-Site VPN | Cloud VPN (HA VPN) |
| Protocol | IPsec / IKEv1, IKEv2 | IPsec / IKEv2 | IPsec / IKEv1, IKEv2 | IPsec / IKEv2 |
| Tunnel redundancy | 2 tunnels per VPN connection (active/active possible) | Active-active or active-passive modes | 2 tunnels per IPsec connection | HA VPN: 2 tunnels per HA VPN gateway (99.99% SLA) |
| Max throughput | 1.25 Gbps per VPN connection; up to 10 Gbps with ECMP via Transit Gateway | Up to 10 Gbps (VpnGw5 SKU with Zone-Redundant) | Up to 450 Mbps per tunnel aggregate | Up to 3 Gbps per HA VPN tunnel (with ECMP) |
| BGP support | Yes (dynamic routing) | Yes (BGP routing) | Yes (BGP routing) | Yes (via Cloud Router) |
| Client VPN (P2S) | AWS Client VPN (OpenVPN / SAML) | Azure Point-to-Site VPN (SSTP, IKEv2, OpenVPN) | Not a native managed client VPN; use third-party or bastion | Cloud VPN does not support point-to-site; use Identity-Aware Proxy or third-party |
| Accelerated VPN | AWS Accelerated Site-to-Site VPN (uses Global Accelerator) | Not available | Not available | HA VPN over Interconnect (encrypted dedicated path) |
Key differentiators:
- GCP Cloud VPN requires Cloud Router for dynamic (BGP) routing; the router is a separate object managed at the VPC level.
- OCI Site-to-Site VPN has no point-to-site (client) VPN — for remote access, OCI customers use Azure Bastion-equivalents or third-party solutions.
- AWS Accelerated VPN routes traffic through AWS Global Accelerator edge nodes, reducing latency for geographically distant connections.
7. Dedicated / Private Interconnect (On-Premises Connectivity)
| Concept | AWS | Azure | OCI | GCP |
|---|---|---|---|---|
| Service name | AWS Direct Connect | Azure ExpressRoute | OCI FastConnect | Cloud Interconnect (Dedicated or Partner) |
| Connection type | Dedicated (1 or 10 Gbps) or Hosted (50 Mbps to 10 Gbps via partner) | Dedicated (ExpressRoute Direct: 10/100 Gbps) or Circuit via partner (50 Mbps to 10 Gbps) | FastConnect Direct (1/10/100 Gbps) or via colocation partner | Dedicated Interconnect (10/100 Gbps VLAN attachments) or Partner Interconnect |
| Max bandwidth | 100 Gbps (LAG aggregation of 10 Gbps ports) | 400 Gbps ExpressRoute Direct (announced; available 2026) | 100 Gbps per port | 200 Gbps per interconnect connection (20 x 10 Gbps) |
| Redundancy SLA | 99.99% with dual connections in different facilities | 99.95% (Standard); 99.99% (Premium / dual) | 99.9% single FastConnect; 99.99% with redundant connections | 99.9% single; 99.99% with redundant HA topology |
| BGP routing | Yes (private ASN required) | Yes (private ASN; Microsoft peering for M365/Azure PaaS) | Yes; BGP for dynamic routing | Yes via Cloud Router (BGP with ASN) |
| Encryption | MACsec on Dedicated connections (select locations) | MACsec on ExpressRoute Direct | MACsec supported on FastConnect | MACsec on Dedicated Interconnect (GA); HA VPN over Interconnect |
| Cross-cloud | Not native; use VPN or third-party | Not native | OCI Interconnect for Azure (Oracle Interconnect); OCI Interconnect for Google Cloud | Cross-Cloud Interconnect (connect GCP to AWS, Azure, or Oracle directly) |
| Cost model | Port-hour + data transfer charges | Circuit + gateway charges; no data transfer fees on private peering | Port-hour only; no data transfer charges | Port charges; data transfer via VLAN attachment |
Key differentiators:
- OCI FastConnect charges only a per-port-hour fee with no data transfer fees — this is a significant cost advantage over AWS Direct Connect and Azure ExpressRoute for high-volume data workloads.
- OCI and GCP both offer dedicated cross-cloud interconnect products. Oracle Interconnect for Azure and Oracle Interconnect for Google Cloud provide a low-latency, private path between OCI and the other cloud. GCP's Cross-Cloud Interconnect connects GCP to AWS, Azure, and Oracle at their colocation facilities.
- Azure ExpressRoute supports Microsoft Peering, which allows customers to access Microsoft 365 and Dynamics 365 over the dedicated circuit — no AWS or GCP equivalent for their respective SaaS offerings.
8. Firewalls and Network Security
| Concept | AWS | Azure | OCI | GCP |
|---|---|---|---|---|
| Instance-level security | Security Groups (stateful; allow-only rules; per-ENI) | Network Security Groups (NSG; stateful; allow + deny; per NIC or subnet) | Security Lists (stateful or stateless; per subnet) + Network Security Groups (per VNIC) | Firewall rules (stateful; VPC-level; priority-based) |
| Managed network firewall | AWS Network Firewall | Azure Firewall (Standard / Premium SKU) | OCI Network Firewall | Cloud Firewall (Standard / Enterprise tier) |
| Firewall management plane | AWS Firewall Manager | Azure Firewall Manager | Not a separate management service; managed via policies in console | Cloud Firewall Policy (VPC Firewall Policies; hierarchical) |
| WAF | AWS WAF | Azure WAF (on Application Gateway or Front Door) | OCI WAF (edge policy or load balancer policy) | Cloud Armor (WAF + DDoS) |
| DDoS protection | AWS Shield (Standard — free; Advanced — paid) | Azure DDoS Protection (Network Protection or IP Protection) | OCI DDoS Protection (included; no separate SKU for basic protection) | Cloud Armor (Standard includes volumetric DDoS; Managed Protection Plus for advanced) |
| Intrusion detection | AWS Network Firewall (IDS/IPS rules) | Azure Firewall Premium (IDPS) | OCI Network Firewall (IDPS via Suricata rules) | Cloud IDS (Intrusion Detection System; separate service) |
Key differentiators:
- AWS uses Security Groups (per-ENI, stateful) and optionally Network ACLs (subnet-level, stateless). OCI uses both Security Lists (subnet-level) and Network Security Groups (VNIC-level), and allows stateless rules for high-performance scenarios. GCP uses VPC-wide firewall rules with priority ordering.
- OCI Network Firewall is powered by Palo Alto Networks technology, providing Layer 7 inspection with URL filtering, application detection, and Suricata-based IDS/IPS rules.
- AWS Network Firewall gained native Transit Gateway integration in 2025, eliminating the need for "inspection VPC" architectures. AWS also introduced a Network Firewall Proxy (preview 2025) for managed egress security with TLS interception.
- GCP Cloud IDS is a passive intrusion detection system (no blocking) that mirrors traffic to Palo Alto threat detection engines. Active blocking requires Cloud Firewall Enterprise or a third-party NVA.
9. Transit / Peering (Multi-VPC / Hub-and-Spoke)
| Concept | AWS | Azure | OCI | GCP |
|---|---|---|---|---|
| Transit routing hub | AWS Transit Gateway | Azure Virtual WAN (Standard tier) | OCI Dynamic Routing Gateway (DRG v2) | Network Connectivity Center (NCC) |
| Hub-and-spoke model | Transit Gateway (hub); VPCs as spokes | Virtual WAN Hub; VNets as spokes | DRG (hub); VCNs as spokes | NCC Hub; VPCs and hybrid spokes |
| Transitive routing | Transit Gateway supports transitive routing between attached VPCs | Virtual WAN supports transitive routing within a hub | DRG supports transitive routing across attached VCNs and on-premises | NCC enables transitive routing across spokes |
| Cross-region | AWS Transit Gateway Peering (inter-region TGW) | Virtual WAN (global; spans regions natively) | DRG supports cross-region VCN attachment | NCC supports cross-region spoke attachment |
| Pricing | Per attachment per hour + per GB data processed | Per connection unit per hour + per GB (varies by SKU) | DRG has no per-hour or per-GB charge (included) | NCC: data transfer fees; no per-attachment fee |
| Route control | TGW route tables; blackhole routes; route propagation controls | Virtual WAN route tables; custom routing; static routes | DRG route tables per attachment; import/export route distribution | NCC route policies; Cloud Router for BGP |
| SD-WAN integration | Transit Gateway Connect (GRE tunnels for SD-WAN) | Virtual WAN (native SD-WAN partner automation) | DRG (SD-WAN via IPsec) | NCC supports SD-WAN partner routers as spokes |
Key differentiators:
- OCI DRG v2 is included at no additional charge — no per-attachment fee, no data processing fee. AWS Transit Gateway and Azure Virtual WAN both charge per attachment per hour plus data processing fees, which can become significant in large multi-VPC environments.
- Azure Virtual WAN is the most opinionated product — it abstracts away route table management for common hub-and-spoke topologies. AWS Transit Gateway and OCI DRG offer more granular routing control.
- GCP Network Connectivity Center uses a hub-and-spoke model that also aggregates VPN, Interconnect, and Router Appliance spokes into a single managed hub.
10. Private Link / Private Endpoints
Private connectivity to managed services (PaaS) without traversing the public internet.
| Concept | AWS | Azure | OCI | GCP |
|---|---|---|---|---|
| Service name | AWS PrivateLink | Azure Private Link | OCI Private Endpoint + OCI Private Service Access (PSA) | Private Service Connect (PSC) |
| Endpoint in VPC/VNet | VPC Interface Endpoint (powered by PrivateLink) | Private Endpoint (private IP in VNet subnet) | Private Endpoint (private IP in VCN subnet) | PSC Endpoint (private IP in VPC subnet) |
| Supported services | AWS services (S3, DynamoDB via Gateway Endpoints; 100+ others via Interface Endpoints) | Azure PaaS services (Storage, SQL, Key Vault, etc.) + partner services | 25+ OCI services (Object Storage, Autonomous DB, etc.) | Google APIs, Google Cloud services, and published services |
| Customer-published services | AWS PrivateLink (publish NLB-backed service; consumers create Interface Endpoints) | Azure Private Link Service (publish Standard LB-backed service) | OCI Private Service Gateway (provider model) | PSC (publish service via Service Attachment; consumers create PSC Endpoints) |
| Cost | Per endpoint per hour + per GB data processed | Per private endpoint per hour + per GB processed | No per-hour or per-GB charge (free) | Per endpoint per hour + per GB processed |
| DNS integration | Route 53 Private Hosted Zones for endpoint DNS | Private DNS zones auto-created when private endpoint is provisioned | VCN DNS resolves private endpoint FQDNs automatically | Cloud DNS for PSC endpoint resolution |
Key differentiators:
- OCI Private Endpoints and Private Service Access are provided at no additional charge — no per-hour connection fees and no per-byte data fees. AWS, Azure, and GCP all charge per endpoint-hour and per GB.
- OCI Private Service Access (PSA) supports Zero Trust Packet Routing policies, allowing NSG-based control over which resources can reach a PSA endpoint — a more granular access model than other clouds.
- AWS has two endpoint types: Gateway Endpoints (S3 and DynamoDB; free, no private IP) and Interface Endpoints (everything else; PrivateLink; per-hour charge). GCP's PSC merges these into a single model.
11. NAT Gateway
Managed outbound NAT for private subnets.
| Concept | AWS | Azure | OCI | GCP |
|---|---|---|---|---|
| Service name | NAT Gateway | Azure NAT Gateway | OCI NAT Gateway | Cloud NAT |
| Scope | Per AZ (deploy one per AZ for HA) | Per subnet (or regional with zone-redundancy in Standard SKU) | Per VCN; attached to route tables | Per region; one Cloud NAT per Cloud Router |
| Outbound IP | Elastic IP (static) or auto-assigned public IP | Public IP or IP Prefix (up to /28) | Reserved public IP or ephemeral | External IP (reserved or auto-assigned) |
| Private NAT | Private NAT Gateway (2023) — routes between overlapping CIDRs | Not available (use Azure Firewall for private NAT scenarios) | Not available as a separate feature | Not available as a standalone feature |
| Bandwidth / scalability | Auto-scales to 100 Gbps | Auto-scales; scales with Public IP Prefix size | Scales with instance traffic (no stated cap) | Auto-scales; minimum 64 ports per endpoint |
| Cost | Per NAT Gateway per hour + per GB processed | Per hour + per GB processed | No charge for OCI NAT Gateway (free) | Per hour + per GB processed |
| Idle timeout control | Configurable (30–910 seconds for TCP) | Configurable (4–120 minutes TCP idle) | Not configurable (system managed) | Configurable (20 seconds to 600 seconds) |
Key differentiators:
- OCI NAT Gateway is free — no per-hour or per-GB charge. All other clouds charge both per hour and per GB.
- AWS Private NAT Gateway is a unique feature that allows routing between VPCs with overlapping CIDR ranges, which standard VPC peering cannot accommodate.
- In AWS, NAT Gateways are AZ-scoped, so you must deploy one per AZ for high availability. Azure, OCI, and GCP operate at the regional/VCN level.
12. Traffic Manager / Global Accelerator
Services that improve global availability, latency, or perform DNS-based global load balancing.
| Concept | AWS | Azure | OCI | GCP |
|---|---|---|---|---|
| Anycast global routing | AWS Global Accelerator | Azure Front Door (reverse proxy; Anycast entry) | Not available natively | External Application Load Balancer (global Anycast) |
| DNS-based global LB | Route 53 Traffic Policies (latency, geolocation, failover, weighted) | Azure Traffic Manager (DNS TTL-based routing) | OCI Traffic Management (steering policies: IP prefix, ASN, geolocation, failover) | Cloud DNS (no native DNS-based traffic manager; use global LB instead) |
| Health check integration | Route 53 health checks drive DNS failover | Traffic Manager health probes (HTTP, HTTPS, TCP) | OCI health checks via steering policies | Cloud DNS public IP health checks (GA 2024) |
| Performance routing | Global Accelerator (routes to nearest healthy endpoint via AWS backbone) | Front Door (routes to nearest POP; performance-based) | Not a native performance routing service | External Application LB (routes to nearest backend) |
| Failover | Route 53 (active-passive failover with health checks) | Traffic Manager (priority routing) + Front Door | OCI Traffic Management (failover origin pools) | Cloud DNS health checks + routing policies |
Key differentiators:
- AWS Global Accelerator and GCP External Application Load Balancer both use Anycast IPs — clients connect to the nearest PoP, and traffic rides the cloud backbone to the actual backend. Azure Front Door works similarly as a reverse proxy at the edge.
- Azure Traffic Manager is DNS-based (not a proxy), meaning it cannot do session persistence, SSL termination, or WAF at the global routing layer — for those features, Azure Front Door is required.
- GCP has no dedicated DNS-based global traffic manager comparable to Route 53 Traffic Policies or Azure Traffic Manager; all global routing is handled at the load balancer level.
Summary Matrix
| Category | AWS | Azure | OCI | GCP |
|---|---|---|---|---|
| Virtual Network | Amazon VPC | Azure VNet | OCI VCN | GCP VPC (global) |
| Layer 4 Load Balancer | Network Load Balancer | Azure Load Balancer | Flexible Network Load Balancer | Network Load Balancer |
| Layer 7 Load Balancer | Application Load Balancer | Application Gateway | Flexible Load Balancer | Application Load Balancer |
| CDN | Amazon CloudFront | Azure CDN / Azure Front Door | Web Application Accelerator (WAA) | Cloud CDN |
| DNS | Amazon Route 53 | Azure DNS + Traffic Manager | OCI DNS + Traffic Management | Cloud DNS |
| VPN | Site-to-Site VPN / Client VPN | VPN Gateway | Site-to-Site VPN | Cloud VPN (HA VPN) |
| Dedicated Interconnect | AWS Direct Connect | Azure ExpressRoute | OCI FastConnect | Cloud Interconnect |
| Managed Firewall | AWS Network Firewall | Azure Firewall | OCI Network Firewall | Cloud Firewall |
| WAF | AWS WAF | Azure WAF | OCI WAF | Cloud Armor |
| DDoS Protection | AWS Shield | Azure DDoS Protection | OCI DDoS Protection (included) | Cloud Armor |
| Transit / Hub-Spoke | AWS Transit Gateway | Azure Virtual WAN | OCI DRG v2 | Network Connectivity Center |
| Private Endpoints | AWS PrivateLink | Azure Private Link | OCI Private Endpoint / PSA | Private Service Connect |
| NAT Gateway | AWS NAT Gateway | Azure NAT Gateway | OCI NAT Gateway (free) | Cloud NAT |
| Global Traffic Routing | AWS Global Accelerator | Azure Front Door | OCI Traffic Management (DNS-only) | External Application LB (Anycast) |
References
- AWS VPC FAQs
- AWS Elastic Load Balancing Features
- AWS Load Balancer Types Comparison
- Amazon Route 53
- Azure Networking Services Overview
- Azure CDN Feature Comparison
- Azure Networking 2025 Blog
- OCI Networking Overview
- OCI Networking Products
- OCI Dynamic Routing Gateway
- OCI WAF Overview
- OCI Web Application Accelerator Overview
- OCI Private Service Access
- GCP Networking Products
- GCP Cloud Load Balancing
- GCP Cloud Interconnect Overview
- GCP Cloud VPN Overview
- GCP Cloud Armor Overview
- GCP Private Service Connect