Cloud Architecture Overview
Lê Ngọc Sơn – lnson@fit.hcmus.edu.vn
2025
Content
• Introduction to NIST Cloud Computing Reference Architecture
• Cloud Computing Technical Stack – Big picture
• Physical Infrastructure Layer
• Virtualization Layer
• Core Services Layer
• Management Layer
• Application Layer
• Security & Compliance Layer
• User & Business Layer
Introduction to NIST Cloud Computing Reference Architecture
• Developed by NIST to establish a vendor-neutral framework for cloud computing.
• Designed for U.S. Government and Federal CIOs, Procurement Officials, IT Managers.
• Key objectives:
  • Define components and taxonomy of cloud computing.
  • Enable secure, interoperable, and cost-effective cloud adoption.
  • Serve as a reference for standards and guidelines.
Key Actors
Cloud Consumer
• Role: Represents individuals or organizations that use cloud services.
• Activities:
  • Requesting services from a Cloud Provider or Broker.
  • Utilizing cloud resources such as SaaS, PaaS, or IaaS.
  • Interacting with SLAs (Service Level Agreements).
Cloud Provider
• Core Role: Delivers cloud services to consumers.
• Key Functional Areas:
  • Service Orchestration
  • Cloud Service Management
  • Security and Privacy
Key Actors
Cloud Auditor
• Role: Performs independent assessments of cloud services.
• Types of Audits:
  • Security Audit: Verifies that security measures meet required standards.
  • Privacy Impact Audit: Ensures compliance with privacy regulations.
  • Performance Audit: Assesses service performance and reliability.
Cloud Broker
• Role: Acts as an intermediary between the Cloud Provider and Consumer.
• Services Provided:
  • Service Intermediation: Adds value by managing access or enhancing security.
  • Service Aggregation: Combines multiple cloud services into one.
  • Service Arbitrage: Dynamically selects services from multiple providers for flexibility.
Cloud Carrier
• Role: Facilitates the transport of cloud services from the provider to the consumer.
• Responsibilities:
  • Provides connectivity through networks and telecommunications.
  • Ensures secure and consistent data delivery.
Cloud Computing Technical Stack – Big Picture
Physical Infrastructure Layer
Data Center
• Power
  • Main grid supply
  • Backup generators
  • UPS systems
• Cooling
  • HVAC systems
  • Hot/cold aisles
• Security
  • Access control
  • Surveillance
  • Environmental monitoring
Hardware
• Servers
  • Rack servers
  • Compute nodes
  • CPUs/GPUs
  • Memory (RAM)
• Storage
  • SSDs/HDDs
  • Storage arrays
  • Backup systems
Network
• Core Equipment
  • Switches
  • Routers
  • Load balancers
• Connectivity
  • Fiber cables
  • Network cables
  • Physical connections
Virtualization Layer
Virtualization is the enabler of Infrastructure-as-a-Service (IaaS) models in cloud computing. It allows cloud providers to offer scalable, on-demand resources to users without them needing to manage physical hardware directly.
Compute Virtualization:
• Virtual Machines (VMs): Allow multiple operating systems and applications to run on the same physical server, with each VM acting as an independent system.
• Hypervisors (e.g., VMware ESXi, Microsoft Hyper-V, KVM): Software that manages the creation and execution of VMs by abstracting the physical hardware.
Storage Virtualization:
• Abstracts physical storage resources (e.g., disks, SSDs) and combines them into a unified, flexible pool.
• Enables features like scalable storage allocation, snapshots, and replication.
• Examples: Storage Area Network (SAN), Network Attached Storage (NAS), or software-defined storage solutions.
Network Virtualization:
• Abstracts physical network components, allowing the creation of virtual networks that are decoupled from the underlying hardware.
• Includes features like virtual switches, virtual LANs (VLANs), and software-defined networking (SDN).
• Enables more flexible and scalable networking configurations.
Compute Virtualization
It is a technique of masking or abstracting the physical compute hardware and enabling multiple operating systems (OSs) to run concurrently on a single or clustered physical machine(s).
• Enables creation of multiple virtual machines (VMs), each running an OS and application
• A VM is a logical entity that looks and behaves like a physical machine
• The virtualization layer resides between the hardware and the VMs
  • Also known as the hypervisor
• VMs are provided with standardized hardware resources
[Figure: virtualization layer sitting on top of x86 hardware (CPU, NIC card, memory, hard disk)]
Compute Virtualization
[Figure: before virtualization, one OS per x86 machine; after virtualization, a hypervisor hosting multiple VMs on one x86 machine (CPU, NIC card, memory, hard disk)]
Before Virtualization
• Runs a single operating system (OS) per machine at a time
• Couples s/w and h/w tightly
• May create conflicts when multiple applications run on the same machine
• Underutilizes resources
• Is inflexible and expensive
After Virtualization
• Runs multiple operating systems (OSs) per machine concurrently
• Makes OS and applications h/w independent
• Isolates VMs from each other, hence no conflict
• Improves resource utilization
• Offers flexible infrastructure at low cost
Hypervisor
It is software that allows multiple operating systems (OSs) to run concurrently on a physical machine and to interact directly with the physical hardware.
• Has two components
  • Kernel
  • Virtual Machine Monitor (VMM)
[Figure: hypervisor (kernel plus one VMM per VM) on top of x86 hardware (CPU, NIC card, memory, hard disk)]
Storage Virtualization
Network Virtualization
Network Virtualization is a technology that abstracts and combines hardware and software network resources into a single, manageable virtual network. It allows multiple virtual networks to share the same physical network infrastructure while maintaining isolation, flexibility, and efficiency. This is achieved by decoupling network functions, such as routing, switching, and security, from the underlying physical hardware.
Virtualized Data Center
Transforming a Classic Data Center (CDC) into a Virtualized Data Center (VDC)
A Virtualized Data Center (VDC) requires virtualizing the core elements of the data center, shown as a stack built up from the Classic Data Center (CDC):
• Virtualize Network
• Virtualize Storage
• Virtualize Compute
Using a phased approach to a virtualized infrastructure enables a smoother transition to virtualizing the core elements.
Core Services Layer
The Core Services layer is the heart of a cloud computing stack. It provides the essential building blocks required for running and managing applications, systems, and workloads in the cloud. These services form the foundation upon which other functionalities, such as application hosting, storage, and networking, are built.
Compute:
• Refers to the processing power needed to run applications, workloads, and services in the cloud.
• Examples include:
  • Virtual Machines (VMs): Virtualized compute instances that run operating systems and applications.
  • Containers: Lightweight, portable environments for applications (e.g., Docker, Kubernetes).
  • Serverless Computing: On-demand execution of code without managing servers (e.g., AWS Lambda, Azure Functions).
  • Bare Metal Servers: Physical servers offered without virtualization for high-performance needs.
Storage:
• Provides the capacity to store, manage, and retrieve data in the cloud. It includes various types of storage for different use cases:
  • Object Storage: Ideal for unstructured data like files and multimedia (e.g., AWS S3, Google Cloud Storage).
  • Block Storage: Used for applications requiring low-latency access, like databases (e.g., AWS EBS, Azure Managed Disks).
  • File Storage: Network-based file systems (e.g., Azure Files, AWS FSx).
  • Archival Storage: Cost-effective long-term storage for infrequently accessed data (e.g., AWS Glacier).
Network:
• Manages the connectivity between cloud resources and external systems. Networking services ensure data transfer, security, and availability:
  • Virtual Private Clouds (VPCs): Isolated networks within a public cloud.
  • Load Balancers: Distribute incoming traffic across multiple resources (e.g., AWS ELB, A[…] Load Balancer).
  • Content Delivery Networks (CDNs): Speed content delivery by caching data closer to users (e.g., Cloudflare, AWS CloudFront).
  • Firewalls and Security Groups: Protect resources by defining access control rules.
  • DNS Services: Manage domain names and routing (e.g., AWS Route 53, Azure DNS).
Management Layer
• Focuses on the tools, processes, and frameworks required to efficiently operate, monitor, and optimize cloud resources. This layer plays a critical role in ensuring the smooth functioning of cloud environments by automating routine tasks, managing workloads, and providing insights for better decision-making.
Orchestration
• Refers to the automated coordination and management of cloud resources to ensure that workflows, applications, and services run seamlessly.
• Key functions:
  • Automating the deployment of applications and services.
  • Managing dependencies between services.
  • Ensuring that resources are provisioned and de-provisioned as needed.
• Tools: Kubernetes (for container orchestration), Apache Airflow, AWS CloudFormation, Terraform (for infrastructure as code).
Monitoring
• Provides real-time visibility into the performance, health, and usage of cloud resources.
• Ensures proactive detection and resolution of issues to minimize downtime and maintain performance.
• Key functions:
  • Tracking resource utilization (CPU, memory, storage).
  • Monitoring application performance (response times, error rates).
  • Generating alerts for anomalies or failures.
• Tools: Prometheus, Grafana, AWS CloudWatch, Azure Monitor, Datadog, New[…]
Automation
• Involves using scripts, tools, or platforms to handle repetitive tasks and processes automatically, reducing human intervention.
• Key functions:
  • Automating the scaling of resources based on demand (auto-scaling).
  • Automating backups and disaster recovery processes.
  • Managing configuration updates and patches.
• Tools: Ansible, Puppet, Chef, Jenkins, AWS Lambda.
The Application Layer
Refers to the components and services that allow developers and businesses to build, run, and manage applications in the cloud. This layer focuses on enabling the creation and operation of software that directly serves users, typically through frontend and backend systems, APIs, and integrations.
Frontend Systems
• Represents the user interface and experience (UI/UX) of the application.
• Includes web browsers, mobile applications, or desktop interfaces that interact with the underlying backend services.
• Technologies:
  • Web frameworks: React, Angular, Vue.js.
  • Mobile frameworks: Flutter, React Native.
Backend Services
• Handles the business logic, processing, and data management behind the scenes.
• Processes user requests, interacts with databases, and returns results to the frontend.
• Technologies:
  • Backend frameworks: Node.js, Django, Flask, Spring Boot.
  • Databases: MySQL, MongoDB, PostgreSQL, DynamoDB.
APIs & Integration
• Facilitates communication between different software components, systems, or services.
• Enables developers to integrate third-party services, connect microservices, or expose application functionality.
• Types of APIs:
  • RESTful APIs, GraphQL, gRPC.
• Tools: Postman (API testing), Swagger (API documentation).
Security & Compliance Layer
The Security & Compliance layer in the cloud computing technical stack is focused on safeguarding cloud environments, data, and applications while ensuring adherence to regulatory requirements and industry standards. This layer is critical to maintaining trust, protecting sensitive information, and ensuring that organizations operate securely within the cloud.
Network Security:
• Protects cloud-based networks and resources from unauthorized access, attacks, and breaches.
• Key Features:
  • Firewalls: Filter and control incoming and outgoing traffic (e.g., AWS Security Groups, Azure Firewall).
  • Virtual Private Networks (VPNs): Secure connections to cloud resources.
  • Intrusion Detection and Prevention Systems (IDS/IPS): Monitor and mitigate potential threats.
Data Protection:
• Ensures data confidentiality, integrity, and availability in the cloud.
• Key Features:
  • Data Encryption: Encrypts data at rest (e.g., AWS KMS, Azure Key Vault) and in transit (e.g., SSL/TLS).
  • Backup and Recovery: Ensures data can be restored in case of loss or corruption.
  • Access Controls: Defines who can access data and under what conditions.
Identity Management:
• Manages user identities and their access to cloud resources.
• Key Features:
  • Identity and Access Management (IAM): Manages roles, policies, and permissions (e.g., AWS IAM, Azure AD).
  • Single Sign-On (SSO): Enables users to access multiple applications with one set of credentials.
  • Multi-Factor Authentication (MFA): Adds an extra layer of security by requiring additional verification steps.
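The firewall and MFA controls above are only as good as the configuration behind them, so a practitioner typically audits that configuration. The following is an added example, not part of the original slides: it checks a constructed account snapshot (the snapshot format, the group and user names, and the `console_access` flag are all assumptions for this example) for security-group rules that expose SSH/RDP to any source and for console users without MFA.

```python
"""Added example: policy check over a constructed cloud-account snapshot.
Flags two things the Network Security and Identity Management bullets guard
against: management ports open to the whole Internet, and users without MFA.
The snapshot format and its values are constructed, not a provider's API output.
"""
import ipaddress

MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed sample snapshot: two security groups and three IAM users.
SNAPSHOT = {
    "security_groups": [
        {"name": "web-sg", "rules": [
            {"port": 443, "cidr": "0.0.0.0/0"},
            {"port": 22, "cidr": "10.0.0.0/8"}]},
        {"name": "bastion-sg", "rules": [
            {"port": 22, "cidr": "0.0.0.0/0"},
            {"port": 3389, "cidr": "203.0.113.0/24"}]},
    ],
    "users": [
        {"name": "alice", "mfa_enabled": True},
        {"name": "bob", "mfa_enabled": False},
        {"name": "ci-deployer", "mfa_enabled": False, "console_access": False},
    ],
}


def open_management_ports(groups):
    """Return (group, port) pairs where a management port is open to any source."""
    findings = []
    for group in groups:
        for rule in group["rules"]:
            net = ipaddress.ip_network(rule["cidr"])
            # A /0 prefix matches every source address, i.e. the rule is world-open.
            if rule["port"] in MANAGEMENT_PORTS and net.prefixlen == 0:
                findings.append((group["name"], rule["port"]))
    return findings


def users_missing_mfa(users):
    """Return console users with no MFA device; non-console service accounts are skipped."""
    return [u["name"] for u in users
            if u.get("console_access", True) and not u["mfa_enabled"]]


if __name__ == "__main__":
    for name, port in open_management_ports(SNAPSHOT["security_groups"]):
        print(f"{name}: {MANAGEMENT_PORTS[port]} (port {port}) open to 0.0.0.0/0")
    for name in users_missing_mfa(SNAPSHOT["users"]):
        print(f"{name}: console access without MFA")
```

Port 443 open to the world on `web-sg` is deliberately not flagged: the check targets management protocols, not public web endpoints.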
Security & Compliance Layer
Compliance Management
• Ensures that the organization meets industry regulations and standards.
• Common Compliance Standards:
  • GDPR (General Data Protection Regulation)
  • HIPAA (Health Insurance Portability and Accountability Act)
  • PCI DSS (Payment Card Industry Data Security Standard)
• Tools:
  • Cloud compliance tools like AWS Artifact, Azure Compliance Manager.
Threat Detection and Response
• Identifies and mitigates potential threats in real-time.
• Key Features:
  • Security Information and Event Management (SIEM): Collects and analyzes security data (e.g., Splunk, Azure Sentinel).
  • Automated Incident Response: Uses tools to automatically respond to detected threats.
Governance and Audit
• Ensures proper management of cloud resources and tracks activity to maintain accountability.
• Key Features:
  • Cloud Resource Policies: Define acceptable usage and behavior for resources.
  • Audit Logs: Track changes, accesses, and actions in the cloud (e.g., AWS CloudTrail, Azure Monitor).
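A SIEM earns its keep by running detection rules over the audit logs described above. The block below is an added example, not code from the slides or from any SIEM product: it applies three simple rules to constructed audit records whose field names only mimic the shape of cloud audit events (the records, user names and IP addresses are made up for this example).

```python
"""Added example: detection logic over constructed audit-log records.
The records mimic the shape of cloud audit events (event name, identity, MFA
flag) that the SIEM and Audit Logs bullets above refer to, but they are
constructed here, not real CloudTrail or Azure Monitor output.
"""
import json

# Constructed sample records, one JSON object per line as a log shipper emits them.
LOG_LINES = """\
{"eventTime":"2025-03-01T08:00:00Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"additionalEventData":{"MFAUsed":"Yes"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2025-03-01T08:05:00Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"bob"},"additionalEventData":{"MFAUsed":"No"},"sourceIPAddress":"198.51.100.7"}
{"eventTime":"2025-03-01T08:07:00Z","eventName":"StopLogging","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"198.51.100.7"}
{"eventTime":"2025-03-01T09:00:00Z","eventName":"DescribeInstances","userIdentity":{"type":"Root","userName":"root"},"additionalEventData":{"MFAUsed":"Yes"},"sourceIPAddress":"203.0.113.10"}
"""

# Events that change the audit trail itself. Losing the trail removes the
# evidence every other control in this layer depends on, so these rank highest.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def detect(lines):
    """Return (severity, user, reason) findings for newline-delimited JSON records."""
    findings = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        identity = ev.get("userIdentity", {})
        user = identity.get("userName", "?")
        if identity.get("type") == "Root":
            # The root account should not do day-to-day work; every use is reviewed.
            findings.append(("medium", user, f"root account used for {ev['eventName']}"))
        if (ev["eventName"] == "ConsoleLogin"
                and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            findings.append(("high", user, "console login without MFA"))
        if ev["eventName"] in TRAIL_TAMPERING:
            findings.append(("critical", user, f"audit trail change: {ev['eventName']}"))
    return findings


if __name__ == "__main__":
    for severity, user, reason in detect(LOG_LINES):
        print(f"[{severity}] {user}: {reason}")
```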
User & Business Layer
Focuses on the interaction between cloud services and the end users or business operations. It ensures that cloud resources deliver value by enabling analytics, user management, cost management, and other business-oriented features. This layer is critical for aligning cloud services with organizational goals and user needs.
Analytics & Business Intelligence (BI):
• Provides tools and capabilities to analyze data stored or processed in the cloud to extract actionable insights.
• Features:
  • Data visualization: Create charts and dashboards to make data insights easier to understand.
  • Predictive analytics: Use AI/ML models to predict trends and patterns.
  • Reports and KPIs: Generate reports to track business performance metrics.
• Examples:
  • AWS QuickSight, Microsoft Power BI, Google Looker, Tableau.
User Management:
• Focuses on managing user accounts, access, and activities across cloud applications and services.
• Features:
  • Role-based access control (RBAC): Assign permissions based on user roles.
  • User activity tracking: Monitor and log user actions for auditing and compliance.
  • Authentication and Single Sign-On (SSO): Simplifies user access across cloud services.
• Examples:
  • Azure Active Directory, Okta, AWS IAM (Identity and Access Management).
Cost Management:
• Provides tools to monitor, control, and optimize the cost of cloud resources.
• Features:
  • Billing dashboards: Track and analyze cloud spending.
  • Budgeting and alerts: Set spending limits and receive alerts when thresholds are exceeded.
  • Cost optimization recommendations: Identify unused or underutilized resources to save money.
• Examples:
  • AWS Cost Explorer, Azure Cost Management, Google Cloud[…]