Cloud
Engineer
Roadmap

Every cloud server runs Linux. You cannot be a cloud engineer without fluency in the command line. Master the Linux file system hierarchy: /, /etc, /var, /home, /usr. Learn essential commands: ls, cd, grep, find, awk, sed, ps, top, df, du, chmod, chown, ssh. Understand file permissions and ownership — critical for security. Learn process management: systemd, journalctl, cron jobs. Study package management: apt (Ubuntu/Debian), yum/dnf (RHEL/Amazon Linux). Master shell scripting with Bash: variables, loops, conditionals, functions — you'll write these daily for automation. Understand environment variables, stdin/stdout/stderr, pipes, and redirects. Practice everything on Ubuntu — it's the most common cloud distro.

Cloud is fundamentally distributed computing over networks. Without networking knowledge you'll be stuck debugging VPC issues for hours. Master the OSI model — know which layer each problem lives at. Understand TCP/IP, UDP, DNS, DHCP, HTTP/S, SSH, FTP. Learn IP addressing and subnetting — CIDR notation (/16, /24, /32) is used everywhere in VPC design. Study routing and switching concepts: default gateways, route tables, NAT. Understand firewalls and security groups: inbound/outbound rules, stateful vs stateless. Learn load balancing: L4 vs L7, round-robin, health checks. Study CDN principles and DNS record types (A, CNAME, MX, TXT, NS). These concepts map directly to AWS VPC, Security Groups, ELB, and Route 53.

AWS has 33% of the cloud market — start here. Deeply learn: EC2 (virtual machines): instance types, AMIs, key pairs, EBS volumes, Auto Scaling Groups, Launch Templates. S3: buckets, storage classes, lifecycle policies, versioning, presigned URLs, static website hosting. VPC: subnets (public/private), Internet Gateway, NAT Gateway, Route Tables, Security Groups, NACLs, VPC Peering. IAM: users, groups, roles, policies (identity-based vs resource-based), MFA — this is the most important security service. RDS & DynamoDB: managed relational and NoSQL databases. Lambda: serverless functions, event triggers, cold starts. ELB: ALB vs NLB, target groups, listener rules. Route 53: DNS hosting, health checks, routing policies. CloudWatch: metrics, logs, alarms, dashboards. Earn AWS Solutions Architect Associate certification — it validates all of this.

Most enterprises use 2+ clouds. Learn the AWS equivalents on GCP and Azure to be a versatile hire. GCP focus: Compute Engine (EC2 equiv.), Cloud Storage (S3), GKE — Google Kubernetes Engine (the best managed K8s), BigQuery (data warehousing), Cloud Run (serverless containers), Cloud IAM, and VPC networking. GCP is dominant in data engineering and ML workloads. Azure focus: Azure VMs, Azure Blob Storage, AKS (Kubernetes), Azure Active Directory / Entra ID (critical for enterprise — AD integration is a key differentiator), Azure DevOps, App Service, and Azure Networking (VNets, NSGs). Earn Google Associate Cloud Engineer or Azure AZ-900/AZ-104 as secondary certs. Understanding the concept mapping across clouds (VPC ↔ VNet ↔ VPC) makes you a fast learner on any platform.

Containers are the unit of deployment in modern cloud. Master Docker completely. Understand container vs VM: containers share the host kernel, VMs have separate OS — containers are faster, lighter, portable. Learn to write production-quality Dockerfiles: multi-stage builds, layer caching, minimal base images (alpine, distroless), non-root users, .dockerignore. Master Docker Compose for multi-container local development: services, networks, volumes, environment files. Understand container registries: Docker Hub, Amazon ECR, Google Artifact Registry — tagging, pushing, pulling images. Learn container networking: bridge, host, overlay networks. Understand container security: image scanning with Trivy, running as non-root, read-only filesystems, secrets management. Learn Docker volumes for persistent data. Know the difference between COPY vs ADD, CMD vs ENTRYPOINT — interviewers love this.

Kubernetes (K8s) is the most important technology in cloud engineering today. It orchestrates containers at scale. Master the core objects: Pods (smallest unit), Deployments (declarative rollouts, replicas, rolling updates), Services (ClusterIP, NodePort, LoadBalancer — how pods are exposed), ConfigMaps & Secrets, PersistentVolumes & PVCs, Namespaces. Learn Ingress controllers (nginx, Traefik) — routing external HTTP traffic. Study resource requests and limits — critical for stability and cost. Master kubectl inside-out: get, describe, logs, exec, apply, rollout. Learn Helm: the package manager for K8s — install and write charts. Study RBAC for access control. Understand Horizontal Pod Autoscaler (HPA) and cluster autoscaler. Learn managed K8s: EKS, GKE, AKS. Earn the CKA (Certified Kubernetes Administrator) — one of the most valuable certs in cloud engineering.

Clicking around the AWS console is not cloud engineering — it's a recipe for undocumented, irreproducible infrastructure. Infrastructure as Code is the professional standard. Master Terraform deeply: providers, resources, variables, outputs, data sources, locals, modules (reusable infrastructure components), and state management. Understand Terraform state: local vs remote (S3 + DynamoDB for locking), state locking, state import. Learn Terraform workspaces for multi-environment (dev/staging/prod) management. Study Terraform best practices: DRY modules, variable validation, sensitive outputs. Learn Terragrunt for managing Terraform at scale across many modules. Understand AWS CDK (Cloud Development Kit) — define infrastructure in TypeScript/Python. Study Pulumi as a modern IaC alternative. Also learn AWS CloudFormation basics for legacy system compatibility. Earn the HashiCorp Terraform Associate cert.

Manual deployments don't scale. CI/CD is how professional teams ship code safely and fast. Master GitHub Actions completely: workflows, triggers (push, PR, schedule), jobs, steps, matrix builds, secrets, environments, and reusable workflows. This is the most widely used CI tool in 2026. Learn GitLab CI/CD: .gitlab-ci.yml, stages, pipelines, runners, artifacts — common in enterprise. Study Jenkins for legacy enterprise environments: Jenkinsfile, declarative pipelines, agents, shared libraries. Understand pipeline stages: lint → test → build (Docker) → push (ECR) → deploy (kubectl/Helm/Terraform). Learn deployment strategies: rolling update, blue/green deployment, canary releases with traffic splitting. Master ArgoCD: GitOps for Kubernetes — sync K8s cluster state from Git automatically. Learn Flux CD as an alternative GitOps tool. Study SAST/DAST integration in pipelines for security.

Security breaches in cloud cost companies millions. Cloud security is a multiplier skill — good engineers know it, great engineers live by it. Master IAM best practices: principle of least privilege, no root access in production, IAM roles over static credentials, cross-account roles. Understand AWS security services: GuardDuty (threat detection), Security Hub (posture management), AWS Config (compliance), CloudTrail (API audit logs — always enable this), Macie (S3 data discovery), Inspector (vulnerability scanning), WAF & Shield (DDoS). Learn Secrets management: AWS Secrets Manager, HashiCorp Vault — never hardcode credentials. Understand encryption: KMS for key management, encryption at rest (S3 SSE, EBS encryption) and in transit (TLS). Study network security: private subnets, VPC endpoints (no internet for sensitive traffic), VPN vs Direct Connect. Learn container security: image scanning, Pod Security Standards, OPA/Gatekeeper policies. Study CSPM tools: Wiz, Prisma Cloud for cloud posture. Earn AWS Security Specialty cert for senior roles.

You can't manage what you can't measure. Build observability into everything. Learn the three pillars: Metrics (Prometheus + Grafana — the industry standard), Logs (ELK Stack / OpenSearch, Loki, CloudWatch Logs), Traces (Jaeger, Tempo, AWS X-Ray — distributed tracing for microservices). Understand alerting: Alertmanager with Prometheus, PagerDuty/OpsGenie for on-call. Study the OpenTelemetry (OTel) standard — vendor-neutral instrumentation that all modern tools support. Master Grafana dashboards: PromQL queries, panels, alerts. Learn FinOps (Cloud Cost Engineering): AWS Cost Explorer, Budgets and alerts, Reserved Instances vs Savings Plans vs Spot Instances (save 60–90%), right-sizing EC2 instances, S3 lifecycle policies to move to cheaper tiers, Compute Optimizer. Study Kubecost for K8s cost visibility. An unmonitored cloud bill will bankrupt a startup in weeks.

This is what separates a cloud operator from a cloud architect. Learn the AWS Well-Architected Framework: 6 pillars — Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization, Sustainability. Study serverless architecture patterns: event-driven systems with Lambda + SQS/SNS + EventBridge + API Gateway — zero servers to manage. Learn microservices patterns: service mesh (Istio, AWS App Mesh), sidecar pattern, API Gateway pattern. Understand database architecture: read replicas, Multi-AZ RDS, Aurora serverless, DynamoDB global tables, ElastiCache (Redis) for caching. Study messaging systems: SQS (queues), SNS (pub/sub), Kafka (MSK), Kinesis (real-time streaming). Learn high availability and disaster recovery: RTO vs RPO, active-active vs active-passive, multi-region deployments. Understand the 12-factor app methodology. Study cloud-native storage: EFS vs EBS vs S3 vs FSx — when to use each. Practice cloud system design interviews: design YouTube, design Twitter, design a URL shortener on AWS. This is what's tested at FAANG cloud interviews.