N10-009 | Chapter 56 of 163 | Objective 1.7

Cloud Service Models for Network+: IaaS, PaaS, SaaS

This chapter covers the three primary cloud service models—Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS)—as required by CompTIA Network+ N10-009 Objective 1.7. Understanding these models is critical because cloud services are ubiquitous in modern networks, and the exam tests your ability to distinguish them, their networking implications, and their security boundaries. Approximately 10-15% of the Networking Concepts domain questions relate to cloud service models and their characteristics.

25 min read
Intermediate
Updated May 31, 2026

Cloud Services as Pizza Delivery

Imagine you want to have pizza for dinner. With traditional on-premises IT, you do everything from scratch: you grow wheat, mill flour, raise cows for cheese, grow tomatoes, make sauce, build an oven, and bake the pizza. That's like managing your own data center — you handle all hardware, software, networking, and cooling. With Infrastructure as a Service (IaaS), you buy a pre-made pizza kit: the dough, sauce, cheese, and toppings are provided, but you still need to assemble, bake, and serve it. This is like renting virtual machines — you control the OS, applications, and configuration, but the underlying hardware (oven) is managed by the provider. With Platform as a Service (PaaS), you order a frozen pizza — you just put it in the oven and bake. The provider gives you a runtime environment (like a web server or database) and you only focus on your code. With Software as a Service (SaaS), you go to a restaurant and eat pizza — you don't care about the ingredients or oven; you just consume the final product. Each model shifts responsibility from you to the provider: IaaS gives you the most control but also the most management, while SaaS gives you the least control but maximum convenience. In networking terms, IaaS lets you configure virtual networks and firewalls, PaaS abstracts the network layer, and SaaS requires only internet access.

How It Actually Works

What Are Cloud Service Models?

Cloud service models define the level of abstraction and responsibility between a cloud provider and a customer. The National Institute of Standards and Technology (NIST) Special Publication 800-145 defines three essential service models: IaaS, PaaS, and SaaS. Each model determines what the customer manages versus what the provider manages. This is commonly visualized using the 'shared responsibility model.' In traditional on-premises environments, the customer manages everything: physical hardware, networking, storage, virtualization, operating systems, middleware, runtime, data, and applications. In cloud models, the provider takes over increasing layers. For the Network+ exam, you must know which networking components fall under customer vs. provider responsibility for each model.

Infrastructure as a Service (IaaS)

IaaS provides virtualized computing resources over the internet. The provider manages physical hardware, hypervisors, storage, and network infrastructure (routers, switches, cabling). The customer manages the guest operating system (OS), applications, and optionally virtual networking components like virtual LANs (VLANs), subnets, firewalls, and load balancers. Examples: Amazon Web Services (AWS) EC2, Microsoft Azure Virtual Machines, Google Compute Engine. From a networking perspective, IaaS gives the customer control over IP addressing, routing tables, security groups, and VPN connections. The provider delivers the virtual network interface card (vNIC) and ensures physical connectivity. The customer is responsible for OS-level firewall rules (e.g., iptables, Windows Firewall) and application-level security. Common exam scenarios: You are given a scenario where a company needs full control over the OS and network configuration — choose IaaS.

Platform as a Service (PaaS)

PaaS provides a platform to develop, run, and manage applications without the complexity of building and maintaining the underlying infrastructure. The provider manages the runtime environment, middleware, OS, and often the network stack. The customer only manages the application code and data. Examples: AWS Elastic Beanstalk, Azure App Service, Google App Engine. Networking-wise, PaaS abstracts the network layer. The customer typically does not manage IP addresses, subnets, or firewalls at the OS level. Instead, the provider handles load balancing, scaling, and network security. However, some PaaS offerings allow limited network configuration, such as setting up a virtual private cloud (VPC) or defining inbound/outbound rules via a web console. The exam tests that PaaS is for developers who want to deploy code without managing servers. A common trap: Candidates think PaaS gives full network control — it does not. The provider manages the network infrastructure; the customer only configures application-level settings.

Software as a Service (SaaS)

SaaS delivers software applications over the internet on a subscription basis. The provider manages everything: infrastructure, platform, application, and data. The customer simply uses the application via a web browser or client. Examples: Microsoft 365, Google Workspace, Salesforce, Dropbox. From a networking perspective, SaaS requires only internet connectivity and a compatible browser. The customer has no control over the underlying network or server configurations. Security is the provider's responsibility, but the customer is still responsible for user access management and data classification. The exam emphasizes that SaaS is the most abstracted model — the customer does not manage anything except user accounts and data input. A common incorrect answer: Choosing SaaS when the scenario requires custom networking or OS control.

Shared Responsibility Model Details

For N10-009, you must understand the specific responsibilities for each model:

- IaaS: Provider = Physical security, hardware, virtualization, network infrastructure (routers, switches, cabling), storage. Customer = OS, applications, data, virtual network configuration (subnets, security groups, route tables), OS-level firewall, identity and access management (IAM).
- PaaS: Provider = Physical security, hardware, virtualization, OS, middleware, runtime, network infrastructure, load balancing, scaling. Customer = Application code, data, user access management (some IAM).
- SaaS: Provider = Everything except user data and access. Customer = User accounts, data input, device security (endpoint protection).

The exam loves to ask: 'In which model does the customer manage the operating system?' Answer: IaaS only. 'In which model does the provider manage the operating system?' Answer: PaaS and SaaS.

Networking Implications

IaaS: You can create virtual networks (VPCs), subnets, route tables, internet gateways, NAT gateways, VPN connections, load balancers, and security groups. You control IP addressing (private and public), DNS settings, and firewall rules. You must understand concepts like CIDR for subnetting, default routes, and network ACLs.

PaaS: Networking is largely abstracted. You typically configure a 'deployment slot' with a URL. The provider assigns a public IP and manages DNS. You may be able to restrict access via IP address whitelisting or enable HTTPS. For example, in Azure App Service, you can configure 'Access Restrictions' to allow only certain IP ranges.

SaaS: No network configuration. The provider handles all networking. You simply access the service via a URL (e.g., https://outlook.office.com). The exam may ask about connectivity requirements: SaaS requires outbound internet access and appropriate firewall rules (e.g., allow HTTP/HTTPS).

Hybrid and Multi-Cloud Considerations

Many enterprises use a combination of models. For example, a company might run a custom application on IaaS (EC2), use a PaaS database (Amazon RDS), and use SaaS for email (Office 365). The exam tests your ability to identify which model fits a given requirement. Also, know that cloud service models can be deployed in public, private, or hybrid clouds. The service model (IaaS/PaaS/SaaS) is independent of the deployment model (public/private/hybrid).

Common Exam Numbers and Terms

NIST SP 800-145: Defines cloud computing essential characteristics (on-demand self-service, broad network access, resource pooling, rapid elasticity, measured service) and service models.

IaaS: 'Infrastructure as a Service' — provides virtual machines, storage, networks.

PaaS: 'Platform as a Service' — provides runtime environment for applications.

SaaS: 'Software as a Service' — provides ready-to-use software.

Shared Responsibility Model: Visualized as a layered cake — the provider manages layers below the customer's responsibility boundary.

Hypervisor: In IaaS, the provider uses a hypervisor (e.g., VMware ESXi, KVM) to virtualize hardware.

VPC: Virtual Private Cloud — a logically isolated network in IaaS (e.g., AWS VPC, Azure VNet).

Security Group: Stateful firewall at the instance level in IaaS.

Network ACL: Stateless firewall at the subnet level in IaaS.
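
The stateful/stateless distinction in the Security Group and Network ACL entries above, as an added example that is not part of the original chapter. It is a simplified Python model (allow rules only, no rule numbering or deny entries); the addresses, port numbers and class names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample values: documentation/private addresses, one HTTPS flow.
CLIENT, SERVER = "198.51.100.7", "10.0.1.10"
HTTPS = range(443, 444)
EPHEMERAL = range(1024, 65536)  # assumption: range covering client source ports


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatelessAcl:
    """Subnet-level model: each packet is judged only against the rules for
    its own direction; nothing is remembered between packets."""

    def __init__(self, inbound, outbound):
        self.rules = {"in": list(inbound), "out": list(outbound)}

    def allow(self, pkt, direction):
        return any(pkt.dport in ports for ports in self.rules[direction])


class StatefulGroup(StatelessAcl):
    """Instance-level model: an allowed packet records its flow, and the
    reply to a recorded flow passes without needing a rule of its own."""

    def __init__(self, inbound, outbound=()):
        super().__init__(inbound, outbound)
        self.flows = set()

    def allow(self, pkt, direction):
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return True  # return traffic for a tracked connection
        if super().allow(pkt, direction):
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return False


def round_trip(fw, client_port=50000):
    """Send one HTTPS request in and its reply out; return (request_ok, reply_ok)."""
    request = Packet(CLIENT, client_port, SERVER, 443)
    reply = Packet(SERVER, 443, CLIENT, client_port)
    request_ok = fw.allow(request, "in")
    reply_ok = request_ok and fw.allow(reply, "out")
    return request_ok, reply_ok


if __name__ == "__main__":
    print("security group, inbound 443 only:  ", round_trip(StatefulGroup([HTTPS])))
    print("network ACL, inbound 443 only:     ", round_trip(StatelessAcl([HTTPS], [])))
    print("network ACL, + outbound ephemeral: ", round_trip(StatelessAcl([HTTPS], [EPHEMERAL])))
```

With only an inbound 443 rule, the stateful filter lets the reply out while the stateless one drops it until an outbound rule covers the client's source port.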

Configuration and Verification Commands (IaaS focus)

In IaaS, you would use cloud provider CLIs or web consoles. For example, in AWS:

- Create VPC: aws ec2 create-vpc --cidr-block 10.0.0.0/16
- Create subnet: aws ec2 create-subnet --vpc-id vpc-xxx --cidr-block 10.0.1.0/24
- Create security group: aws ec2 create-security-group --group-name my-sg --description "My SG" --vpc-id vpc-xxx
- Add rule: aws ec2 authorize-security-group-ingress --group-id sg-xxx --protocol tcp --port 22 --cidr 0.0.0.0/0

As written, the last rule allows SSH (TCP 22) from any IPv4 address (0.0.0.0/0); in practice, narrow the source range to known administrative addresses.

The Network+ exam does not require you to memorize cloud CLI commands, but you should understand the concepts behind these operations. For PaaS and SaaS, there are no such commands because the customer does not manage the network.
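
An added example (not part of the original chapter): a Python check that flags security group rules exposing administrative ports to every source, as the 0.0.0.0/0 SSH rule above does. The JSON is constructed in the shape of `aws ec2 describe-security-groups` output; sg-yyy, sg-zzz, the group names and the ADMIN_PORTS list are assumptions.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group IDs and names are placeholders, not real resources.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-xxx", "GroupName": "my-sg", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}
  ]},
  {"GroupId": "sg-yyy", "GroupName": "admin-sg", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}
  ]},
  {"GroupId": "sg-zzz", "GroupName": "lab-sg", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}
  ]}
]}
""")

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}  # assumption: ports treated as administrative


def is_world_open(cidr):
    """True when the CIDR covers every address (prefix length 0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def covered_admin_ports(rule):
    """Administrative ports that fall inside this rule's protocol and port range."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # all protocols, which implies all ports
        return sorted(ADMIN_PORTS)
    if proto != "tcp":
        return []
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:
        return []
    return [p for p in sorted(ADMIN_PORTS) if lo <= p <= hi]


def audit(doc):
    """Return (group_id, service, port, cidr) for each world-open admin port."""
    findings = []
    for sg in doc.get("SecurityGroups", []):
        for rule in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            open_cidrs = [c for c in cidrs if is_world_open(c)]
            for port in covered_admin_ports(rule):
                for cidr in open_cidrs:
                    findings.append((sg["GroupId"], ADMIN_PORTS[port], port, cidr))
    return findings


if __name__ == "__main__":
    for group_id, service, port, cidr in audit(SAMPLE):
        print(f"{group_id}: {service} (tcp/{port}) reachable from {cidr}")
```

The port-range and all-protocol cases matter: a rule never mentions port 3389 by number in sg-yyy or sg-zzz, yet both expose it.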

Interaction with Related Technologies

VPN: IaaS often connects to on-premises networks via site-to-site VPN. The customer configures VPN gateway and customer gateway.

Direct Connect: Dedicated private connection from on-premises to IaaS (e.g., AWS Direct Connect, Azure ExpressRoute).

DNS: IaaS allows custom DNS settings (e.g., Route 53). PaaS typically provides a default domain (e.g., myapp.azurewebsites.net). SaaS uses provider's DNS.

Load Balancing: IaaS offers configurable load balancers (e.g., AWS ELB). PaaS often includes built-in load balancing. SaaS uses provider's load balancing.

CDN: Content Delivery Network can be used with all models, but configuration is usually in IaaS/PaaS (e.g., AWS CloudFront).

Summary of Exam Focus

Memorize the three models and their definitions.

Know the shared responsibility boundaries for each.

Recognize scenario-based questions: If a company needs full OS control → IaaS. If developers just need to deploy code → PaaS. If users need ready-made software → SaaS.

Understand that PaaS abstracts networking; IaaS gives network control; SaaS gives none.

Be aware that the service model is separate from the deployment model (public/private/hybrid).

Walk-Through

1. Identify Business Requirements

The first step is to determine what the organization needs. Is it a custom application that requires specific OS configurations? Or is it a standard business application like email? This step involves gathering requirements from stakeholders: control over the OS, need for custom networking (subnets, firewalls), scalability expectations, and compliance constraints. For the Network+ exam, you must map these requirements to the appropriate service model. For example, if the requirement is 'full control over the operating system,' that points to IaaS. If the requirement is 'just deploy code without managing servers,' that points to PaaS. If the requirement is 'use a ready-made application,' that points to SaaS.

2. Evaluate Network Responsibility

Once requirements are clear, evaluate who will manage the network. In IaaS, the customer manages virtual networks (VPCs, subnets, routing, security groups). In PaaS, the provider manages the network stack, but the customer may configure access restrictions (e.g., IP whitelisting). In SaaS, the provider manages everything; the customer only needs internet access. This step is critical for the exam because questions often ask: 'Which model allows the customer to configure a firewall at the OS level?' Answer: IaaS. 'Which model requires the customer to manage VLANs?' Answer: IaaS. Candidates often confuse PaaS with IaaS regarding network control.

3. Assess Security and Compliance

Security and compliance requirements influence model choice. In IaaS, the customer is responsible for OS patching, application security, and data encryption. In PaaS, the provider patches the OS, but the customer secures the application code. In SaaS, the provider handles most security, but the customer must manage user access and data classification. For exam scenarios, if the organization has strict compliance requiring physical control of hardware, they may choose on-premises or private cloud with IaaS. If compliance is less stringent, PaaS or SaaS may be acceptable. A common trap: Candidates think PaaS is always more secure because the provider manages the OS — but the customer still has application-level vulnerabilities.

4. Select Service Model

Based on the previous steps, select the appropriate service model. This is a decision point. For example, a startup that wants to deploy a web app quickly without managing servers would choose PaaS (e.g., AWS Elastic Beanstalk). An enterprise that needs to run a legacy application with specific OS requirements would choose IaaS (e.g., AWS EC2). A company that wants email and collaboration tools would choose SaaS (e.g., Microsoft 365). The exam will present scenarios and ask you to pick the model. Remember: IaaS gives maximum control and responsibility; PaaS balances control and convenience; SaaS gives minimum control.

5. Implement and Manage

After selection, implementation differs. For IaaS, you provision virtual machines, configure VPCs, set up security groups, and manage the OS. For PaaS, you deploy code via a web console or CLI, and the provider handles scaling and load balancing. For SaaS, you simply sign up and configure user accounts. Ongoing management: In IaaS, you must patch the OS and applications; in PaaS, you update your code; in SaaS, you manage user licenses. The exam may ask about ongoing responsibilities: 'Who is responsible for patching the OS in PaaS?' Answer: The provider. 'Who manages the hypervisor in IaaS?' Answer: The provider.

What This Looks Like on the Job

Enterprise Scenario 1: Legacy Application Migration to IaaS

A financial services company runs a legacy Java application on physical servers in their data center. The application requires a specific OS version (Windows Server 2016) and custom network configurations (multiple VLANs for security zones). They want to migrate to the cloud to reduce hardware costs but need full control over the OS and network. They choose IaaS (AWS EC2). They create a VPC with public and private subnets, set up security groups to restrict traffic, and configure a site-to-site VPN to connect to their on-premises network. The OS is managed by their IT team, who apply patches monthly. The provider handles physical security and hypervisor maintenance. The migration takes six months and involves re-architecting the network to use cloud-native constructs. A common issue: Misconfiguration of security groups leads to open ports, which is a security risk. The team uses AWS Config to monitor compliance.

Enterprise Scenario 2: Web Application Development with PaaS

A mid-sized e-commerce company wants to build a new web application using Node.js. They have a small development team and want to avoid managing servers and network infrastructure. They choose PaaS (Azure App Service). The developers push code via Git, and Azure automatically builds and deploys the application. Azure handles load balancing, auto-scaling, and SSL termination. The team only needs to configure a few settings: custom domain, IP restrictions for admin access, and environment variables. The networking is abstracted — they don't manage subnets or firewalls at the OS level. However, they must ensure their application code is secure (e.g., input validation). A challenge: When the application needs to connect to a legacy database on-premises, they use Azure Hybrid Connections to bypass the abstraction. The exam would classify this as PaaS because the provider manages the platform.

Enterprise Scenario 3: SaaS for Email and Collaboration

A non-profit organization with 200 employees needs email, document sharing, and video conferencing. They have no IT staff and limited budget. They choose SaaS (Google Workspace). Users access Gmail, Google Drive, and Google Meet via web browsers. The provider manages all infrastructure, platform, and software. The organization only needs to configure user accounts, set up security policies (e.g., two-factor authentication), and manage data retention. Network-wise, employees need internet access and appropriate firewall rules to allow traffic to Google's servers (ports 80, 443). A common problem: Users complain about slow access due to ISP throttling; the solution is to ensure sufficient bandwidth. The exam tests that SaaS requires no server management — the provider handles everything.

How N10-009 Actually Tests This

Exactly What N10-009 Tests

Objective 1.7 states: 'Given a scenario, use appropriate cloud service models.' The exam expects you to:

Differentiate between IaaS, PaaS, and SaaS based on a scenario.

Identify the shared responsibility model for each.

Understand networking implications: which model allows customer control over virtual networks, firewalls, and IP addressing.

Recognize examples of each model (e.g., AWS EC2 = IaaS, Google App Engine = PaaS, Salesforce = SaaS).

Know that the service model is independent of the deployment model (public/private/hybrid).

Top 3 Wrong Answers and Why Candidates Choose Them

1. Choosing IaaS when the scenario says 'deploy a web app without managing servers.' Candidates see 'cloud' and think IaaS because it's the most familiar. But the key phrase 'without managing servers' points to PaaS. The exam includes distractors like 'AWS EC2' for IaaS vs. 'AWS Elastic Beanstalk' for PaaS.

2. Choosing PaaS when the scenario requires 'full control over the OS.' Candidates know PaaS abstracts the OS, but they confuse 'platform' with 'infrastructure.' The correct answer is IaaS because only IaaS gives OS control.

3. Choosing SaaS when the scenario mentions 'custom application development.' Candidates think SaaS is for any cloud service. But SaaS is for ready-made software, not development. The correct answer is PaaS (for development) or IaaS (if more control needed).

Numbers and Terms That Appear Verbatim

'Infrastructure as a Service (IaaS)'

'Platform as a Service (PaaS)'

'Software as a Service (SaaS)'

'Shared responsibility model'

'Virtual private cloud (VPC)' — associated with IaaS

'Security group' and 'network ACL' — IaaS networking

'Runtime environment' — PaaS

'On-premises' vs. 'cloud' — often in scenarios

Edge Cases and Exceptions

Hybrid scenarios: A company might use IaaS for some workloads and SaaS for others. The exam may ask which model is used for a specific workload within a hybrid environment.

Private cloud: Service models still apply. A private cloud can offer IaaS, PaaS, or SaaS. The exam tests that the service model is not tied to public/private.

Community cloud: Rarely tested, but know it's a shared infrastructure for several organizations.

Function as a Service (FaaS): Not explicitly in N10-009, but it's a subset of PaaS (serverless). If asked, it's closer to PaaS.

How to Eliminate Wrong Answers

1. Identify the key responsibility: If the customer manages the OS → IaaS. If the customer manages only code → PaaS. If the customer manages nothing but usage → SaaS.

2. Look for networking control keywords: 'subnets,' 'firewall rules,' 'IP addressing' → IaaS. 'URL,' 'deployment' → PaaS. 'Browser access' → SaaS.

3. Eliminate models that don't match the level of control described. For example, if the scenario says 'no server management,' eliminate IaaS. PaaS also removes server management, so it could still be correct. But if the scenario says 'no management of anything,' the answer is SaaS.

Key Takeaways

IaaS provides virtualized computing resources; customer manages OS and virtual networks.

PaaS provides a platform for application development; provider manages OS and runtime.

SaaS provides ready-to-use software; provider manages everything except user data and access.

In IaaS, the customer is responsible for OS patching; in PaaS, the provider patches the OS.

Networking control: IaaS gives full control (VPCs, subnets, security groups); PaaS abstracts networking; SaaS requires no networking management.

Examples: AWS EC2 = IaaS; Google App Engine = PaaS; Salesforce = SaaS.

The service model is independent of the deployment model (public/private/hybrid).

Shared responsibility model: the provider manages the physical infrastructure; the customer manages data and access (varies by model).

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

IaaS

Customer manages OS and applications

Customer configures virtual networks (VPCs, subnets, security groups)

Examples: AWS EC2, Azure Virtual Machines, Google Compute Engine

Provider manages physical hardware, hypervisor, and network infrastructure

Higher flexibility and control, but more management overhead

PaaS

Provider manages OS and runtime environment

Customer does not manage virtual networks; networking is abstracted

Examples: AWS Elastic Beanstalk, Azure App Service, Google App Engine

Provider manages the platform (OS, middleware, runtime)

Lower management overhead; customer focuses on code

IaaS

Customer manages OS, applications, and data

Customer configures networking (firewalls, load balancers, VPNs)

Scalability managed by customer (auto-scaling groups)

Billed per VM or resource usage (compute, storage, network)

Used for custom applications requiring full control

SaaS

Provider manages everything including applications and data

Customer only needs internet access; no network configuration

Scalability handled by provider

Billed per user subscription or usage

Used for ready-made software (email, CRM, collaboration)

Watch Out for These

Mistake: IaaS means the provider manages everything including the OS.

Correct: In IaaS, the provider manages only the physical infrastructure (hardware, hypervisor, network fabric). The customer manages the OS, applications, and virtual network configuration. The OS is the customer's responsibility.

Mistake: PaaS gives you full control over the network stack.

Correct: PaaS abstracts the network layer. The customer cannot configure subnets, routing, or firewalls at the OS level. Some limited network settings (e.g., IP whitelisting) may be available, but overall the provider manages the network.

Mistake: SaaS is only for consumer applications like Gmail.

Correct: SaaS is used extensively in enterprises for business applications like Salesforce, Microsoft 365, and Workday. It is a valid model for any software delivered over the internet.

Mistake: The cloud service model determines whether it's public or private.

Correct: Service models (IaaS, PaaS, SaaS) are independent of deployment models (public, private, hybrid, community). A private cloud can offer IaaS, PaaS, or SaaS.

Mistake: In PaaS, the customer is responsible for patching the operating system.

Correct: In PaaS, the provider patches the OS and runtime environment. The customer is only responsible for application code and data. This is a key differentiator from IaaS.

Frequently Asked Questions

What is the difference between IaaS, PaaS, and SaaS?

IaaS (Infrastructure as a Service) provides virtualized computing resources like VMs, storage, and networks. The customer manages the OS and applications. PaaS (Platform as a Service) provides a platform for developing and running applications; the provider manages the OS and runtime. SaaS (Software as a Service) delivers ready-to-use software; the provider manages everything. The key difference is the level of control and responsibility: IaaS gives most control, PaaS balances control, SaaS gives least control. For the exam, remember that IaaS = customer manages OS, PaaS = provider manages OS, SaaS = provider manages everything.

Which cloud service model requires the customer to manage the operating system?

Only IaaS requires the customer to manage the operating system. In PaaS, the provider manages the OS; in SaaS, the provider manages everything including the OS. This is a common exam question. For example, if you use AWS EC2 (IaaS), you must patch the Windows or Linux OS. If you use Azure App Service (PaaS), Microsoft patches the OS. Always associate OS management with IaaS.

Can PaaS be used for custom networking configurations?

Generally, no. PaaS abstracts the network layer. The customer does not configure subnets, routing, or firewalls at the OS level. However, some PaaS offerings allow limited network controls, such as IP whitelisting or VPC integration (e.g., Azure App Service can be integrated with a VNet). But for the exam, consider PaaS as having no network management by the customer. If the scenario requires custom networking (e.g., setting up a VPN), choose IaaS.

What is the shared responsibility model in cloud computing?

The shared responsibility model defines which security and management tasks are handled by the cloud provider versus the customer. In IaaS, the provider secures the physical infrastructure, while the customer secures the OS, applications, and network configurations. In PaaS, the provider secures the platform (OS, runtime), and the customer secures the application and data. In SaaS, the provider secures everything, but the customer is responsible for user access and data classification. The model helps clarify who is responsible for what in each service model.

What are examples of IaaS, PaaS, and SaaS for the Network+ exam?

Common examples: IaaS: Amazon EC2, Microsoft Azure Virtual Machines, Google Compute Engine. PaaS: AWS Elastic Beanstalk, Azure App Service, Google App Engine, Heroku. SaaS: Microsoft 365, Google Workspace, Salesforce, Dropbox. The exam may list these or similar services. Know that EC2 is IaaS because you manage the OS; App Service is PaaS because you just deploy code; Office 365 is SaaS because you just use the application.

Do I need to know CLI commands for cloud services on the Network+ exam?

No, the Network+ exam does not test specific cloud CLI commands. You need to understand the concepts, such as what a VPC is, what a security group does, and how to distinguish service models. However, being familiar with common cloud terminology (e.g., VPC, subnet, security group) will help you answer scenario-based questions. Focus on the shared responsibility model and networking implications.

How do I choose between IaaS and PaaS for a new application?

Choose IaaS if you need full control over the OS, custom software installations, or specific network configurations (e.g., VLANs, VPN). Choose PaaS if you want to focus on writing code without managing servers, and if the platform supports your programming language and frameworks. PaaS is faster to deploy and scales automatically, but limits control. The exam will give clues: 'manage servers' points to IaaS, 'deploy code quickly' points to PaaS.
