What is Infrastructure as a Service (IaaS)?
Infrastructure as a Service (IaaS) is a cloud computing delivery model in which the provider supplies on-demand compute, storage, networking, and virtualization resources — without the customer owning physical hardware. Customers pay for what they use, scale up/down dynamically, and retain full control over operating systems and application stacks running on the infrastructure.
IaaS vs PaaS vs SaaS
| Layer | Customer manages | Examples |
|---|---|---|
| IaaS | OS, runtime, app, data | AWS EC2, Azure VMs, GCP Compute Engine, DigitalOcean Droplets |
| PaaS | App + data only | Heroku, Vercel, Railway, Render |
| SaaS | Data only (configuration) | Salesforce, HubSpot, Notion, Slack |
Major IaaS providers (2025)
- AWS: ~31% market share; broadest service catalog (EC2, S3, RDS, Lambda, EKS)
- Microsoft Azure: ~25%; strong enterprise + hybrid cloud
- Google Cloud (GCP): ~11%; AI/ML strengths (Vertex AI, TPUs)
- Alibaba Cloud: ~7% (Asia dominant)
- Oracle Cloud Infrastructure (OCI): ~3% (enterprise database focus)
- Türk providers: Türk Telekom Bulut, Turkcell GSM Bulut — daha küçük, yerel data residency için
IaaS service categories
- Compute: Virtual machines, bare metal, containers, serverless
- Storage: Block (EBS), object (S3), file (EFS), archive (Glacier)
- Networking: VPC, load balancers, DNS, CDN, VPN
- Database: Managed RDS, NoSQL (DynamoDB), data warehouse (Redshift)
- Security: IAM, KMS, secrets manager, WAF
IaaS pricing models
- On-demand: Per-hour/per-second usage
- Reserved instances: 1-3 year commitment, 30-72% discount
- Spot instances: Excess capacity at 60-90% discount; can be reclaimed
- Savings plans: Hourly commitment across instance types
Cost optimization (FinOps)
Average enterprise wastes 30%+ of cloud spend. FinOps discipline addresses:
- Right-sizing (unused capacity)
- Reserved instance / Savings plan coverage
- Spot instance use for fault-tolerant workloads
- Storage tiering (S3 Standard → IA → Glacier)
- Auto-scaling configuration
- Idle resource decommissioning
Data residency + KVKK considerations
Turkish companies storing personal data on IaaS face KVKK Article 9 cross-border transfer rules:
- AWS, Azure, GCP have Türkiye regions (Istanbul) — preferred for KVKK-sensitive data
- Veri sorumlusu — IaaS provider veri işleyen relationship → DPA imzası şart
- 2024 7499 sayılı Kanun değişikliği SCC/BCR mekanizmalarını getirdi
- Sağlık + biyometrik + finansal veri için ek tedbir (encryption at rest, KMS key in Türkiye)
IaaS vendor lock-in
Risk: Building on proprietary IaaS services (DynamoDB, Lambda, Bedrock) makes migration expensive. Mitigation strategies:
- Use multi-cloud abstraction (Terraform, Kubernetes)
- Prefer open-source alternatives where possible
- Negotiate exit clauses in enterprise contracts
- Budget for periodic migration assessments
Practical implications for founders
For Turkish startups: (1) Start with Türkiye region for KVKK simplicity; expand internationally as needed; (2) Reserved instance commits valuable at $20k+ monthly spend; (3) Use spot for batch processing, fine-tuning, dev environments; (4) Implement basic FinOps from $5k/month spend. Vircon Legal advises on IaaS DPA review + Turkish data residency compliance.