KnowMBA Advisory
Digital Transformation · Intermediate · 8 min read

Public vs Private Cloud Strategy

Public vs Private Cloud is the foundational placement decision: do workloads run on AWS/Azure/GCP (public, shared infrastructure, OpEx pricing) or on dedicated infrastructure you control (private, in your own DC or via colocation, mostly CapEx)? Public cloud wins on elasticity, breadth of managed services, time-to-value, and innovation pace. Private cloud wins on predictable cost at very high steady-state utilization, regulatory/sovereignty requirements, and specialized hardware. The 2026 reality is that 'pure public cloud' and 'pure private cloud' are both rare in large enterprises — the real strategic decision is workload placement: which workloads go where, and why.

Also known as: Cloud Choice, Public Cloud, Private Cloud, Hybrid Decision, Cloud Operating Model, Sovereign Cloud

The Trap

Two opposite traps. (1) 'Cloud-first absolutism' — everything goes to public cloud regardless of fit. Result: 30-50% over-spend on stable, predictable workloads where reserved capacity in a colo would cost half. The famous Dropbox case: by repatriating from AWS to private infrastructure, they saved ~$75M over 2 years. (2) 'Private cloud nostalgia' — keep building data centers because 'we know how.' Result: missing out on managed AI/ML, serverless, and global edge — capabilities you cannot economically replicate in-house. The right strategy is workload-level: stable + predictable + cost-sensitive workloads can win in private; bursty + new + service-rich workloads belong in public.

What to Do

Build a workload placement framework with 5 axes: (1) Variability — bursty workloads → public, stable → private may win. (2) Strategic Service Dependency — heavy on managed services (Lambda, BigQuery, Cosmos DB) → public; commodity compute → either. (3) Data Sovereignty — regulated data residency → may force private or sovereign cloud. (4) Steady-State Utilization — >70% sustained utilization → private TCO can beat public. (5) Innovation Pace — rapidly evolving workloads → public for service breadth. Score each major workload, place accordingly. Walmart famously runs hybrid for competitive (anti-AWS) reasons; Capital One went all-in public for service breadth.

Formula

Workload TCO Crossover (years) = Private CapEx ÷ (Public Annual OpEx − Private Annual OpEx). Below crossover → public wins; above → private wins.

In Practice

Capital One went all-in on AWS public cloud, closing all 8 data centers by 2020 to access AWS's managed services and innovation pace. They explicitly chose public over private despite being a regulated bank — proof that compliance is solvable in public cloud. Walmart took the opposite approach: hybrid with Azure + Google Cloud + private infrastructure, deliberately avoiding AWS (their primary retail competitor). Both are 'right' for their strategic context. Dropbox famously repatriated 600PB+ of storage from AWS to its own infrastructure (Project Magic Pocket) and saved $75M over 2 years — proving that at extreme scale and steady-state, private wins on TCO.

Pro Tips

  • 01. Run the TCO model honestly with reserved instances and savings plans — comparing public on-demand pricing to private TCO is the #1 way to make public cloud look more expensive than it is. AWS Compute Savings Plans + Reserved Capacity can cut public cost 50-60% on steady-state.

  • 02. The hidden cost of private cloud is talent and pace, not hardware. The team to run a modern private cloud (compute, storage, network, security, automation) is typically $2M-$5M/year. Below ~$15M of stable workload, private rarely beats public on full TCO.

  • 03. Sovereign cloud (AWS European Sovereign Cloud, Azure for Sovereignty, OVHcloud) is the new third option for regulatory-driven workloads. Don't conflate 'must be in country' with 'must be private' — sovereign public cloud often solves the requirement at lower cost than DIY private.
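
The crossover formula from the Formula section combined with Pro Tip 01, as an added example that is not part of the original page: one constructed workload is evaluated against on-demand public pricing and against 50% and 60% committed-use discounts, including the case where private never pays back its CapEx. The dollar figures, the 3-year horizon and the function names are illustrative assumptions.

```python
import math

def crossover_years(private_capex, public_annual_opex, private_annual_opex):
    """Page formula: Private CapEx / (Public Annual OpEx - Private Annual OpEx).

    Returns math.inf when private never pays back its CapEx, i.e. when
    private annual OpEx is not lower than public annual OpEx.
    """
    annual_saving = public_annual_opex - private_annual_opex
    if annual_saving <= 0:
        return math.inf
    return private_capex / annual_saving

def place_workload(horizon_years, private_capex, public_on_demand_opex,
                   private_annual_opex, public_discount=0.0):
    """Apply the page's rule: horizon below crossover -> public, above -> private.

    public_discount models savings plans / reserved capacity (Pro Tip 01)
    as a fraction taken off the on-demand bill.
    """
    if not 0.0 <= public_discount < 1.0:
        raise ValueError("public_discount must be in [0, 1)")
    public_opex = public_on_demand_opex * (1.0 - public_discount)
    years = crossover_years(private_capex, public_opex, private_annual_opex)
    return ("private" if horizon_years > years else "public"), years

# Constructed sample workload, in $M (illustrative numbers, not from the page).
# Private OpEx is assumed to already include this workload's share of the ops team.
SAMPLE = dict(horizon_years=3, private_capex=6.0,
              public_on_demand_opex=10.0, private_annual_opex=4.5)

def compare_discounts(discounts=(0.0, 0.5, 0.6)):
    """Return {discount: (placement, crossover_years)} for the sample workload."""
    return {d: place_workload(public_discount=d, **SAMPLE) for d in discounts}

if __name__ == "__main__":
    for discount, (winner, years) in compare_discounts().items():
        print(f"discount {discount:.0%}: crossover {years:.2f} years -> {winner}")
```

On this sample the placement flips from private to public once the public side is priced with a 50% commitment discount, which is the comparison error Pro Tip 01 warns about.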

Myth vs Reality

Myth: Private cloud is always cheaper at scale

Reality: Only true for stable, predictable workloads at very high utilization. For bursty workloads, dev/test environments, or workloads heavy on managed services, public cloud wins on TCO even at extreme scale. Dropbox repatriated commodity storage at 600PB; they did NOT repatriate their compute or analytics workloads.

Myth: Public cloud means losing control

Reality: Modern public cloud offers more granular control over network (VPCs), security (IAM, KMS, dedicated tenancy), and data location than most private clouds. The control loss is real for hardware-level customization — irrelevant for 95% of workloads.

Knowledge Check

A retailer's workload profile: 60% steady-state e-commerce traffic, 30% seasonal Black Friday burst, 10% experimental AI/ML projects. Right cloud strategy?

Industry benchmarks

Calibrate against real-world tiers. Use these ranges as targets — not absolutes.

Workload Placement by Profile (Industry Average, 2024-2025)

Enterprise workload placement reference (excludes startups, born-cloud SaaS)

Public Cloud (best fit): AI/ML, dev/test, bursty, new SaaS workloads

Public — strong fit: Web apps, mobile backends, analytics

Hybrid sweet spot: ERP, large databases, mixed utilization

Private — strong fit: HPC, very steady high-utilization, regulated

Private/Sovereign required: Air-gapped, defense, certain EU/CN data

Source: Flexera 2025 State of the Cloud Report / IDC Cloud Tracker 2025

Real-world cases

Capital One, 2014-2020 (success)

Capital One committed to all-in AWS public cloud in 2014, completing the migration and closing all 8 data centers by November 2020 — becoming the first major US bank fully on public cloud. The strategic rationale: access to AWS's managed services pace (SageMaker for fraud ML, EMR for analytics, Lambda for event processing) was unreplicable in-house. Despite being a heavily regulated bank, they solved compliance through architectural design (encryption, tenancy isolation, network controls) rather than private infrastructure. The 2019 data breach was unrelated to AWS architecture — it was a misconfigured WAF, fixable in any environment.

Data Centers Closed: 8 → 0
Migration Duration: ~6 years
Strategic Driver: Managed services pace
Industry First: First major US bank fully on public cloud

Regulation and compliance are solvable in public cloud. The decision is rarely 'can we be on public cloud?' — it's 'do we want the service breadth and innovation pace it offers?'

Walmart, 2018-Present (success)

Walmart took the explicitly opposite approach: hybrid cloud across Microsoft Azure (5-year strategic agreement signed 2018), Google Cloud (added 2022), and large private infrastructure — deliberately avoiding AWS, their primary retail competitor. Walmart's strategy is workload placement-driven: public cloud (Azure + GCP) for AI/ML, customer-facing apps, and elastic capacity; private infrastructure for steady-state retail systems and supply chain. The competitive avoidance angle is real — Walmart's vendor agreements with software companies often require deployment off AWS to win Walmart's business.

Strategic Cloud Partners: Azure + GCP
Explicitly Avoided: AWS (competitive reasons)
Private Footprint: Substantial steady-state workloads
Approach: Workload placement-driven hybrid

Cloud strategy is also competitive strategy. Walmart chose not to feed AWS revenue (and by extension Amazon retail) — a valid strategic reason that has nothing to do with technology fit.

Dropbox, 2015-2017 (success)

Dropbox executed Project Magic Pocket: repatriating 600+ petabytes of user storage from AWS S3 to its own custom-built private storage infrastructure. Over 2 years (2015-2017), they built dedicated facilities, custom hardware, and a software stack optimized for their specific access pattern. Reported savings: $74.6M over the following 2 years according to S-1 filings. Critically, they did NOT repatriate compute, analytics, or new product workloads — those stayed on AWS. The lesson is workload-specific: at 600PB+ of steady-state storage with predictable growth, private TCO crushed public.

Storage Repatriated: 600+ PB
Savings (2-year): $74.6M
Compute Workloads: Stayed on AWS
Project Duration: ~2 years

Repatriation is workload-specific, not company-wide. Dropbox repatriated commodity storage; they kept everything else on public cloud. That's the right model.


Decision scenario

The Cloud Repatriation Question

You are CTO of a $1.2B SaaS company. Annual AWS spend has grown from $8M to $42M over 4 years as the customer base scaled. The CFO is asking pointed questions about cloud costs. Engineering proposes repatriating to private cloud to save 40% — projected $2.5M CapEx + $4M/year OpEx vs $42M/year on AWS. The board wants a recommendation.

Annual AWS Spend: $42M
Repatriation CapEx Estimate: $2.5M
Repatriation Annual OpEx: $4M
Projected 'Savings': $38M/yr
Workload Mix: 65% compute, 25% storage, 10% managed services

Decision 1

The $4M OpEx estimate looks suspiciously low. Realistic operating cost for a private cloud at this scale (data center lease, power, cooling, hardware refresh, network, 25-40 person ops team) is likely $18M-$25M/year. Engineering's estimate also assumes you can replicate AWS's managed services (RDS, ElastiCache, SQS, Lambda) — you can't, and the 10% spent on managed services is delivering massive engineering productivity.

Option: Approve full repatriation — projected $38M/year savings is too compelling to ignore

Outcome: 18 months in, reality hits: actual private cloud OpEx is $22M/year (5x estimate). The team can't replicate Lambda, SQS, or DynamoDB — workloads built around these services have to be re-architected at $15M cost. Outage incidents triple in year 1 as the new ops team learns. Total realized savings vs AWS: $5M/year, not $38M. Engineering pace slows because the team is now running infrastructure instead of shipping product.

Realized Savings: $38M projected → $5M actual
Re-Architecture Cost: +$15M
Engineering Productivity: Down 25% (running infra)

Option: Reject blanket repatriation. Instead, run a workload-by-workload TCO analysis: repatriate the 25% storage + 30% steady compute (Dropbox-style); aggressively right-size and reserve the rest; keep managed services on AWS. Project: $12M annualized savings, lower risk.

Outcome: Workload analysis identifies $14M of steady-state compute and $9M of storage that win on private TCO. These move to a colo over 12 months ($1.8M CapEx + $5M/year OpEx replacing $14M AWS). Right-sizing + 3-year savings plans on the remainder cut the rest from $19M to $13M. Total new run rate: $13M (AWS) + $5M (private) = $18M vs original $42M. Realized annualized savings: $24M with managed services preserved and engineering pace intact.

Annual Run Rate: $42M → $18M
Engineering Productivity: Preserved
Risk Profile: Workload-specific, manageable
