Platform-as-a-Service sits one layer above IaaS. The provider runs the operating system, the runtime, and the orchestration. You bring the application and its configuration.
NIST SP 800-145 defines PaaS as the capability “to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider.” The consumer does not manage the underlying servers, storage, or network, but controls deployed applications and possibly configuration settings for the application-hosting environment.
The trade is simple: you give up control over the runtime, and in return you ship faster.
The trade-off, named honestly
PaaS removes work. You stop patching kernels, configuring TLS termination, and writing systemd units. You push code, and the platform handles the rest.
PaaS also removes options. The platform decides which language versions are supported, which add-ons are available, and how logs are shipped. If your workload needs a kernel module, a custom scheduler, or a tuned filesystem, you are back on IaaS.
Reference points are useful here. Heroku popularized the “git push to deploy” model with an opinionated slug-based runtime. Cloud Foundry generalized it for enterprises with buildpacks. OpenShift layered a developer platform on top of Kubernetes. Managed Kubernetes services (EKS, GKE, AKS, and ZCP Managed Kubernetes) are themselves a form of PaaS: the control plane and node provisioning are the provider’s problem, while you write manifests and Helm charts.
Each abstraction level is a deliberate trade. The further up the stack, the less you operate and the more you depend on the platform’s roadmap.
ZCP’s PaaS, available today
Managed Kubernetes. Control plane at $99/mo, worker plans from $53/mo (2 vCPU, 4 GB) up to $173/mo (16 vCPU, 32 GB). It is standard Kubernetes, CNCF-certified through the conformance program, with no forked distribution. Certified Kubernetes means workloads, operators, and Helm charts you run elsewhere run here unchanged, verified by the open-source Sonobuoy conformance suite.
Managed Observability. Prometheus, Grafana, and Alertmanager as a service. Starter at $299/mo (5 ETL pipelines, 30-day retention), Standard at $699/mo (25 pipelines, 90 days, the recommended tier), Enterprise at $1,499/mo (unlimited pipelines, 365 days). No Datadog-scale invoices, no proprietary query language to learn.
Coming next. A broader Serverless/PaaS layer is on the roadmap: git push deploys, custom domains, and integrated object storage. We will ship it when it is honest about what it does and does not do, not before.
When to pick which
Pick IaaS when you need control: regulated workloads with specific kernel or hypervisor requirements, custom networking, or anything outside a generic runtime. The IEEE analysis of cloud service models frames this as the control-vs-abstraction spectrum, and the right answer depends entirely on the workload.
Pick PaaS when shipping speed is the constraint. A small team running standard web services on Kubernetes does not need to operate etcd, rotate certificates, or write upgrade runbooks. Hand platform operations to the provider and write features instead.
Most production environments end up with both. ZCP gives you the option.