The median cloud engineer salary in the US hit $142,000 in 2025, and job postings requiring AWS, Azure, or GCP skills grew 34% year-over-year. But the reason most self-taught candidates stall isn't effort—it's that they follow roadmaps built around certifications rather than around how infrastructure teams actually work. This cloud engineer roadmap is structured differently: skills first, certs as checkpoints, hands-on projects as proof.
What a Cloud Engineer Actually Does (Before You Map the Road)
The job title "cloud engineer" covers a wide range, from lift-and-shift migrations at enterprise banks to building Kubernetes-native platforms at Series B startups. Before you pick a cloud engineer roadmap, you need to know which end of that spectrum you're targeting, because the skill sets diverge early.
In practice, most entry-to-mid cloud engineer roles involve some combination of:
- Provisioning and managing compute, storage, and networking resources (EC2/GCE/VMs, S3/GCS, VPCs)
- Writing infrastructure-as-code (Terraform, Pulumi, or CloudFormation)
- Configuring CI/CD pipelines and container orchestration (Docker, Kubernetes)
- Monitoring, alerting, and incident response (CloudWatch, Prometheus, PagerDuty)
- Enforcing IAM policies and security baselines
Roles that lean DevOps add pipeline work and SRE responsibilities. Roles at larger firms lean toward governance, compliance, and multi-account architecture. Know which flavor you want before you start—otherwise you'll spend six months on content that never shows up in your interviews.
The Cloud Engineer Roadmap: Phase-by-Phase Breakdown
Phase 1: Foundations You Cannot Skip (Months 1–2)
Every working cloud engineer I've spoken to says the same thing: candidates who skip Linux and networking fundamentals wash out fast. You don't need to be a sysadmin, but you need to be comfortable with:
- Linux CLI: file system navigation, permissions, systemd, basic shell scripting (bash)
- Networking basics: IP addressing, subnetting, DNS resolution, TCP/UDP, HTTP/HTTPS, load balancing concepts
- Git: branching, pull requests, rebasing—infrastructure lives in version control now
- Python or Go basics: enough to write automation scripts and read SDK documentation
This phase has no flashy certification attached. That's fine. It's the difference between an engineer who can debug a broken VPC route and one who just re-provisions until something works.
Phase 2: Pick One Cloud, Go Deep (Months 2–5)
AWS has the largest market share (~32%), Azure is dominant in enterprise Microsoft shops, and GCP is the fastest-growing in AI/ML workloads. Pick based on where you want to work—not on which has the prettiest interface. If you're unsure, GCP is genuinely easier to learn because its networking model is more consistent and the free tier labs are well-designed.
In this phase, you should be able to:
- Deploy a multi-tier application (web server + database + load balancer) from scratch
- Configure VPC peering, firewall rules, and private subnets
- Set up IAM roles, service accounts, and least-privilege policies
- Store and retrieve objects from blob storage, configure lifecycle rules
- Use the cloud provider's managed Kubernetes service (GKE, EKS, AKS)
The Associate-level certification for your chosen cloud (Google Associate Cloud Engineer, AWS Solutions Architect Associate, AZ-104) should fall out naturally at the end of this phase—not as a destination, but as a byproduct of actually knowing the material.
Phase 3: Infrastructure as Code + CI/CD (Months 4–7)
This is where good candidates separate from great ones. Hiring managers for mid-level cloud roles now routinely ask for a Terraform module or a GitHub Actions workflow in the technical screen. Build these before you interview:
- A reusable Terraform module that deploys a VPC + subnets + NAT gateway + compute instance, parameterized by environment (dev/staging/prod)
- A GitHub Actions pipeline that builds a Docker image, pushes to a container registry, and deploys to a Kubernetes cluster
- A monitoring stack: metrics ingestion + dashboards + alerting rules (Prometheus + Grafana, or the cloud-native equivalent)
These don't need to be production-grade. They need to demonstrate that you understand state management in Terraform, that you've debugged a broken pipeline, and that you know what a rolling deployment is.
Phase 4: Specialization and Professional Certs (Months 6–12)
After you have the foundations, specialization is where the salary jumps happen. The three most hireable specializations in 2026 are:
- Cloud Security Engineering: compliance frameworks (SOC 2, CIS Benchmarks), secrets management, WAF configuration, SIEM integration
- Cloud DevOps / Platform Engineering: SLO/SLI definition, chaos engineering, GitOps workflows, Helm chart authoring
- Cloud Data Engineering: managed data pipeline services (Dataflow, Glue, ADF), warehouse integration (BigQuery, Redshift, Synapse), streaming vs batch architecture
Professional-level certifications (Google Professional Cloud Engineer, AWS DevOps Professional, etc.) are worth pursuing here because they're genuinely harder and signal specialization depth. They also map directly to the job descriptions for $130K+ roles.
Top Courses for This Cloud Engineer Roadmap
These are structured learning resources that cover specific phases of the roadmap above. They're not a substitute for building things, but they're the fastest way to develop systematic knowledge in areas where trial-and-error alone is inefficient (networking and security especially).
Essential Google Cloud Infrastructure: Foundation
Covers the GCP primitives that everything else builds on—VMs, networks, IAM, and storage—with hands-on Qwiklabs throughout. Best starting point for Phase 2 if you're going the GCP route; the labs force you to actually configure resources rather than just watch demos.
Networking in Google Cloud: Fundamentals
One of the few networking courses that actually explains VPC architecture, firewall rules, and load balancer types with enough depth to survive a technical interview. Pair this with Phase 1 networking study—it assumes you know what a subnet is, but teaches how GCP implements the concepts.
Networking in Google Cloud: Routing and Addressing
The follow-on to the fundamentals course, covering advanced routing (BGP, VPN, Cloud Interconnect) and IP addressing schemes for multi-region deployments. This is the content that separates engineers who can set up a VPC from engineers who can design a 50-region network topology.
Managing Security in Google Cloud
Security is the shortest path to a 20–30% salary premium in cloud roles. This course covers IAM, VPC Service Controls, Security Command Center, and compliance tooling—the exact controls that come up in enterprise interviews and security-focused job descriptions.
Elastic Google Cloud Infrastructure: Scaling and Automation
Covers autoscaling, managed instance groups, load balancing under load, and infrastructure automation—the operational side of cloud engineering that most intro courses skip. Good preparation for the Google Professional Cloud Engineer exam's infrastructure design scenarios.
Modernize Infrastructure and Applications with Google Cloud
Bridges the gap between "I can deploy a VM" and "I can migrate a legacy application to containers on GKE." Covers containerization, Kubernetes fundamentals, and modernization patterns. Directly relevant if you're targeting DevOps or platform engineering roles.
Realistic Timeline and Salary Checkpoints
Here's what a realistic progression looks like, based on people who followed structured paths rather than random tutorial hopping:
- Month 0–3: Foundations + cloud basics. Target: pass Associate-level cert. No job yet.
- Month 4–8: IaC + CI/CD projects. Target: 2–3 portfolio projects on GitHub, first cloud job applications. Entry-level cloud/DevOps roles ($75K–$95K) become accessible.
- Month 9–18: First role + specialization cert. Target: Professional-level cert in one specialization. Mid-level roles ($100K–$130K) within reach.
- Year 2–3: Deepen specialization, accumulate production war stories. Senior cloud engineer roles ($140K–$180K) require this—no shortcut exists.
The engineers who compress this timeline aren't skipping steps—they're doing the hands-on work faster by treating it like a second job, not a hobby.
FAQ: Cloud Engineer Roadmap
Do I need a CS degree to follow this cloud engineer roadmap?
No, and this is well-documented in the hiring data. Cloud certifications from Google, AWS, and Microsoft are explicitly designed to evaluate competency without requiring a degree, and many cloud engineering teams have explicitly moved away from degree requirements. What you do need: demonstrable Linux and networking fundamentals, and at least one substantial infrastructure project in a public repo. Hiring managers are screening GitHub profiles more than transcripts in this field.
How long does it realistically take to land a first cloud engineering job?
With consistent effort (20–30 hours/week), most people reach an employable baseline in 9–14 months. The wide range comes from starting point: someone with sysadmin experience can compress Phase 1 to a few weeks; someone starting from zero needs the full timeline. The bottleneck is almost never knowledge—it's not having projects that demonstrate applied knowledge to a hiring manager.
Is AWS, Azure, or GCP better for this roadmap?
For pure job volume, AWS wins. For AI/ML workloads and developer tooling, GCP has pulled ahead. For enterprise environments and Microsoft stack integration, Azure. If you have no constraints, GCP's learning materials (especially the Qwiklabs-integrated courses) are the most beginner-friendly, and the Professional Cloud Engineer certification is respected across cloud roles regardless of the provider you end up working on.
What's the order of certifications in a good cloud engineer roadmap?
Associate cert in your primary cloud → Professional cert in your specialization (Security, DevOps, or Data) → optionally a multi-cloud cert (HashiCorp Terraform Associate is provider-agnostic and widely respected for IaC work). Don't stack multiple Associate certs before going deep on one—breadth before depth is a common trap that keeps people at junior level.
Do I need to learn Kubernetes to become a cloud engineer?
Yes, at this point it's table stakes for most cloud roles above entry level. You don't need to administer a bare-metal cluster, but you should be able to write a Deployment manifest, configure a Service and Ingress, understand how resource requests/limits work, and debug a pod that won't start. The Certified Kubernetes Application Developer (CKAD) exam is worth pursuing after your cloud Associate cert if you're targeting DevOps or platform engineering roles.
Is Terraform worth learning or will AI tools replace it?
Terraform (or OpenTofu) is worth learning precisely because AI tools generate Terraform—you still need to review, debug, and maintain what gets generated. Infrastructure-as-code skills have become more important as AI coding assistants proliferate, not less. The engineers who can evaluate AI-generated Terraform for security issues and state management problems are the ones avoiding costly mistakes.
Where to Start if You're Still at Zero
The single highest-leverage first step is deploying something real in a cloud environment—not completing a course module, not watching a tutorial. Create a free GCP or AWS account, follow a "deploy a web app" tutorial end-to-end, and when it breaks (it will), debug it using the documentation. That debugging experience is more valuable than the first 20 hours of any course.
Once you can navigate the console and CLI without feeling lost, pick up the Essential Google Cloud Infrastructure: Foundation course to fill in the conceptual gaps systematically. From there, the roadmap phases above give you a sequenced path to your first professional cert and first cloud role.
The cloud engineer roadmap isn't complicated. The hard part is executing it consistently—building things, breaking them, and reading the documentation when you don't understand why.