They can see the traffic if you're using one of their load balancers. And even if not, snooping on VMs is pretty trivial. For example this project https://github.com/KVM-VMI/kvm-vmi makes it easy to look at memory / processes on a VM.
> They can see the traffic if you're using one of their load balancers.
Only if you let them manage the SSL connection. Load balancers can easily relay individual TCP connections that are encrypted - load balancing doesn't require decryption.
> And even if not, snooping on VMs is pretty trivial.
They'd have to go out of their way to do this, and this would probably be the end of them if it were ever found out. So it's safe to assume any provider who wants to continue existing will not be doing this.
It's not that hard for VMI and harder than you think for network.
I did work for a public cloud and we did think of VMI for diagnostics and malware checks. Once deployed and automated, it would be trivial to reuse for other purposes. I don't expect public cloud to use that daily, but I'd be surprised if they didn't have the process ready.
On the other hand, you want to process the LB traffic as fast as you can and any monitoring/reporting delay would have bad effects. Reconfiguring the filters / sinks at runtime takes effort too.
With experience in both areas, I can tell you they're comparable overall. You have to go out of your way to do it, but it's not too far.
