Pentesting against own web service hosted on 3rd party platform

In general, you're correct that you'll need the permission of the hosting company when you are scanning services deployed on their infrastructure. This is partially so that their Intrusion Detection Systems are aware that it's an authorised scan.

Both AWS and Azure have policies detailing the process and what's acceptable to test. The AWS one is here and the Azure one is here. If a hosting company doesn't have a published policy, it's worth contacting them to check.

Also, it can depend on the exact service that you're using from the cloud hosting provider. So, for example, for AWS they allow you to test IaaS-style offerings such as AWS EC2, where the customer is responsible for the operating system, and not SaaS offerings like AWS S3, where Amazon are responsible for the operating system and associated software. However, Azure appears to have a more wide-ranging policy where you can test any services you own.

Also, test types can be restricted; for example, DoS testing may well not be allowed, as obviously that can have an effect on the cloud provider.

For "traditional" hosting it generally depends on the type of service you have. If you're using shared hosting where you just have access to the webroot, you may well be restricted from testing, as obviously there's a risk of affecting other users on the same server; however, where you have a full OS image (e.g. Digital Ocean Droplets) you tend to be OK as long as you've notified them (in the case of Digital Ocean, via a support ticket).

There's also a longer list of where to go for different companies here.


You should also check with your ISP. Depending on government regulations and their own operating policies, they could be required to block your pentest actions if detected, or cancel your service completely. They may even be required to report you to law enforcement agencies.


In addition to the ISP consideration in Mike Lane's answer, bear in mind that you are also going to pentest over networks that are the property of different entities that belong to the state in general, so you are not automatically granted permission for such kind of activity.

If you could rent another share or VPS within the same infrastructure as your services, from there you are safe to pentest under one single entity's policies.