AWS to Azure Migration Overview

High-level migration guide for moving workloads and services from AWS to Microsoft Azure with minimal downtime.

1. Executive Summary

This guide outlines the strategic migration of infrastructure from AWS to Azure (UK South/West regions). The shift necessitates a paradigm change from AWS concepts (VPCs, Security Groups, IAM Roles) to Azure equivalents (VNets, Network Security Groups, Managed Identities/RBAC). Success relies on mapping service parity, establishing a robust landing zone, and ensuring data sovereignty compliance within the UK.

2. Why Businesses Migrate (Drivers, Anti-patterns)

  • Drivers: Strategic alignment with Microsoft 365/Enterprise Agreements, cost optimization via Azure Hybrid Benefit (reusing on-prem licenses), and superior integration with Windows-centric workloads.
  • Anti-patterns: "Lift-and-Shift" without rightsizing (leading to higher costs than AWS), ignoring the differences in networking latency, and failing to modernize IAM, resulting in "permission bloat" in the new environment.

3. The 6 Rs of Cloud Migration

  • Rehost (Lift & Shift): Using Azure Migrate to move AWS EC2 instances directly to Azure VMs with minimal changes.
  • Replatform (Lift, Tinker & Shift): Moving AWS RDS databases to Azure SQL Managed Instance, or AWS Elastic Beanstalk to Azure App Service, optimizing for managed services without full code rewrites.
  • Refactor (Re-architect): Decomposing AWS monolithic Java/Node apps into Azure Functions or AKS (Azure Kubernetes Service) containers.

4. Pre-Migration Assessment

  • Inventory: Utilize Azure Migrate to perform dependency mapping. Identify hidden dependencies (e.g., AWS SQS or SNS) that require service substitution (Azure Service Bus).
  • Network Mapping: Map AWS VPC CIDRs to Azure VNets. Both VPCs and VNets are regional, but the subnet models differ: an AWS subnet is tied to a single Availability Zone, whereas an Azure subnet spans the region's zones, so a one-subnet-per-AZ layout does not carry over one-to-one.
  • IAM: AWS IAM (User/Role-based) translates to Azure AD (Microsoft Entra ID) + RBAC. Map AWS Managed Policies to Azure Custom/Built-in Roles.
  • Data Transfer Calc: Estimate egress costs from AWS to the internet and ingress to Azure. Use Azure Data Box for multi-terabyte datasets to bypass internet bandwidth bottlenecks.
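As an added illustration of the CIDR mapping step (example code written for this page, not part of the guide; every address range below is constructed): a pre-migration check that flags overlapping address spaces. Hub-and-spoke peering requires disjoint VNet ranges, and the Site-to-Site VPN or ExpressRoute links used while AWS and Azure coexist require the Azure ranges to be disjoint from the VPCs and on-prem networks they route to.

```python
import ipaddress
from itertools import combinations

# Constructed sample inventory; replace with the output of your Azure Migrate assessment.
AWS_VPCS = {
    "prod-vpc": "10.10.0.0/16",
    "dev-vpc": "10.20.0.0/16",
    "legacy-vpc": "10.0.0.0/8",      # a legacy supernet that swallows most 10.x space
}
AZURE_VNETS = {
    "hub-uksouth": "10.100.0.0/22",
    "spoke-prod-uksouth": "10.10.0.0/16",  # reuses prod-vpc's range: clashes during coexistence
    "spoke-dev-uksouth": "10.21.0.0/16",
}
ONPREM = {"dc-london": "192.168.0.0/16"}


def _net(cidr):
    # strict=True rejects entries with host bits set (e.g. "10.10.1.0/16"),
    # which usually means a typo in the inventory rather than a real range.
    return ipaddress.ip_network(cidr, strict=True)


def overlaps_between(a, b):
    """All (name_a, name_b) pairs from two inventories whose ranges overlap."""
    return [(na, nb) for na, ca in a.items() for nb, cb in b.items()
            if _net(ca).overlaps(_net(cb))]


def overlaps_within(nets):
    """Pairs inside one inventory that overlap; peered VNets must be disjoint."""
    return [(x, y) for x, y in combinations(nets, 2)
            if _net(nets[x]).overlaps(_net(nets[y]))]


def check_address_plan(aws_vpcs, azure_vnets, onprem):
    """Return every conflict that would break peering or cross-cloud routing."""
    return {
        "azure_internal": overlaps_within(azure_vnets),
        "azure_vs_onprem": overlaps_between(azure_vnets, onprem),
        "azure_vs_aws": overlaps_between(azure_vnets, aws_vpcs),
    }


if __name__ == "__main__":
    for category, conflicts in check_address_plan(AWS_VPCS, AZURE_VNETS, ONPREM).items():
        print(f"{category}: {conflicts or 'no conflicts'}")
```

An Azure-vs-AWS conflict is only acceptable for a range whose VPC is fully decommissioned before the two clouds are connected.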

5. Step-by-Step Execution Plan

  1. Pilot: Select a low-criticality workload (e.g., a dev web server). Validate connectivity via Site-to-Site VPN or ExpressRoute.
  2. Foundation: Deploy the Azure Landing Zone. Implement Hub-and-Spoke topology. Configure Azure Firewall and Entra ID synchronization.
  3. Data Migration: Use Azure Database Migration Service for SQL workloads. Utilize AzCopy or Data Box for S3-to-Blob storage migration.
  4. Cutover: Implement DNS traffic shifting using Azure Traffic Manager or Azure Front Door. Perform a "Blue/Green" switch to ensure rollback capability.

6. Troubleshooting Common Issues

  • Networking: Azure VNets do not support broadcast/multicast. If legacy apps require these, consider overlay networks.
  • IAM: Entra ID uses "Object IDs" rather than AWS "ARNs." Scripts referencing ARNs will break.
  • Storage: Azure Blob Storage is not an API-compatible replacement for S3, so code and tooling that call the S3 API directly must be changed. Use Azure Storage Explorer or rclone to bridge the two APIs while moving data.

7. UK-Specific Compliance

  • GDPR: Ensure data residency is strictly maintained in UK South or UK West.
  • Data Sovereignty: Leverage Azure's "UK Data Residency" documentation to ensure backups and logs (Log Analytics Workspaces) remain within UK borders, satisfying local regulatory requirements for financial and public sector entities.

8. Cost Modeling

  • Reserved Instances: Transition from AWS Savings Plans to Azure Reserved Instances (1 or 3-year terms).
  • Azure Hybrid Benefit: Apply existing Windows Server licenses to reduce VM costs significantly compared to AWS pay-as-you-go pricing.
  • Egress: Budget for AWS egress fees; they are the "hidden" cost of cloud-to-cloud migration.

9. Conclusion

Migrating from AWS to Azure requires more than a simple data copy; it demands an architectural alignment with Azure's unique resource management model. By focusing on the Hub-and-Spoke networking model and prioritizing Entra ID for identity governance, mid-market enterprises can achieve a secure, compliant, and cost-effective transition to the UK Azure regions.