Boost your growth and access more customers by replicating your AWS app to Azure and selling through Azure Marketplace. This post can help you understand the similarities and differences in security models and components to help you replicate your app to Azure faster.
This post is part of a series on replicating apps from AWS to Azure. View all posts in this series.
As an Independent Software Vendor (ISV), extending your Marketplace presence beyond AWS Marketplace by also offering on Azure Marketplace can unlock new opportunities to expand your customer base. With Azure's extensive network and diverse user base, it provides a vibrant platform to increase your application's visibility and capabilities.
To streamline your app replication, it helps to understand how AWS and Azure each handle Identity and Access Management, data protection, threat detection and monitoring, compliance and certifications, and network security. Knowing the mapping lets you adjust the security components of your app more quickly as you replicate it, and keeps both your app and your customers' data protected.
You can also join ISV Success to get access to over $126K USD in cloud credits, AI services, developer tools, and 1:1 technical consults to help you replicate your app and publish to Azure Marketplace.
Overview of cloud security models
When moving your app from AWS Marketplace to Azure Marketplace, it's important to understand the key differences between AWS and Azure security models to ensure a smooth transition. Here are the main points you should keep in mind:
- AWS: In AWS’s shared responsibility model, AWS handles infrastructure security (such as physical security and network controls), while you are responsible for securing your applications, data, and access controls. This includes managing network security, identity and access management (IAM), and data encryption. AWS provides services such as Amazon GuardDuty for threat detection and Amazon Inspector for vulnerability monitoring.
- Azure: Azure’s shared responsibility model focuses on compliance and regulatory requirements. It offers integrated services to secure data, applications, and infrastructure, simplifying compliance. Azure natively integrates with third-party security tools like Palo Alto Networks, Check Point, CrowdStrike and McAfee via services like Microsoft Defender for Cloud and Microsoft Sentinel for centralized security and threat detection. Microsoft Entra ID works with third-party identity providers such as Okta and Ping Identity for flexible authentication and access management without being locked into a single vendor. The Azure Marketplace also offers pre-configured security solutions, simplifying deployment and integration of security tools while maintaining flexibility.
Understanding these differences can significantly ease the process and enhance the security of your cloud solutions, setting you up for success on both platforms.
Figure 1 (source: https://learn.microsoft.com/en-us/azure/architecture/guide/security/security-start-here)
Identity and Access Management (IAM)
IAM ensures that only authorized users and services can access cloud resources. AWS and Azure differ in how they manage user identities and permissions. Understanding these differences will help you map your AWS app to Azure by leveraging Azure’s IAM services.
- AWS: AWS uses IAM to centrally manage user identities and access permissions, with roles and policies defined in JSON for granular control. It also offers AWS Cognito for user identity management in custom applications and AWS SSO to simplify authentication across AWS accounts. While AWS IAM provides flexibility, it requires more manual configuration for complex use cases.
- Azure: Azure uses Microsoft Entra ID (formerly Azure AD), a cloud-based identity and access management service that provides more integrated security, especially for enterprise environments. It supports Role-Based Access Control (RBAC), which simplifies permission management by assigning predefined roles to users or groups, and integrates seamlessly with Microsoft products like Office 365, Microsoft Entra ID Connect, and third-party applications. It also offers advanced features like multi-factor authentication (MFA) and conditional access policies for context-based authentication. For ISVs migrating from AWS to Azure, Entra ID offers a more unified, scalable solution, particularly for hybrid environments and organizations with existing Microsoft infrastructure.
| Feature | AWS IAM | Azure Entra ID |
|---|---|---|
| Core Access Model | RBAC | |
| Default Access | Implicit Deny | Implicit Deny |
| Policy Granularity | Fine-grained IAM policies | Granular access through Azure RBAC |
| MFA | Included for basic features | Basic MFA included; advanced with Microsoft Entra ID Premium |
| Conditional Access | Limited support | Advanced with Microsoft Entra ID Premium |
| Audit Logging | CloudTrail, CloudWatch | |
| Cross-Account Access | IAM roles between AWS accounts | Microsoft Entra ID B2B across tenants |
| Federation | Supports external identity providers | |
| Role Delegation | Delegation within/across accounts | |
| Service Role | IAM roles for services | Managed identities for services |
| Custom Roles | Custom IAM policies | |
| Access to Resources | Fine-grained resource access | Resource, subscription, management-group level |
| Compliance | AWS Artifact | Azure Compliance Manager |
| Risk Detection | AWS GuardDuty | Microsoft Entra ID Identity Protection through premium licenses |
| Temporary Credentials | IAM roles provide temporary credentials | Microsoft Entra ID PIM for temporary privileges through premium licenses |
| Cross-Service Permissions | IAM policies across services | Unified role model across services via Azure RBAC |
Data protection
Understanding the differences in data protection between AWS and Azure is crucial for you as an Independent Software Vendor (ISV) navigating the migration process. Recognizing these distinctions will help you make informed decisions and ensure a smoother transition.
- AWS: AWS offers key management through KMS, data classification with Macie, and monitoring with CloudTrail. Key features include S3 Object Locking and robust encryption for data both at rest and in transit.
- Azure: Azure uses Key Vault for key management, Purview for data classification, and provides Blob Storage versioning and immutability. It also offers built-in data retention, comprehensive auditing features, and advanced security via Microsoft Sentinel.
| Feature | AWS Data Protection | Azure Data Protection |
|---|---|---|
| Data Encryption at Rest | Encryption by default on S3, EBS, RDS, etc.; encryption option for other services | Encryption by default on Blob Storage, Azure SQL DB, Azure Managed Disks, etc.; encryption options for other services |
| Data Encryption in Transit | SSL/TLS Encryption | |
| Key Management | AWS KMS (encryption key management), CloudHSM (hardware-based key management) | Azure Key Vault (encryption key management), Dedicated HSM (hardware-based key management) |
| Bring Your Own Key (BYOK) | Supported | Supported |
| Key Rotation | Automatic | Automatic |
| Data Classification | Amazon Macie | Azure Purview |
| Data Masking | RDS Column-Level Encryption | Azure SQL Database and Azure Synapse Analytics offer Dynamic Data Masking |
| Backup and Recovery | AWS Backup | |
| Data Retention Policies | AWS Data Lifecycle Manager | |
| Compliance and Certifications | Various standards | Various standards |
| Data Loss Prevention | S3 Versioning | |
| Data Integrity and Authenticity | S3 Object Locking to enforce WORM protection for data immutability | Immutable Blob Storage features WORM |
| Network Data Protection | VPC with encryption, security groups, and network ACLs to protect data in transit; AWS Shield and WAF provide additional network-level security | VNet with encryption, network security groups (NSG), and private endpoints to secure data in transit; DDoS Protection and WAF for network security |
| End-to-End Encryption | KMS or CloudHSM | Azure Key Vault, TLS |
| Data Deletion and Wiping | S3 Lifecycle Policies | Blob Storage secure deletion policies |
| File-Level Encryption | EFS Encryption including file-level encryption using KMS | Azure Files encryption using Azure Key Vault |
| Data Access Auditing | CloudTrail, CloudWatch | Azure Monitor, Security Center, Microsoft Sentinel for advanced threat detection and alerting |
Threat detection and monitoring
Both AWS and Azure offer robust tools for threat detection and monitoring, but Azure provides a more integrated approach, especially in hybrid and multi-cloud environments. Azure's services, such as Azure Security Center and Microsoft Sentinel, work seamlessly with third-party solutions like Palo Alto Networks, CrowdStrike, and McAfee, offering centralized management and easier threat detection.
- AWS: AWS provides Amazon GuardDuty for threat detection and AWS Security Hub for centralized security monitoring. Additionally, CloudTrail logs API activity, and AWS Config monitors resource configurations.
- Azure: Azure offers Azure Security Center for threat management and Microsoft Sentinel for SIEM and incident response. Microsoft Defender for Cloud protects various workloads across hybrid and multi-cloud environments.
| Feature | AWS | Azure |
|---|---|---|
| Core Threat Detection | GuardDuty | Security Center |
| Real-Time Monitoring | Amazon CloudWatch | Azure Monitor |
| Anomaly Detection | GuardDuty | Security Center & Microsoft Sentinel |
| Advanced Threat Analytics | GuardDuty | Microsoft Sentinel |
| Threat Intelligence | GuardDuty | Microsoft Sentinel |
| Malware Detection | Amazon Macie | Microsoft Defender for Cloud |
| Log Management | Amazon CloudWatch Logs, AWS CloudTrail | Azure Monitor, Azure Log Analytics |
| Incident Response | Centralized Security Hub | Security Center & Microsoft Sentinel integrated management |
| Compliance Monitoring | AWS Config | Security Center |
| Vulnerability Scanning | AWS Inspector | Microsoft Defender for Cloud for Servers |
| Network Threat Detection | VPC Flow Logs & AWS Network Firewall | Azure Network Watcher & Azure Firewall |
| DDoS Protection | AWS Shield | Azure DDoS Protection |
| Behavioral Analytics | GuardDuty | Microsoft Sentinel |
| Cloud & Hybrid Environment Support | GuardDuty, AWS Security Hub & CloudWatch | |
| Automation & Orchestration | AWS Security Hub & Lambda | Microsoft Sentinel & Azure Logic Apps |
| External Threat Intelligence Integration | GuardDuty | Microsoft Sentinel |
| Integrated Endpoint Protection | AWS Endpoint Protection (via Amazon Macie, AWS Security Hub, and other services) | Microsoft Defender for Cloud for Endpoint (integrated with Microsoft Sentinel) |
Compliance and certifications
Both AWS and Azure are highly compliant with international standards, offering a range of certifications to meet industry-specific requirements. However, they differ in their approach to compliance management. Azure integrates compliance into the platform via tools like Azure Policy, Microsoft Defender for Cloud and Compliance Manager, enabling continuous management and policy enforcement. Azure’s focus on hybrid and multi-cloud environments makes it a strong choice for complex compliance needs.
- AWS: AWS offers a broad range of global compliance certifications, including ISO 27001, SOC 1/2/3, PCI-DSS, HIPAA, GDPR, and FedRAMP. Compliance is primarily managed via AWS Artifact, offering access to reports and documentation, with an emphasis on self-service tools for compliance across industries.
- Azure: Azure supports a variety of compliance certifications, including ISO 27001, SOC 1/2/3, PCI-DSS, HIPAA, GDPR, and FedRAMP, and places greater emphasis on proactive compliance management. It integrates compliance into the platform via tools like Azure Policy and Compliance Manager. These tools help you manage compliance and enforce policies. Azure’s focus on hybrid and multi-cloud environments, as well as industry-specific certifications, makes it a compelling choice for organizations with complex compliance needs.
Network security
Network security is crucial in any cloud environment, and both AWS and Azure provide tools to protect applications and data. While both offer strong security solutions, they differ in how they approach network security and integration. By understanding these differences, you can leverage Azure and its built-in services to build a robust and secure network.
- AWS: AWS focuses on network isolation and scalable connectivity through VPC (Virtual Private Cloud), allowing you to create isolated virtual networks in the AWS cloud. This gives you complete control over IP address ranges, subnets, and routing, allowing for granular control. AWS provides AWS Shield for DDoS protection, AWS WAF (Web Application Firewall) to protect web applications, and AWS Transit Gateway to facilitate secure connectivity across VPCs and on-premises environments. While these tools offer extensive customization, they require a higher level of setup and integration to ensure robust security across complex environments.
- Azure: Azure's approach to network security is centered around the Azure Virtual Network (VNet), which serves a similar purpose to Amazon VPC by allowing you to create isolated network environments in the Azure cloud. Azure simplifies network management by providing built-in features for connectivity, including VNet Peering for secure connections between VNets, as well as integration with Azure ExpressRoute for private connections to on-premises infrastructure. Azure also offers Azure DDoS Protection for safeguarding applications from large-scale attacks, Azure Firewall for filtering traffic, and Azure Network Security Groups (NSGs), which provide detailed control over inbound and outbound traffic to resources within a VNet. The integration of these security tools with other Azure management services makes it easier for you to manage and enforce security policies in hybrid cloud and multi-cloud environments.
| Aspect | AWS | Azure |
|---|---|---|
| Virtual Network Setup | Amazon VPC for isolated networks with subnets, route tables, and private/public IPs | Azure VNet with similar capabilities for isolated networks with segmented subnets and route tables |
| Firewall Services | AWS Network Firewall and AWS WAF for web app security | Azure Firewall and Azure WAF for web app protection |
| Private Connectivity | AWS Direct Connect | |
| Intrusion Detection | AWS GuardDuty for threat detection and monitoring | Azure Security Center with integrated threat protection and Microsoft Defender for Cloud |
| VPN Support | AWS VPN for secure site-to-site IPsec connections | Azure VPN Gateway for secure IPsec/IKE site-to-site connections |
| Network Segmentation | AWS Security Groups at instance level; NACLs at subnet level | Azure NSGs for instance traffic filtering and Application Security Groups for segmentation |
| DDoS Protection | AWS Shield with Standard and Advanced DDoS protection | Azure DDoS Protection with Standard and Basic plans |
| Load Balancing | AWS ELB for application and network load balancing | Azure Load Balancer and Application Gateway for layer 7 load balancing and WAF |
| Traffic Inspection | AWS Traffic Mirroring | |
| Private Link | AWS PrivateLink | Azure Private Link |
| Bastion Hosts | AWS EC2 Instance Connect for secure SSH/RDP without public IPs, AWS Systems Manager Session Manager for remote instance connection | Azure Bastion for secure RDP/SSH to Azure VMs without public exposure |
| RDP/SSH Access | AWS Systems Manager Session Manager for secure, auditable EC2 instance access with no bastion host | Azure Bastion for secure, managed RDP/SSH VM access without open ports |
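The "Network Segmentation" row hides a semantic difference that matters when you replicate rules. The Python below is an added example (not code from the original post) that evaluates a constructed packet against an allow-only, unordered AWS security group and against a priority-ordered Azure NSG with Allow and Deny rules; all rule sets, addresses and the stand-in default rule are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    src: str    # source IP address
    proto: str  # "tcp" or "udp"
    dport: int  # destination port

# Constructed AWS security-group inbound rules (not from the page). Security groups are
# allow-only and unordered: any matching rule permits the traffic, nothing else is admitted.
AWS_SG_INBOUND = [
    {"proto": "tcp", "port": 443, "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "port": 22, "cidr": "10.0.0.0/8"},
]

def _rule_matches(rule, pkt):
    return (rule["proto"] in ("*", pkt.proto)
            and rule["port"] in ("*", pkt.dport)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule["cidr"]))

def aws_sg_allows(rules, pkt):
    return any(_rule_matches(r, pkt) for r in rules)

# Constructed Azure NSG inbound rules. NSG rules carry a priority (lower number wins) and an
# Allow or Deny access; the first matching rule decides. The 65500 entry stands in for the
# platform default DenyAllInBound rule (the default AllowVnetInBound and
# AllowAzureLoadBalancerInBound rules are omitted from this model).
AZURE_NSG_INBOUND = [
    {"priority": 100, "access": "Deny", "proto": "tcp", "port": 22, "cidr": "10.5.0.0/16"},
    {"priority": 200, "access": "Allow", "proto": "tcp", "port": 22, "cidr": "10.0.0.0/8"},
    {"priority": 300, "access": "Allow", "proto": "tcp", "port": 443, "cidr": "0.0.0.0/0"},
    {"priority": 65500, "access": "Deny", "proto": "*", "port": "*", "cidr": "0.0.0.0/0"},
]

def azure_nsg_allows(rules, pkt):
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if _rule_matches(rule, pkt):
            return rule["access"] == "Allow"
    return False  # only reached if no catch-all deny rule is present

def sg_to_nsg_rules(sg_rules, start_priority=100):
    """Naive replication of security-group rules as NSG Allow rules: emission order becomes
    priority, so any Deny exception you add later needs a lower priority number than the
    Allow it is meant to override."""
    return [{"priority": start_priority + 10 * i, "access": "Allow", **r}
            for i, r in enumerate(sg_rules)]
```

The point for replication is that a security group cannot express the 10.5.0.0/16 exception at all (on AWS it would go in a subnet NACL or be expressed as narrower allow CIDRs), while on Azure the same exception works only if its priority number is lower than the broader Allow.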
Key Resources:
- Publishing to commercial marketplace documentation
- Pricing Calculator | Microsoft Azure
- Get over $126K USD in benefits and technical consultations to help you replicate and publish your app with ISV Success
- Maximize your momentum with step-by-step guidance to publish and grow your app with App Advisor
- Accelerate your development with cloud ready deployable code through the ISV quick-start development toolkit
Updated Mar 20, 2025, Version 8.0
Dileep-G, Microsoft
Marketplace blog