Forum Discussion
Move on-prem environment to Azure migration
Ivarious90, well, it all depends; however, there are a bit too few details here.
Putting VMs directly in Azure as lift-and-shift without preparing some infrastructure might expose you to risk.
First of all, you should review the recommended Landing Zone architecture in Azure, as it seems that you will be using multiple services:
https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/
This documentation will help you to understand:
- basic (and advanced) architecture of Azure,
- networking in Azure,
- connectivity to resources in Azure,
- foundation services potentially required (identity, management etc.),
- security requirements,
- services onboarding,
- and many others.
I would suggest starting with:
- Determining your OPEX... well, getting some services might be costly 🙂
- Checking how many VMs are about to be migrated and what their requirements are, how they are separated from each other, how sensitive the data is, etc. More VMs will require a bit more configuration.
- Checking what the requirements are for reaching the resources. Is it an internal network or connections over the internet? This will help you determine the connectivity services required.
- Determining the requirements for internet facing. Should the resources face the internet? If yes, you definitely want to secure them.
- Determining if you need Domain Controllers / identity services for the mentioned VMs; this will help you decide whether you need an Identity Subscription with identity services or not. Maybe moving the DC to the cloud, together with AD Connect, is something you would like to do.
- Getting the requirements for Azure Files access. We are getting back here to connectivity: should it be available through the internal network or the Internet? If internal, configuration of Private Endpoints would be required.
However... for a smaller configuration and cost saving, you might want to split it into 2 separate streams:
- For VMs:
  - Create a VNET + required subnets: https://docs.microsoft.com/en-gb/azure/virtual-network/
  - Create Azure Bastion for secure connectivity to those VMs: https://azure.microsoft.com/en-gb/services/azure-bastion/
  - Use Azure Migrate to migrate the VMs: https://azure.microsoft.com/pl-pl/services/azure-migrate/
- For Azure Files, just set it up and secure it, granting connectivity over the internet but with some best practices: https://blog.cloudboost.io/azure-files-security-best-practices-1c4e6afd145b
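The two streams above (VNET + Bastion for the VMs, an internet-reachable but locked-down Azure Files account) written as a single Bicep deployment. This is an added example, not the poster's code or a Microsoft template; the resource names, address ranges and the allowed client range are assumed placeholders to replace with your own design.

```bicep
param location string = resourceGroup().location
param storageName string = 'stfilesplaceholder01'  // assumed placeholder; must be globally unique
param allowedClientRange string = '203.0.113.0/24'  // assumed placeholder: your office egress range
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-workload'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      { name: 'snet-vms', properties: { addressPrefix: '10.10.1.0/24' } }
      // Bastion requires a subnet with exactly this name, at least /26
      { name: 'AzureBastionSubnet', properties: { addressPrefix: '10.10.255.0/26' } }
    ]
  }
}

resource bastionPip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-bastion'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

// Bastion brokers RDP/SSH over TLS, so the migrated VMs need no public IPs or inbound 3389/22 rules
resource bastion 'Microsoft.Network/bastionHosts@2023-05-01' = {
  name: 'bas-workload'
  location: location
  sku: { name: 'Basic' }
  properties: {
    ipConfigurations: [ {
      name: 'ipconf'
      properties: { subnet: { id: '${vnet.id}/subnets/AzureBastionSubnet' }, publicIPAddress: { id: bastionPip.id } }
    } ]
  }
}

// Azure Files over the internet: HTTPS/TLS 1.2 enforced for REST, and the storage firewall
// limits every protocol (SMB on 445 included) to the allow-listed range; all else is denied
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
    networkAcls: {
      defaultAction: 'Deny'
      ipRules: [ { value: allowedClientRange, action: 'Allow' } ]
    }
  }
}
```

Deploy with `az deployment group create` into the resource group that will hold the migrated VMs; the VMs Azure Migrate lands in `snet-vms` are then reached only through Bastion.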
KelvinYeo, Jul 21, 2022, Brass Contributor
KonradWrobel, something to add on.
You might want to take a look at the best practices in Management Group management as well, as that will help simplify the way you organize your customer's Subscriptions/Workloads in Azure, since things can start to get messy when their subscriptions/workloads increase significantly in the future.
I would suggest creating a "Management Group Design" and "Subscription Design" using the Microsoft CAF (https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-principles) as the basis for your designs.
You can find the list of design considerations in the following articles:
- https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups
- https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions
Lastly, do take note of the https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits for Management Groups and Subscriptions, as that may affect your design and planning in organizing the workloads too.
Hope that helps and do feel free to share the challenges that you experienced along the way too! 😃