Empower your migration decisions with negotiated agreements (EA/MCA) in Azure Migrate

Cost plays the most important part in cloud migration: it is what accelerates, or stalls, the decisions. Organizations often hesitate because retail pricing doesn’t reflect their reality. That’s where the Microsoft Customer Agreement (MCA) comes in, offering discounts of up to 60% off retail prices based on your negotiated contract. Now, with Azure Migrate’s support for MCA pricing, you can bring those negotiated rates directly into your assessments. The result: accurate cost projections, faster decision-making, and a clear path to the cloud.

What is MCA?
The Microsoft Customer Agreement (MCA) is a modern, flexible purchasing agreement designed to simplify how organizations buy and manage Microsoft services. It replaces older, complex agreements like the Enterprise Agreement (EA) for many customers, offering:
- Simplified Terms: A single, digital agreement that covers all Microsoft services.
- Flexible Purchasing: Pay-as-you-go or commit to specific services based on your needs.
- Negotiated Discounts: Depending on your contract, MCA can offer up to 60% off retail pricing, making Azure more cost-effective.
- Centralized Billing: Consolidated invoices and transparent cost tracking across subscriptions.
With MCA, customers gain predictability, transparency, and control over their cloud spend, which is critical for planning large-scale migrations.

Why MCA Integration in Azure Migrate Matters
Previously, Azure Migrate assessments used standard retail pricing, which often didn’t reflect your negotiated terms. This created uncertainty and slowed decision-making. Now, by integrating MCA pricing:
- No More Guesswork: Assessments reflect your actual negotiated rates.
- True Cost Visibility: Understand the real financial impact of your migration strategy.
- Better Planning: Prioritize workloads and optimize budgets with confidence.

How It Works
Creating an assessment with a negotiated agreement is simple:
1. From the Azure Migrate overview, click Create Assessment and add all the required workloads to the assessment scope.
2. In the general settings, select Microsoft Customer Agreement (MCA) as the Offer/License program and, in the Subscription Id field, select the appropriate subscription.
3. Once the assessment is created, visualize the projected costs and compare the MCA-based cost against retail pricing.

Key benefits
- Accuracy: Realistic cost projections based on your MCA.
- Flexibility: Model multiple migration scenarios with confidence.
- Speed: Eliminate manual adjustments and accelerate planning.

Ready to Get Started?
Don’t let cost ambiguity slow down your cloud journey. Start leveraging MCA-powered assessments in Azure Migrate today and move forward with confidence.
👉 Learn more and get started: Assessment Properties - Azure Migrate | Microsoft Learn

Azure Migrate: Connected Experiences
Shiva Shastri, Sr Product Marketing Manager, Azure Migrate—Product & Ecosystem

Modernization in motion: Evolving at the speed of change

Modernization is the process of transforming legacy IT systems into technologies and architectures that improve agility, scalability, performance and cost-efficiency. It enables businesses to stay competitive by aligning their capabilities with evolving customer and market demands. Modernization is not a one-time event with a finish line but a continuous journey of evolution. As technology, customer expectations, and competitive landscapes shift, so must the systems and processes that support them. Cloud-native architectures are inherently aligned with modernization while providing access to innovations such as AI. By treating modernization as an ongoing discipline, organizations can stay ahead of disruption, adapt faster to change, and unlock new opportunities.

This ability to move faster and smarter is fully realized in Azure, where modernization becomes both a technical upgrade and a strategic advantage. It enables organizations to refocus on core priorities, respond to market shifts in real time, and reduce operational costs. At the heart of this transformation is Azure Migrate, Microsoft’s free, unified platform for cloud migration and modernization. It offers comprehensive capabilities including IT resource discovery, assessment, business case analysis, planning, and execution, all in a workload-agnostic manner. From a single, secure portal, users can manage and monitor the entire journey and cut over to production in Azure with confidence.

Today, we’re excited to introduce several impactful Azure Migrate features designed to help you move your on-premises workloads to Azure more efficiently.

Accelerated migration and modernization to the cloud
The Azure Migrate agentic method offers an intuitive and insightful approach to cloud transformation. AI assistance assesses on-premises environments, identifies dependencies, and orchestrates workload transitions with minimal manual intervention. By continuously adapting and delegating activities to the appropriate persona, the agents streamline complex migration paths, reduce risk, and accelerate time-to-value. For organizations moving to Azure, the agentic method provides a fast, frictionless route, turning what was once a daunting task into a guided, efficient journey toward modernization.

Infrastructure as Code (IaC) plays a pivotal role in cloud migration and modernization by enabling organizations to automate the provisioning and management of infrastructure through code. This approach ensures consistency, scalability, and repeatability across environments, reducing manual errors and accelerating deployment timelines. Azure Migrate now supports IaC, simplifying the transition from legacy systems to cloud-native architectures by codifying infrastructure configurations and making it easier to replicate and validate setups.

Comprehensive coverage and consistent user experience for your IT estate
No single migration or modernization tool can address the full spectrum of enterprise scenarios and technologies. That’s why Azure Migrate takes a platform-centric approach, delivering a unified, intelligent experience that spans the entire IT estate. By seamlessly interoperating with specialized tools like Database Migration Service (DMS) and GitHub Copilot (GHCP), Azure Migrate empowers organizations to modernize with confidence, flexibility, and speed. Advanced capabilities like 6R analysis (Rehost, Refactor, Rearchitect, Rebuild, Replace, and Retire) empower organizations to tailor modernization strategies to each application, driving smarter, scenario-specific decisions.

Support for migration of Arc-enabled resources extends Azure Migrate’s management and governance capabilities to hybrid and multi-cloud environments, ensuring consistency and control regardless of where workloads reside. Additionally, support for Rocky Linux, PostgreSQL, and application awareness empowers teams to assess entire open-source application stacks, with their dependencies, for readiness to migrate to Azure.

Secure by design with human in the loop
Azure Migrate has recently introduced several security enhancements that reinforce Microsoft's commitment to a "secure by design" and "secure by default" approach. Among the key updates is the friction-free collector, which simplifies secure data collection for migration assessments while minimizing exposure risks. Friction-free discovery in Azure Migrate eliminates the need to deploy discovery appliances for initial assessments. As a result, it accelerates time-to-value, reduces setup complexity, and suits security-conscious environments, making it an efficient and low-risk way to begin cloud migration planning. Azure Migrate supports Private Link and disabling public network access, so migration traffic remains within private channels. Additionally, the platform encrypts data both in transit and at rest, with the option of customer-managed keys, and integrates tightly with Azure Key Vault for credential and secret management. A security vulnerability report produced during migration and modernization identifies misconfigurations, outdated components, and exposed services, and provides actionable insights aligned with Microsoft Defender for Cloud (MDC) threat protection and posture management capabilities. This allows teams to remediate risks proactively and apply MDC’s security controls so the environment is secure from day one in Azure.

As organizations navigate shifting markets, supply chains, and climate challenges, sustainability has become a strategic imperative. Azure’s carbon optimization capabilities provide clear visibility into potential emission reductions and cost savings, helping IT teams prioritize impactful actions. By unifying planning, execution, and continuity across infrastructure and applications, Azure delivers a consistent modernization experience. Ultimately, cloud-powered innovation enables businesses to drive efficiency, reduce environmental impact, and stay competitive in a rapidly evolving landscape.

Learn more
Start with a free Azure account if you are new. Sign up for previews of new capabilities and learn more about the workload-agnostic method of Azure Migrate. For expert migration help, please try Azure Accelerate. You can also contact your preferred partner or Microsoft field for next steps. Get started in Azure today!

Migrating Application Load Balancer from AWS to Azure Application Gateway
Accelerate Innovation and Business Growth with Azure
In today’s digital-first world, organizations are reimagining their cloud architectures to drive agility, resilience, and growth. Migrating your application load balancing from AWS Application Load Balancer (ALB) to Azure Application Gateway is more than a technical upgrade; it’s a strategic move to future-proof your business. Azure Application Gateway delivers enterprise-grade performance, security, and flexibility, empowering you to unlock new opportunities and maximize your cloud investment.

Key Insights for a Successful Migration

1. Strategic Assessment: Map Capabilities and Opportunities
Begin your journey by evaluating your current AWS ALB environment. Identify critical features: path-based routing, health checks, SSL/TLS termination, autoscaling, and security integrations. Map these capabilities to Azure Application Gateway’s advanced features, including zone redundancy, integrated Web Application Firewall (WAF), and seamless certificate management with Azure Key Vault. This assessment is your blueprint for a migration that preserves business continuity and unlocks new value.

2. Preparation: Build a Foundation for Success
Preparation is the cornerstone of a smooth migration. Document your existing configurations, export and convert SSL/TLS certificates, and update backend services to leverage Azure’s intelligent routing and monitoring. Reduce DNS TTL values to enable rapid cutover and minimize downtime. Leverage Infrastructure as Code to deploy Azure resources with speed and consistency, ensuring your environment is ready for transformation.

3. Migration Execution: Seamless Transition, Minimal Disruption
Deploy Azure Application Gateway and backend resources in parallel with your AWS environment. Validate routing, security, and health probe configurations to ensure flawless operation. During DNS cutover, monitor propagation and service health to deliver a seamless experience for your users. Azure’s integrated diagnostics and monitoring tools provide real-time visibility, empowering you to resolve issues proactively and maintain peak performance.

4. Validation and Optimization: Drive Continuous Improvement
Success is measured by outcomes: performance, reliability, and user satisfaction. Compare Azure metrics against your AWS baselines, validate routing accuracy, and test failover scenarios. Use Azure Monitor and Log Analytics to gain actionable insights and optimize your configuration. Embrace an iterative approach to refine your environment, ensuring it evolves with your business needs.

Best Practices for Enterprise Migration
- Leverage Azure’s integrated ecosystem: Use Key Vault for secure certificate management, Monitor for deep observability, and WAF for robust protection.
- Automate and standardize: Adopt Infrastructure as Code for repeatable, error-free deployments.
- Test and validate: Employ automated and manual testing to ensure every capability meets your requirements.
- Minimize downtime: Plan cutover during low-traffic periods and prepare rollback strategies for business assurance.
- Monitor and optimize: Continuously improve with Azure’s analytics and alerting tools.

The Azure Advantage: Empower Your Business
Migrating to Azure Application Gateway is a catalyst for digital transformation. With Microsoft’s commitment to security, reliability, and innovation, your organization is equipped to thrive in a dynamic marketplace. Ready to unlock the full potential of your cloud strategy? Discover Azure Application Gateway best practices and join the leaders who are shaping the future of cloud networking.

Pre-Migration Vulnerability Scans:
Migrating applications to the cloud or modernizing infrastructure requires thorough preparation. Whether the target is a cloud platform, a new data center, or a hybrid infrastructure, the move is a complex process. While organizations focus on optimizing performance, costs, and scalability, security often takes a backseat, leading to potential risks post-migration. One crucial step before migration is conducting a pre-migration scan to identify security vulnerabilities, licensing risks, and code quality issues. Several tools help in pre-migration scanning, including BlackDuck, Coverity, Gitleaks, and Semgrep. In this article, we will explore the role of these tools in migration readiness.

Why Perform a Pre-Migration Scan?
When an application moves from an on-premises environment to the cloud, it interacts with new infrastructures, security models, and compliance regulations. Security scanning tools analyze various aspects of an application, including:
- Source Code: Detects insecure coding practices, injection vulnerabilities, and logic flaws.
- Third-Party Dependencies: Identifies vulnerabilities in open-source libraries and software components.
- Secrets & Credentials: Scans for hardcoded passwords, API keys, and authentication tokens.
- Infrastructure as Code (IaC): Checks for misconfigurations in Terraform, Kubernetes, Docker, and cloud resources.
- Compliance Risks: Ensures adherence to security standards like SOC 2, GDPR, HIPAA, and NIST.

A pre-migration scan helps in:
- Identifying Security Vulnerabilities: Detecting potential security threats before moving to the cloud.
- Ensuring License Compliance: Avoiding open-source license violations.
- Code Quality Assurance: Identifying issues that could lead to performance degradation post-migration.
- Reducing Migration Risks: Understanding potential blockers early in the process.
- Optimizing Performance: Detecting inefficiencies early reduces technical debt.

What to use?
One of the biggest challenges organizations face during migration is understanding where vulnerabilities exist within their application. This is where scanning tools come into play, each addressing a specific aspect of security and compliance.

Take BlackDuck, for instance. Many applications rely on open-source components, but these dependencies come with risks. BlackDuck helps teams analyze these libraries, identifying outdated dependencies and ensuring compliance with licensing policies. If an application relies heavily on open-source libraries, checking for outdated or vulnerable dependencies should be a priority.
Key Features:
- Detects Open-Source Vulnerabilities: Identifies known CVEs (Common Vulnerabilities and Exposures) in third-party libraries.
- License Compliance Management: Ensures adherence to open-source licenses like GPL, MIT, Apache, etc.
- Integration with DevOps: Works seamlessly with CI/CD pipelines to automate security checks.

Then there’s Coverity, which tackles security flaws hidden in the source code. A migration process should not only move applications but also ensure they are stable and secure in the new environment. Coverity, a Static Application Security Testing (SAST) tool, scans code for potential weaknesses, whether SQL injection, cross-site scripting (XSS), or memory leaks. By fixing these defects before migration, teams can prevent costly failures post-deployment.
Key Features:
- Deep Code Analysis: Identifies issues such as buffer overflows, SQL injection, cross-site scripting (XSS), and memory leaks.
- Supports Multiple Languages: Works with C, C++, Java, JavaScript, Python, Go, and more.
- Seamless CI/CD Integration: Can be integrated into GitHub, GitLab, and Azure DevOps workflows.

Another key concern is secrets management. Hardcoded API keys, passwords, and tokens often find their way into repositories, creating a massive security risk. Gitleaks scans Git repositories to detect these leaks so they can be removed and the credentials rotated before they can be exploited. Imagine pushing an application to the cloud, only to realize that an exposed API key is granting unauthorized access to critical services. By integrating Gitleaks into the pre-migration process, organizations can avoid such missteps.
Key Features:
- Scans for Hardcoded Secrets: Detects sensitive information in commits, branches, and history.
- Pre-Commit Hooks: Prevents secrets from being pushed to Git repositories.
- Customizable Rulesets: Allows teams to define their own secret detection policies.
- Compatible with GitHub & GitLab: Easily integrates with popular version control platforms.

Finally, Semgrep provides a flexible approach to enforcing security best practices. Unlike traditional scanning tools, it allows teams to define custom security rules to catch coding patterns that may lead to vulnerabilities. Whether it’s identifying misconfigurations or enforcing secure coding standards, Semgrep adds an extra layer of protection, ensuring applications follow best practices before going live in the cloud.

Comparing the Tools:

| Tool      | Primary Use Case                          | Best for                           | CI/CD Integration |
|-----------|-------------------------------------------|------------------------------------|-------------------|
| BlackDuck | Open-source security & license compliance | Dependency scanning                | Yes               |
| Coverity  | Static code analysis                      | Code vulnerabilities               | Yes               |
| Gitleaks  | Secret & credential scanning              | Preventing secret leaks            | Yes               |
| Semgrep   | Customizable code analysis                | Secure coding & policy enforcement | Yes               |

Integration with the code:
Automation is key to ensuring that security scans are not overlooked or treated as one-time activities. To streamline the process, organizations integrate these scanning tools directly into their Continuous Integration/Continuous Deployment (CI/CD) pipeline, ensuring security checks are part of every development cycle.
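A worked example of the kind of pipeline gate that sits behind this integration, added here and not taken from the original article: it reads the JSON reports that Gitleaks (run with `--report-format json`) and Semgrep (run with `--json`) produce, normalises severities, ranks the findings, and fails the build above a chosen threshold. The two reports are constructed inline in the shape of those tools' output so the script runs offline; the severity mapping and the rule that every leaked secret counts as critical are this example's own policy, not the tools'.

```python
"""Pipeline gate for pre-migration scan reports (added example, not from the article).

Assumes the gitleaks report is a JSON list of findings with RuleID/File/StartLine/
Commit fields and the Semgrep report is {"results": [...]} with check_id, path,
start.line and extra.severity. The sample reports below are constructed.
"""
import json
from dataclasses import dataclass

# Constructed sample of a gitleaks JSON report. The Secret field is never copied
# into the triage output: the report itself is already a sensitive artifact.
GITLEAKS_REPORT = json.dumps([
    {"RuleID": "aws-access-token", "File": "deploy/config.env", "StartLine": 12,
     "Commit": "0123abcd", "Description": "AWS Access Key", "Secret": "<redacted>"},
    {"RuleID": "generic-api-key", "File": "tests/fixtures/sample.json", "StartLine": 3,
     "Commit": "0123abcd", "Description": "Generic API Key", "Secret": "<redacted>"},
])

# Constructed sample of a Semgrep JSON report with one finding per severity level.
SEMGREP_REPORT = json.dumps({"results": [
    {"check_id": "python.lang.security.audit.sqli.raw-query", "path": "app/db.py",
     "start": {"line": 40}, "extra": {"severity": "ERROR", "message": "SQL built from user input"}},
    {"check_id": "python.lang.security.audit.insecure-hash", "path": "app/auth.py",
     "start": {"line": 8}, "extra": {"severity": "WARNING", "message": "MD5 used for hashing"}},
    {"check_id": "python.lang.best-practice.unused-import", "path": "app/util.py",
     "start": {"line": 1}, "extra": {"severity": "INFO", "message": "Unused import"}},
], "errors": []})


@dataclass(frozen=True)
class Finding:
    tool: str
    rule: str
    location: str
    severity: str  # normalised: critical, high, medium or low
    message: str


# Example policy: Semgrep ERROR blocks a migration, WARNING is tracked, INFO is noise.
SEMGREP_SEVERITY = {"ERROR": "high", "WARNING": "medium", "INFO": "low"}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_gitleaks(report_text: str) -> list[Finding]:
    """Every leaked secret is critical: once committed it lives in history until rotated."""
    return [
        Finding(tool="gitleaks", rule=item["RuleID"],
                location=f"{item['File']}:{item['StartLine']}@{item['Commit'][:8]}",
                severity="critical", message=item.get("Description", ""))
        for item in json.loads(report_text)
    ]


def parse_semgrep(report_text: str) -> list[Finding]:
    """Map Semgrep's ERROR/WARNING/INFO onto the shared severity scale."""
    return [
        Finding(tool="semgrep", rule=res["check_id"],
                location=f"{res['path']}:{res['start']['line']}",
                severity=SEMGREP_SEVERITY.get(res["extra"]["severity"], "low"),
                message=res["extra"].get("message", ""))
        for res in json.loads(report_text)["results"]
    ]


def prioritise(findings: list[Finding]) -> list[Finding]:
    """Most severe first; at equal severity, secrets before code findings, then by path."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.tool, f.location))


def gate(findings: list[Finding], fail_at: str = "high") -> tuple[bool, dict[str, int]]:
    """Return (passed, per-severity counts); fails if any finding is at or above fail_at."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    threshold = SEVERITY_RANK[fail_at]
    passed = all(SEVERITY_RANK[f.severity] > threshold for f in findings)
    return passed, counts


def run_gate(gitleaks_text: str, semgrep_text: str, fail_at: str = "high"):
    """Parse both reports, rank the findings and apply the gate."""
    findings = prioritise(parse_gitleaks(gitleaks_text) + parse_semgrep(semgrep_text))
    passed, counts = gate(findings, fail_at)
    return passed, counts, findings


if __name__ == "__main__":
    ok, counts, ranked = run_gate(GITLEAKS_REPORT, SEMGREP_REPORT)
    for f in ranked:
        print(f"[{f.severity:8}] {f.tool:8} {f.location:42} {f.rule}")
    print("counts:", counts, "gate:", "PASS" if ok else "FAIL")
    raise SystemExit(0 if ok else 1)  # non-zero exit fails the pipeline stage
```

In a real pipeline the two constants would be replaced by reading the report files the scan stages write to the artifact store, and the process exit code is what blocks the migration stage.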
A typical setup involves defining a pipeline configuration that automates the execution of each tool at various stages:

Once the scans are complete, the results are typically stored as JSON reports in pipeline artifacts or logging systems, making it easy to track, analyze, and prioritize issues before proceeding with the migration. By integrating these tools into the CI/CD pipeline, security becomes an automated and continuous process rather than a last-minute checkpoint.

Challenges in Pre-Migration Security Scanning
- False Positives: Some tools generate excessive alerts, requiring manual verification.
- Lack of Security Awareness: Developers may not be trained to interpret scan results effectively.
- Integration with DevOps: Security scans must fit into existing CI/CD pipelines without slowing down deployments.
- Handling Legacy Code: Older applications may contain security issues that modern tools struggle to assess.

Conclusion
By proactively addressing these challenges and incorporating security scanning into the migration strategy, organizations can minimize risks and ensure a smooth, secure transition to their new environment. However, scanning alone is not enough. Following best practices, such as defining a security baseline, automating security checks in CI/CD pipelines, prioritizing remediation, and securing the migration process itself, ensures a smooth, low-risk transition. A secure migration is not just about moving workloads; it’s about ensuring that security remains a top priority at every stage. By taking a proactive security approach, organizations can prevent security incidents before they happen, making the migration process safer, smoother, and more resilient.

Azure VMware Solution now available in Korea Central
We are pleased to announce that Azure VMware Solution is now available in Korea Central. Now in 34 Azure regions, Azure VMware Solution empowers you to seamlessly extend or migrate existing VMware workloads to Azure without the cost, effort or risk of re-architecting applications or retooling operations.

Azure VMware Solution supports:
- Rapid cloud migration of VMware-based workloads to Azure without refactoring.
- Datacenter exit while maintaining operational consistency for the VMware environment.
- Business continuity and disaster recovery for on-premises VMware environments.
- Attaching Azure services and innovating applications at your own pace.
- The VMware technology stack, while letting you leverage existing Microsoft licenses for Windows Server and SQL Server.

For updates on current and upcoming region availability, visit the product by region page here.

Streamline migration with new offers and licensing benefits, including a 20% discount.
We recently announced the VMware Rapid Migration Plan, through which Microsoft provides a comprehensive set of licensing benefits and programs to give you price protection and savings as you migrate to Azure VMware Solution. Azure VMware Solution is a great first step to the cloud for VMware customers, and this plan can help you get there. Learn More

Migration planning of MySQL workloads using Azure Migrate
In our endeavor to increase coverage of OSS workloads in Azure Migrate, we are announcing discovery and modernization assessment of MySQL databases running on Windows and Linux servers. Customers previously had limited visibility into their MySQL workloads and often received generalized VM lift-and-shift recommendations. With this new capability, customers can now accurately identify their MySQL workloads and assess them for right-sizing into Azure Database for MySQL.

MySQL workloads are a cornerstone of the LAMP stack, powering countless web applications with their reliability, performance, and ease of use. As businesses grow, the need for scalable and efficient database solutions becomes paramount. This is where Azure Database for MySQL comes into play. Migrating from on-premises to Azure Database for MySQL offers numerous benefits, including effortless scalability, cost efficiency, enhanced performance, robust security, high availability, and seamless integration with other Azure services. As a fully managed Database-as-a-Service (DBaaS), it simplifies database management, allowing businesses to focus on innovation and growth.

What is Azure Migrate?
Azure Migrate serves as a comprehensive hub designed to simplify the migration journey of on-premises infrastructure, including servers, databases, and web applications, to Azure Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) targets at scale. It provides a unified platform with a suite of tools and features to help you identify the best migration path, assess Azure readiness, estimate the cost of hosting workloads on Azure, and execute the migration with minimal downtime and risk.

Key features of the MySQL Discovery and Assessment in Azure Migrate
The new MySQL Discovery and Assessment feature in Azure Migrate (Preview) introduces several powerful capabilities:
- Discover MySQL database instances: The tool allows you to discover MySQL instances within your environment efficiently. By identifying critical attributes of these instances, it lays the foundation for a thorough assessment and a strategic migration plan.
- Assessment for Azure readiness: The feature evaluates the readiness of your MySQL database instances to migrate to Azure Database for MySQL – Flexible Server. This assessment considers several factors, including compatibility and performance metrics, to ensure a smooth transition.
- SKU recommendations: Based on the discovered data, the tool recommends the optimal compute and storage configuration for hosting MySQL workloads on Azure Database for MySQL. Furthermore, it provides insights into the associated costs, enabling better financial planning.

How to get started?
To begin using the MySQL Discovery and Assessment feature in Azure Migrate, follow this five-step onboarding process:
1. Create an Azure Migrate Project: Initiate your migration journey by setting up a project in the Azure portal.
2. Configure the Azure Migrate Appliance: Use a Windows-based appliance to discover the inventory of servers, providing guest credentials for discovering the workloads and MySQL credentials to fetch database instances and their attributes.
3. Review Discovered Inventory: Examine the detailed attributes of the discovered MySQL instances.
4. Create an Assessment: Evaluate the readiness and get detailed recommendations for migration to Azure Database for MySQL.
For detailed step-by-step guidance, check out the documentation for the discovery and assessment tutorials.

Documentation:
- Discover MySQL databases running in your datacenter
- Assess MySQL database instances for migration to Azure Database for MySQL

Share your feedback!
In summary, the MySQL Discovery and Assessment feature in Azure Migrate enables you to effortlessly discover, assess, and plan your MySQL database migrations to Azure. Try the feature out in public preview and fast-track your migration journey! If you have any queries, feedback or suggestions, please let us know by leaving a comment below or by directly contacting us at AskAzureDBforMySQL@service.microsoft.com. We are eager to hear your feedback and support you on your journey to Azure.

Forward Azure VMware Solution logs anywhere using Azure Logic Apps
Overview
As enterprises scale their infrastructure in Microsoft Azure using Azure VMware Solution, gaining real-time visibility into the operational health of their private cloud environment becomes increasingly critical. Whether troubleshooting deployment issues, monitoring security events, or performing compliance audits, centralized logging is a must-have. Azure VMware Solution offers flexible options for exporting syslogs from vCenter Server, ESXi hosts, and NSX components. While many customers already use Log Analytics or third-party log platforms for visibility, some have unique operational or compliance requirements that necessitate forwarding logs to specific destinations outside the Microsoft ecosystem. With the advent of VMware Cloud Foundation on Azure VMware Solution, customers now have more choices and can leverage tools like VCF Operations for Logs to monitor, analyze, and troubleshoot their logs.

In this post, we’ll show you how to use Azure Logic Apps, Microsoft’s low-code, serverless integration platform, to forward Azure VMware Solution private cloud logs to any log management tool of your choosing. With a newly released workflow template tailored for Azure VMware Solution, you can set this up in minutes, with no custom code required.

Figure 1. Architectural flow of syslog data from an Azure VMware Solution private cloud to a log management server via Azure Logic Apps

Background
The Azure VMware Solution and Azure Logic Apps product teams have partnered to deliver a built-in integration that allows Azure VMware Solution customers to forward logs to any syslog-compatible endpoint, whether in Azure, on-premises, or another cloud. This new Logic Apps template is purpose-built for Azure VMware Solution and dramatically simplifies log forwarding.

Figure 2. Azure VMware Solution template in the Azure Logic Apps template catalog

Historically, forwarding logs from Azure VMware Solution required customers to develop custom code or deploy complex workarounds, often involving multiple services and significant manual configuration. These methods not only introduced operational overhead but also made it difficult for platform teams to standardize logging across environments. With this new integration, customers who previously spent days trying to get their private cloud logs out have now done so in under an hour, a massive improvement in both speed and simplicity.

This new capability is particularly timely given recent industry changes. Following VMware’s announcement to discontinue the SaaS versions of Aria Operations, including Aria Operations for Logs, many customers have begun exploring alternative solutions for their log management needs. For those looking to use the on-premises alternative to Aria Operations for Logs, it is now possible to send Azure VMware Solution logs directly from Azure to their self-managed VCF Operations for Logs servers, with zero custom code. Using Azure Logic Apps, customers can seamlessly bridge their hybrid cloud monitoring environments and avoid gaps in visibility or compliance. This solution gives Azure VMware Solution customers more flexibility, shorter time-to-value, and a consistent logging strategy across both legacy and modernized environments.

Why Azure Logic Apps?
Azure Logic Apps is a powerful, low-code integration platform that enables IT administrators and platform teams to automate workflows and connect services without having to manage any infrastructure. With over 1,400 connectors to Azure services, popular SaaS applications, on-premises APIs, and more, Logic Apps provides a flexible and reliable foundation for routing log data across infrastructure environments. For Azure VMware Solution users, this means you can now easily forward logs from your Azure VMware Solution private cloud to any log management solution, on-premises or in the cloud, without writing custom code. Logic Apps acts as a dynamic “translator” or “dispatcher” in your architecture, listening for logs streamed to Event Hubs and securely forwarding them to your target syslog endpoint with the required formatting, headers, and authentication.

This new capability not only accelerates time-to-value for log forwarding but also gives Azure VMware Solution customers the freedom to integrate with the logging platform of their choice, improving visibility, operational efficiency, and compliance in hybrid cloud environments. Future iterations of this integration will add support for Azure Blob Storage as well, another common method Azure VMware Solution customers use to retain and forward their logs.

How to get started
In addition to this blog, check out the links below to learn more about this integration, understand how Azure Logic Apps works, and use the pricing calculator to cost and size Azure Logic Apps. For large enterprise solutions for strategic and major customers, an Azure VMware Solution architect from Azure, Broadcom, or a Broadcom partner should be engaged to ensure the solution is correctly sized to deliver business value with the minimum of risk.

If you are interested in using Logic Apps with Azure VMware Solution, please use these resources to learn more about the service:
- Detailed instructions on sending logs via Logic Apps: Send VMware syslogs to log management server using Azure Logic Apps - Azure VMware Solution | Microsoft Learn
- An overview of Logic Apps: Overview - Azure Logic Apps | Microsoft Learn
- Pricing calculator: Pricing - Logic Apps | Microsoft Azure

--

Azure VMware Solution is a VMware-validated first-party Azure service from Microsoft that provides private clouds containing VMware vSphere clusters built from dedicated bare-metal Azure infrastructure. It enables customers to leverage their existing investments in VMware skills and tools, allowing them to focus on developing and running their VMware-based workloads on Azure.

Author Bio
Varun Hariharan is a Senior Product Manager on the Azure VMware Solution team at Microsoft, where he is focusing on observability and workload strategies for customers. His background is in Infrastructure as a Service (IaaS), log management, enterprise software, and DevOps.
Kent Weare is a Principal PM Manager on the Azure Logic Apps team at Microsoft, where he is focusing on providing enterprise integration and automation capabilities for customers.

Essentials of Azure and AI project performance and security | New training!
Are you ready to elevate your cloud skills and master the essentials of reliability, security, and performance for Azure and AI projects? Join us for comprehensive training at the Microsoft Azure Virtual Training Day events, where you'll gain the knowledge and tools to adopt the cloud at scale and optimize your cloud spend.

Event Highlights:
Two-Day Agenda: Dive deep into how-to learning on cloud and AI adoption, financial best practices, workload design, environment management, and more.
Expert Guidance: Learn from industry experts and gain insights into designing with optimization in mind with the Azure Well-Architected Framework and the Cloud Adoption Framework for Azure.
Hands-On Learning: Participate in interactive sessions and case studies to apply Azure and AI best practices in real-world scenarios, such as reviewing and remediating workloads.
FinOps in the Era of AI: Discover how to build a culture of cost efficiency and maximize the business value of the cloud with the FinOps Framework, including its principles, phases, domains, and capabilities.

Why Attend?
Build Reliable and Secure Systems: Understand the shared responsibility between Microsoft and its customers for building resilient and secure systems.
Optimize Cloud Spend: Learn best practices for cloud spend optimization and drive market differentiation through savings.
Enhance Productivity: Improve productivity, customer experience, and competitive advantage by elevating the resiliency and security of your critical workloads.

Don't miss the opportunity to transform your cloud strategy and take your skills to the next level. Register now and join us for an insightful and engaging virtual training experience!
Register today! Aka.ms/AzureEssentialsVTD
Eager to learn before the next event?
Dive into our free self-paced training modules:
Cost efficiency of Azure and AI Projects | on Microsoft Learn
Resiliency and security of Azure and AI Projects | on Microsoft Learn
Overview of essential skilling for Azure and AI workloads | on Microsoft Learn

Azure VMware Solution Availability Design Considerations
Azure VMware Solution Design Series
Availability Design Considerations
Recoverability Design Considerations
Performance Design Considerations
Security Design Considerations
VMware HCX Design with Azure VMware Solution

Overview
A global enterprise wants to migrate thousands of VMware vSphere virtual machines (VMs) to Microsoft Azure as part of their application modernization strategy. The first step is to exit their on-premises data centers and rapidly relocate their legacy application VMs to the Azure VMware Solution as a staging area for the first phase of their modernization strategy. What should the Azure VMware Solution look like?
Azure VMware Solution is a VMware validated first party Azure service from Microsoft that provides private clouds containing VMware vSphere clusters built from dedicated bare-metal Azure infrastructure. It enables customers to leverage their existing investments in VMware skills and tools, allowing them to focus on developing and running their VMware-based workloads on Azure.
In this post, I will introduce the typical customer workload availability requirements, describe the Azure VMware Solution architectural components, and describe the availability design considerations for Azure VMware Solution private clouds. In the next section, I will introduce the typical availability requirements of a customer's workload.

Customer Workload Requirements
A typical customer has multiple application tiers that have specific Service Level Agreement (SLA) requirements that need to be met. These SLAs are normally named by a tiering system such as Platinum, Gold, Silver, and Bronze or Mission-Critical, Business-Critical, Production, and Test/Dev. Each SLA will have different availability, recoverability, performance, manageability, and security requirements that need to be met.
For the availability design quality, customers will normally have an uptime percentage requirement and an availability zone (AZ) or region requirement that together define each SLA level. For example:

SLA Name | Uptime                           | AZ/Region
Gold     | 99.999% (5.26 min downtime/year) | Dual Regions
Silver   | 99.99% (52.6 min downtime/year)  | Dual AZs
Bronze   | 99.9% (8.76 hrs downtime/year)   | Single AZ
Table 1 – Typical Customer SLA requirements for Availability

A typical legacy business-critical application will have the following application architecture:
Load Balancer layer: Uses load balancers to distribute traffic across multiple web servers in the web layer to improve application availability.
Web layer: Uses web servers to process client requests made via the secure Hypertext Transfer Protocol (HTTPS). Receives traffic from the load balancer layer and forwards it to the application layer.
Application layer: Uses application servers to run software that delivers a business application through a communication protocol. Receives traffic from the web layer and uses the database layer to access stored data.
Database layer: Uses a relational database management system (RDBMS) cluster to store data and provide database services to the application layer.
Depending upon the availability requirements for the service, the application components could be many and spread across multiple sites and regions to meet the customer SLA. Note that these layers form a dependency chain: the availability of the whole application is bounded by the product of the layer availabilities, so each layer needs its own redundancy (load balancer pairs, multiple web and application servers, a database cluster) for the application to reach a tier in Table 1.
Figure 1 – Typical Legacy Business-Critical Application Architecture
In the next section, I will introduce the architectural components of the Azure VMware Solution.

Architectural Components
The diagram below describes the architectural components of the Azure VMware Solution.
Figure 2 – Azure VMware Solution Architectural Components
Each Azure VMware Solution architectural component has the following function:
Azure Subscription: Used to provide controlled access, budget and quota management for the Azure VMware Solution.
Azure Region: Physical locations around the world where we group data centers into Availability Zones (AZs) and then group AZs into regions.
Azure Resource Group: Container used to place Azure services and resources into logical groups.
Azure VMware Solution Private Cloud: Uses VMware software, including vCenter Server, NSX software-defined networking, vSAN software-defined storage, and Azure bare-metal ESXi hosts to provide compute, networking, and storage resources. Azure NetApp Files, Azure Elastic SAN, and Pure Cloud Block Store are also supported.
Azure VMware Solution Resource Cluster: Uses VMware software, including vSAN software-defined storage, and Azure bare-metal ESXi hosts to provide compute, networking, and storage resources for customer workloads by scaling out the Azure VMware Solution private cloud. Azure NetApp Files, Azure Elastic SAN, and Pure Cloud Block Store are also supported.
VMware HCX: Provides mobility, migration, and network extension services.
VMware Site Recovery: Provides Disaster Recovery automation and storage replication services with VMware vSphere Replication. The third-party Disaster Recovery solutions Zerto DR and JetStream DR are also supported.
Dedicated Microsoft Enterprise Edge (D-MSEE): Router that provides connectivity between the Azure cloud and the Azure VMware Solution private cloud instance.
Azure Virtual Network (VNet): Private network used to connect Azure services and resources together.
Azure Route Server: Enables network appliances to exchange dynamic route information with Azure networks.
Azure Virtual Network Gateway: Cross-premises gateway for connecting Azure services and resources to other private networks using IPSec VPN, ExpressRoute, and VNet-to-VNet connections.
Azure ExpressRoute: Provides high-speed private connections between Azure data centers and on-premises or colocation infrastructure.
Azure Virtual WAN (vWAN): Aggregates networking, security, and routing functions together into a single unified Wide Area Network (WAN).
In the next section, I will describe the availability design considerations for the Azure VMware Solution.

Availability Design Considerations
The architectural design process takes the business problem to be solved and the business goals to be achieved and distills these into customer requirements, design constraints and assumptions. Design constraints can be characterized by the following three categories:
Laws of the Land – data and application sovereignty, governance, regulatory, compliance, etc.
Laws of Physics – data and machine gravity, network latency, etc.
Laws of Economics – owning versus renting, total cost of ownership (TCO), return on investment (ROI), capital expenditure, operational expenditure, earnings before interest, taxes, depreciation, and amortization (EBITDA), etc.
Each design consideration will be a trade-off between the availability, recoverability, performance, manageability, and security design qualities. The desired result is to deliver business value with the minimum of risk by working backwards from the customer problem.

Design Consideration 1 – Azure Region and AZs: Azure VMware Solution is available in 30 Azure Regions around the world (US Government has 2 additional Azure Regions). Select the Azure Regions and AZs that meet your geographic requirements. These locations will typically be driven by your design constraints.

Design Consideration 2 – Deployment topology: Select the Azure VMware Solution topology that best matches the uptime and geographic requirements of your SLAs. For very large deployments, it may make sense to have separate private clouds dedicated to each SLA for cost efficiency. The Azure VMware Solution supports a maximum of 12 clusters per private cloud. Each cluster supports a minimum of 3 hosts and a maximum of 16 hosts per cluster.
Each private cloud supports a maximum of 96 hosts. VMware vSphere HA provides protection against ESXi host failures and VMware vSphere DRS provides distributed resource management. VMware vSphere Fault Tolerance is not supported by the Azure VMware Solution. These features are preconfigured as part of the managed service and cannot be changed by the customer. VMware vCenter Server, VMware HCX Manager, VMware SRM and VMware vSphere Replication Manager are individual appliances and are protected by vSphere HA. VMware NSX Manager is a cluster of 3 unified appliances that have a VM-VM anti-affinity placement policy to spread them across the hosts of the cluster. The VMware NSX Edge cluster is a pair of appliances that also use a VM-VM anti-affinity placement policy.

Topology 1 – Standard: The Azure VMware Solution standard private cloud is deployed within a single AZ in an Azure Region, which delivers an infrastructure SLA of 99.9%.
Figure 3 – Azure VMware Solution Private Cloud Standard Topology

Topology 2 – Multi-AZ: Azure VMware Solution private clouds in separate AZs within an Azure Region. VMware HCX is used to connect the private clouds across AZs. Application clustering is required to provide the multi-AZ availability mechanism. The customer is responsible for ensuring their application clustering solution is within the limits of bandwidth and latency between the private clouds. This topology can deliver an SLA greater than 99.9%; the figure actually achieved depends on the application clustering solution used by the customer, because the infrastructure SLA of each private cloud remains 99.9% and the failover mechanism between them is the customer's responsibility. The Azure VMware Solution does not support AZ selection during provisioning. This is mitigated by having separate Azure Subscriptions with quota in each AZ. You can open a ticket with Microsoft to configure a Special Placement Policy to deploy your Azure VMware Solution private cloud to a particular AZ per subscription.
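The downtime figures in Table 1 and the "greater than 99.9%, dependent on the application clustering" statements for the multi-AZ and multi-region topologies follow from two composition rules: components that must all be up multiply (a dependency chain), and independent replicas where any one suffices fail only when all of them fail. The Python below, an added example that is not part of the original post, encodes both rules and applies them to the SLA tiers and topologies above. It assumes a 365-day year (which reproduces the Table 1 numbers) and treats the customer's application clustering as one more series component whose availability is a caller-supplied assumption; the 99.95% used in the main block is illustrative, not a figure from the post.

```python
"""Availability arithmetic for the SLA tiers and topologies discussed above.

Added example, not part of the original post. Uptime figures are fractions
(0.999 == 99.9%). A 365-day year is assumed, which reproduces the downtime
figures in Table 1.
"""
from math import prod

MINUTES_PER_YEAR = 365 * 24 * 60


def downtime_minutes_per_year(uptime: float) -> float:
    """Allowed downtime per year for a given uptime fraction."""
    if not 0.0 <= uptime <= 1.0:
        raise ValueError("uptime must be a fraction between 0 and 1")
    return (1.0 - uptime) * MINUTES_PER_YEAR


def series_availability(*components: float) -> float:
    """Availability of components that must all be up (a dependency chain).

    The load balancer -> web -> app -> database chain of Figure 1 is a series:
    the product of the tier availabilities, always below the weakest tier.
    """
    return prod(components)


def parallel_availability(*replicas: float) -> float:
    """Availability of independent replicas where any one being up is enough.

    Two private clouds in separate AZs or regions (Topology 2 and 4) are
    parallel only from the infrastructure point of view; the application
    clustering that fails over between them is still a series dependency,
    see topology_availability().
    """
    return 1.0 - prod(1.0 - r for r in replicas)


def topology_availability(infra_sla: float, sites: int, clustering: float = 1.0) -> float:
    """Effective availability of a multi-site topology.

    infra_sla:  per-site infrastructure SLA (0.999 for a standard private cloud)
    sites:      number of independent private clouds (1 = standard topology)
    clustering: availability of the customer-provided application clustering
                that performs the failover (an assumed input; 1.0 = never fails)
    """
    if sites < 1:
        raise ValueError("at least one site is required")
    infra = parallel_availability(*([infra_sla] * sites))
    return series_availability(infra, clustering)


def tier_for(uptime: float) -> str:
    """Map an achieved availability onto the Table 1 tiers."""
    if uptime >= 0.99999:
        return "Gold"
    if uptime >= 0.9999:
        return "Silver"
    if uptime >= 0.999:
        return "Bronze"
    return "Below Bronze"


if __name__ == "__main__":
    for name, sla in (("Gold", 0.99999), ("Silver", 0.9999), ("Bronze", 0.999)):
        print(f"{name}: {downtime_minutes_per_year(sla):.2f} min/year")
    four_tier = series_availability(0.999, 0.999, 0.999, 0.999)
    print(f"four tiers at 99.9% in series: {four_tier:.4%} ({tier_for(four_tier)})")
    dual_az = topology_availability(0.999, sites=2, clustering=0.9995)  # 99.95% is an assumed value
    print(f"two 99.9% private clouds with 99.95% clustering: {dual_az:.4%} ({tier_for(dual_az)})")
```

The main block makes the design point concrete: four tiers that each meet Bronze on their own combine to about 99.6%, below every tier in Table 1, while two standard private clouds in parallel would reach Gold on infrastructure alone but drop back to Bronze once a 99.95% failover mechanism sits in series with them. The clustering figure is therefore the number to pin down before promising a multi-AZ or multi-region SLA.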
Figure 4 – Azure VMware Solution Private Cloud Multi-AZ Topology

Topology 3 – Stretched: The Azure VMware Solution stretched clusters private cloud is deployed across two AZs in an Azure Region, which delivers a 99.99% infrastructure SLA. This also includes a third AZ for the vSAN witness site. Stretched clusters support policy-based synchronous replication to deliver a recovery point objective (RPO) of zero. It is possible to use placement policies and storage policies to mix SLA levels within stretched clusters by pinning lower-SLA workloads to a particular AZ; those pinned workloads will experience downtime during a failure of that AZ. This feature is GA and is currently only available in the Australia East, West Europe, UK South and Germany West Central Azure Regions.
Figure 5 – Azure VMware Solution Private Cloud with Stretched Clusters Topology

Topology 4 – Multi-Region: Azure VMware Solution private clouds across Azure Regions. VMware HCX is used to connect the private clouds across Azure Regions. Application clustering is required to provide the multi-region availability mechanism. The customer is responsible for ensuring their application clustering solution is within the limits of bandwidth and latency between the private clouds. This topology can deliver an SLA greater than 99.9%; as with the multi-AZ topology, the figure achieved depends on the application clustering solution used by the customer. An additional enhancement could be using Azure VMware Solution stretched clusters in one or both Azure Regions.
Figure 6 – Azure VMware Solution Private Cloud Multi-Region Topology

Design Consideration 3 – Shared Services or Separate Services Model: The management and control plane cluster (Cluster-1) can be shared with customer workload VMs or be a dedicated cluster for management and control, including customer enterprise services such as Active Directory, DNS, and DHCP. A dedicated cluster keeps these identity and name services, which every SLA tier depends on, away from resource contention and host failures caused by general workloads. Additional resource clusters can be added to support customer workload demand.
This also includes the option of using separate clusters for each customer SLA.
Figure 7 – Azure VMware Solution Shared Services Model
Figure 8 – Azure VMware Solution Separate Services Model

Design Consideration 4 – SKU type: Three SKU types (AV36, AV36P and AV52) can be selected when provisioning an Azure VMware Solution private cloud. The smaller AV36 SKU can be used to minimize the impact radius of a failed node. The larger AV36P and AV52 SKUs can be used to run more workloads on fewer nodes, which increases the impact radius of a failed node. The AV36 SKU is widely available in most Azure regions; the AV36P and AV52 SKUs are limited to certain Azure regions. Azure VMware Solution does not support mixing different SKU types within a private cloud (the AV64 SKU is the exception). You can check Azure VMware Solution SKU availability by Azure Region here. The AV64 SKU is currently only available for mixed SKU deployments in certain regions.
Figure 9 – AV64 Mixed SKU Topology

Design Consideration 5 – Placement Policies: Placement policies are used to increase the availability of a service by separating the VMs of an application availability layer across ESXi hosts. When an ESXi host fails, it then impacts only one VM of a multi-part application layer, and that VM is restarted on another ESXi host by vSphere HA. Placement policies support VM-VM and VM-Host affinity and anti-affinity rules. The vSphere Distributed Resource Scheduler (DRS) is responsible for migrating VMs to enforce the placement policies. To increase the availability of an application cluster, a placement policy with VM-VM anti-affinity rules for each of the web, application and database service layers can be used. Alternatively, VM-Host affinity rules can be used to segment the web, application, and database components onto dedicated groups of hosts. The placement policies for stretched clusters can use VM-Host affinity rules to pin workloads to the preferred and secondary sites, if needed. Size the cluster for the rule: an anti-affinity group of N VMs needs more than N hosts for all of its members to remain on separate hosts after a host failure.
Figure 10 – Azure VMware Solution Placement Policies – VM-VM Anti-Affinity
Figure 11 – Azure VMware Solution Placement Policies – VM-Host Affinity

Design Consideration 6 – Storage Policies: Table 2 lists the pre-defined VM Storage Policies available for use with VMware vSAN. The appropriate redundant array of independent disks (RAID) and failures to tolerate (FTT) settings per policy need to be considered to match the customer workload SLAs. Each policy is a trade-off between availability, performance, capacity, and cost. The storage policies for stretched clusters include a designation for dual site (synchronous replication), preferred site and secondary site policies that also need to be considered. To comply with the Azure VMware Solution SLA, you are responsible for using an FTT=2 storage policy when a standard cluster has 6 or more nodes. You must also retain a minimum slack space of 25% for backend vSAN operations.

Deployment Type | Policy Name            | RAID | Failures to Tolerate (FTT) | Site
Standard        | RAID-1 FTT-1           | 1    | 1 | N/A
Standard        | RAID-1 FTT-2           | 1    | 2 | N/A
Standard        | RAID-1 FTT-3           | 1    | 3 | N/A
Standard        | RAID-5 FTT-1           | 5    | 1 | N/A
Standard        | RAID-6 FTT-2           | 6    | 2 | N/A
Standard        | VMware Horizon         | 1    | 1 | N/A
Stretched       | RAID-1 FTT-1 Dual Site | 1    | 1 | Site mirroring
Stretched       | RAID-1 FTT-1 Preferred | 1    | 1 | Preferred
Stretched       | RAID-1 FTT-1 Secondary | 1    | 1 | Secondary
Stretched       | RAID-1 FTT-2 Dual Site | 1    | 2 | Site mirroring
Stretched       | RAID-1 FTT-2 Preferred | 1    | 2 | Preferred
Stretched       | RAID-1 FTT-2 Secondary | 1    | 2 | Secondary
Stretched       | RAID-1 FTT-3 Dual Site | 1    | 3 | Site mirroring
Stretched       | RAID-1 FTT-3 Preferred | 1    | 3 | Preferred
Stretched       | RAID-1 FTT-3 Secondary | 1    | 3 | Secondary
Stretched       | RAID-5 FTT-1 Dual Site | 5    | 1 | Site mirroring
Stretched       | RAID-5 FTT-1 Preferred | 5    | 1 | Preferred
Stretched       | RAID-5 FTT-1 Secondary | 5    | 1 | Secondary
Stretched       | RAID-6 FTT-2 Dual Site | 6    | 2 | Site mirroring
Stretched       | RAID-6 FTT-2 Preferred | 6    | 2 | Preferred
Stretched       | RAID-6 FTT-2 Secondary | 6    | 2 | Secondary
Stretched       | VMware Horizon         | 1    | 1 | Site mirroring
Table 2 – VMware vSAN Storage Policies

Design Consideration 7 – Network Connectivity: Azure VMware Solution private clouds can be connected using IPSec VPN and Azure ExpressRoute circuits, including a variety of Azure Virtual Networking topologies such as Hub-Spoke and Azure Virtual WAN with Azure Firewall and third-party Network Virtualization Appliances. Multiple Azure ExpressRoute circuits can be used to provide redundant connectivity. VMware HCX also supports redundant Network Extension appliances to provide high availability for Layer-2 network extensions. For more information, refer to the Azure VMware Solution networking and interconnectivity concepts. The Azure VMware Solution Cloud Adoption Framework also has example network scenarios that can be considered. And, if you are interested in Azure ExpressRoute design:
Understanding ExpressRoute private peering to address ExpressRoute resiliency
ExpressRoute MSEE hairpin design considerations
In the following section, I will describe the next steps that would need to be made to progress this high-level design estimate towards a validated detailed design.

Next Steps
The Azure VMware Solution sizing estimate should be assessed using Azure Migrate. For large enterprise solutions for strategic and major customers, an Azure VMware Solution architect from Azure, VMware, or a VMware Partner should be engaged to ensure the solution is correctly sized to deliver business value with the minimum of risk. This should also include an application dependency assessment to understand the mapping between application groups and identify areas of data gravity, application network traffic flows, and network latency dependencies.

Summary
In this post, we took a closer look at the typical availability requirements of a customer workload, the architectural building blocks, and the availability design considerations for the Azure VMware Solution. We also discussed the next steps to continue an Azure VMware Solution design.
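The storage policy choice in Design Consideration 6 is a capacity and host-count calculation as much as an availability one, and it is easy to pick a policy from Table 2 that the cluster cannot actually place or that breaks the SLA rules. The Python below is an added example, not part of the original post: it encodes the standard vSAN host-count minimum and raw-capacity multiplier for each RAID/FTT combination in Table 2, applies the two Azure VMware Solution rules quoted above (an FTT=2 policy for standard clusters of six or more nodes, and 25% slack space), and returns the usable capacity a policy leaves. The raw vSAN capacity per host is a caller-supplied assumption; the 15.2 TB used in the main block is illustrative and should be replaced with the figure for the SKU being sized.

```python
"""Design check for the vSAN storage policies in Table 2.

Added example, not part of the original post. Host minimums follow the vSAN
layouts: RAID-1 keeps ftt+1 replicas plus ftt witness components (2*ftt+1
hosts), RAID-5 is a 3+1 stripe (4 hosts), RAID-6 a 4+2 stripe (6 hosts).
Site-mirroring ("Dual Site") policies keep a full copy in each site.
"""
from __future__ import annotations

from dataclasses import dataclass

SLACK = 0.25  # fraction of raw capacity kept free for backend vSAN operations


@dataclass(frozen=True)
class StoragePolicy:
    name: str
    raid: int                     # 1, 5 or 6, as in the RAID column of Table 2
    ftt: int                      # failures to tolerate
    site_mirroring: bool = False  # the stretched "Dual Site" policies

    @property
    def min_hosts(self) -> int:
        """Smallest cluster (per site, for stretched clusters) that can place the policy."""
        if self.raid == 1:
            return 2 * self.ftt + 1
        if (self.raid, self.ftt) == (5, 1):
            return 4
        if (self.raid, self.ftt) == (6, 2):
            return 6
        raise ValueError(f"unsupported combination: RAID-{self.raid} FTT-{self.ftt}")

    @property
    def capacity_multiplier(self) -> float:
        """Raw bytes consumed per byte of VM data; site mirroring doubles it."""
        local = {1: self.ftt + 1, 5: 4 / 3, 6: 6 / 4}[self.raid]
        return local * (2 if self.site_mirroring else 1)


def check_policy(policy: StoragePolicy, hosts: int, raw_tb_per_host: float,
                 stretched: bool = False) -> tuple[bool, float, list[str]]:
    """Validate a policy for a cluster and compute its usable capacity in TB.

    hosts is the total host count (both sites for a stretched cluster).
    Returns (compliant, usable_tb, reasons); usable_tb is computed even for a
    rejected policy so the capacity trade-off stays visible.
    """
    reasons = []
    hosts_per_site = hosts // 2 if stretched else hosts
    if hosts_per_site < policy.min_hosts:
        reasons.append(f"{policy.name} needs at least {policy.min_hosts} hosts per site, "
                       f"cluster provides {hosts_per_site}")
    if policy.site_mirroring and not stretched:
        reasons.append(f"{policy.name} mirrors across sites and requires a stretched cluster")
    if not stretched and hosts >= 6 and policy.ftt < 2:
        reasons.append("standard clusters of 6 or more nodes must use an FTT=2 policy "
                       "to stay within the Azure VMware Solution SLA")
    usable = hosts * raw_tb_per_host * (1 - SLACK) / policy.capacity_multiplier
    return (not reasons, round(usable, 2), reasons)


# Standard and Dual Site policies from Table 2; the Preferred/Secondary
# variants use the same local layout without site mirroring.
POLICIES = [
    StoragePolicy("RAID-1 FTT-1", 1, 1),
    StoragePolicy("RAID-1 FTT-2", 1, 2),
    StoragePolicy("RAID-1 FTT-3", 1, 3),
    StoragePolicy("RAID-5 FTT-1", 5, 1),
    StoragePolicy("RAID-6 FTT-2", 6, 2),
    StoragePolicy("RAID-1 FTT-1 Dual Site", 1, 1, site_mirroring=True),
    StoragePolicy("RAID-6 FTT-2 Dual Site", 6, 2, site_mirroring=True),
]


def compliant_policies(hosts: int, raw_tb_per_host: float,
                       stretched: bool = False) -> dict[str, float]:
    """Policies that satisfy every rule for this cluster, with usable TB for each."""
    result = {}
    for policy in POLICIES:
        ok, usable, _ = check_policy(policy, hosts, raw_tb_per_host, stretched)
        if ok:
            result[policy.name] = usable
    return result


if __name__ == "__main__":
    RAW_TB = 15.2  # assumed raw vSAN capacity per host; substitute the SKU's real figure
    for hosts in (3, 6):
        print(f"{hosts}-host standard cluster:")
        for name, usable in compliant_policies(hosts, RAW_TB).items():
            print(f"  {name:<24} usable {usable:>7.2f} TB")
    print("6-host stretched cluster (3 per site):")
    for name, usable in compliant_policies(6, RAW_TB, stretched=True).items():
        print(f"  {name:<24} usable {usable:>7.2f} TB")
```

Running the main block shows the effect of the rules: a 3-host standard cluster can only place RAID-1 FTT-1, a 6-host standard cluster loses RAID-1 FTT-1 and RAID-5 FTT-1 to the FTT=2 rule and is left choosing between RAID-1 FTT-2 (one third of raw capacity after slack) and RAID-6 FTT-2 (half of it), and a stretched cluster with 3 hosts per site can place the Dual Site RAID-1 FTT-1 policy but none of the RAID-5, RAID-6 or higher-FTT local layouts until each site grows.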
If you are interested in the Azure VMware Solution, please use these resources to learn more about the service:
Homepage: Azure VMware Solution
Documentation: Azure VMware Solution
SLA: SLA for Azure VMware Solution
Azure Regions: Azure Products by Region
Service Limits: Azure VMware Solution subscription limits and quotas
Stretched Clusters: Deploy vSAN stretched clusters
SKU types: Introduction
Placement policies: Create placement policy
Storage policies: Configure storage policy
VMware HCX: Configuration & Best Practices
GitHub repository: Azure/azure-vmware-solution
Well-Architected Framework: Azure VMware Solution workloads
Cloud Adoption Framework: Introduction to the Azure VMware Solution adoption scenario
Network connectivity scenarios: Enterprise-scale network topology and connectivity for Azure VMware Solution
Enterprise Scale Landing Zone: Enterprise-scale for Microsoft Azure VMware Solution
Enterprise Scale GitHub repository: Azure/Enterprise-Scale-for-AVS
Azure CLI: Azure Command-Line Interface (CLI) Overview
PowerShell module: Az.VMware Module
Azure Resource Manager: Microsoft.AVS/privateClouds
REST API: Azure VMware Solution REST API
Terraform provider: azurerm_vmware_private_cloud Terraform Registry

Author Bio
René van den Bedem is a Principal Technical Program Manager in the Azure VMware Solution product group at Microsoft. His background is in enterprise architecture with extensive experience across all facets of the enterprise, public cloud, and service provider spaces, including digital transformation and the business, enterprise, and technology architecture stacks. René works backwards from the problem to be solved and designs solutions that deliver business value with the minimum of risk. In addition to being the first quadruple VMware Certified Design Expert (VCDX), he is also a Dell Technologies Certified Master Enterprise Architect, a Nutanix Platform Expert (NPX), and a VMware vExpert.
Link to PPTX Diagrams: azure-vmware-solution/azure-vmware-master-diagrams