
Cloud Migration Platform: Azure Migrate, Site Recovery, App Service Migration, and Hybrid Cloud


Introduction

Cloud migration is a multi-dimensional program — not a one‑time technical project. Treat it like a product with iterative releases, measurable outcomes, stakeholder alignment, and continuous optimization. A successful platform creates paved paths that standardize assessment, landing zone readiness, migration execution, validation, and optimization while reducing ad hoc heroics and environment drift.

This deep dive goes beyond tooling walkthroughs and focuses on a structured migration operating model combining strategy, architecture patterns, governance, technical execution, resilience, cost management (FinOps), and post‑migration modernization. You will learn how to:

  1. Establish a migration taxonomy (7Rs) and decision matrix for workload classification.
  2. Build a repeatable assessment baseline using Azure Migrate dependency graphs and performance telemetry.
  3. Enforce enterprise guardrails via Landing Zones (policy, identity, networking, tagging, security baseline).
  4. Orchestrate rehost (VM), replatform (database/app), and refactor (container/serverless) paths concurrently without chaos.
  5. Apply Site Recovery for lift+shift, Database Migration Service for stateful assets, App Service Migration for legacy IIS workloads, and data modernization patterns for analytics.
  6. Implement rollback and contingency procedures (pre‑cutover snapshots, staged DNS, dual-write avoidance, incremental sync checkpoints).
  7. Measure migration progress and business impact using KPIs (velocity, defect density, cost variance, performance delta, resiliency posture).
  8. Transition from “migrate” to “optimize and modernize” — rightsizing, reservations, autoscale, refactoring monoliths into managed PaaS or container platforms.

Why Migrations Fail

Common anti‑patterns include: skipping dependency mapping leading to partial moves; underestimating network throughput windows; ignoring identity redesign (legacy domain joins vs Entra ID); deferring security until “after go-live”; failing to budget cutover rehearsal time; treating performance baselines as subjective recollection instead of empirical metrics; no clear exit criteria for “done.” This blueprint mitigates each with concrete artifacts (assessment report, wave plan, validation checklist, optimization backlog).

Strategic Framework

Adopt a wave-based execution model:

  • Wave 0 (Foundations): Landing Zones, connectivity (ExpressRoute/VPN), identity synchronization (Entra Connect), baseline monitoring templates.
  • Wave 1 (Pilot): Low-risk workloads to validate tooling, refine runbooks, collect performance before/after metrics.
  • Wave 2 (Core Services): Business-critical but well-understood services; introduce DR patterns; refine rollback playbook.
  • Wave 3 (Complex/Integrated): High-interdependency, latency-sensitive or compliance-heavy workloads; may require refactor or staged coexistence.
  • Wave N (Modernization): Post-lift optimization (move from IaaS to PaaS/containers, implement autoscale, introduce event-driven decoupling).

Each wave maintains a backlog: assessment tasks, remediation items (unsupported OS, outdated TLS, capacity gaps), migration tasks, validation tests, optimization candidates. Use Kanban with explicit WIP limits to prevent overloading engineering teams.

Migration Patterns (7Rs + Extensions)

| Pattern | Description | Typical Azure Target | Trigger Indicators |
| --- | --- | --- | --- |
| Rehost | Lift & shift infrastructure (VMs) | Azure VMs + ASR | Time constraints, minimal change tolerance |
| Replatform | Minor changes to leverage managed services | App Service, Azure SQL, AKS | Reduce ops overhead, patch fatigue |
| Refactor | Code changes for cloud-native benefits | Functions, Containers, Event Grid | Need scalability, resilience, cost efficiency |
| Rearchitect | Major design overhaul (domain decomposition) | Microservices on AKS + Service Bus | Monolith limits agility/performance |
| Rebuild | Complete rewrite leveraging modern stack | Serverless + Managed DB | Legacy technology debt severe |
| Replace | SaaS substitution | Power Platform / ISV SaaS | Commodity capability, not differentiating |
| Retire | Decommission obsolete workloads | N/A | Usage < threshold, redundant capability |

Augment with “Reinvest”: redirect saved cost into modernization backlog; “Rebalance”: adjust portfolio between IaaS/PaaS/SaaS for optimal TCO.

Governance & Guardrails

Landing Zones enforce: mandatory tags (Environment, CostCenter, Owner, DataClassification), Azure Policy for allowed SKUs, diagnostic settings auto-export, Defender for Cloud baseline, Key Vault for secrets, Private Endpoints for data stores, role assignments defined by least privilege (segregated subscription or management group RBAC). Implement blueprint versioning so changes (new policy assignments) are auditable.

Identity & Access Strategy

Consolidate authentication into Entra ID. For hybrid scenarios maintain AD DS only for legacy dependencies; adopt Cloud Kerberos trust for file shares where possible. Map service accounts to managed identities; rotate remaining secrets with Key Vault. Enforce Conditional Access for privileged operations (MFA, compliant device). Use entitlement management / PIM for just-in-time elevation. Migration runbooks must include role assignment verification per wave.

Networking & Connectivity

Design hub-spoke with centralized services (firewall, Bastion, DNS forwarders). For waves requiring coexistence, reduce latency by placing initial target resources in the nearest region and use proximity placement groups for tier collocation. Plan ExpressRoute bandwidth upgrade windows ahead of peak replication periods. Employ Private Link rather than public endpoints for PaaS; validate NSG & route tables for failover subnets.

Data Strategy & Sequencing

Categorize data stores: transactional (SQL, PostgreSQL), analytical (DW/Lake), files/unstructured (SMB/NFS), messaging (queues/bus), configuration (Redis). For each, define the migration method: online replication, bulk export/import, dual-write prohibition period, final delta sync window. Guard against drift using row-count & checksum validation scripts. For large analytics estates, adopt parallel ingestion (Data Factory copy activities) followed by a freeze window for the final delta. Update the lineage catalogue in Purview before cutover.
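One way to implement the row-count and checksum validation described above, as an added example that is not part of the original article: it fingerprints each table on both sides and reports drift. The in-memory SQLite databases, the sample rows and the function names are constructed stand-ins for the real source and target connections.

```python
import hashlib
import sqlite3

# Assumption: sqlite3 stands in for the source and target databases; any
# DB-API connection whose driver returns the same Python types on both
# sides can be passed in instead.


def table_fingerprint(conn, table, key_column):
    """Return (row_count, sha256_hex) for a table, read in key order."""
    # Identifiers cannot be bound as query parameters, so accept plain names only.
    for ident in (table, key_column):
        if not ident.replace("_", "").isalnum():
            raise ValueError(f"unexpected identifier: {ident!r}")
    digest = hashlib.sha256()
    count = 0
    for row in conn.execute(f'SELECT * FROM "{table}" ORDER BY "{key_column}"'):
        # repr() keeps NULL, '' and 0 distinct; the separators stop adjacent
        # fields or rows from running together.
        digest.update("\x1f".join(repr(value) for value in row).encode("utf-8"))
        digest.update(b"\x1e")
        count += 1
    return count, digest.hexdigest()


def compare_tables(source, target, tables):
    """Return drift findings for each (table, key_column) pair."""
    findings = []
    for table, key_column in tables:
        src_count, src_hash = table_fingerprint(source, table, key_column)
        dst_count, dst_hash = table_fingerprint(target, table, key_column)
        if src_count != dst_count:
            findings.append((table, "row-count", src_count, dst_count))
        elif src_hash != dst_hash:
            findings.append((table, "checksum", src_hash[:12], dst_hash[:12]))
    return findings


def build_sample(customers, orders):
    """Create a constructed in-memory database with the two mapped tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.execute("CREATE TABLE Orders (id INTEGER PRIMARY KEY, customer_id INTEGER, total REAL)")
    conn.executemany("INSERT INTO Customers VALUES (?, ?, ?)", customers)
    conn.executemany("INSERT INTO Orders VALUES (?, ?, ?)", orders)
    return conn


# Constructed sample data.
CUSTOMERS = [(1, "Ada", "ada@example.com"), (2, "Lin", None), (3, "Sam", "")]
ORDERS = [(10, 1, 99.5), (11, 2, 12.0), (12, 2, 7.25)]
TABLES = [("Customers", "id"), ("Orders", "id")]


def demo():
    source = build_sample(CUSTOMERS, ORDERS)
    # Target drift: a NULL email became '' and the last order never arrived.
    drifted_customers = [(1, "Ada", "ada@example.com"), (2, "Lin", ""), (3, "Sam", "")]
    target = build_sample(drifted_customers, ORDERS[:-1])
    return compare_tables(source, target, TABLES)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Row counts alone would pass the `Customers` table here; only the checksum catches the NULL-to-empty-string change.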

Resilience & Rollback

Pre-cutover snapshot references: VM disk snapshots, database point-in-time restore markers, configuration state export (App Service settings JSON), infrastructure templates (Bicep). Rollback triggers: performance regression > X%, error rate sustained > Y%, security control misconfiguration (e.g., logging gap), critical dependency unreachable. Keep the rollback path symmetrical: reduce DNS TTL (e.g., 300s), keep replication intact until validation is complete, and preserve the original state for a defined rollback window (24–72h) before committing to decommission.

Observability & KPIs

KPIs: Migration Velocity (servers migrated / week), Readiness Remediation Rate, Performance Delta (CPU% on‑prem vs Azure), Cost Variance (actual vs projected), Incident Rate (sev 1–2 / wave), Optimization Yield (% cost reduction post-rightsizing), Automation Coverage (% infra defined by IaC). Build workbook with baseline vs current for each workload; highlight >10% variance requiring investigation.

FinOps Integration

Embed cost estimation into assessment review (reserved instance opportunity, savings plans, storage tiering). Tag workloads early to avoid post-migration attribution chaos. Implement anomaly detection (spending spike > 2× rolling 14‑day average). Maintain optimization backlog: rightsizing, ephemeral environment scheduling (dev/test shutdown), storage lifecycle rules (blob tier transitions), reservation purchases tied to stability threshold (runtime variance <15% for 30 days).
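The spending-spike rule above (cost greater than 2× the rolling 14-day average), as an added example that is not from the original article. It groups daily cost by the CostCenter tag and puts untagged spend in its own bucket so it is still monitored; the record layout, the sample figures and the function names are constructed, and it assumes one cost record per day per cost center.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean

WINDOW_DAYS = 14     # rolling window from the text
SPIKE_FACTOR = 2.0   # "spending spike > 2x rolling 14-day average"


def spend_anomalies(records, window=WINDOW_DAYS, factor=SPIKE_FACTOR):
    """records: iterable of (day, cost_center_or_None, cost).

    Returns [(cost_center, day, cost, baseline)] for every day whose cost
    exceeds factor x the mean of the preceding `window` daily totals.
    """
    series = defaultdict(dict)
    for day, cost_center, cost in records:
        key = cost_center or "UNTAGGED"   # keep unattributed spend visible
        series[key][day] = series[key].get(day, 0.0) + cost

    flagged = []
    for key in sorted(series):
        days = sorted(series[key])
        # The first `window` days only build the baseline and are never flagged.
        for i in range(window, len(days)):
            baseline = mean(series[key][d] for d in days[i - window:i])
            cost = series[key][days[i]]
            if baseline > 0 and cost > factor * baseline:
                flagged.append((key, days[i], cost, round(baseline, 2)))
    return flagged


def sample_records():
    """Constructed daily costs: one tagged cost center and one untagged resource."""
    start = date(2026, 3, 1)
    tagged = [100.0] * 20 + [250.0, 180.0]
    untagged = [10.0] * 15 + [20.0, 30.0]
    records = [(start + timedelta(days=i), "CC-100", c) for i, c in enumerate(tagged)]
    records += [(start + timedelta(days=i), None, c) for i, c in enumerate(untagged)]
    return records


def demo():
    return spend_anomalies(sample_records())


if __name__ == "__main__":
    for cost_center, day, cost, baseline in demo():
        print(f"{day} {cost_center}: {cost:.2f} vs 14-day average {baseline:.2f}")
```

A day at exactly 2× the average is not flagged, and a spike stays in the baseline of the following days, which raises the bar for the next alert.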

Operational Excellence Transition

Post-migration Day 2 tasks: enable autoscale rules, enforce backup and retention policies, configure update management for patching, onboard to Defender for Cloud advanced features, finalize DR drills schedule, document runbooks in a central wiki. Adopt change management workflow: every optimization tied to ticket referencing baseline metrics and projected gain.

Adoption & Change Management

Stakeholders: Business owners (value realization), Finance (cost tracking), Security (control posture), Operations (runbooks), Application teams (refactoring). Provide weekly migration scorecard. Host “migration clinic” office hours. Early wins (e.g., faster deployment times, improved reliability) publicized to build momentum.

Advanced Troubleshooting Patterns

| Symptom | Diagnostic Path | Remediation |
| --- | --- | --- |
| VM replication throughput low | Check process server CPU, network saturation (Perf counters), ExpressRoute capping | Scale process server, schedule replication off-peak, upgrade circuit tier |
| App Service CPU spikes post-migration | Compare thread pool metrics, review startup warmup, enable profiling | Implement warmup route, adjust instance size, optimize caching |
| Latency increase for database calls | Examine DTU / vCore utilization, network RTT, missing indexes | Resize SKU temporarily, add indexes, evaluate tier change (Hyperscale/Elastic) |
| Cost overrun vs projection | Pull actual usage metrics, validate tagging completeness | Rightsize, apply reservations, fix missing tags, enable autoscale |
| Authentication failures | Check Entra app registration reply URLs, token version, conditional access policy impact | Update redirect URIs, adjust CA exclusions for service principals |

Decision Matrix (Illustrative)

| Workload | Current Platform | Target Pattern | Rationale | Modernization Backlog |
| --- | --- | --- | --- | --- |
| Legacy IIS line-of-business app | VMware VM (Windows 2012) | Replatform (App Service) | Reduce patching overhead, simplify deployment | Containerize / .NET upgrade |
| High-throughput analytics batch | Physical servers (SQL + SSIS) | Rearchitect (Synapse + Data Factory) | Scalability, separation compute/storage | Implement lakehouse model |
| Small internal reporting site | IIS VM | Replace (Power BI + SharePoint) | Commodity feature set | Embed governance dashboard |
| Archive file share | Windows File Server | Retire (move subset to Blob Cool) | Low access frequency | Lifecycle rules, legal hold mapping |

Use this matrix in steering committee reviews to align resource allocation.

With the strategic foundations clarified, the remainder of this article covers the technical execution phases and the concrete scripts for each.

Prerequisites

Requirement Details
Basic setup and tooling Basic setup and tooling

Figure: Solution architecture integrating cloud migration platform—component interactions, data flows, authentication boundaries, and scalability patterns.

Figure: Implementation roadmap for cloud migration platform—phased delivery, dependency management, risk mitigation, and success criteria.

Figure: Operational model for cloud migration platform—monitoring dashboards, incident response, capacity planning, and continuous improvement.

Enterprise cloud migration requires comprehensive planning, assessment, migration execution, and ongoing optimization. This deep dive builds a complete cloud migration platform leveraging Azure Migrate for discovery and assessment, Azure Site Recovery for VM migration and disaster recovery, App Service Migration Assistant for web apps, Azure Arc for hybrid cloud management, and post-migration cost optimization with Azure Advisor.

Solution Architecture



Enable Replication (PowerShell):

```powershell
# Get vault
$vault = Get-AzRecoveryServicesVault -Name "vault-migration-asr" -ResourceGroupName "rg-migration"
Set-AzRecoveryServicesAsrVaultContext -Vault $vault

# Get protection container
$protectionContainer = Get-AzRecoveryServicesAsrProtectionContainer -Fabric (Get-AzRecoveryServicesAsrFabric)

# Get replication policy
$replicationPolicy = Get-AzRecoveryServicesAsrPolicy -Name "replication-policy-24hr"

# Enable replication for VM
$vm = Get-AzVM -ResourceGroupName "rg-onprem" -Name "web-server-01"
$replicationProtectedItem = New-AzRecoveryServicesAsrReplicationProtectedItem `
    -VMwareToAzure `
    -ProtectionContainer $protectionContainer `
    -Name "web-server-01" `
    -Policy $replicationPolicy `
    -RecoveryAzureStorageAccountId "/subscriptions/.../storageAccounts/stmigration" `
    -ProcessServer "process-server-1" `
    -Account "vmware-credentials" `
    -RecoveryResourceGroupId "/subscriptions/.../resourceGroups/rg-migrated-vms" `
    -RecoveryAzureNetworkId "/subscriptions/.../virtualNetworks/vnet-prod" `
    -RecoveryAzureSubnetName "subnet-web"
```

Test Failover:

```powershell
# Start test failover
$testFailoverJob = Start-AzRecoveryServicesAsrTestFailoverJob `
    -ReplicationProtectedItem $replicationProtectedItem `
    -Direction PrimaryToRecovery `
    -AzureVMNetworkId "/subscriptions/.../virtualNetworks/vnet-test"

# Monitor job until it leaves the NotStarted/InProgress states,
# so a failed or cancelled job does not loop forever
while ($testFailoverJob.State -in @("NotStarted", "InProgress")) {
    Start-Sleep -Seconds 30
    $testFailoverJob = Get-AzRecoveryServicesAsrJob -Job $testFailoverJob
}
if ($testFailoverJob.State -ne "Succeeded") {
    throw "Test failover job ended in state '$($testFailoverJob.State)'"
}

# Cleanup test failover
Start-AzRecoveryServicesAsrTestFailoverCleanupJob -ReplicationProtectedItem $replicationProtectedItem
```

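Production Failover:

```powershell
# Planned failover (graceful shutdown)
$failoverJob = Start-AzRecoveryServicesAsrPlannedFailoverJob `
    -ReplicationProtectedItem $replicationProtectedItem `
    -Direction PrimaryToRecovery

# Commit failover
Start-AzRecoveryServicesAsrCommitFailoverJob -ReplicationProtectedItem $replicationProtectedItem

# Reverse the protection direction (reprotect back towards the primary site)
Update-AzRecoveryServicesAsrProtectionDirection `
    -ReplicationProtectedItem $replicationProtectedItem `
    -Direction RecoveryToPrimary
```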

Phase 3: Database Migration Service

DMS Instance Setup:

```bash
# Create DMS instance
az dms create \
  --name dms-sql-migration \
  --resource-group rg-migration \
  --location eastus \
  --sku-name Premium_4vCores \
  --subnet /subscriptions/.../subnets/subnet-dms

# Create migration project
az dms project create \
  --name project-sql-migration \
  --service-name dms-sql-migration \
  --resource-group rg-migration \
  --location eastus \
  --source-platform SQL \
  --target-platform SQLDB
```

Online Migration Task:

```bash
# Create online migration task
# <password> is a placeholder: keep real credentials out of scripts and
# shell history and read them from a managed secret store instead
az dms project task create \
  --name task-migrate-salesdb \
  --project-name project-sql-migration \
  --service-name dms-sql-migration \
  --resource-group rg-migration \
  --task-type Migrate.SqlServer.AzureSqlDb.Sync \
  --source-connection-json '{
    "userName": "sa",
    "password": "<password>",
    "dataSource": "sql-onprem.contoso.com",
    "encryptConnection": true,
    "trustServerCertificate": false
  }' \
  --target-connection-json '{
    "userName": "sqladmin",
    "password": "<password>",
    "dataSource": "sqlserver-prod.database.windows.net",
    "encryptConnection": true,
    "trustServerCertificate": false
  }' \
  --database-options-json '[
    {
      "name": "SalesDB",
      "targetDatabaseName": "SalesDB",
      "makeSourceDbReadOnly": false,
      "tableMap": {
        "dbo.Customers": "dbo.Customers",
        "dbo.Orders": "dbo.Orders"
      }
    }
  ]'
```

Cutover Script:

```powershell
# Monitor migration progress
$task = az dms project task show `
    --name task-migrate-salesdb `
    --project-name project-sql-migration `
    --service-name dms-sql-migration `
    --resource-group rg-migration | ConvertFrom-Json

# When ready, perform cutover
az dms project task cutover `
    --name task-migrate-salesdb `
    --project-name project-sql-migration `
    --service-name dms-sql-migration `
    --resource-group rg-migration `
    --object-name SalesDB
```

Phase 4: App Service Migration

Migration Assistant Assessment:

```powershell
# Download App Service Migration Assistant
Invoke-WebRequest -Uri "https://appmigration.microsoft.com/api/download/windows/AppServiceMigrationAssistant.msi" -OutFile "AppServiceMigrationAssistant.msi"

# Install (check the MSI's Authenticode signature with Get-AuthenticodeSignature first)
Start-Process msiexec.exe -ArgumentList "/i AppServiceMigrationAssistant.msi /quiet" -Wait

# Run assessment (CLI mode)
& "C:\Program Files\AppServiceMigrationAssistant\Migrate.exe" assess `
    --site-name "contoso-webapp" `
    --output assessment-report.json
```

Migration via Azure CLI:

```bash
# Create App Service Plan
az appservice plan create \
  --name plan-migrated-apps \
  --resource-group rg-migration \
  --location eastus \
  --sku P1V3 \
  --is-linux

# Create web app
az webapp create \
  --name webapp-contoso-prod \
  --resource-group rg-migration \
  --plan plan-migrated-apps \
  --runtime "DOTNET|8.0"

# Deploy from on-prem (via zip)
az webapp deployment source config-zip \
  --resource-group rg-migration \
  --name webapp-contoso-prod \
  --src app-package.zip
```

Expected output (az webapp create):

```json
{ "defaultHostName": "myapp-prod.azurewebsites.net", "state": "Running" }
```

Connection String Migration:

```bash
# Migrate connection strings
az webapp config connection-string set \
  --resource-group rg-migration \
  --name webapp-contoso-prod \
  --connection-string-type SQLAzure \
  --settings DefaultConnection="Server=tcp:sqlserver-prod.database.windows.net,1433;Database=SalesDB;User ID=sqladmin;Password=<password>;Encrypt=True;"

# Migrate app settings
az webapp config appsettings set \
  --resource-group rg-migration \
  --name webapp-contoso-prod \
  --settings \
    ASPNETCORE_ENVIRONMENT=Production \
    ApplicationInsights__InstrumentationKey="<key>"
```

Phase 5: Azure Arc Hybrid Management

Arc-enabled Servers:

```powershell
# Install Arc agent on on-premises server
$subscriptionId = "blog-subscription-id"
$resourceGroup = "rg-migration"
$location = "eastus"
$servicePrincipalClientId = "<sp-client-id>"
$servicePrincipalSecret = "<sp-secret>"
$tenantId = "<tenant-id>"

# Download and install the agent (check the MSI's Authenticode signature first)
Invoke-WebRequest -Uri "https://aka.ms/azcmagent-windows" -OutFile "AzureConnectedMachineAgent.msi"
Start-Process msiexec.exe -ArgumentList "/i AzureConnectedMachineAgent.msi /quiet" -Wait

# Connect the server; --tags takes one comma-separated list
& "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe" connect `
    --service-principal-id $servicePrincipalClientId `
    --service-principal-secret $servicePrincipalSecret `
    --tenant-id $tenantId `
    --subscription-id $subscriptionId `
    --resource-group $resourceGroup `
    --location $location `
    --tags "Environment=Production,DataCenter=OnPrem"
```

Apply Azure Policy to Arc Servers:

```bash
# Assign policy to enforce monitoring agent
az policy assignment create \
  --name "deploy-monitoring-agent-arc" \
  --policy "/providers/Microsoft.Authorization/policyDefinitions/0868462e-646c-4fe3-9ced-a733534b6a2c" \
  --scope /subscriptions/<sub-id>/resourceGroups/rg-migration \
  --assign-identity --location eastus

# Remediation task
az policy remediation create \
  --name remediate-arc-monitoring \
  --policy-assignment deploy-monitoring-agent-arc \
  --resource-group rg-migration
```

Expected output (az policy assignment create):

```json
{ "displayName": "Require tags on resources", "enforcementMode": "Default" }
```

Arc-enabled Kubernetes:

```bash
# Connect on-premises Kubernetes cluster
az connectedk8s connect \
  --name arc-k8s-onprem \
  --resource-group rg-migration \
  --location eastus \
  --kube-config ~/.kube/config

# Enable Azure Monitor for Arc K8s
az k8s-extension create \
  --name azuremonitor-containers \
  --cluster-name arc-k8s-onprem \
  --resource-group rg-migration \
  --cluster-type connectedClusters \
  --extension-type Microsoft.AzureMonitor.Containers
```

Phase 6: Post-Migration Optimization

Azure Advisor Recommendations:

```bash
# Get cost recommendations
az advisor recommendation list \
  --category Cost \
  --query "[].{Resource:resourceMetadata.resourceId, Recommendation:shortDescription.solution, Savings:extendedProperties.savingsAmount}" \
  -o table

# Set the low-CPU threshold used for right-sizing recommendations
az advisor configuration create \
  --resource-group rg-migration \
  --low-cpu-threshold 10 \
  --exclude false
```

Cost Optimization Script:

```powershell
# Identify idle VMs
$vms = Get-AzVM -ResourceGroupName "rg-migrated-vms"
foreach ($vm in $vms) {
    $metrics = Get-AzMetric -ResourceId $vm.Id -MetricName "Percentage CPU" -TimeGrain 01:00:00 -StartTime (Get-Date).AddDays(-7)
    $avgCpu = ($metrics.Data | Measure-Object Average -Average).Average

    if ($avgCpu -lt 5) {
        Write-Host "VM $($vm.Name) has low CPU usage: $avgCpu%. Consider resizing or deallocation."
    }
}

# Resize overprovisioned VMs
$vm = Get-AzVM -ResourceGroupName "rg-migrated-vms" -Name "web-server-01"
$vm.HardwareProfile.VmSize = "Standard_B2s"
Update-AzVM -ResourceGroupName "rg-migrated-vms" -VM $vm
```

Reserved Instances Purchase:

```bash
# Calculate reservation recommendations
az reservations reservation-order calculate \
  --reservation-order-id <order-id> \
  --sku-name Standard_D4s_v3 \
  --location eastus \
  --term P1Y \
  --quantity 10

# Purchase reservation
az reservations reservation-order purchase \
  --reservation-order-id <order-id> \
  --sku Standard_D4s_v3 \
  --location eastus \
  --quantity 10 \
  --term P3Y
```

Phase 7: Monitoring & Validation

Azure Monitor Workbook (KQL):

```kusto
// Migration progress dashboard
AzureMigrateAssessment
| where TimeGenerated > ago(30d)
| summarize
    TotalServers = dcount(MachineName),
    ReadyToMigrate = dcountif(MachineName, AzureReadiness == "Ready"),
    ReadyWithConditions = dcountif(MachineName, AzureReadiness == "ReadyWithConditions"),
    NotReady = dcountif(MachineName, AzureReadiness == "NotReady")
| extend ReadinessRate = (ReadyToMigrate * 100.0) / TotalServers

// Post-migration performance comparison
Perf
| where TimeGenerated > ago(7d)
| where ObjectName == "Processor" and CounterName == "% Processor Time"
| summarize
    AvgCPU_OnPrem = avgif(CounterValue, Computer startswith "onprem"),
    AvgCPU_Azure = avgif(CounterValue, Computer startswith "az")
| extend PerformanceGain = ((AvgCPU_OnPrem - AvgCPU_Azure) / AvgCPU_OnPrem) * 100

// Cost tracking
AzureActivity
| where OperationNameValue contains "Microsoft.Compute/virtualMachines/write"
| join kind=inner (
    Usage
    | where TimeGenerated > ago(30d)
    | summarize TotalCost = sum(Quantity * UnitPrice) by ResourceId
) on $left.ResourceId == $right.ResourceId
| project TimeGenerated, ResourceName = split(ResourceId, '/')[8], TotalCost
| order by TotalCost desc
```

Validation Checklist:

Pre-Cutover Validation:
  - [ ] Application functionality tests pass
  - [ ] Performance benchmarks meet baselines
  - [ ] Database replication lag < 5 minutes
  - [ ] SSL certificates configured
  - [ ] DNS records prepared (not yet updated)
  - [ ] Backup/DR tested and verified

Cutover Execution:
  - [ ] Graceful shutdown of on-premises services
  - [ ] Finalize database synchronization
  - [ ] Update DNS records to Azure IPs
  - [ ] Verify application startup in Azure
  - [ ] Test authentication/authorization
  - [ ] Confirm monitoring/alerts active

Post-Cutover Validation:
  - [ ] User acceptance testing completed
  - [ ] No critical errors in Application Insights
  - [ ] Performance SLAs met
  - [ ] Cost tracking dashboards operational
  - [ ] Decommission on-premises infrastructure

Best Practices

  • Pilot Migration: Start with non-critical workloads to validate process
  • Dependency Mapping: Use Azure Migrate dependency analysis to identify interdependencies
  • Network Planning: Design VNet architecture with hub-spoke for hybrid connectivity
  • Security: Apply Azure Security Center recommendations immediately post-migration
  • Automation: Use Infrastructure as Code (Bicep/Terraform) for consistency
  • Cost Management: Enable budgets and alerts before migration begins
  • Skills Enablement: Train operations team on Azure management tools

Troubleshooting

Issue: ASR replication fails with network connectivity error
Solution: Verify ExpressRoute/VPN connectivity; check NSG rules allow ports 443, 9443; validate proxy settings

Issue: Database migration timeout during cutover
Solution: Reduce transaction log size; disable non-clustered indexes temporarily; increase DMS SKU

Issue: Arc agent registration fails
Solution: Check firewall allows outbound HTTPS to *.guestconfiguration.azure.com; verify service principal permissions

Architecture Decision and Tradeoffs

When designing integrated solutions with Azure + Power Platform, consider these key architectural trade-offs:

| Approach | Best For | Tradeoff |
| --- | --- | --- |
| Managed / platform service | Rapid delivery, reduced ops burden | Less customisation, potential vendor lock-in |
| Custom / self-hosted | Full control, advanced tuning | Higher operational overhead and cost |

Recommendation: Start with the managed approach for most workloads and move to custom only when specific requirements demand it.

Validation and Versioning

  • Last validated: April 2026
  • Validate examples against your tenant, region, and SKU constraints before production rollout.
  • Keep module, CLI, and SDK versions pinned in automation pipelines and review quarterly.

Security and Governance Considerations

  • Apply least-privilege access using RBAC roles and just-in-time elevation for admin tasks.
  • Store secrets in managed secret stores and avoid embedding credentials in scripts or source files.
  • Enable audit logging, data protection policies, and periodic access reviews for regulated workloads.
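A pre-commit style check for the guidance above on keeping credentials out of scripts, written for this edit and not taken from the original article: it flags literal secrets in the argument forms the migration scripts on this page use (connection strings, DMS connection JSON, `--service-principal-secret`, PowerShell variables). The rule names, the allow-list of placeholder and reference forms, and the sample script are constructed for illustration.

```python
import re

# Values that are references or template placeholders rather than literal
# secrets: <placeholder>, $variable / $env:NAME / $(...), Key Vault references.
_SAFE_VALUE = re.compile(r"^(<[^>]*>|\$[\w:{(].*|@Microsoft\.KeyVault\(.*)$")

# Hypothetical rule set: one rule per credential form used in the page's scripts.
_RULES = [
    ("connection-string password",
     re.compile(r"(?i)\b(?:password|pwd)\s*=\s*([^;\"'\s]+)")),
    ("json password field",
     re.compile(r'(?i)"password"\s*:\s*"([^"]*)"')),
    ("service principal secret argument",
     re.compile(r'--service-principal-secret[ =]+"?([^\s"`]+)')),
    ("secret assigned to variable",
     re.compile(r'(?i)\$\w*(?:secret|password)\w*\s*=\s*"([^"]*)"')),
]


def scan_script(text):
    """Return [(line_number, rule_name)] for every literal credential found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in _RULES:
            for match in pattern.finditer(line):
                value = match.group(1)
                if value and not _SAFE_VALUE.match(value):
                    # Report where, never the value, so the secret is not
                    # copied into CI logs.
                    findings.append((lineno, label))
    return findings


# Constructed sample: placeholders and references sit beside hard-coded values.
SAMPLE_SCRIPT = "\n".join([
    r'$servicePrincipalSecret = "<sp-secret>"',
    r'$servicePrincipalSecret = "constructed-literal-secret"',
    r'azcmagent.exe connect --service-principal-secret $servicePrincipalSecret',
    r'  "password": "<password>",',
    r'  "password": "Constructed-Passw0rd",',
    r'--settings DefaultConnection="Server=tcp:sql.example.net,1433;'
    r'User ID=sqladmin;Password=Constructed-Passw0rd;Encrypt=True;"',
    r'--settings DefaultConnection="@Microsoft.KeyVault('
    r'SecretUri=https://kv-example.vault.azure.net/secrets/sql-conn/)"',
])


if __name__ == "__main__":
    for lineno, label in scan_script(SAMPLE_SCRIPT):
        print(f"line {lineno}: {label}")
```

A clean result only means none of these four forms holds a literal; it does not replace a full secret scanner in the pipeline.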

Cost and Performance Notes

  • Define budgets and alerts, then monitor usage and cost trends continuously after go-live.
  • Baseline performance with synthetic and real-user checks before and after major changes.
  • Scale resources with measured thresholds and revisit sizing after usage pattern changes.

Official Microsoft References

  • https://learn.microsoft.com/azure/architecture/
  • https://learn.microsoft.com/azure/well-architected/
  • https://learn.microsoft.com/power-platform/guidance/

Public Examples from Official Sources

  • These examples are sourced from official public Microsoft documentation and sample repositories.
  • Documentation examples: https://learn.microsoft.com/azure/well-architected/
  • Sample repositories: https://github.com/Azure/ArchitectureCenter
  • Prefer adapting these examples to your tenant, subscriptions, and governance requirements before production use.

Key Takeaways

  • Azure Migrate provides comprehensive assessment for informed migration planning
  • Azure Site Recovery enables seamless VM migration with minimal downtime
  • Database Migration Service supports online migration for near-zero RTO
  • Azure Arc extends Azure management to on-premises and multi-cloud environments
  • Post-migration optimization with Advisor ensures cost efficiency

Next Steps

  • Implement Azure Landing Zones for enterprise-scale governance
  • Deploy Azure Sentinel for unified security operations
  • Explore Azure VMware Solution for VMware workload migration without refactoring
  • Implement Azure Backup for comprehensive data protection
