Securely Migrating to Microsoft Azure

In a previous post, we talked about the best practices to implement for securely migrating your on-premises workloads to a cloud service provider (AWS, Azure, or GCP). That post laid out a five-step secure migration process:

  • Assess migration opportunities.
  • Identify the scope.
  • Build a dependency plan between applications and components.
  • Build the infrastructure.
  • Migrate to and validate the target environment.

This migration process remains the same for any cloud service provider. However, the services and tools involved usually differ.

In this part of our series on secure cloud migration, we will focus specifically on securely migrating workloads to Microsoft Azure, applying the five steps listed above.

Opportunity Assessment

Before you start with a migration plan, it is important to complete a business and technical assessment of the given target environment as well as identify whether or not the existing applications (those being considered for migration) are good candidates. This assessment involves gathering necessary documents about both the infrastructure and the applications, along with a dependency map that provides vital information pertaining to the migration plan. The key goals of this assessment are to gather the proper objectives, identify possible challenges, and determine business and technical benefits that can lead to the reduction of debt (technical, business, and/or people) for the organization.

Azure, like many cloud providers, has numerous partners with years of expertise and experience migrating cloud infrastructure and data, both on-premises and with other cloud providers. Partners such as Carbonite, Cloudamize, Corent Technology, Device42, Turbonomic and UnifyCloud have built on the already comprehensive migration tools offered by Azure to assist you in planning how best to migrate your data. These partners can greatly simplify the migration process.

Determining the Scope of Change

After a business and technical assessment, the scope of change needs to be determined. There are many factors to consider here, but these can include cost, business requirements, and technical debt. As discussed in our previous post on secure cloud migration, there are four possible choices to define the amount of architectural refactoring required.

Rehost

Rehosting, often known as “lift-and-shift,” can be one of the easier ways to migrate. Azure Migrate is a comprehensive, zero-cost migration tool that fits many rehosting scenarios, and Azure Site Recovery makes it easy to replicate an existing host’s infrastructure.

If you need to support a non-traditional operating system that Azure Migrate does not natively support, a Microsoft Azure partner such as Zerto covers a broader range of OS options and scenarios.

Replatform

To migrate workloads with minimal changes, replatforming is an attractive option. For example, the Azure Database Migration service will easily migrate SQL databases. In the case of non-relational databases, such as MongoDB, the Data Migration Tool for Azure Cosmos DB supports migration scenarios to quickly get you up and running. Here you have many options to move over large amounts of your data, such as Data Box, simpler solutions like Azure Storage Explorer, and numerous Azure Storage REST API solutions for more scriptable automation.

Repurchase

Repurchasing refers to purchasing or licensing your application directly from the Azure Marketplace, which offers thousands of products built specifically for this platform. It frees you up from your license-management overhead and from the need to rewrite or redesign the application. In many cases, all you have to do is move over your data.

Redesign

Redesigning an entire platform architecture can be one of the most time-consuming and expensive efforts. However, it also delivers numerous benefits, especially since a redesign allows for the integration of the latest technologies surrounding microservices and serverless environments, including Azure Logic Applications for serverless architectures, Azure Cosmos DB for non-relational globally distributed databases, Azure Kubernetes Service (AKS) to support microservices, and Azure DevOps to include a fully integrated CI/CD development and deployment pipeline.

Map Dependencies and Plan

A comprehensive assessment and definition of scope is critical to determining how to proceed in migrating to the Azure cloud environment. But after the approach has been decided, identifying what assets to migrate and the order in which to do so will be equally crucial to your migration success. Finally, creating and following a proper plan to track the progress and accountability of the project will ensure its eventual success.

Planning for Security

Predicting and addressing potential security concerns are paramount to keeping data (yours and your customers’) protected and secure. Proper planning sets your organization up for success, and Azure offers many tools that can assist you in securing your network as well as help with security planning.

Azure Virtual Network underpins Azure’s networking offerings. By providing isolation, traffic filtering, multiple connectivity options, and traffic routing, it gives you a secure foundation on which to host your platform. Virtual networks (VNets) are logically isolated from one another, even within the same subscription. By default, virtual machines can initiate outbound connections through source network address translation (SNAT), but they are not publicly addressable unless a public IP address is assigned to them. Network Security Groups let you assign inbound and outbound security rules, even to the individual NICs of a VM. User-defined routes let you control traffic routing within your network, and if you connect a VNet to your on-premises network, you can propagate BGP routes to the connected VNets.
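As an added illustration of the Network Security Group rules described above (example code written for this post, not an Azure tool), the following Python audits a rule set the way a post-migration review would: NSG rules are evaluated in ascending priority with the first match winning, so the check reports inbound Allow rules that expose an administrative or database port to any source and are not shadowed by an earlier Deny. The rule shape, the sample rules and the list of sensitive ports are assumptions made for the example.

```python
import ipaddress

def rule(name, priority, direction, access, protocol, source, ports):
    """Build one rule dict using NSG property names (assumed shape, not a verbatim export)."""
    return {"name": name, "priority": priority, "direction": direction, "access": access,
            "protocol": protocol, "sourceAddressPrefix": source, "destinationPortRange": ports}

# Constructed sample: an NSG whose Deny for RDP sits behind an Allow that opens it to anyone.
SAMPLE_RULES = [
    rule("allow-https-from-internet", 100, "Inbound", "Allow", "Tcp", "Internet", "443"),
    rule("allow-ssh-from-onprem", 110, "Inbound", "Allow", "Tcp", "10.20.0.0/16", "22"),
    rule("allow-rdp-any", 200, "Inbound", "Allow", "Tcp", "*", "3389"),
    rule("deny-rdp", 300, "Inbound", "Deny", "*", "*", "3389"),
    rule("allow-all-outbound", 100, "Outbound", "Allow", "*", "*", "*"),
]
ANY_SOURCE = {"*", "internet", "0.0.0.0/0", "::/0"}
SENSITIVE_PORTS = {22, 3389, 1433, 3306, 5432, 27017}  # admin and database listeners

def _ports(spec):
    """Expand a destinationPortRange such as '22', '80-90' or '*' into a set of ints."""
    if spec == "*":
        return set(range(65536))
    lo, _, hi = spec.partition("-")
    return set(range(int(lo), int(hi or lo) + 1))

def _is_any_source(prefix):
    """True for wildcards, the Internet tag and /0 networks; other service tags count as scoped."""
    if prefix.lower() in ANY_SOURCE:
        return True
    try:
        return ipaddress.ip_network(prefix, strict=False).prefixlen == 0
    except ValueError:
        return False

def find_exposed_inbound(rules):
    """(rule name, ports) for inbound Allows that open a sensitive port to any source unshadowed."""
    inbound = sorted((r for r in rules if r["direction"] == "Inbound"), key=lambda r: r["priority"])
    findings = []
    for i, current in enumerate(inbound):
        if current["access"] != "Allow" or not _is_any_source(current["sourceAddressPrefix"]):
            continue
        exposed = _ports(current["destinationPortRange"]) & SENSITIVE_PORTS
        # Rules are evaluated in ascending priority, first match wins: only earlier Denies shadow.
        for earlier in inbound[:i]:
            if (earlier["access"] == "Deny" and _is_any_source(earlier["sourceAddressPrefix"])
                    and earlier["protocol"] in ("*", current["protocol"])):
                exposed -= _ports(earlier["destinationPortRange"])
        if exposed:
            findings.append((current["name"], sorted(exposed)))
    return findings
```

On the sample the HTTPS rule is scoped to a non-sensitive port and the SSH rule to an on-premises range, so only the RDP Allow at priority 200 is reported; the Deny at 300 never fires because the Allow matches first.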

Azure Monitor collects the logs that record the operations and events performed within your Azure environment. For more comprehensive logging, you can forward these logs to a partner SIEM service such as Splunk through Azure Event Hub and its connectors. Azure Policy provides configuration as code and compliance scanning so that you stay compliant with standards and service level agreements.

Azure Active Directory (AD) is core to many service offerings. Leveraging decades of experience with enterprise-level directory services, Azure offers a centrally integrated IAM service. Additionally, Azure Security Center, Azure Network Watcher, and the newly available Azure Sentinel all provide comprehensive tracking of changes and security concerns.

With ever-increasing threats coming from the outside, protecting your web-accessible assets is crucial. Azure Application Gateway also provides an Azure WAF to protect you against a wide range of threats, and Azure DDoS Protection offers a turnkey solution as well. However, although these services are useful, they are not comprehensive. You should combine these services with an Azure partner such as Reblaze, which can serve as the “security engine” for Azure and will protect your sites, applications, services, and APIs from a myriad of Internet threats.

Create Infrastructure

Once the secure migration plan is solidified, it’s time to go ahead and provision the resources on Azure. This starts with setting up the foundation VNet layer, following all security best practices and services, and then provisioning VMs, Cosmos DB, Logic Apps, AKS, and other Azure services as required for the application.

Often, one of the goals of a cloud migration is to turn your company into a cloud-native or DevOps/DevSecOps organization. You can leverage infrastructure-as-code capability in Azure using Azure Blueprints and Azure Resource Manager (ARM) templates to configure nearly every aspect of your infrastructure. There is also an open-source alternative to ARM called Terraform.

Migrate and Validate

Once your Azure foundation resources are provisioned, you can migrate the data to Azure and validate the integrity and consistency of the data. For migrating your server images, especially for the Rehost approach, it is advisable to leverage Azure Site Recovery Manager. For database migration, it is advisable to leverage the Data Migration Assistant and Data Migration Service for continuous replication of the database, which makes the cut-over smoother and quicker.

If you are dealing with static files or data, it is advisable to migrate them using Azure Storage REST APIs or scriptable tools such as AzCopy. However, if you’re planning to move petabytes of data, you can leverage Data Box for such large data transfers. Also, if any of the Azure services don’t meet your requirements, one of the great things about Azure is its Marketplace. Here you can leverage any third-party product, usually on a pay-as-you-go model.

To ensure that your migration was successful, validating the resulting infrastructure will be necessary to verify the consistency and security of the data and configurations. Utilizing industry standard approaches, such as cryptographic hash functions and checksums of the data, will verify that what you intended to move did in fact migrate successfully. Of particular note is validating your security posture during and after the migration. With a new environment, it is prudent to make sure that the data is accessible only where you need it, that the correct accounts and access are in place, and that proper auditing and logging are configured.
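As an added example of the checksum validation just described (not code from the original post), this Python builds SHA-256 manifests of a source tree and its migrated copy and reports what is missing, altered in transit, or unexpectedly present at the target. The sample trees are constructed in a temporary directory; on a real migration you would build the source manifest before the transfer and compare it against one built at the destination.

```python
import hashlib
import tempfile
from pathlib import Path

def build_manifest(root):
    """Map each file path (relative to root, POSIX form) to its SHA-256, streamed in 1 MiB chunks."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest

def compare_manifests(source, target):
    """Classify paths as missing (never copied), mismatched (changed in transit) or extra
    (only at the target); an all-empty report means the copy is complete and intact."""
    return {
        "missing": sorted(set(source) - set(target)),
        "mismatched": sorted(p for p in source.keys() & target.keys() if source[p] != target[p]),
        "extra": sorted(set(target) - set(source)),
    }

def demo():
    """Constructed sample trees standing in for the on-premises share and its migrated copy."""
    base = Path(tempfile.mkdtemp())
    trees = {
        base / "onprem": {"a/report.csv": b"1,2,3\n", "b/img.bin": b"\x00\xff", "c/notes.txt": b"hi"},
        base / "azure": {"a/report.csv": b"1,2,3\n", "b/img.bin": b"\x00\xfe", "d/stray.log": b"x"},
    }
    for tree, files in trees.items():
        for rel, data in files.items():
            (tree / rel).parent.mkdir(parents=True, exist_ok=True)
            (tree / rel).write_bytes(data)
    # On the sample: one file never copied, one corrupted in transit, one unexpected at the target.
    return compare_manifests(build_manifest(base / "onprem"), build_manifest(base / "azure"))
```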

Conclusion

Any organization migrating its workloads to Azure needs a solid understanding of those workloads and components, as well as the dependencies between them. That understanding, followed by a complete secure migration plan, helps your organization capture the benefits of the cloud while protecting your workloads from new threats. Azure does fine work in providing services (such as Azure Web Application Firewall) and a partner ecosystem to support such a large and complex workload migration.

If you have questions regarding any of the above, feel free to contact us.
