Secure migration to Microsoft Azure (2025): in-depth step-by-step guide with landing zones, hybrid networking, security, costs and operations
This guide explains, in clear and outcome-oriented language, everything needed to execute a secure migration to Microsoft Azure. It connects the concepts of the Cloud Adoption Framework (CAF) with a practical Azure Landing Zones design, clarifies hybrid connectivity decisions (ExpressRoute, VPN, Private Link, DNS), implements security with Azure Policy and the Microsoft Cloud Security Benchmark, and shows how to use Azure Migrate for inventory, assessment and migration waves. It is rounded off with business continuity, observability, FinOps and a realistic operational plan. Each block explains why it is worth doing, how to do it and which evidence should be kept.
Do you want to migrate to Azure with security, compliance and business KPIs in place?
The platform (landing zone) is designed as code, workloads are migrated in waves with Azure Migrate, and security, BCDR, observability and costs are kept under control with evidence ready for audit.
Migration to Microsoft Azure: context, objectives and outcomes
Migrating to the cloud is no longer just about moving virtual machines. It is about reorganising architecture, responsibilities and controls so that day-to-day operations become more predictable. Azure provides managed services, native automation and integrated observability; but those benefits only appear when the platform is well designed and the change is executed in waves with tests and metrics.
The first objective is to reduce risk: less public exposure, identities with just-in-time privileges and data encrypted by default. The second is to guarantee continuity with immutable backups and drills. The third is to govern spend with budgets, tags and consumption commitments. At the same time, the aim is to improve experience: repeatable deployments, clear diagnostics and less manual work.
| Objective | Metric | Tools |
|---|---|---|
| Platform security | Secure score ≥ 85% | Defender for Cloud + MCSB initiatives |
| Continuity | RTO/RPO measured and met | Immutable Azure Backup + Azure Site Recovery |
| Observability | MTTD/MTTR trending down | Azure Monitor + Sentinel |
| Cost | Variance < 10% and use of reservations | Cost Management, budgets, savings plans |
Cloud Adoption Framework (CAF) and 8R strategies for migrating to Azure
CAF structures the journey into six phases: strategy, plan, ready, adopt, govern and manage. It helps decide what to migrate, how success will be measured and which controls are mandatory. It is not just theory: it provides templates and decision trees that turn into real deliverables (policies, topologies, repositories).
The decision for each application relies on the “8Rs”: retire, retain, rehost, replatform, refactor, rearchitect, rebuild or replace. There is no single answer; several usually coexist. For example, an ERP with strong dependencies often starts as a rehost (IaaS) to free up the data centre, while portals or APIs with a good test suite can move directly to replatform (App Service, PostgreSQL Flexible Server).
Azure Landing Zones: platform, governance and security from day one
A landing zone is the “runway” for resources. It defines the management groups hierarchy, environment-based subscriptions, hub network, diagnostics, policies and automation. The advantage is that everything “is born” with the same guardrails: if public IPs for databases are forbidden, nobody will be able to create them by mistake.
The practical implementation uses infrastructure as code (Bicep/Terraform) in a repository with branches, reviews and versions. A pipeline deploys the platform into dev, pre-prod and prod. Changes are traceable and reversible. Beyond order, this brings speed: creating a new subscription with all policies and diagnostics configured becomes a matter of minutes.
- Management groups structure by domains and environments.
- Hub-and-spoke with Azure Firewall and gateways, private DNS and controlled Internet egress.
- Assignment of security and compliance initiatives at the root management group.
- Mandatory logging to Log Analytics and baseline alert catalogues.
- Subscription templates and mandatory tags (cost center, owner, app, environment).
Principles and design areas of an Azure Landing Zone
CAF design areas work as a checklist. They let you make explicit decisions about identity, subscriptions, networks, security, operations, costs and automation. When everything is written down, teams do not depend on “how it was done last time”, but on published criteria.
| Area | Decision | Justification | Tools |
|---|---|---|---|
| Identity | Entra ID as authority | A clear perimeter | Conditional Access, PIM |
| Subscriptions | Separate DEV/TEST/PROD | Isolated risk and costs | CAF + tags |
| Network | Hub-and-spoke + Private Link | Less public exposure | VNet, Firewall, Private DNS |
| Security | Benchmark + Defender | Measurable posture | Policy + Defender |
| Operations | Baseline logs and alerts | Consistent diagnostics | Monitor + Sentinel |
This table becomes tasks in a backlog: creating policies, deploying private DNS, defining mandatory tags, writing operational runbooks. In this way, governance and platform evolve together.
Hybrid connectivity in Azure: ExpressRoute, VPN, Private Link and DNS
The network is the glue between what already works and what is deployed in the cloud. At a high level, there are two paths into Azure: VPN (IPsec) and ExpressRoute. VPN lets you get started in days and costs little; ExpressRoute provides private connections with bandwidth and latency guarantees. Many organisations use VPN to start with and leave ExpressRoute for when the load grows or stability is required.
For PaaS services, the big step forward comes with Private Link, which creates private endpoints in internal networks. The public name stops being exposed and traffic goes through the VNet. To make it work transparently, you use Private DNS and a split-horizon resolution strategy: the same name resolves to a private IP inside the network and to a public IP outside, if needed. This pattern prevents leaks and meets strict requirements.
The hub-and-spoke pattern centralises controls: the hub hosts the Firewall, gateways and DNS; the spokes are application spaces. Traffic is routed explicitly; you do not “allow everything”. If a team creates an insecure resource, the network path will not allow it to go to the Internet without passing through known rules.
Identity security: Entra ID, Conditional Access, PIM and Managed Identities
Identity is the front door to everything. The minimum security plan combines universal MFA, risk- and context-based Conditional Access, and PIM so that high-privilege roles are activated only when needed and with approval. It is advisable to start with Conditional Access in “report-only” mode, see what would break in production and adjust. Then move to “on” mode by groups.
For applications and automation, Managed Identities remove passwords. The application authenticates against Azure and obtains tokens that let it talk to Key Vault, Storage or SQL without plaintext credentials. This change reduces incidents and simplifies audits.
Governance and compliance: Azure Policy + Microsoft Cloud Security Benchmark
Microsoft’s security benchmark gathers cross-cutting controls (identity, data, networking, logging, response). Defender for Cloud calculates a security score, suggests remediations and lets you track improvement. Azure Policy is the engine that applies configuration: it audits, remediates and can even block the creation of non-compliant resources.
An effective approach is to work in two-week sprints. Select ten high-impact recommendations (for example, closing public IPs on databases, enforcing current TLS, enabling mandatory diagnostics), create policies or assignments and measure the gains. Exceptions are approved with an owner and an end date; when the deadline is reached, the exception is reviewed or closed.
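The exception lifecycle described above (owner, end date, review or close at the deadline) as a small review routine. This is an added example, not an Azure tool: the records are constructed and shaped after Azure Policy exemption fields (displayName, policyAssignmentId, exemptionCategory, expiresOn, metadata); `metadata.owner` is this example's own convention, and the assignment IDs are placeholders.

```python
"""Review of policy exceptions that carry an owner and an end date.

Added example, not an Azure tool. Records are constructed and shaped after
Azure Policy exemption fields; `metadata.owner` is this example's convention,
not a built-in property, and the assignment ID is a placeholder.
"""
from datetime import datetime, timedelta, timezone

REVIEW_WINDOW_DAYS = 14
TODAY = datetime(2025, 3, 3, tzinfo=timezone.utc)   # fixed so the run is repeatable
# Constructed exemption records (not real resources).
SAMPLE_EXEMPTIONS = [
    {"displayName": "legacy-db-public-ip", "exemptionCategory": "Waiver",
     "policyAssignmentId": "ASSIGNMENT-ID-PLACEHOLDER", "expiresOn": "2025-02-01T00:00:00Z",
     "metadata": {"owner": "dba-team@example.test"}},
    {"displayName": "batch-tls-legacy", "exemptionCategory": "Mitigated",
     "policyAssignmentId": "ASSIGNMENT-ID-PLACEHOLDER", "expiresOn": "2025-03-10T00:00:00Z",
     "metadata": {"owner": "batch-team@example.test"}},
    {"displayName": "temp-storage-public", "exemptionCategory": "Waiver",
     "policyAssignmentId": "ASSIGNMENT-ID-PLACEHOLDER", "expiresOn": "2025-04-15T00:00:00Z",
     "metadata": {}},
    {"displayName": "erp-no-diagnostics", "exemptionCategory": "Mitigated",
     "policyAssignmentId": "ASSIGNMENT-ID-PLACEHOLDER", "expiresOn": "2025-06-30T00:00:00Z",
     "metadata": {"owner": "erp-team@example.test"}},
]


def review(exemptions, today=TODAY, window_days=REVIEW_WINDOW_DAYS):
    """Map displayName to a verdict: 'expired:close-or-renew', 'expiring:review',
    'invalid:no-owner', 'invalid:no-expiry' or 'ok'."""
    verdicts = {}
    for ex in exemptions:
        owner = (ex.get("metadata") or {}).get("owner")
        expires = ex.get("expiresOn")
        if not owner:
            verdict = "invalid:no-owner"          # no accountable owner: reject
        elif not expires:
            verdict = "invalid:no-expiry"         # open-ended exception: reject
        else:
            exp = datetime.fromisoformat(expires.replace("Z", "+00:00"))
            if exp <= today:
                verdict = "expired:close-or-renew"
            elif exp - today <= timedelta(days=window_days):
                verdict = "expiring:review"
            else:
                verdict = "ok"
        verdicts[ex["displayName"]] = verdict
    return verdicts


def needs_action(exemptions, today=TODAY):
    """Names that go to the next review meeting, sorted for a ticket."""
    return sorted(n for n, v in review(exemptions, today).items() if v != "ok")
```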
Data protection: Key Vault, CMEK, secret management and storage
Key Vault stores secrets, certificates and keys with access control and logging. A common recommendation is one Key Vault per application and per environment; if something happens, the impact is limited. With Private Endpoint, the vault stops depending on public access.
When services support it, CMEK lets you use your own keys to encrypt data, meeting regulated customer requirements. Keys are rotated and the rotation cadence is documented. In Storage, the redundancy choice (LRS, ZRS, GRS, GZRS) is made with RTO/RPO objectives and budget on the table; sensitive containers are exposed through private networking and the use of long-lived SAS tokens is minimised.
Azure Migrate: inventory, assessment and wave-based migration
Azure Migrate discovers what is there, measures how it behaves and proposes realistic sizes. The appliance collects CPU, memory, disk and network data for several weeks. With enough data, performance-based assessments recommend VM series and disks that fit actual usage. This simple technical decision (sizing based on performance instead of old spreadsheets) often saves costs without impacting service.
How to implement it in an orderly way
- Create the Migrate project and deploy the appliance where workloads run (VMware, Hyper-V or physical).
- Verify credentials and ports; start collection and review dependencies between servers.
- Run performance-based assessments with realistic headroom for peaks.
- Select three representative workloads for the pilot: a web app, a database and a batch process.
- Define waves by business domain with windows, smoke tests and rollback plans.
Replication prepares the final cutover with minimal downtime. After a month in Azure, run rightsizing and decide on the use of reservations and savings plans. That is the right time to fine-tune cost with real data.
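The performance-based sizing logic described in this section, carried through as an added example. It is not Azure Migrate's own algorithm or catalogue: utilisation samples are reduced to a percentile, headroom for peaks is applied, and the cheapest SKU from a constructed, hypothetical catalogue that covers the need is chosen.

```python
"""Performance-based sizing in the spirit of Azure Migrate assessments.

Added example, not Azure Migrate's own algorithm or catalogue: samples are
reduced to a percentile, headroom for peaks is applied, and the cheapest
hypothetical SKU that covers the derived need is chosen.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Sku:
    name: str
    vcpu: int
    memory_gib: float
    hourly_usd: float


# Constructed catalogue with made-up names and prices.
CATALOGUE = [
    Sku("hypothetical-S2", 2, 8.0, 0.10),
    Sku("hypothetical-S4", 4, 16.0, 0.20),
    Sku("hypothetical-S8", 8, 32.0, 0.40),
    Sku("hypothetical-S16", 16, 64.0, 0.80),
]


def percentile(values, pct):
    """Nearest-rank percentile (pct in 0..100) of a non-empty sequence."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def required_capacity(cpu_pct, mem_gib, allocated_vcpu, pct=95, headroom=1.3):
    """Derive vCPU and GiB needs from samples, with headroom for peaks."""
    if not cpu_pct or not mem_gib:
        raise ValueError("no samples: keep the appliance collecting longer")
    need_vcpu = allocated_vcpu * percentile(cpu_pct, pct) / 100 * headroom
    need_mem = percentile(mem_gib, pct) * headroom
    return need_vcpu, need_mem


def recommend(cpu_pct, mem_gib, allocated_vcpu, catalogue=CATALOGUE):
    """Cheapest SKU covering both needs, or None if nothing in the catalogue fits."""
    need_vcpu, need_mem = required_capacity(cpu_pct, mem_gib, allocated_vcpu)
    fits = [s for s in catalogue if s.vcpu >= need_vcpu and s.memory_gib >= need_mem]
    return min(fits, key=lambda s: s.hourly_usd) if fits else None


# Constructed samples from a 16 vCPU / 64 GiB on-prem VM that mostly idles.
SAMPLE_CPU_PCT = [10, 12, 15, 11, 9, 28, 14, 13, 12, 30]   # % of the 16 vCPU
SAMPLE_MEM_GIB = [10.0, 11.0, 10.5, 12.0, 11.5, 13.0, 10.8, 11.2, 12.5, 13.5]
```

Running `recommend(SAMPLE_CPU_PCT, SAMPLE_MEM_GIB, allocated_vcpu=16)` picks the 8 vCPU SKU rather than a like-for-like 16 vCPU one, which is the saving the text refers to.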
Data and databases: SQL Managed Instance, SQL Database and PostgreSQL/MySQL
For SQL Server, Managed Instance provides broad compatibility with on-prem features (agents, Linked Servers in certain scenarios) without the overhead of OS patching. SQL Database fits when the application can adopt a PaaS model with elastic scale and managed high availability. In the open-source world, PostgreSQL/MySQL Flexible Server offers zone-redundant high availability and control over version and maintenance.
Private connectivity with Private Link and the use of Azure AD authentication (when available) reduce exposure and simplify the retirement of local credentials. Before cutover, it is advisable to run A/B tests with heavy queries, capture execution plans and tune service tiers.
Application modernisation: App Service, AKS, containers and WAF
App Service simplifies the lifecycle of web apps and APIs: repeatable deployments, slots for blue/green, rich diagnostics and autoscale. When the application is already containerised or needs finer control over resources, AKS enables node pools by workload type, WAF-enabled ingress and metric-based autoscaling.
In both cases, use Managed Identity to reach dependencies and Private Link to access data without going out to the Internet. The CI/CD pipeline includes dependency analysis, image scanning and real health checks; if something fails, the deployment is stopped before it affects customers.
Disaster Recovery: immutable Azure Backup and Azure Site Recovery
Backups must withstand human error and attacks. The enhanced soft delete option in Azure Backup prevents disabling protection and makes malicious deletions harder. Combined with vault lock and segregated roles, it provides a real barrier.
Azure Site Recovery replicates machines to another region and enables controlled failover tests. Drills are executed in isolated networks and produce a report with timings and results. That evidence is worth more than any promise in a document: it proves recoverability.
Posture and detection: Defender for Cloud, Azure Monitor and Microsoft Sentinel
Defender for Cloud provides a cross-platform view of posture and exploitable risks. High-impact actions are prioritised and improvement is measured. Azure Monitor and the Azure Monitor Agent (AMA) collect metrics and logs into Log Analytics; data collection rules normalise what each resource sends. Sentinel connects those signals, applies analytics and automates responses.
```kusto
SigninLogs
| where ResultType == "0"                  // successful sign-ins; ResultType is a string column
| where Identity matches regex ".*(admin|adm).*"
| where hour_of_day(TimeGenerated) < 7 or hour_of_day(TimeGenerated) > 20   // TimeGenerated is UTC
| summarize attempts = count() by Identity, bin(TimeGenerated, 1h)
```
With rules like the one above you detect administrative sign-ins outside working hours and trigger a playbook to enforce additional MFA or revoke tokens. A short library of well-built responses resolves most recurring incidents.
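The same detection logic rendered in Python and run over constructed sign-in records, so the rule's behaviour can be checked offline before it is deployed. This is an added example, not Microsoft's rule or data; the rows are constructed to resemble SigninLogs.

```python
"""Python rendition of the Sentinel rule above, run over constructed records.

Added example, not Microsoft's rule or data: it mirrors the KQL filters
(successful sign-ins, identities matching "admin"/"adm", hour of day before
07:00 or after 20:00, in UTC) and buckets hits by identity and hour.
"""
import re
from collections import Counter
from datetime import datetime, timezone

# The KQL `matches regex` is case-sensitive; this mirrors it deliberately.
ADMIN_RE = re.compile(r"admin|adm")

# Constructed SigninLogs-like rows; TimeGenerated is UTC as in Log Analytics.
SAMPLE_SIGNINS = [
    {"TimeGenerated": "2025-03-03T02:15:00Z", "Identity": "adm-jsmith", "ResultType": "0"},
    {"TimeGenerated": "2025-03-03T02:40:00Z", "Identity": "adm-jsmith", "ResultType": "0"},
    {"TimeGenerated": "2025-03-03T03:05:00Z", "Identity": "adm-jsmith", "ResultType": "50126"},
    {"TimeGenerated": "2025-03-03T09:30:00Z", "Identity": "adm-jsmith", "ResultType": "0"},
    {"TimeGenerated": "2025-03-03T22:10:00Z", "Identity": "alice", "ResultType": "0"},
    {"TimeGenerated": "2025-03-03T23:45:00Z", "Identity": "svc-admin", "ResultType": "0"},
]


def parse_utc(ts):
    """ISO-8601 timestamp with a 'Z' suffix to an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def outside_hours(dt, start=7, end=20):
    """Mirror of `hour_of_day(TimeGenerated) < 7 or > 20` (20:xx counts as inside)."""
    return dt.hour < start or dt.hour > end


def is_hit(row):
    """Apply the three `where` clauses to one row."""
    return (
        row["ResultType"] == "0"                      # successful sign-in only
        and ADMIN_RE.search(row["Identity"]) is not None
        and outside_hours(parse_utc(row["TimeGenerated"]))
    )


def summarize(rows):
    """`summarize attempts = count() by Identity, bin(TimeGenerated, 1h)`."""
    counts = Counter()
    for row in rows:
        if is_hit(row):
            hour = parse_utc(row["TimeGenerated"]).replace(minute=0, second=0, microsecond=0)
            counts[(row["Identity"], hour.isoformat())] += 1
    return dict(counts)
```

On the sample rows the failed attempt (ResultType 50126), the daytime sign-in and the non-administrative user are all dropped, leaving two buckets to alert on.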
FinOps: Cost Management, budgets, reservations and savings plans
Cost Management lets you create budgets per subscription or resource group, threshold-based alerts and views by tag (cost center, owner, environment). After stabilising consumption, you apply reservations for specific resources (for example, a database tier) and savings plans for compute across multiple services. The rule of thumb: first rightsize, then commit to spend.
Every month it is worth reviewing reservation and savings plan utilisation, identifying orphaned resources and refining auto-shutdown policies in non-production environments. With that discipline, spend stops being a surprise.
Project plan and wave completion criteria
An orderly migration is rolled out in waves with exit conditions. It is not about “hitting the date”, but about meeting criteria that protect the business: minimum posture, tested backups, active alerts and budget under control. That way, every promotion to production has guarantees.
- Discovery: inventory with Migrate, dependencies, criticality and requirements.
- Ready: landing zone as code and policies assigned at the root management group.
- Pilot: a varied sample of workloads to measure latency, security and DR.
- Security and BCDR: Conditional Access, PIM, immutable Backup and ASR in place.
- Waves: by business domain, with runbooks and documented rollback plans.
| Definition of “done” | Metric or criterion |
|---|---|
| Security posture | ≥ 85% and no critical issues |
| Observability | Diagnostics and alerts enabled |
| Response | Response playbooks tested |
| Continuity | Failover test with signed report |
| Costs | Budget and tags in place; reservation/savings plan defined |
Step-by-step — from zero to production
1) Platform
Deploy the landing zone with Bicep/Terraform, assign security initiatives at the root management group, create the network hub with Firewall and DNS, and enable diagnostics to Log Analytics with the modern agent. Publish the tagging guide and subscription templates in the internal repository.
2) Identity
Configure Conditional Access in “report-only” mode, review impact and then switch to “on” by groups. Enable PIM, document emergency accounts and migrate automation to Managed Identities. Move secrets to Key Vault and rotate them.
3) Migration
Use Azure Migrate for inventory and performance-based assessments. Run a pilot with three workloads and then roll out by waves. Measure latency, adjust sizes and document results.
4) Continuity
Enable Backup with enhanced soft delete and lock the vault. Configure Site Recovery between regions and run regular failover tests with reports. Define RTO/RPO per service and review them annually.
5) Operations
Enable Defender for Cloud and Sentinel, create key alerts and response playbooks. Set budgets, review monthly spend and adjust reservations/savings. Close the loop with retrospectives and improvements.
Typical risks and mitigation
- Exposed PaaS services: enable Private Link and private DNS; review egress routes.
- Weak governance: assign initiatives at the root management group; manage exceptions with expiry dates and owners.
- Identity without controls: phased Conditional Access and PIM on critical roles; controlled emergency accounts.
- Vulnerable backups: enhanced soft delete and vault lock; segregated roles.
- Unexpected costs: mandatory tags and budgets, regular rightsizing and monthly reservations/savings review.
Frequently asked questions
What exactly is a landing zone?
It is the set of decisions and artefacts (code, policies, networks, diagnostics) that make every new resource inherit security, logging and governance without manual work.
ExpressRoute or VPN to start with?
VPN lets you start quickly and works as a backup; ExpressRoute brings stability and dedicated capacity. Many organisations combine both depending on their needs.
How can we test recovery without interrupting production?
With Site Recovery you run tests in isolated networks, measure timings and keep a report for audit. Production is not affected.
Assess “as-is” or performance-based in Azure Migrate?
Performance-based whenever possible. It requires enough data collection, but avoids over- or under-sizing.
Conclusion and next steps
Migrating to Azure thoughtfully means designing a consistent platform, moving workloads based on data rather than intuition, and closing the loop with security, continuity and costs under control. With a landing zone as code, private connectivity, inherited policies, immutable backups and unified observability, the organisation reduces risk, gains speed and can prove it with evidence.
Do you want to accelerate migration with guarantees?
- Assessment and wave-based roadmap with Azure Migrate.
- Industrialised landing zone (Policy, networking, logging, identity).
- Operational security and BCDR, plus cost and posture dashboards for leadership.