Azure Landing Zone · VMware Migration · Hybrid Cloud

Server & Cloud Migration
On-Premises to Azure

Migrate physical servers, VMware VMs, and Hyper-V workloads to Azure with proper landing zone architecture, security hardening, and cost optimisation. Ogma handles assessment, migration, and post-migration operations.

Why Migrate Servers to the Cloud

On-premises infrastructure demands capital expenditure on hardware refresh every 4-5 years, 24/7 data centre operations, cooling, power redundancy, and dedicated sysadmin teams. A single rack of servers can cost more annually in power and cooling than the equivalent Azure compute.

Azure provides global availability with 60+ regions, built-in disaster recovery, pay-as-you-go pricing, and the ability to scale compute up or down in minutes. Compliance certifications (SOC 2, ISO 27001, PCI DSS, HIPAA) are inherited from the platform — no additional audits for infrastructure controls.

But a poorly planned migration leads to cloud sprawl, runaway costs, and security gaps. That is why we start with a proper landing zone and right-sized assessment before moving a single workload.

30-50%: Cost Savings (Optimised)
99.99%: Azure VM SLA Uptime
60+: Azure Regions Worldwide
Minutes: Scale Up/Down Time

Migration Strategies — The 5 Rs

Every workload gets the right strategy based on business value, complexity, and modernisation potential.

Strategy | Description | Best For | Effort | Cloud Benefit
Rehost (Lift & Shift) | Move VMs as-is to Azure IaaS | Stable workloads, quick wins | Low | Medium
Replatform | Minor changes to use managed services | SQL Server to Azure SQL, IIS to App Service | Medium | High
Refactor | Re-architect for cloud-native patterns | Strategic apps needing scale, microservices | High | Maximum
Replace | Switch to SaaS equivalent | Email (O365), CRM (Dynamics), ERP | Medium | High
Retire | Decommission workloads no longer needed | Legacy apps, redundant systems | Low | Cost savings

Migration Methodology

1. Discovery & Assessment

Deploy Azure Migrate appliance to discover all on-premises servers (VMware, Hyper-V, physical). Map application dependencies — which servers communicate, on what ports, and with what latency requirements. Assess cloud readiness, right-size Azure VM SKUs, and estimate monthly costs. Produce a migration backlog prioritised by business value and complexity.

2. Landing Zone Design

Design Azure landing zone following Cloud Adoption Framework: management group hierarchy, subscription structure (prod/dev/staging), hub-spoke VNet topology with Azure Firewall or FortiGate NVA, Azure AD integration, RBAC role assignments, Azure Policy for governance, and cost management budgets and alerts.

3. Network Architecture

Deploy hub-spoke VNet topology. Hub VNet hosts Azure Firewall/NVA, VPN Gateway or ExpressRoute, and shared services (DNS, AD DS). Spoke VNets for each workload class are peered to the hub. NSGs enforce micro-segmentation. Private endpoints for PaaS services eliminate public internet exposure. DNS forwarding to on-prem resolvers.

4. Pilot Migration

Migrate 3-5 representative workloads to validate the landing zone, network connectivity, DNS resolution, authentication, and application functionality. Test backup, monitoring, and alerting. Measure performance against on-prem baselines. Refine Azure VM sizing, disk types (Premium SSD vs Standard), and network configuration based on findings.

5. Wave-Based Migration

Migrate workloads in waves grouped by application dependency. Each wave includes pre-migration testing, replication (continuous sync via Azure Migrate), cutover during maintenance window, post-cutover validation, and rollback plan. We migrate 10-20 servers per wave, with 1-2 waves per week at scale.

6. Optimise & Operate

Post-migration: right-size VMs based on actual Azure metrics, purchase Reserved Instances for steady-state workloads, enable Azure Hybrid Benefit, configure auto-scaling, set up Azure Monitor alerts, implement Azure Backup policies, and deploy Azure Site Recovery for DR. Hand over with runbooks, architecture documentation, and operational procedures.

Azure Landing Zone — What We Build

Hub-Spoke Networking

Central hub VNet with Azure Firewall or FortiGate NVA for traffic inspection, VPN/ExpressRoute gateway, and shared services. Spoke VNets peered to hub for each workload. User Defined Routes force all traffic through the firewall. Private DNS zones for PaaS name resolution.

Security Baseline

Defender for Cloud enabled on all subscriptions. Azure Policy enforces CIS Benchmark for Azure. NSGs on every subnet with deny-all default. Azure Bastion for admin access (no public RDP/SSH). Key Vault for secrets and certificates. DDoS Protection Standard for public IPs.

Identity & Access

Azure AD integration with on-premises AD via Azure AD Connect. RBAC roles assigned at management group and subscription level. Privileged Identity Management (PIM) for just-in-time admin access. Conditional Access policies for cloud app access. Break-glass emergency accounts.

Governance & Tagging

Azure Policy enforces mandatory tags (cost centre, environment, owner, application). Naming conventions for all resource types. Management groups organise subscriptions by business unit. Cost management budgets with alerts at 80% and 100% thresholds.

Monitoring & Alerting

Azure Monitor with Log Analytics workspace for centralised logging. VM Insights for performance monitoring (CPU, memory, disk, network). Application Insights for web app telemetry. Action groups for email, SMS, and Teams alerts. Azure Workbooks for custom dashboards.

Backup & DR

Azure Backup with Recovery Services Vault for VM, SQL, and file share backup. Geo-redundant storage (GRS) for backup data. Azure Site Recovery for cross-region DR replication. Recovery plans with automated failover sequencing. Monthly DR drill schedule.

On-Premises to Azure Connectivity

Secure, reliable connectivity between your data centre and Azure workloads.

Site-to-Site VPN

IPsec VPN tunnel over public internet between on-prem firewall and Azure VPN Gateway. Up to 1.25 Gbps per tunnel. Cost-effective for moderate bandwidth needs. Active-active VPN Gateway for redundancy. BGP for dynamic routing.

Azure ExpressRoute

Dedicated private connection via connectivity provider. 50 Mbps to 100 Gbps. Does not traverse public internet. SLA-backed latency and availability. Required for bandwidth-intensive workloads (database replication, large data transfers, real-time applications).

Azure Virtual WAN

Microsoft-managed hub for connecting branches, VPNs, and ExpressRoute. Automated spoke VNet peering. Integrated with Azure Firewall and SD-WAN partners (FortiGate). Ideal for multi-branch organisations migrating to hybrid cloud.

Azure Cost Optimisation

Reserved Instances

1-year or 3-year VM reservations save 40-72% versus pay-as-you-go. We identify steady-state workloads that qualify and automate reservation purchases.

Azure Hybrid Benefit

Use existing Windows Server and SQL Server licenses with Software Assurance in Azure. Saves up to 85% on Windows VMs and 55% on Azure SQL.

Right-Sizing

Most on-prem servers are over-provisioned. We size Azure VMs based on actual utilisation data from Azure Migrate, not on-prem specs. Review and resize quarterly.

Auto-Shutdown & Scaling

Dev/test VMs auto-shutdown outside business hours (save 65%+ on compute). Production workloads use auto-scaling to match demand. Spot VMs for fault-tolerant batch processing.

Workloads We Migrate

Windows Server & Active Directory

Domain controllers to Azure VMs or Azure AD Domain Services. File servers to Azure Files with AD integration. Print servers, DHCP, and DNS. Windows Server 2012 R2 through 2022. Extended security updates included for older versions in Azure.

SQL Server Databases

SQL Server to Azure SQL Database (PaaS), Azure SQL Managed Instance, or SQL Server on Azure VMs. Data Migration Assistant assesses compatibility. Azure Database Migration Service handles schema and data migration with minimal downtime.

Linux & Web Applications

RHEL, CentOS, Ubuntu, and SUSE Linux VMs. Apache/Nginx web servers rehosted or replatformed to Azure App Service. MySQL/PostgreSQL to Azure Database for MySQL/PostgreSQL. Containerised applications to Azure Kubernetes Service (AKS).

VMware & Hyper-V Infrastructure

Full VMware vSphere environments to Azure VMs (agentless migration) or Azure VMware Solution (AVS) for VMware-native operations in Azure. Hyper-V VMs via Azure Migrate replication. Physical servers via agent-based replication.

Cloud Security — Defence in Depth

Network Security

Azure Firewall or FortiGate NVA in hub VNet. NSGs with deny-all default on all subnets. Private endpoints for Storage, SQL, Key Vault. No public IPs on VMs (Azure Bastion for admin access). DDoS Protection Standard for public-facing services.
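
The NSG rules stated here and under Security Baseline (deny-all default, no public RDP/SSH) can be checked against an export of the deployed NSGs. The following is an added example, not Ogma's or Microsoft's tooling: it assumes the rule shape produced by `az network nsg list -o json`, reads "deny-all default" as an explicit custom inbound Deny rule (the built-in AllowVnetInBound rule otherwise precedes the built-in DenyAllInBound), and uses constructed NSG names and rules.

```python
INTERNET = {"*", "0.0.0.0/0", "internet"}   # "Internet" is the Azure service tag
MGMT_PORTS = {22: "SSH", 3389: "RDP"}

def _values(rule, single, plural):
    # A rule carries either one value (e.g. sourceAddressPrefix) or a list (...Prefixes).
    vals = list(rule.get(plural) or [])
    if rule.get(single):
        vals.append(rule[single])
    return [str(v).lower() for v in vals]

def _covers(port_spec, port):
    # True if "*", a single port, or a range such as "3380-3390" includes the port.
    if port_spec == "*":
        return True
    lo, _, hi = port_spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def audit_nsg(nsg):
    # Flags every inbound Allow of SSH/RDP from the internet and a missing explicit
    # deny-all. It does not model a higher-priority Deny shadowing an Allow rule.
    findings, has_deny_all = [], False
    for r in nsg.get("securityRules", []):
        if r.get("direction", "").lower() != "inbound":
            continue
        sources = _values(r, "sourceAddressPrefix", "sourceAddressPrefixes")
        ports = _values(r, "destinationPortRange", "destinationPortRanges")
        if r.get("access", "").lower() == "deny":
            if ("*" in sources and "*" in ports and r.get("protocol") == "*"
                    and r.get("destinationAddressPrefix") == "*"):
                has_deny_all = True
        elif any(s in INTERNET for s in sources):
            for port, svc in MGMT_PORTS.items():
                if any(_covers(p, port) for p in ports):
                    findings.append(f"{nsg['name']}: rule {r['name']} allows {svc} ({port}) from the internet")
    if not has_deny_all:
        findings.append(f"{nsg['name']}: no explicit inbound deny-all rule")
    return findings

# Constructed sample in the exported shape; names and address ranges are placeholders.
SAMPLE = [
    {"name": "nsg-spoke-web", "securityRules": [
        {"name": "allow-mgmt", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
         "sourceAddressPrefix": "*", "destinationAddressPrefix": "*",
         "destinationPortRanges": ["443", "3380-3390"]}]},
    {"name": "nsg-spoke-db", "securityRules": [
        {"name": "allow-bastion-ssh", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
         "sourceAddressPrefix": "10.0.1.0/26", "destinationAddressPrefix": "*", "destinationPortRange": "22"},
        {"name": "deny-all-in", "direction": "Inbound", "access": "Deny", "protocol": "*",
         "sourceAddressPrefix": "*", "destinationAddressPrefix": "*", "destinationPortRange": "*"}]},
]
```

Running `audit_nsg` over each exported NSG before a migration wave gives a list of rules to fix; an empty list means both conditions hold for that NSG.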

Defender for Cloud

Cloud Security Posture Management (CSPM) with Secure Score. Defender for Servers (vulnerability assessment, file integrity monitoring). Defender for SQL (threat detection). Defender for Storage (malware scanning). Regulatory compliance dashboard for PCI, ISO, CIS.

Identity & Secrets

Azure Key Vault for certificates, encryption keys, and connection strings. Managed Identity for VM-to-PaaS authentication (no credentials in code). Privileged Identity Management for just-in-time admin elevation. Conditional Access for all cloud app access.

Frequently Asked Questions

We use Azure Migrate to discover all on-premises servers, map dependencies, and assess cloud readiness. Each server gets a suitability rating (ready, conditionally ready, not ready, unknown) based on OS version, boot type, disk configuration, and application compatibility. We also measure actual resource utilisation over 30 days to right-size Azure VM SKUs — most on-prem servers run at 10-20% CPU utilisation and can be downsized significantly in the cloud.

We support all five Cloud Adoption Framework strategies: Rehost (lift-and-shift to Azure VMs), Replatform (move to managed services like Azure SQL, App Service), Refactor (re-architect for cloud-native patterns), Replace (switch to SaaS alternatives), and Retire (decommission workloads no longer needed). Each server gets a recommended strategy based on business criticality, modernisation benefit, and migration complexity. Most enterprise migrations use a mix — 60-70% rehost, 20-30% replatform, and 5-10% refactor.

For VMware environments, we use Azure Migrate with the agentless VMware appliance for discovery and assessment. Migration uses Azure Migrate Server Migration which replicates VMs directly from vCenter to Azure without installing agents on each VM. For Azure VMware Solution (AVS), we do a vMotion-based migration that preserves the VMware stack in Azure. The choice depends on whether you want to exit VMware licensing or maintain VMware operational familiarity.

An Azure landing zone is the foundational architecture that your workloads sit on — management groups, subscriptions, resource groups, networking (hub-spoke VNet topology), identity (Azure AD integration), security baselines (Azure Policy, Defender for Cloud), and governance (cost management, tagging, RBAC). Without a proper landing zone, you end up with sprawling, ungovernable cloud infrastructure. We design and deploy your landing zone before migrating any workloads.

We implement defence-in-depth: Network Security Groups (NSGs) with least-privilege rules, Azure Firewall or FortiGate NVA for centralised inspection, Azure Bastion for secure admin access (no public RDP/SSH), Defender for Cloud for posture management and threat detection, Azure Key Vault for secrets, and Azure DDoS Protection for public-facing workloads. We also configure Azure Policy to enforce compliance standards (CIS Benchmark, PCI DSS, ISO 27001) and prevent non-compliant resource creation.

Cost optimisation starts during assessment — we right-size VMs based on actual utilisation, not on-prem specs. Post-migration, we implement Reserved Instances (1-year or 3-year commitments for 40-72% savings), Azure Hybrid Benefit (use existing Windows Server and SQL Server licenses), auto-shutdown for dev/test VMs, and Azure Spot VMs for fault-tolerant workloads. We set up Azure Cost Management alerts, budgets, and advisor recommendations. Most customers save 30-50% versus pay-as-you-go within 3 months of optimisation.

Yes. Hybrid cloud is the most common architecture. Latency-sensitive applications, legacy systems that cannot be migrated, and workloads with data residency requirements stay on-premises. Azure ExpressRoute or VPN provides secure connectivity between on-prem and Azure. Azure Arc extends Azure management to on-prem servers — policy, monitoring, and updates from a single Azure portal. We design the hybrid topology based on your specific constraints.

We configure Azure Site Recovery (ASR) for automated DR replication of critical workloads. VMs replicate continuously to a secondary Azure region with RPO as low as 30 seconds. Failover is automated via recovery plans that sequence VM startup order and execute custom scripts. We conduct DR drills quarterly to validate RTO/RPO targets. For databases, we use native replication (SQL Always On, PostgreSQL streaming replication) to the DR region.

Ready to Migrate to Azure?

Get a free migration assessment with Azure Migrate discovery, right-sizing recommendations, cost estimates, and a phased migration plan tailored to your infrastructure.