Architecture
Dr Migrate’s architecture varies depending on your deployment type.
As part of Dr Migrate’s solution, the Azure Migrate appliance is used to discover servers in a customer’s environment. All data collected by the Azure Migrate appliance is securely sent via HTTPS and encrypted at rest within the customer’s Azure tenant, ensuring it remains within customer network boundaries.
Dr Migrate is deployed directly into the customer’s Azure tenant via the Azure Marketplace. During the automated deployment, Dr Migrate synchronizes with Azure Migrate using the provided limited access SPN and begins data analysis. Near-real-time insights are accessible through the Dr Migrate web interface.
Key Points:
- The Azure Migrate appliance requires read-only access to target hypervisors, VMs, and servers.
- Data is encrypted at rest and in transit.
- Data is sent from the Azure Migrate appliance to the Azure Migrate Project over port 443.
- Dr Migrate ingests data from the Azure Migrate Project via REST API.
Key Architecture Components
Component | Purpose |
---|---|
Customer’s Azure Subscription | Hosting of required infrastructure |
Customer on-premises environment | Infrastructure to be scanned |
Azure Migrate Appliance | Data collection on-premises |
Azure Migrate Project | Data hosting within the customer’s Azure subscription |
Dr Migrate deployed via Azure Marketplace | Controlled secure availability of product |
Power BI | Enables the automatic creation of Executive Reports |
Dr Migrate Managed Resource Group
As part of the Azure Marketplace deployment, a Managed Resource Group is automatically set up, with the following services deployed.
Resource | Description |
---|---|
Managed Resource Group | Central container and RBAC boundary for required resources |
Windows Virtual Machine | The VM hosting the Dr Migrate solution. Includes a disk and a NIC. All required software packages and configurations are included in the image. |
Azure Key Vault | A key vault to securely store the credentials used by the Dr Migrate solution. |
Azure Storage Account | The storage account is restricted and accessible only by the Dr Migrate virtual machine using the created SPN. No storage account keys are required. It is used to store assessment information. |
Azure Service Principal Account | Used to query data from the Azure Migrate Project and to update the Azure resources within the resource group |
Azure Bastion | A fully managed service used to provide a more secure and seamless RDP and SSH access to the Dr Migrate Virtual Machine |
Virtual Network | The vnet that the Dr Migrate solution sits on |
Network Security Group x 2 | One for the Dr Migrate server and one for Bastion |
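The table describes an SPN that only updates resources inside its own managed resource group and only queries the Azure Migrate Project. The following added check (not Dr Migrate’s code) audits the SPN’s role assignments against that shape; the subscription and resource-group names, the assumption that querying the project needs only Reader, and the sample assignments are constructed, and real input is the JSON from `az role assignment list --assignee <appId> --all`.

```python
"""Least-privilege audit for the Dr Migrate SPN (added example, not Dr Migrate's code).
Input is shaped like `az role assignment list --assignee <appId> --all -o json`."""

# Hypothetical scopes; replace with the customer's own subscription and resource groups.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
MANAGED_RG = SUB + "/resourceGroups/mrg-drmigrate"      # Dr Migrate managed resource group
MIGRATE_RG = SUB + "/resourceGroups/rg-azure-migrate"   # holds the Azure Migrate project

# Roles that grant control over access itself; a data-sync SPN never needs them.
ACCESS_ADMIN_ROLES = {"Owner", "User Access Administrator"}

def _within(scope, rg):
    """True if `scope` is the resource group `rg` or a resource inside it."""
    scope, rg = scope.rstrip("/").lower(), rg.lower()
    return scope == rg or scope.startswith(rg + "/")

def audit_spn_assignments(assignments, managed_rg=MANAGED_RG, migrate_rg=MIGRATE_RG):
    """Return findings (strings); an empty list means the SPN matches the expected shape."""
    findings = []
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        if role in ACCESS_ADMIN_ROLES:
            findings.append(f"{role} at {scope}: SPN can grant itself more access")
        elif _within(scope, managed_rg):
            continue                      # updating its own resource group is expected
        elif _within(scope, migrate_rg):
            if role != "Reader":          # assumption: querying the project needs Reader only
                findings.append(f"{role} on Azure Migrate scope {scope}: Reader is sufficient")
        else:
            findings.append(f"{role} at {scope}: outside both expected scopes")
    return findings

# Constructed sample: the third assignment is the kind of drift the audit should catch.
SAMPLE_ASSIGNMENTS = [
    {"principalName": "spn-drmigrate", "roleDefinitionName": "Contributor", "scope": MANAGED_RG},
    {"principalName": "spn-drmigrate", "roleDefinitionName": "Reader", "scope": MIGRATE_RG},
    {"principalName": "spn-drmigrate", "roleDefinitionName": "Contributor", "scope": SUB},
]

if __name__ == "__main__":
    for finding in audit_spn_assignments(SAMPLE_ASSIGNMENTS):
        print("FINDING:", finding)
```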
VM Specifications
Environment Size | Operating System | Azure Machine Profile | CPU | Memory | C Drive | Region |
---|---|---|---|---|---|---|
Under 1,000 VMs | Windows Server 2016/2019 Standard | Standard_B4ms | 4 vCPU | 16 GB | 128 GB | Any supported Azure region |
Over 1,000 VMs | Windows Server 2016/2019 Standard | Standard_B8ms | 8 vCPU | 32 GB | 128 GB | Any supported Azure region |
Data Flow
Data is synchronized between Azure Migrate Appliance > Azure Migrate Project > Dr Migrate.
From | To | To |
---|---|---|
Azure Migrate Appliance (on-premises) | Azure Migrate Project (Customer’s Azure subscription) | Dr Migrate (Customer’s Azure subscription) |
On-premises servers are scanned and non-PII data is collected by the Azure Migrate Appliance and sent to the target Azure Migrate Project. | The Azure Migrate Project securely stores the collected data as it is sent by the Azure Migrate Appliance. | Dr Migrate uses a limited access SPN to synchronize data with the Azure Migrate Project. The synchronized data is securely stored within the customer’s subscription. |
Azure Marketplace Hosted Architecture FAQ
Does Dr Migrate require access to on-premises servers? Dr Migrate does not require access to any on-premises devices; Azure Migrate is used as the data collection source and secures the data both in transit and at rest.
Do Dr Migrate and Azure Migrate need to be in the same Resource Group or Subscription? No, that is not essential, but they must be in the same Azure Tenant.
Does the Azure Migrate appliance analysis affect on-premises performance? The Azure Migrate appliance profiles on-premises servers continuously to measure performance data, and collects telemetry only when there is a low load on the target host. This profiling has almost no performance impact on profiled servers.
How much data is uploaded during continuous profiling? On average a server sends approximately 5 MB of data per day. This value is approximate; the actual value varies depending on the number of data points for the disks and NICs.
What network connectivity is required? The Azure Migrate appliance needs access to Azure URLs. Review the URL list here.
What data points should Azure Migrate be set up to collect? It is essential that Azure Migrate is configured to collect Software Inventory, Application Dependency, SQL Inventory and network data. This allows Dr Migrate to provide comprehensive insights.
How many Azure Migrate Appliances do I need? As a rule of thumb:
- one per discovery method needed (e.g. one each for VMware, Hyper-V and Physical).
- one per 500 to 1000 machines within each discovery method.
See Microsoft’s Online Common Questions regarding Azure Migrate for more information.
Whitelisting Remote Service Connections
If an existing vnet is selected during installation instead of creating a new one, the following outbound network connections will need to be whitelisted.
Use the comms table below as a guide.
URL | Requirement for Service |
---|---|
*.portal.azure.com | Navigate to the Azure portal. |
*.windows.net, *.msftauth.net, *.msauth.net, *.microsoft.com, *.live.com, *.office.com | Sign in to the Azure subscription. |
*.microsoftonline.com, *.microsoftonline-p.com | Create Azure Active Directory (AD) apps for the appliance to communicate with Azure Migrate. |
management.azure.com | Create Azure AD apps for the appliance to communicate with Azure Migrate. |
prices.azure.com | Retrieve the latest cloud pricing data from Azure |
*.services.visualstudio.com | Upload appliance logs used for internal monitoring. |
*.vault.azure.net | Manage secrets in the Azure Key Vault. Note: Ensure servers to replicate have access to this. |
aka.ms/* | Allow access to aka links; used to download and install the latest updates for appliance services. |
download.microsoft.com/download | Allow downloads from Microsoft download center. |
*.discoverysrv.windowsazure.com, *.migration.windowsazure.com | Connect to Azure Migrate service URLs. |
*.blob.core.windows.net | Used for storage account access and data copy |
psg-prod-eastus.azureedge.net, az818661.vo.msecnd.net, devopsgallerystorage.blob.core.windows.net, *.powershellgallery.com, go.microsoft.com, nuget.org | PowerShell Gallery access. |
api.powerbi.com, *.azureedge.net, *.osi.office.net, *.msecnd.net, store.office.com, login.microsoftonline.com, visualstudio.com, *.analysis.windows.net, *.pbidedicated.windows.net, dc.services.visualstudio.com, *.powerbi.com, web.vortex.data.microsoft.com, store-images.s-microsoft.com, *.s-microsoft.com | Access to the Power BI service (where customers would like to publish the reports to a Power BI workspace). For the latest list of required URLs see: https://learn.microsoft.com/en-us/power-bi/admin/power-bi-allow-list-urls |
catalogapi.azure.com, catalogartifact.azureedge.net, graph.microsoft.com, marketplaceapi.microsoft.com, portal.azure.com, service.bmx.azure.com, login.live.com, management.core.windows.net, azurewebsites.net | Azure Marketplace. |
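A practical way to use this table is to compare the Dr Migrate VM’s actual egress against it. The following added example (not Dr Migrate’s code) matches proxy-log destinations against a subset of the entries above, treating `*.` prefixes as subdomain-only and `/...` parts as path prefixes; the log lines are constructed.

```python
"""Egress check for the allowlist table above: flag proxy-log destinations that no
entry covers. Added example, not Dr Migrate's code; log lines and list are constructed."""
from urllib.parse import urlsplit

# Subset of the table. "*." prefixes match subdomains only; "/..." parts are path prefixes.
ALLOWLIST = [
    "*.portal.azure.com", "*.windows.net", "*.microsoftonline.com",
    "management.azure.com", "prices.azure.com", "*.vault.azure.net",
    "aka.ms/*", "download.microsoft.com/download", "*.blob.core.windows.net",
    "*.migration.windowsazure.com", "api.powerbi.com",
]

def is_allowed(url, allowlist=ALLOWLIST):
    """Return the first allowlist entry covering `url` (absolute URL or host[:port]), else None."""
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    host, path = (parts.hostname or "").lower(), parts.path.lstrip("/")
    for entry in allowlist:
        p_host, _, p_path = entry.lower().partition("/")
        if p_host.startswith("*."):
            host_ok = host.endswith(p_host[1:])       # subdomains only, not the bare apex
        else:
            host_ok = host == p_host
        if host_ok and (p_path in ("", "*") or path.startswith(p_path)):
            return entry
    return None

# Constructed proxy log: "<timestamp> <source-ip> <destination-url> <bytes>"
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.10.0.4 https://management.azure.com/subscriptions 1520
2024-05-01T09:00:02Z 10.10.0.4 https://mystore.blob.core.windows.net/container 88112
2024-05-01T09:00:03Z 10.10.0.4 https://aka.ms/installer 910
2024-05-01T09:00:04Z 10.10.0.4 https://download.microsoft.com/download/x/y.msi 40400
2024-05-01T09:00:05Z 10.10.0.4 https://windows.net/ 300
2024-05-01T09:00:06Z 10.10.0.4 https://updates.example.net/agent 2200
"""

def unexpected_destinations(log_text, allowlist=ALLOWLIST):
    """Return (source_ip, url) for every log line whose destination is not allowlisted."""
    flagged = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and is_allowed(fields[2], allowlist) is None:
            flagged.append((fields[1], fields[2]))
    return flagged
```

Destinations that are flagged but legitimately needed belong in the table (or the customer’s own egress policy); anything else is worth a look at the VM.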
Dr Migrate’s SaaS solution provides a secure, hosted instance for customers, simplifying setup on their side. However, the Azure Migrate appliance is still used to collect data from the customer’s target environment.
Dr Migrate SaaS Security Standards
The Dr Migrate SaaS solution runs on the Altra Azure Tenant.
This solution is compliant with ISO 27001. For more information on the standard please see here.
Additionally, Dr Migrate adheres to the General Data Protection Regulation (GDPR). This regulation is designed to protect the privacy and personal data of individuals.
Architecture Summary
The customer’s Dr Migrate SaaS instance uses a limited access SPN to synchronize with the Azure Migrate Project. Once synchronized, near-real-time insights are accessible through the Dr Migrate web interface.
Key Points:
- The Azure Migrate appliance requires read-only access to target hypervisors, VMs, and servers.
- Data is encrypted at rest and in transit.
- Data is sent from the Azure Migrate appliance to the Azure Migrate Project over port 443.
- Dr Migrate ingests data from the Azure Migrate Project via REST API using a limited access SPN.
- Access to the SaaS instance is controlled via AD.
Key Architecture Components
Component | Purpose |
---|---|
Customer’s Azure Subscription | Hosting of required infrastructure |
Customer on-premises environment | Infrastructure to be scanned |
Azure Migrate Appliance | Data collection on-premises |
Azure Migrate Project | Data hosting within the customer’s Azure subscription |
SaaS Hosted Dr Migrate | Secure customer instance of Dr Migrate |
Active Directory B2B | Secure authentication |
Data Flow
Data is synchronized between the customer’s Azure Migrate Appliance > Azure Migrate Project > Dr Migrate SaaS instance.
From | To | To |
---|---|---|
Azure Migrate Appliance (on-premises) | Azure Migrate Project (Customer’s Azure subscription) | Dr Migrate (SaaS Hosted) |
On-premises servers are scanned and non-PII data is collected by the Azure Migrate Appliance and sent to the target Azure Migrate Project. | The Azure Migrate Project securely stores the collected data as it is sent by the Azure Migrate Appliance. | Dr Migrate uses a limited access SPN to synchronize data with the Azure Migrate Project. The synchronized data is securely stored within the customer’s subscription. |
The data that passes between Azure Migrate and Dr Migrate is encrypted in transit using HTTPS (SSL/TLS) on port 443.
The Dr Migrate virtual machine sits in a dedicated resource group on an isolated network within the Dr Migrate tenant.
Data on the virtual machine is encrypted using Azure data disk encryption.
SaaS Architecture FAQ
Do the SaaS and Azure Marketplace versions of Dr Migrate have the same features? Yes.
Does Dr Migrate require access to on-premises servers? Dr Migrate does not require access to any on-premises devices; Azure Migrate is used as the data collection source and secures the data both in transit and at rest.
Does the Azure Migrate appliance analysis affect on-premises performance? The Azure Migrate appliance profiles on-premises servers continuously to measure performance data, and collects telemetry only when there is a low load on the target host. This profiling has almost no performance impact on profiled servers.
How much data is uploaded during continuous profiling? On average a server sends approximately 5 MB of data per day. This value is approximate; the actual value varies depending on the number of data points for the disks and NICs.
What network connectivity is required? The Azure Migrate appliance needs access to Azure URLs. Review the URL list.
What data points should Azure Migrate be set up to collect? It is essential that Azure Migrate is configured to collect Software Inventory, Application Dependency, SQL Inventory and network data. This allows Dr Migrate to provide comprehensive insights.
How many Azure Migrate Appliances do I need? As a rule of thumb:
- one per discovery method needed (e.g. one each for VMware, Hyper-V and Physical).
- one per 500 to 1000 machines within each discovery method.
See Microsoft’s Online Common Questions regarding Azure Migrate for more information.