Marketplace Architecture

As part of Dr Migrate’s solution, the Azure Migrate appliance is used to discover servers in a customer’s environment. All data collected by the Azure Migrate appliance is securely sent via HTTPS and encrypted at rest within the customer’s Azure tenant, ensuring it remains within customer network boundaries.

Dr Migrate is deployed directly into the customer’s Azure tenant via the Azure Marketplace. During the automated deployment, Dr Migrate synchronizes with Azure Migrate using the provided limited-access SPN and begins data analysis. Near-real-time insights are accessible through the Dr Migrate web interface.

Key Points:

  • The Azure Migrate appliance requires read-only access to target hypervisors, VMs, and servers.
  • Data is encrypted at rest and in transit.
  • Data is sent from the Azure Migrate appliance to the Azure Migrate Project over port 443.
  • Dr Migrate ingests data from the Azure Migrate Project via REST API.


Note: If a detailed architecture document is required, you can request one here.

Key Architecture Components

| Component | Purpose |
| --- | --- |
| Customer’s Azure Subscription | Hosting of required infrastructure |
| Customer on-premises environment | Infrastructure to be scanned |
| Azure Migrate Appliance | Data collection on-premises |
| Azure Migrate Project | Data hosting within the customer’s Azure subscription |
| Dr Migrate deployed via Azure Marketplace | Controlled, secure availability of the product |
| Power BI | Enables the automatic creation of Executive Reports |

Dr Migrate Managed Resource Group

As part of the Azure Marketplace deployment, a Managed Resource Group is automatically set up with the following services deployed.

Note: Dr Migrate’s Azure Marketplace offering is a privately hosted offering and must be made visible (available) to a specific Azure Subscription. This occurs as part of the license request process.

| Resource | Description |
| --- | --- |
| Managed Resource Group | Central container and RBAC boundary for the required resources |
| Windows Virtual Machine | The VM hosting the Dr Migrate solution. Includes a disk and a NIC. All required software packages and configurations are included in the image. |
| Azure Key Vault | A key vault to securely store the credentials used by the Dr Migrate solution. |
| Azure Storage Account | The storage account is restricted and accessible only by the Dr Migrate virtual machine using the SPN created. No storage account keys are required. It is used to store assessment information. |
| Azure Service Principal Account | Used to query data from the Azure Migrate Project and to update the Azure resources within the resource group. |
| Azure Bastion | A fully managed service used to provide more secure, seamless RDP and SSH access to the Dr Migrate virtual machine. |
| Virtual Network | The virtual network that the Dr Migrate solution sits on. |
| Network Security Group x 2 | One for the Dr Migrate server and one for Bastion. |

VM Specifications

| Environment Size | Operating System | Azure Machine Profile | CPU | Memory | C Drive | Region |
| --- | --- | --- | --- | --- | --- | --- |
| Under 1,000 VMs | Windows Server 2016/2019 Standard | Standard_B4ms | 4 vCPU | 16 GB | 128 GB | Any supported Azure region |
| Over 1,000 VMs | Windows Server 2016/2019 Standard | Standard_B8ms | 8 vCPU | 32 GB | 128 GB | Any supported Azure region |
Warning: These Azure Machine Profiles are a good general rule of thumb for the majority of Dr Migrate deployments. There are, however, cases where a larger machine may be required with fewer than 1,000 VMs, for example where a large amount of network telemetry data (greater than 10 million records) needs to be analysed.

Data Flow

Data is synchronized between Azure Migrate Appliance > Azure Migrate Project > Dr Migrate.


| From: Azure Migrate Appliance (on-premises) | To: Azure Migrate Project (customer’s Azure subscription) | To: Dr Migrate (customer’s Azure subscription) |
| --- | --- | --- |
| On-premises servers are scanned and non-PII data is collected by the Azure Migrate Appliance and sent to the target Azure Migrate Project. | The Azure Migrate Project securely stores the collected data as it is sent by the Azure Migrate Appliance. | Dr Migrate uses a limited-access SPN to synchronize data with the Azure Migrate Project. The synchronized data is securely stored within the customer’s subscription. |

Azure Marketplace Hosted Architecture FAQ

Does Dr Migrate require access to on-premises servers? Dr Migrate does not require access to any on-premises devices; Azure Migrate is used as the data collection source, securely handling data both in transit and at rest.

Do Dr Migrate and Azure Migrate need to be in the same Resource Group or Subscription? No, it is not essential, but they must be in the same Azure Tenant.

Does the Azure Migrate appliance analysis affect on-premises performance? The Azure Migrate appliance profiles on-premises servers continuously to measure performance data. This means that Azure Migrate will only collect telemetry when there is a low load on the target host. This profiling has almost no performance impact on profiled servers.

How much data is uploaded during continuous profiling? On average a server sends approximately 5 MB of data per day. This value is approximate; the actual value varies depending on the number of data points for the disks and NICs.

What network connectivity is required? The Azure Migrate appliance needs access to Azure URLs. Review the URL list here.

What data points should Azure Migrate be set up to collect? It is essential that Azure Migrate is configured to collect Software Inventory, Application Dependency, SQL Inventory and network data. This allows Dr Migrate to provide comprehensive insights.

How many Azure Migrate Appliances do I need? As a rule of thumb:

  • one per discovery method needed (i.e., one each for VMware, Hyper-V and physical servers).
  • one per 500 to 1000 machines within the discovery method.

See Microsoft’s Online Common Questions regarding Azure Migrate for more information.

Whitelisting Remote Service Connections

If an existing virtual network is selected during installation instead of creating a new one, certain network communications will need to be whitelisted.

Use the communications table below as a guide.

| URL | Requirement for Service |
| --- | --- |
| *.portal.azure.com | Navigate to the Azure portal. |
| *.windows.net, *.msftauth.net, *.msauth.net, *.microsoft.com, *.live.com, *.office.com | Sign in to the Azure subscription. |
| *.microsoftonline.com, *.microsoftonline-p.com | Create Azure Active Directory (AD) apps for the appliance to communicate with Azure Migrate. |
| management.azure.com | Create Azure AD apps for the appliance to communicate with Azure Migrate. |
| prices.azure.com | Retrieve the latest cloud pricing data from Azure. |
| *.services.visualstudio.com | Upload appliance logs used for internal monitoring. |
| *.vault.azure.net | Manage secrets in the Azure Key Vault. Note: ensure servers to replicate have access to this. |
| aka.ms/* | Allow access to aka links; used to download and install the latest updates for appliance services. |
| download.microsoft.com/download | Allow downloads from the Microsoft Download Center. |
| *.discoverysrv.windowsazure.com, *.migration.windowsazure.com | Connect to Azure Migrate service URLs. |
| *.blob.core.windows.net | Used for storage account access and data copy. |
| psg-prod-eastus.azureedge.net, az818661.vo.msecnd.net, devopsgallerystorage.blob.core.windows.net, *.powershellgallery.com, go.microsoft.com, nuget.org | PowerShell Gallery access. |
| api.powerbi.com, *.azureedge.net, *.osi.office.net, *.msecnd.net, store.office.com, login.microsoftonline.com, visualstudio.com, *.analysis.windows.net, *.pbidedicated.windows.net, dc.services.visualstudio.com, *.powerbi.com, web.vortex.data.microsoft.com, store-images.s-microsoft.com, *.s-microsoft.com | Access to the Power BI service (in instances where customers would like to publish the reports to a Power BI project). For the latest list of required URLs to allow, see: https://learn.microsoft.com/en-us/power-bi/admin/power-bi-allow-list-urls |
| catalogapi.azure.com, catalogartifact.azureedge.net, graph.microsoft.com, marketplaceapi.microsoft.com, portal.azure.com, service.bmx.azure.com, login.live.comgem, management.core.windows.net, azurewebsites.net | Azure Marketplace. |
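As an added example (not part of the Dr Migrate documentation), the following Python script audits proxy CONNECT log lines from the appliance subnet against a subset of the table above, flagging destinations or ports the documented list does not cover. The log format, the sample lines and the REQUIRED_URLS subset are constructed assumptions; wildcard entries are read conservatively as covering subdomains only, not the apex domain.

```python
import re

# Constructed subset of the allow-list table above (not the complete list).
# Path entries such as aka.ms/* are reduced to their host, because NSGs,
# firewalls and proxies filter on host names rather than URL paths.
REQUIRED_URLS = [
    "*.portal.azure.com", "*.windows.net", "*.microsoftonline.com",
    "management.azure.com", "prices.azure.com", "*.vault.azure.net",
    "aka.ms/*", "download.microsoft.com/download",
    "*.discoverysrv.windowsazure.com", "*.migration.windowsazure.com",
    "*.blob.core.windows.net",
]

def pattern_host(entry: str) -> str:
    """Reduce a table entry such as 'aka.ms/*' to its bare host name."""
    return entry.split("/", 1)[0].lower()

def host_allowed(host: str, entries) -> bool:
    """True if host is covered by an entry. A leading '*.' covers any
    subdomain but not the apex itself, so 'windows.net' is not covered
    by '*.windows.net'; entries without a wildcard must match exactly."""
    host = host.lower().rstrip(".")
    for entry in entries:
        pat = pattern_host(entry)
        if pat.startswith("*."):
            if host.endswith(pat[1:]):        # pat[1:] is '.windows.net'
                return True
        elif host == pat:
            return True
    return False

LOG_RE = re.compile(r"CONNECT\s+([A-Za-z0-9.-]+):(\d+)")

def unexpected_destinations(log_lines, entries=REQUIRED_URLS):
    """Sorted unique 'host:port' values that no entry covers. Ports other
    than 443 are flagged too: the appliance only talks to Azure on 443."""
    flagged = set()
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue                        # not a CONNECT line; ignore
        host, port = m.group(1), int(m.group(2))
        if port != 443 or not host_allowed(host, entries):
            flagged.add(f"{host}:{port}")
    return sorted(flagged)

SAMPLE_LOG = [  # constructed proxy log lines, not real traffic
    "1700000001.1 10.1.0.4 CONNECT login.microsoftonline.com:443",
    "1700000002.3 10.1.0.4 CONNECT management.azure.com:443",
    "1700000003.0 10.1.0.4 CONNECT aka.ms:443",
    "1700000004.2 10.1.0.4 CONNECT updates.example.net:443",
    "1700000005.7 10.1.0.4 CONNECT storage.blob.core.windows.net:80",
]

if __name__ == "__main__":
    for dest in unexpected_destinations(SAMPLE_LOG):
        print("not covered by allow list:", dest)
```

Run it against a full export of the appliance's egress logs to confirm that the only destinations are the documented Azure endpoints on port 443.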