The challenge

The customer was operating a legacy on-premises infrastructure consisting of aging physical servers, VMware-based virtual machines, and tightly coupled networking across sites. The environment had grown organically over time, resulting in:

  • Limited scalability and resilience
  • Increasing hardware and support costs
  • Complex interdependencies between workloads
  • No clear disaster recovery capability
  • Difficulty supporting modern cloud-based applications

Additionally, the organisation wanted to adopt a cloud-first strategy to improve agility and enable future innovation, but lacked a structured approach to Azure adoption.

The objective

The primary goals of the project were:

  • Migrate all production workloads from on-premises to Microsoft Azure
  • Design and implement a bespoke Azure Landing Zone aligned to best practices
  • Introduce a Hub and Spoke network topology for secure, scalable connectivity
  • Minimise downtime and business disruption during migration
  • Establish a foundation for future cloud-native services

Our approach

1. Discovery and assessment

We began with a comprehensive discovery phase using Azure Migrate to:

  • Inventory all servers, applications and dependencies
  • Assess workload readiness for Azure
  • Right-size compute and storage requirements
  • Identify migration risks and sequencing

Dependency mapping was critical in understanding application relationships and ensuring workloads were migrated in the correct order.

2. Landing Zone design

A bespoke Azure Landing Zone was designed based on Microsoft Cloud Adoption Framework principles, tailored to the customer’s requirements.

Key components included:

  • Management groups and subscriptions aligned to business units
  • Role-based access control (RBAC) for governance
  • Azure Policy for compliance enforcement
  • Centralised logging and monitoring using Azure Monitor and Log Analytics

This ensured a secure, governed and scalable platform before any workloads were migrated.

[Figure: a topological diagram of an Azure Landing Zone]

3. Hub and Spoke network architecture

A Hub and Spoke topology was implemented to provide secure and scalable connectivity, with the entire network deployed using Azure Bicep templates and Azure DevOps pipelines. This infrastructure-as-code approach ensured the environment was fully repeatable, version-controlled and easy to deploy or extend in the future.

  • Hub network:
    • Azure Firewall for centralised security
    • VPN Gateway for hybrid connectivity
    • Shared services (DNS, identity integration)
  • Spoke networks:
    • Segmented per workload or environment (e.g. production, test)
    • Peered to the hub for controlled access

By leveraging Bicep and DevOps pipelines, the customer gained:

  • Consistent deployments across environments
  • Reduced risk of configuration drift
  • Faster provisioning of new spokes or regions
  • A reusable deployment framework for future projects

This design reduced lateral movement risk and simplified network management while enabling future expansion.
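One way to check that deployed peerings still match the hub and spoke design described above, so that drift which reopens spoke-to-spoke paths is caught early. This is an added example, not code from the project; the VNet names, the inventory layout and the finding labels are constructed for illustration.

```python
"""Audit VNet peerings against a hub and spoke design (illustrative)."""

# Constructed sample inventory: VNet name -> set of VNets it has a peering to.
# The names and this layout are assumptions, not data from the case study.
HUB = "vnet-hub"
SAMPLE_PEERINGS = {
    "vnet-hub": {"vnet-spoke-prod", "vnet-spoke-test", "vnet-spoke-dev"},
    "vnet-spoke-prod": {"vnet-hub"},
    "vnet-spoke-test": {"vnet-hub", "vnet-spoke-dev"},  # drift: spoke-to-spoke
    "vnet-spoke-dev": {"vnet-spoke-test"},              # drift: bypasses the hub
}


def audit_hub_and_spoke(peerings, hub):
    """Return (vnet, finding, remote) tuples for peerings that break the design."""
    if hub not in peerings:
        raise ValueError(f"hub {hub!r} is not in the inventory")
    findings = []
    spokes = sorted(v for v in peerings if v != hub)
    for spoke in spokes:
        remotes = peerings[spoke]
        if hub not in remotes:
            # Spoke has no path through the centralised firewall in the hub.
            findings.append((spoke, "missing-hub-peering", hub))
        elif spoke not in peerings[hub]:
            # Peering exists on the spoke side only, so it is not established.
            findings.append((spoke, "one-way-hub-peering", hub))
        for remote in sorted(remotes - {hub}):
            # Any peering that is not to the hub bypasses central inspection.
            findings.append((spoke, "non-hub-peering", remote))
    for remote in sorted(peerings[hub] - set(spokes)):
        findings.append((hub, "hub-peered-to-unknown-vnet", remote))
    return findings


if __name__ == "__main__":
    for vnet, finding, remote in audit_hub_and_spoke(SAMPLE_PEERINGS, HUB):
        print(f"{vnet}: {finding} -> {remote}")
```

Run as a pipeline step after deployment, a non-empty result can be used to fail the stage.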

4. Migration execution with Azure Migrate

Workloads were migrated in phases using Azure Migrate:

  • Replication of on-premises virtual machines to Azure
  • Test migrations to validate performance and configuration
  • Staged production cutovers to minimise downtime
  • Continuous monitoring throughout the process

A phased migration approach ensured minimal disruption.

5. Optimisation and modernisation

Post-migration, we worked with the customer to optimise the environment:

  • Rightsizing VMs to reduce costs
  • Implementing backup and disaster recovery with Azure Backup and Site Recovery
  • Introducing cost management and tagging strategies
  • Identifying candidates for PaaS modernisation

Results

Immediate outcomes

  • 100% of workloads successfully migrated to Azure
  • Zero unplanned downtime during cutover
  • Decommissioning of legacy on-premises infrastructure

Business benefits

  • Improved scalability:
    • Infrastructure can now scale on demand
  • Enhanced security:
    • Centralised controls via Azure Firewall and policies
  • Cost optimisation:
    • Reduced capital expenditure and improved visibility of operational costs
  • Resilience:
    • Built-in disaster recovery and high availability
  • Future readiness:
    • Platform ready for cloud-native services and automation

Key takeaways

  • Establishing a well-architected Landing Zone first is critical to long-term success
  • Hub and Spoke networking provides both security and scalability
  • Tools like Azure Migrate enable structured, low-risk transitions from legacy environments
  • A phased migration strategy significantly reduces business disruption