How long does an AWS to Azure migration take?

For a mid-size enterprise with 20-50 workloads, expect 12-16 weeks for the core migration with an additional 4-8 weeks for optimisation and decommissioning. Complex enterprises with 100+ workloads, strict compliance requirements, or heavy data gravity may need 6-12 months. The 12-week playbook in this guide covers the structured phase; actual timelines depend on workload complexity and team capacity.

What are the biggest risks when migrating from AWS to Azure?

The top risks are identity and access model differences (IAM policies do not translate directly to Azure RBAC), networking architecture changes (VPC to VNet with different subnet and security group models), data migration downtime (especially for large databases), and the learning curve for operations teams. Mitigate these by running parallel environments during migration and investing in team training early.

Can I run AWS and Azure simultaneously during migration?

Yes, and you should. A parallel-run period of 2-4 weeks is essential for validating the Azure environment before cutting over. Use site-to-site VPN or ExpressRoute with AWS Direct Connect to connect both environments during the transition. Budget for double infrastructure costs during this period.

Migrating from AWS to Azure: A 12-Week Enterprise Playbook

Migrating from one cloud provider to another is one of the hardest infrastructure projects an enterprise can undertake. It is harder than the initial cloud migration because you are replacing a running system, not building from scratch. Teams must learn a new platform while keeping the existing one operational.

This playbook provides a structured 12-week plan for enterprises migrating from AWS to Azure. It is not theoretical — it is based on migrations we have executed for European enterprises. The timeline assumes a mid-size deployment (20-50 workloads) with a dedicated migration team of 4-6 engineers.

Why Enterprises Migrate from AWS to Azure

Before the playbook, a note on motivation. Common drivers:

Microsoft 365 consolidation: Unified identity, security, and compliance across Office and cloud infrastructure
EU compliance requirements: Azure's EU Data Boundary and broader EU region coverage
License economics: Azure Hybrid Benefit makes Windows/SQL workloads 40-80 % cheaper
Enterprise Agreement simplification: One vendor for Microsoft 365 + Azure + Dynamics
Hybrid strategy: Azure Arc for managing on-premises alongside cloud

These are rational reasons. "AWS is bad" is not a reason — it is an excellent platform. If your motivation is simply frustration with cost or complexity, optimise first before migrating.

AWS to Azure Service Mapping

This table covers the most common services encountered in enterprise migrations:

AWS Service	Azure Equivalent	Migration Notes
EC2	Virtual Machines	Direct mapping. Use Azure Migrate for assessment.
ECS / Fargate	Container Apps / ACI	Container Apps is closer to Fargate in philosophy.
EKS	AKS	Kubernetes manifests are portable. Infrastructure config is not.
Lambda	Azure Functions	Runtime and trigger model differences. Rewrite triggers.
S3	Blob Storage	AzCopy for data transfer. API differences require code changes.
RDS (PostgreSQL/MySQL)	Azure Database for PostgreSQL/MySQL	Native replication tools for online migration.
RDS (SQL Server)	Azure SQL Database	DMS for migration. Check feature parity.
DynamoDB	Cosmos DB (Table API or NoSQL)	Data model mapping required. Not a 1:1 migration.
Aurora	Azure SQL / Cosmos DB	Architecture decision — no direct equivalent.
SQS	Azure Service Bus / Storage Queues	Service Bus for enterprise features, Storage Queues for simple.
SNS	Event Grid / Service Bus Topics	Event Grid for event routing, Service Bus for messaging.
CloudWatch	Azure Monitor + Log Analytics	Different query language (KQL vs CloudWatch Insights).
CloudFormation	Bicep / ARM Templates	Full rewrite required. No automated conversion.
IAM	Entra ID + Azure RBAC	Fundamental model difference. Most complex migration area.
Route 53	Azure DNS + Traffic Manager	Zone file migration. Update registrar NS records.
CloudFront	Azure Front Door / CDN	Feature parity is close. Configuration rewrite.
VPC	Virtual Network	Subnet model differs. Security groups vs NSGs.
Direct Connect	ExpressRoute	Provider coordination required. 4-8 week lead time.
KMS	Azure Key Vault	Key rotation policies and access models differ.
Secrets Manager	Azure Key Vault	Consolidation opportunity (keys + secrets in one service).
CodePipeline / CodeBuild	Azure DevOps / GitHub Actions	Pipeline rewrite. Opportunity to modernise.
GuardDuty	Microsoft Defender for Cloud	Different detection models. Parallel run recommended.
Config	Azure Policy + Azure Resource Graph	Compliance rule translation required.
Organizations	Management Groups	Hierarchical mapping. Policy inheritance differs.

Migration Phases Overview

Loading diagram...

Week-by-Week Playbook

Weeks 1-2: Discovery and Assessment

Objective: Understand everything that exists in AWS and build a migration inventory.

Activities:

Automated discovery

Bash

# AWS resource inventory
aws resourcegroupstaggingapi get-resources \
  --output json > aws-resource-inventory.json

# Detailed compute inventory
aws ec2 describe-instances \
  --query 'Reservations[*].Instances[*].{ID:InstanceId,Type:InstanceType,State:State.Name,AZ:Placement.AvailabilityZone,Name:Tags[?Key==`Name`]|[0].Value}' \
  --output table

# Database inventory
aws rds describe-db-instances \
  --query 'DBInstances[*].{ID:DBInstanceIdentifier,Engine:Engine,Size:DBInstanceClass,Storage:AllocatedStorage,MultiAZ:MultiAZ}' \
  --output table

# S3 bucket sizes
for bucket in $(aws s3api list-buckets --query 'Buckets[*].Name' --output text); do
  size=$(aws s3 ls s3://$bucket --recursive --summarize | tail -1 | awk '{print $3}')
  echo "$bucket: $size bytes"
done

Dependency mapping: Use AWS X-Ray traces and VPC flow logs to map inter-service dependencies. Export to a dependency matrix.
Cost baseline: Export 12 months of AWS Cost Explorer data. This becomes the benchmark for Azure cost projections.
Compliance inventory: Document all AWS Config rules, GuardDuty findings categories, and IAM policies that enforce compliance. These must be replicated in Azure.

Deliverable: Migration inventory spreadsheet with every workload, its dependencies, data volumes, compliance requirements, and migration complexity rating (1-5).

Weeks 3-4: Architecture Mapping and Azure Design

Objective: Design the target Azure architecture for each workload.

Activities:

Landing zone deployment: Deploy Azure Landing Zone using the Cloud Adoption Framework accelerator. This provides the management group hierarchy, networking hub, policy baseline, and logging infrastructure.

Bicep

// Landing zone - Hub VNet
resource hubVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-hub-westeurope'
  location: 'westeurope'
  properties: {
    addressSpace: { addressPrefixes: ['10.0.0.0/16'] }
    subnets: [
      {
        name: 'AzureFirewallSubnet'
        properties: { addressPrefix: '10.0.1.0/24' }
      }
      {
        name: 'GatewaySubnet'
        properties: { addressPrefix: '10.0.2.0/24' }
      }
      {
        name: 'snet-management'
        properties: { addressPrefix: '10.0.3.0/24' }
      }
    ]
  }
}

Workload architecture decisions: For each workload, decide the target Azure service based on the service mapping table. Document architectural changes required.
Network design: Map AWS VPC CIDR ranges to Azure VNet address spaces. Avoid overlaps with on-premises networks and the existing AWS environment (they will coexist during migration).
Cost projection: Use the Azure Pricing Calculator to estimate monthly costs for the target architecture. Compare against the AWS baseline.

Deliverable: Azure architecture document with VNet design, service selections, and cost projections per workload.

Weeks 5-6: Identity and Networking

Objective: Establish identity and network connectivity between AWS and Azure.

Activities:

Entra ID setup

Bash

# Create migration service principal
az ad sp create-for-rbac --name "sp-aws-migration" \
  --role "Contributor" \
  --scopes "/subscriptions/${SUBSCRIPTION_ID}"

# Configure conditional access baseline
az rest --method POST \
  --uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" \
  --body @conditional-access-baseline.json

IAM policy translation: This is the most complex step. AWS IAM and Azure RBAC are fundamentally different models.

AWS Concept	Azure Equivalent	Translation Complexity
IAM User	Entra ID User	Low (if using Entra ID already)
IAM Role	Managed Identity + RBAC	Medium (different trust model)
IAM Policy (inline)	Azure Role Assignment	High (different permission model)
SCP	Azure Policy	Medium (different enforcement)
Resource-based policy	Azure RBAC + Resource-level	High (Azure does not have resource policies)
AssumeRole	PIM / Managed Identity	Medium (different elevation model)

Network connectivity: Establish site-to-site VPN between AWS VPC and Azure VNet for the migration period.

Bicep

// VPN Gateway for AWS-Azure connectivity
resource vpnGateway 'Microsoft.Network/virtualNetworkGateways@2023-05-01' = {
  name: 'vpn-gw-hub'
  location: 'westeurope'
  properties: {
    gatewayType: 'Vpn'
    vpnType: 'RouteBased'
    sku: { name: 'VpnGw2', tier: 'VpnGw2' }
    ipConfigurations: [
      {
        name: 'default'
        properties: {
          publicIPAddress: { id: vpnPublicIp.id }
          subnet: { id: gatewaySubnet.id }
        }
      }
    ]
  }
}

DNS strategy: Plan DNS migration from Route 53 to Azure DNS. Lower TTLs on existing records to 60 seconds to prepare for cutover.

Deliverable: Identity mapping document, network connectivity verified, DNS migration plan.

Weeks 7-8: Data Migration

Objective: Migrate data stores from AWS to Azure with minimal downtime.

Activities:

Object storage migration (S3 to Blob)

Bash

# AzCopy for S3 to Azure Blob migration
azcopy copy \
  "https://s3.eu-central-1.amazonaws.com/my-bucket" \
  "https://mystorageaccount.blob.core.windows.net/my-container" \
  --s2s-preserve-access-tier=true \
  --recursive=true \
  --include-after "2026-01-01"

# Verify copy completeness
azcopy list "https://s3.eu-central-1.amazonaws.com/my-bucket" --running-tally > s3-inventory.txt
azcopy list "https://mystorageaccount.blob.core.windows.net/my-container" --running-tally > azure-inventory.txt
diff s3-inventory.txt azure-inventory.txt

Database migration

For SQL Server (RDS to Azure SQL):

Bash

# Azure Database Migration Service
az dms project task create \
  --resource-group rg-migration \
  --service-name dms-migration \
  --project-name rds-to-azure-sql \
  --task-name migrate-orders-db \
  --task-type MigrateSqlServerSqlDb \
  --source-connection-json @source-rds.json \
  --target-connection-json @target-azure-sql.json \
  --database-options-json @db-options.json

For PostgreSQL (RDS to Azure Database for PostgreSQL):

Bash

# Native logical replication for online migration
# On source (RDS PostgreSQL):
# ALTER SYSTEM SET wal_level = 'logical';
# CREATE PUBLICATION migration_pub FOR ALL TABLES;

# On target (Azure PostgreSQL Flexible Server):
# CREATE SUBSCRIPTION migration_sub
#   CONNECTION 'host=rds-endpoint port=5432 dbname=mydb'
#   PUBLICATION migration_pub;

Data validation: After migration, run checksums and row counts on every table. Validate application-level data integrity, not just technical replication success.

Deliverable: All data stores migrated and validated. Delta sync configured for ongoing changes until cutover.

Weeks 9-10: Application Migration

Objective: Deploy and test applications on Azure.

Activities:

Container workloads: Kubernetes manifests are mostly portable. Rebuild CI/CD pipelines to push to Azure Container Registry and deploy to AKS or Container Apps.
Serverless functions: Lambda functions must be rewritten for Azure Functions. The business logic is portable; the trigger configuration, input/output bindings, and runtime configuration are not.
Configuration update: Replace all AWS SDK calls, connection strings, and environment variables with Azure equivalents. This is tedious but critical.

Python

# Before (AWS)
import boto3
s3 = boto3.client('s3')
obj = s3.get_object(Bucket='my-bucket', Key='data.json')

# After (Azure)
from azure.storage.blob import BlobServiceClient
blob_service = BlobServiceClient.from_connection_string(os.environ['AZURE_STORAGE_CONNECTION'])
blob_client = blob_service.get_blob_client(container='my-container', blob='data.json')
data = blob_client.download_blob().readall()

Integration testing: Run full integration test suites against the Azure deployment. Focus on data paths, authentication flows, and cross-service communication.

Deliverable: All applications deployed to Azure staging environment. Integration tests passing.

Weeks 11-12: Validation and Cutover

Objective: Validate production readiness and execute the cutover.

Activities:

Performance testing: Run load tests against the Azure environment matching production traffic patterns. Compare latency, throughput, and error rates against AWS baselines.
Security validation: Run vulnerability scans. Verify Defender for Cloud recommendations are addressed. Confirm network security groups match the intended security posture.
Compliance validation: Map every AWS Config rule to its Azure Policy equivalent. Verify audit logs are flowing to Sentinel. Confirm compliance dashboard parity.
Cutover execution

Loading diagram...

Rollback plan: Maintain the AWS environment for 2-4 weeks after cutover. DNS can be reverted within 60 seconds (due to lowered TTL). Database failback requires the reverse sync to be active.

Deliverable: Production traffic serving from Azure. Monitoring confirms parity with AWS performance.

Post-Migration (Weeks 13-16)

Week 13-14: Optimise Azure configuration based on production metrics. Right-size VMs, adjust auto-scaling, enable Reserved Instances for stable workloads.
Week 15-16: Decommission AWS resources systematically. Verify no traffic is flowing to AWS. Delete resources, cancel Reserved Instances (or transfer), close the account.

Risk Mitigation

Risk	Probability	Impact	Mitigation
Data migration data loss	Low	Critical	Checksum validation, parallel-run period
Identity misconfiguration	Medium	High	Phased IAM migration, extensive testing
Performance regression	Medium	Medium	Load testing before cutover
Team skill gap	High	Medium	Training in weeks 1-4, Azure sandbox accounts
Timeline overrun	High	Medium	Buffer 4 weeks. Migrate in waves, not big-bang
Cost overrun (parallel running)	Medium	Low	Budget 2x infrastructure for weeks 9-14

Honest Assessment

Migrating between cloud providers is expensive, disruptive, and risky. A 12-week migration with 5 engineers represents approximately EUR 200,000-300,000 in effort (salaries, training, parallel infrastructure) plus 3 months of reduced delivery velocity.

This investment is justified when the long-term benefits (license savings, compliance posture, operational consolidation) exceed the migration cost within 18-24 months. If the payback period is longer, consider whether the migration is truly necessary or whether optimising your current AWS environment is the better investment.

If you need help planning or executing an AWS to Azure migration, building your landing zone, or training your team on Azure, contact us at mbrahim@conceptualise.de. We have guided European enterprises through this process and can help you avoid the pitfalls we have learned the hard way.

Migrating from AWS to Azure: A 12-Week Enterprise Playbook

Why Enterprises Migrate from AWS to Azure

AWS to Azure Service Mapping

Migration Phases Overview

Week-by-Week Playbook

Weeks 1-2: Discovery and Assessment

Weeks 3-4: Architecture Mapping and Azure Design

Weeks 5-6: Identity and Networking

Weeks 7-8: Data Migration

Weeks 9-10: Application Migration

Weeks 11-12: Validation and Cutover

Post-Migration (Weeks 13-16)

Risk Mitigation

Honest Assessment

Frequently Asked Questions

Need expert guidance?

Related articles

Vendor Lock-In Is a Spectrum, Not a Binary: A Pragmatic Assessment Framework

Azure Well-Architected Review: Why Every Enterprise Should Run One Annually

Sovereign Cloud on Azure: Data Residency, Encryption, and EU Compliance Patterns