Azure Migrate Server Migration: Advanced Topics and Enhancements

Azure Migrate has matured significantly over the past few years. Beyond basic discovery, assessment, and replication, the platform now supports advanced scenarios like secure connectivity, automation, and hybrid environments.

In the previous article, we have discussed Azure Migrate in detail and how it works. If you have not read that article, please read that first before you read this article.

In this article, we explore some of the newer and deeper capabilities that complement the core server migration workflow.

---

1. Discovery Without the Azure Migrate Appliance – Using Azure Arc

Traditionally, the Azure Migrate appliance was the only way to discover on-premises machines and collect performance data for assessment. However, this model posed challenges in environments with:

• • • Strict security restrictions

    • Lack of outbound connectivity

    • Fragmented infrastructure across multiple locations

With Azure Arc, you can now onboard machines into Azure using the Connected Machine Agent, and then perform server assessment without deploying a migration appliance.

Key Benefits:

• • • No need to open firewall ports or deploy additional VMs

    • Ideal for distributed and remote locations

    • Supports both Windows and Linux VMs

    • Connects to Azure Monitor, Policy, and Defender post-assessment

Limitations:

• • • Replication and migration still require an appliance

    • Not supported for dependency visualization at the time of writing

📘 How to assess Arc-enabled servers

---

2. Using Private Endpoints with the Azure Migrate Appliance

In earlier versions, the Azure Migrate appliance communicated with Azure services (Migrate, Key Vault, Log Analytics) over the public internet, even when using ExpressRoute.

Now, you can configure Private Endpoints, allowing the appliance to securely communicate with:

• • • Azure Migrate project metadata service

    • Log Analytics Workspace

    • Key Vault used during replication

This aligns with zero-trust and defense-in-depth architectures, and is ideal for customers with:

• • • Regulatory restrictions (e.g., healthcare, finance)

    • Enforced firewall/NVA routing

    • Private DNS zones and custom DNS requirements

Key Requirements:

• • • Must configure Private DNS zones or custom DNS resolution

    • Virtual network hosting the appliance must allow private endpoint access

📘 Configure appliance with private endpoints

---

3. Azure Monitor Agent (AMA) Replaces MMA

For years, Azure Migrate relied on the Microsoft Monitoring Agent (MMA) and the Dependency Agent to collect performance metrics and visualize dependencies.

As of 2024:

• • MMA is deprecated

  • New setups must use Azure Monitor Agent (AMA)

Why the change?

• • AMA is more efficient and supports centralized data collection rules (DCR)

  • Enables integration with multiple workspaces and modern telemetry scenarios

  • Reduces overhead on source machines

Dependency Agent Compatibility:

• • Works alongside AMA for dependency visualization

  • Still required to gather TCP port-level flows and app-level traffic

Recommendation: Update all documentation, processes, and automation scripts to install AMA instead of MMA.

📘 Azure Monitor agent overview

---

4. Encrypted Disks – Platform vs Customer-Managed Keys

Azure Migrate now handles encryption-at-rest with platform-managed keys (PMK) seamlessly. These are the default encryption mechanisms for disks in Azure.

However, migrating customer-managed key (CMK) encrypted disks (especially from VMware) still has some caveats.

Current Support Matrix:

Recommendation: Avoid encrypting source disks with CMK pre-migration. If CMK is required post-migration, enable it after the VM lands in Azure.

📘 Migrate VMware VMs with CMK disks

---

5. Automating Migrations Using Azure Migrate REST APIs

For large-scale or repetitive migrations, using the Azure portal becomes inefficient. Azure Migrate now supports a wide set of REST APIs that can:

• • Register and configure appliances

  • Trigger machine discovery

  • Create assessments programmatically

  • Enable replication and initiate cutover

  • Monitor migration progress and status

Where to Use It:

• • Azure DevOps Pipelines (Infrastructure-as-Code driven migration)

  • GitHub Actions (event-driven modernization workflows)

  • Scheduled task runners for bulk migration batches

Bonus Tip: Use Azure Resource Graph or Tags to dynamically fetch servers ready for migration in automated flows.

📘 Azure Migrate REST API Reference

---

6. Post-Migration Optimization: Tagging, Policy, and Monitoring

A successful server migration doesn’t end with cutover. It should be followed by optimization and governance.

What You Should Do:

• • Tag all migrated resources with details like app name, owner, and migration date

  • Enable Defender for Cloud, Azure Policy, and cost alerts

  • Review NSGs and IP configurations to align with Azure security best practices

  • Optimize disk SKUs or VM sizes after observing workloads for 1–2 weeks

  • Clean up migration-related temporary resources, such as replication storage accounts

Post-Migration Tools:

• • Azure Advisor (cost and performance recommendations)

  • Azure Monitor (for threshold-based alerting)

  • Azure Arc (to onboard hybrid workloads not migrated)

---

✅ Conclusion

Azure Migrate’s server migration capabilities now go far beyond simple VM lift-and-shift.
From supporting hybrid discovery via Arc to secure appliance connectivity via private endpoints, and full REST API automation — Azure Migrate is enterprise-ready.

If your environment is heavily regulated, hybrid, or automation-driven, these advanced topics can help you build a highly scalable, secure, and repeatable migration factory.