The Lift-and-Shift Myth
"Just move it to Azure" sounds simple. The pitch from cloud vendors is seductive: lower infrastructure costs, elastic scale, built-in resilience. What the brochures don't mention is that cloud migration without preparation consistently results in higher costs, governance nightmares, and security gaps that take years to resolve.
The organisations that get Azure right share one characteristic: they sorted out the fundamentals before migration started. Everything else — the workload moves, the automation, the cost optimisation — builds on that foundation.
Phase 0: The Foundation Work
We call everything before workload migration "Phase 0." It's the work that most organisations skip in their eagerness to show progress. It's also the work that determines whether migration succeeds or fails.
Azure Landing Zone Design
Your Landing Zone is the governed environment that all workloads will inhabit. It defines networking topology, management groups, subscription hierarchy, and policy baselines. Built wrong, every subsequent workload inherits the debt.
Identity & Access Architecture
Hybrid identity (Azure AD Connect or Entra ID) must be planned before any workload moves. Role-Based Access Control (RBAC) hierarchies should be designed with the principle of least privilege — not retrofitted after migration.
Cost Management Framework
Azure Cost Management + Budgets + Alerts need to be configured before any resource is deployed. Tagging taxonomies must be decided upfront — retroactive tagging is painful and often incomplete.
Security Baseline (Microsoft Defender)
Enable Microsoft Defender for Cloud and configure your security posture baseline. Establish your Secure Score target. Deploy Azure Policy to enforce compliance automatically.
Network Topology Decision
Hub-and-spoke vs. Virtual WAN. ExpressRoute vs. Site-to-Site VPN vs. cloud-native networking. These decisions affect latency, security, and cost permanently — they are very difficult to change post-migration.
The Workload Assessment
Not every workload belongs in Azure. A cloud readiness assessment categorises workloads across four migration strategies — the "4 Rs" — allowing you to prioritise and sequence rationally:
The 4-R Migration Strategy Framework
Typically 30–40% of enterprise workloads can be Rehosted quickly; 15–25% should be Retired.
Governance: The Piece Everyone Ignores
Azure Policy and Management Groups are not post-migration concerns. They need to be designed as part of your Landing Zone so that compliance is enforced by default — not audited after the fact.
Define your tagging taxonomy before a single resource is deployed. Tags drive cost allocation, compliance reporting, and automation. Retroactive tagging is one of the most painful activities in cloud operations.
Key governance artifacts to produce before migration:
- Management Group hierarchy — Tenant Root → Platform → Landing Zones → Workloads
- Tagging policy — minimum mandatory tags: Environment, CostCentre, Owner, Project
- Budget alerts — per subscription, with escalating notification thresholds at 70%, 85%, 100%
- Azure Policy assignments — enforce encryption, geo-restrictions, resource lock policies
- RBAC role matrix — document who gets what at each scope level
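The tagging policy above can be both enforced and checked. The following is an added example, not KloudSync's or Microsoft's code: it builds an Azure Policy rule body that denies resources missing any of the four mandatory tags, and audits an inventory export for existing gaps. The resource IDs and tag values are constructed, and the inventory is assumed to have the shape of `az resource list -o json` output.

```python
import json

# Mandatory tags from the tagging policy listed above.
MANDATORY_TAGS = ("Environment", "CostCentre", "Owner", "Project")


def build_require_tags_policy(tags=MANDATORY_TAGS, effect="deny"):
    """Return a policy definition body that rejects resources missing any tag."""
    return {
        "mode": "Indexed",  # evaluate only resource types that support tags
        "policyRule": {
            "if": {"anyOf": [{"field": f"tags['{t}']", "exists": "false"} for t in tags]},
            "then": {"effect": effect},
        },
    }


def missing_tags(resource, tags=MANDATORY_TAGS):
    """Mandatory tags that are absent or blank. Azure tag names are case-insensitive.
    Stricter than the policy rule above, which only tests that the tag exists."""
    present = {k.lower(): (v or "").strip() for k, v in (resource.get("tags") or {}).items()}
    return [t for t in tags if not present.get(t.lower())]


def audit(inventory):
    """Map resource id -> list of missing tags, for non-compliant resources only."""
    report = {}
    for res in inventory:
        gaps = missing_tags(res)
        if gaps:
            report[res["id"]] = gaps
    return report


# Constructed sample inventory (placeholder subscription id and names).
SAMPLE_INVENTORY = json.loads("""[
  {"id": "/subscriptions/0000/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-web01",
   "tags": {"Environment": "Prod", "CostCentre": "CC-1042", "Owner": "platform-team", "Project": "web"}},
  {"id": "/subscriptions/0000/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stlogs01",
   "tags": {"environment": "Prod", "Owner": ""}},
  {"id": "/subscriptions/0000/resourceGroups/rg-lab/providers/Microsoft.Network/publicIPAddresses/pip-test",
   "tags": null}
]""")

if __name__ == "__main__":
    print(json.dumps(build_require_tags_policy(), indent=2))
    for rid, gaps in audit(SAMPLE_INVENTORY).items():
        print(f"{rid.rsplit('/', 1)[-1]}: missing {', '.join(gaps)}")
```

Assigning the rule with an `audit` effect first shows what a `deny` would block before it starts rejecting deployments.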
Security Baseline in Azure
Microsoft Defender for Cloud should be enabled as one of your first actions. It provides a Secure Score — a measurable benchmark of your security posture — and continuous recommendations prioritised by impact.
| Security Control | Azure Service | Priority |
|---|---|---|
| Threat detection | Microsoft Defender for Cloud | Day 1 |
| Identity protection | Microsoft Entra ID P2 + Conditional Access | Day 1 |
| Secret management | Azure Key Vault | Day 1 |
| Network security | Azure Firewall + NSGs + DDoS Protection | Week 1 |
| Log aggregation | Microsoft Sentinel + Log Analytics | Week 1 |
| Data encryption | Azure Disk Encryption + TDE + CMKs | Before workloads |
Controlling Cloud Cost from Day One
Cloud cost overruns are almost never caused by waste alone. They're caused by absence of visibility. The solution is instrumentation before spend:
- Enable Azure Cost Management + Billing immediately — it's free
- Set Budget Alerts at subscription level with email + action group notifications
- Use Azure Advisor recommendations weekly for right-sizing signals
- Purchase Azure Reservations for stable workloads after 30 days of baseline data
- Enable Azure Hybrid Benefit for Windows Server and SQL Server workloads
Don't purchase Reserved Instances on day one. Run workloads on Pay-As-You-Go for 30 days to establish accurate baseline consumption — then buy reservations. You'll save 25–40% on committed compute costs.
How KloudSync Approaches Azure Migration
Our certified Azure architects (AZ-303, AZ-304) have delivered Landing Zones and migrations across financial services, professional services, and healthcare sectors in Australia. We don't start with workload migration — we start with Phase 0.
Every KloudSync Azure engagement includes a formal Cloud Readiness Assessment that produces a scored inventory of your workloads, a recommended migration sequencing plan, and a governance blueprint — before a single resource is deployed in Azure.
Summary
Azure migration success is determined before migration starts. Invest in Landing Zone design, governance frameworks, security baselines, and identity architecture. Assess every workload using the 4-R framework. Instrument cost management on day one. Then migrate — in a sequence that builds on a solid foundation.