Migrate network resources to global Azure

Important

Since August 2018, we have not been accepting new customers or deploying any new features and services into the original Microsoft Cloud Germany locations.

Based on the evolution in customers’ needs, we recently launched two new datacenter regions in Germany, offering customer data residency, full connectivity to Microsoft’s global cloud network, as well as market competitive pricing.

Additionally, on Sept 30th, 2020, we announced that the Microsoft Cloud Germany would be closing on October 29th, 2021. More details are available here: https://www.microsoft.com/cloud-platform/germany-cloud-regions.

Take advantage of the breadth of functionality, enterprise-grade security, and comprehensive features available in our new German datacenter regions by migrating today.

Most networking services don't support migration from Azure Germany to global Azure. However, you can connect your networks in both cloud environments by using a site-to-site VPN.

Note

We recommend that you use the Azure Az PowerShell module to interact with Azure. See Install Azure PowerShell to get started. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.

The steps you take to set up a site-to-site VPN between clouds are similar to the steps you take to deploy a site-to-site VPN between your on-premises network and Azure. Define a gateway in both clouds, and then tell the VPNs how to communicate with each other. The article "Create a site-to-site connection in the Azure portal" describes the steps you complete to deploy a site-to-site VPN. Here's a summary of the steps:

  1. Define a virtual network.
  2. Define address space.
  3. Define subnets.
  4. Define a gateway subnet.
  5. Define a gateway for the virtual network.
  6. Define a gateway for the local network (your local VPN device).
  7. Configure a local VPN device.
  8. Build the connection.

To connect virtual networks between global Azure and Azure Germany:

  1. Complete steps 1-5 in the preceding procedure in global Azure.
  2. Complete steps 1-5 in Azure Germany.
  3. Complete step 6 in global Azure:
    • Enter the public IP address of the VPN gateway in Azure Germany.
  4. Complete step 6 in Azure Germany:
    • Enter the public IP address of the VPN gateway in global Azure.
  5. Skip step 7.
  6. Complete step 8.

Virtual networks

Migrating virtual networks from Azure Germany to global Azure isn't supported at this time. We recommend that you create new virtual networks in the target region and migrate resources into those virtual networks.

Network security groups

Migrating network security groups from Azure Germany to global Azure isn't supported at this time. We recommend that you create new network security groups in the target region and apply the network security group rules to the new application environment.

Get the current configuration of any network security group from the portal or by running the following PowerShell commands:

$nsg=Get-AzNetworkSecurityGroup -ResourceName <nsg-name> -ResourceGroupName <resourcegroupname>
Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg

ExpressRoute

Migrating an Azure ExpressRoute instance from Azure Germany to global Azure isn't supported at this time. We recommend that you create new ExpressRoute circuits and a new ExpressRoute gateway in global Azure.

VPN Gateway

Migrating an Azure VPN Gateway instance from Azure Germany to global Azure isn't supported at this time. We recommend that you create and configure a new instance of VPN Gateway in global Azure.

You can collect information about your current VPN Gateway configuration by using the portal or PowerShell. In PowerShell, use a set of cmdlets that begin with Get-AzVirtualNetworkGateway*.

Make sure that you update your on-premises configuration. Also, delete any existing rules for the old IP address ranges after you update your Azure network environment.

Application Gateway

Migrating an Azure Application Gateway instance from Azure Germany to global Azure isn't supported at this time. We recommend that you create and configure a new gateway in global Azure.

You can collect information about your current gateway configuration by using the portal or PowerShell. In PowerShell, use a set of cmdlets that begin with Get-AzApplicationGateway*.

DNS

To migrate your Azure DNS configuration from Azure Germany to global Azure, export the DNS zone file, and then import it under the new subscription. Currently, the only way to export the zone file is by using the Azure CLI.

After you sign in to your source subscription in Azure Germany, configure the Azure CLI to use Azure Resource Manager mode. Export the zone by running this command:

az network dns zone export -g <resource group> -n <zone name> -f <zone file name>

Example:

az network dns zone export -g "myresourcegroup" -n "contoso.com" -f "contoso.com.txt"

This command calls the Azure DNS service to export the zone contoso.com in the resource group myresourcegroup. The output is stored as a BIND-compatible zone file in contoso.com.txt in the current folder.

When the export is finished, delete the NS records from the zone file. New NS records are created for the new region and subscription.

Now, sign in to your target environment, create a new resource group (or select an existing one), and then import the zone file:

az network dns zone import -g <resource group> -n <zone name> -f <zone file name>

When the zone has been imported, you must validate the zone by running the following command:

az network dns record-set list -g <resource group> -z <zone name>

When validation is finished, contact your domain registrar and redelegate the NS records. To get NS record information, run this command:

az network dns record-set ns list -g <resource group> -z <zone name> --output json
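The "delete the NS records from the zone file" step can be scripted between the export and the import. The following is an added example, not part of the original article: it assumes that only the NS records owned by the zone apex should go, and that NS records delegating child zones must stay in the file. The function names and the sample zone are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Removes only the NS records owned
# by the zone apex; delegations for child zones are left in place.
# Usage: strip_apex_ns <zone-file|-> <zone-name>
strip_apex_ns() {
  awk -v zone="$2" '
    function fqdn(o) {            # resolve an owner name against the current $ORIGIN
      if (o == "@") return origin
      return (o ~ /\.$/) ? o : o "." origin
    }
    function track(line,   s) {   # follow ( ... ) so multi-line records stay intact
      s = line
      gsub(/"[^"]*"/, "", s)      # ignore quoted TXT data
      sub(/;.*/, "", s)           # ignore trailing comments
      depth += gsub(/\(/, "", s) - gsub(/\)/, "", s)
    }
    BEGIN { apex = tolower(zone) "."; origin = apex; owner = apex }
    depth > 0                    { track($0); print; next }
    /^[ \t]*;/ || /^[ \t]*$/     { print; next }
    /^\$ORIGIN/                  { origin = tolower($2); print; next }
    /^\$/                        { print; next }
    {
      i = 1
      if ($0 !~ /^[ \t]/) { owner = fqdn(tolower($1)); i = 2 }  # blank owner = previous owner
      while (i <= NF && ($i ~ /^([0-9]+[smhdwSMHDW]?)+$/ || toupper($i) == "IN")) i++
      if (toupper($i) == "NS" && owner == apex) next             # drop apex NS only
      track($0); print
    }
  ' "$1"
}

# Constructed sample in the general layout of a BIND zone file; all names are placeholders.
sample_zone() {
cat <<'EOF'
; constructed sample zone
$TTL 300
$ORIGIN contoso.com.
@ 3600 IN SOA ns1.old-cloud.example. hostmaster.contoso.com. (
        1 ; serial
        3600 300 2419200 300 )
  172800 IN NS ns1.old-cloud.example.
  172800 IN NS ns2.old-cloud.example.
www 3600 IN A 203.0.113.10
dev 3600 IN NS ns1.dev-hosting.example.
mail 3600 IN MX 10 mx.contoso.com.
contoso.com. 3600 IN NS ns3.legacy.example.
EOF
}

sample_zone | strip_apex_ns - contoso.com
```

Diff the cleaned file against the export before importing it, so that every removed line is one you expected to lose.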

Network Watcher

Migrating an Azure Network Watcher instance from Azure Germany to global Azure isn't supported at this time. We recommend that you create and configure a new Network Watcher instance in global Azure. Afterward, compare results between the old and new environments.

Traffic Manager

Azure Traffic Manager can help you complete a smooth migration. However, you can't migrate Traffic Manager profiles that you create in Azure Germany to global Azure. (During a migration, you migrate Traffic Manager endpoints to the target environment, so you need to update the Traffic Manager profile anyway.)

You can define additional endpoints in the target environment by using Traffic Manager while it's still running in the source environment. When Traffic Manager is running in the new environment, you can still define endpoints that you haven't yet migrated in the source environment. This scenario is known as the Blue-Green scenario. The scenario involves the following steps:

  1. Create a new Traffic Manager profile in global Azure.
  2. Define the endpoints in Azure Germany.
  3. Change your DNS CNAME record to the new Traffic Manager profile.
  4. Turn off the old Traffic Manager profile.
  5. Migrate and configure endpoints. For each endpoint in Azure Germany:
    1. Migrate the endpoint to global Azure.
    2. Change the Traffic Manager profile to use the new endpoint.

Load Balancer

Migrating an Azure Load Balancer instance from Azure Germany to global Azure isn't supported at this time. We recommend that you create and configure a new load balancer in global Azure.
