Choose the right Azure hosting option
This article provides considerations and comparisons between the multiple choices you have in Azure when migrating your existing .NET Framework applications from on-premises to Azure.
The fundamental areas to consider when migrating existing .NET applications to Azure are:
- Compute choices
- Database choices
- Networking and security considerations
- Authentication and authorization considerations
When migrating existing .NET Framework applications to Azure you have multiple choices. However, since .NET Framework depends on Windows, the following choices are limited to Windows-based compute services.
The following table shows several comparisons and recommendations to help you choose the right compute migration path for your existing .NET application.
|Azure VMs||Azure App Service||Windows Containers|
|When to use||
||App has no dependencies on the server, it is just a clean ASP.NET web app (MVC, WebForm) or N-Tier app (Web API, WCf) accessing a database server.||
|Pros & benefits||
||Ongoing PaaS maintenance, simplest way to manage and scale apps in Azure.||
|Cons||It is IaaS. Maintenance is costly. You have to manage the VM's infrastructure about networking, load-balancer, scale-out, IIS management, and so on.||
|Requirements||Windows Server VM with the same requirements than the app for on-premises||Azure App Service requirements specified in Readiness checks.||
|How to migrate||See Migrate to Azure Virtual Machines||See Migrate Azure App Service||Follow considerations, scenarios, and walkthroughs explained in the Modernizing existing .NET apps with Azure and Windows Containers eBook|
The following flowchart diagram shows a decision tree when planning a migration to Azure for your existing .NET Framework applications. If it's viable, try option A first, but option B is the easiest path to perform.
When migrating relational databases to Azure you have multiple choices. See Migrate your SQL Server database to Azure to help you choose the right database migration path for your existing .NET application.
Networking and security considerations
When deploying applications to a public cloud like Microsoft Azure, you might want to isolate and secure certain networks by creating network DMZs, such as a DMZ between Azure and on-premises or a DMZ between Azure and the Internet. DMZs can be implemented with Azure Virtual Network.
Azure Virtual networks enable you to:
- Build a hybrid infrastructure that you control
- Bring your own IP addresses and DNS servers
- Secure your connections with an IPsec VPN or ExpressRoute
- Get granular control over traffic between subnets
- Create sophisticated network topologies using virtual appliances
- Get an isolated and highly secure environment for your applications
To get started building your own virtual network, see the Azure Virtual Network documentation.
Authentication and authorization considerations when migrating to Azure
A top concern of any organization moving to the cloud is security. Most companies have invested a substantial amount of time, money, and engineering into designing and developing a security model, and it's important that they're able to leverage existing investments such as identity stores and single sign-on solutions.
Many existing enterprise B2E .NET applications running on-premises use Active Directory for authentication and identity management. Azure AD Connect enables you to integrate your on-premises directories with Azure Active Directory. To get started, see Integrate your on-premises directories with Azure Active Directory.
See Identity requirements for your hybrid identity solution for further planning related to Azure Active Directory.
Other authentication protocol choices are OAuth and OpenID, which are common in consumer-facing applications. When using autonomous identity databases, such as an ASP.NET Identity SQL database wrapped by IdentityServer4 using OAuth, no connectivity to on-premises databases or directories is usually required.