Azure Migrate
Azure Migrate is a service that helps you decide, plan, and execute your
migration to Azure.
Azure Migrate helps you find the best migration path, assess Azure
readiness, estimate the cost, and migrate workloads to Azure with
minimal downtime and risk.
Azure Migrate provides support for servers, databases, web applications,
virtual desktops, and migration of large-scale offline data using Azure
Data Box.
Migration Phases
Decide
o Discovery - Discover servers, workloads, applications, inventory,
web applications, dependencies, and software installed.
o Business Case – Identify cost of migration, ROI, and savings
Plan
o Assessment - Azure readiness assessment, Azure target services,
migration strategy, estimated cost, right-sized SKUs, Azure
readiness and blockers.
o Dependency Analysis - Application, workload and network
dependencies
o Wave planning - plan migration into different phases based on
workload dependencies
Execute
o Replication
o Test Migration
o Migrate to target Azure services
Phase 1: Decide
The first step in your migration journey is to identify your workloads. This process
of identification is called Discovery. To discover the workloads, you can deploy a
lightweight appliance called the Azure Migrate appliance. The Azure Migrate
appliance is a virtual appliance that can be deployed on a server in your datacenters.
The appliance collects the configuration and performance data for your servers
and continually sends it to the Azure Migrate service.
After identifying your workloads, you can create a business case to decide
whether to migrate your on-premises workloads to Azure. A business case helps
you to estimate the cost and savings of moving to Azure. The business case
helps you to identify:
o Total cost of ownership (TCO)
o Year to year cash flow comparison
o Resource utilization
o Long term cost reduction by switching from CapEx to OpEx
Phase 2: Plan
After you make the decision to migrate to Azure, the next important phase of
migration is planning. To plan migration in detail, use Azure Migrate assessments
to find:
o Azure Readiness
o Right-sizing SKUs
o Azure Cost estimation
o Dependency Analysis
Phase 3: Execute
In the execution phase, you perform the migration or modernization of your
workloads to move to Azure. You can use the Azure Migrate service or partner
tools to migrate your servers, databases, web apps, or virtual desktops with
minimal downtime and risk.
You can migrate the following workloads by using the integrated Azure Migrate
and Modernize tool:
Workload - Details
o On-Premises VMware VMs - Migrate On-Premise VMs to Azure using Agent
based or Agentless migration. For Agentless migration, Azure Migrate and
Modernize tool uses the same appliance for discovery and assessment of
servers. For Agent based migration, Azure Migrate and Modernization tool
uses Replication Appliance.
o On-Premises Hyper-V VMs - The Azure Migrate and Modernize tool uses
provider agents installed on Hyper-V host for migration.
o On-Premises Physical servers or servers hosted on other clouds - The
Azure Migrate and Modernization tool uses Replication Appliance for the
migration of On-Premise Physical servers and other public cloud servers.
o Web Apps hosted on Windows in a VMware environment - Uses Agentless
migration of [Link] web apps to Azure App service and Azure Kubernetes
service by using Azure Migrate.
Benefits of Azure Migrate
Azure Migrate offers these benefits for your cloud migration journey:
o Unified migration platform
o Free Service
o Identify inventory of workloads
o Assess workloads
o Develop a plan for migration
o Migrate the resources and workloads using migration tools
o Discover, assess, migrate, and modernize servers, databases, web
applications, virtual desktops and large-scale offline data using Azure Data
Box
Prepare Azure accounts for Azure Migrate using built-in roles
Azure Migrate is a unified migration platform that lets customers discover,
assess, and migrate various workloads including servers, databases, and web
apps. A typical customer's migration journey includes three phases: the Decide
phase to discover the workloads, the Plan phase to assess the Azure readiness
of workloads and right-size the Azure targets, and the Execute phase to
migrate and modernize the workloads.
Using built-in roles enables you to enforce the principle of least privilege, grant
granular access, and ensure compliance with regulatory requirements. Assigning
built-in roles is recommended over granting broad Owner or Contributor access
to users at the subscription or resource group level.
Azure Migrate built-in roles are:
o Azure Migrate Owner: Grants full access to create and manage Azure
Migrate projects, including appliance or import-based discovery,
creation of business cases, assessment, and execution of migrations. It
also grants the ability to assign Azure Migrate specific roles in Azure
Role-Based Access Control (RBAC). The scope is the resource group or
subscription where the Azure Migrate project is created.
o Azure Migrate Decide and Plan Expert: Grants restricted access on an
Azure Migrate project to only perform planning operations, including
appliance or import-based discovery, managing inventory, identifying
server dependencies, and creation of business cases, applications, and
assessment reports. The scope is the resource group or subscription where
the Azure Migrate project is created.
o Azure Migrate Execute Expert: Grants restricted access on an Azure
Migrate project to only perform migration-related operations, including
replication, execution of test migrations, tracking and monitoring of
migration progress, and initiation of agentless and agent-based
migrations. The scope is the source resource group or subscription where
the Azure Migrate project is created, and the target resource group or
subscription that servers and workloads are migrated to.
Assigning Azure Migrate Owner Role
o Select the resource group where the Migrate project is created
o In the navigation menu, select Access control (IAM)
o Select Add > Add role assignment
o On the privileged administrator roles tab, select Azure Migrate Owner role.
o On the members tab, select the user or group.
o Select the preferred assignment type and duration. The recommended
approach is to choose eligible type and time-bound assignment duration.
o Select next and review + assign to complete the role assignment.
Assigning Azure Migrate Decide and Plan Expert and Execute Expert
Role
o Select the resource group where the Migrate project is set up.
o In the navigation menu, select Access control (IAM)
o Select Add > Add role assignment
o Select the role you want to assign. The Azure Migrate Decide and Plan
Expert role and Azure Migrate Execute Expert role appear under Job
function roles.
o After selecting the role, on the members tab, select the user or group.
o Select the preferred assignment type and duration. The recommended
approach is to choose eligible type and time-bound assignment duration.
o Select next and review + assign to complete the role assignment.
Check access and verify Role assignment
o From the resource group/subscription, select Access control (IAM) and view
my access.
o Verify if the role assignment is successful.
o To check access for a user or group, select check access. Enter the user or
group details and verify role assignment.
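A scripted counterpart to the Check access step, added here as an example (not Microsoft's code and not part of the original page): it reviews the role assignments that reach the project's resource group and flags Owner or Contributor grants, which the page recommends replacing with an Azure Migrate built-in role. The function name, the sample principals, the resource group names and the all-zero subscription ID are constructed; the input objects use the property names that Get-AzRoleAssignment returns.

```powershell
# Added example. Role names are the built-in roles listed on this page.
$MigrateRoles = @(
    'Azure Migrate Owner'
    'Azure Migrate Decide and Plan Expert'
    'Azure Migrate Execute Expert'
)
$BroadRoles = @('Owner', 'Contributor')

function Get-MigrateAccessFinding {
    # Hypothetical helper. $Assignment takes objects shaped like the output of
    # Get-AzRoleAssignment (DisplayName, ObjectType, RoleDefinitionName, Scope).
    param(
        [Parameter(Mandatory)] [object[]] $Assignment,
        [Parameter(Mandatory)] [string]   $ProjectScope   # resource ID of the project's resource group
    )

    $project = $ProjectScope.TrimEnd('/')
    foreach ($a in $Assignment) {
        $scope = ([string]$a.Scope).TrimEnd('/')

        # An assignment reaches the project when it sits on the project scope or on a
        # parent scope. Compare whole path segments so that 'rg-migrate' is not
        # confused with 'rg-migrate-archive'.
        $isSame   = $project -ieq $scope
        $isParent = $project.StartsWith("$scope/", [System.StringComparison]::OrdinalIgnoreCase)
        # Assumption: a management group scope in the input is an ancestor of the subscription.
        $isMgmtGroup = $scope -like '/providers/Microsoft.Management/managementGroups/*'
        if (-not ($isSame -or $isParent -or $isMgmtGroup)) { continue }

        if ($BroadRoles -contains $a.RoleDefinitionName) {
            $finding = 'Broad role: replace with an Azure Migrate built-in role'
        }
        elseif ($a.RoleDefinitionName -eq 'Azure Migrate Owner') {
            $finding = 'Privileged Azure Migrate role: confirm it is still required'
        }
        elseif ($MigrateRoles -contains $a.RoleDefinitionName) {
            $finding = 'Azure Migrate job function role'
        }
        else {
            $finding = 'Other role: outside the Azure Migrate roles'
        }

        [pscustomobject]@{
            Principal = $a.DisplayName
            Type      = $a.ObjectType
            Role      = $a.RoleDefinitionName
            Inherited = ($isParent -or $isMgmtGroup)
            Finding   = $finding
        }
    }
}

# Constructed sample data. For live data use: Get-AzRoleAssignment -ResourceGroupName <name>
$sub = '/subscriptions/00000000-0000-0000-0000-000000000000'
$rg  = "$sub/resourceGroups/rg-migrate"
$sample = @(
    [pscustomobject]@{ DisplayName = 'Migration lead';  ObjectType = 'User';  RoleDefinitionName = 'Azure Migrate Owner';                  Scope = $rg }
    [pscustomobject]@{ DisplayName = 'Assessment team'; ObjectType = 'Group'; RoleDefinitionName = 'Azure Migrate Decide and Plan Expert'; Scope = $rg }
    [pscustomobject]@{ DisplayName = 'Cutover team';    ObjectType = 'Group'; RoleDefinitionName = 'Azure Migrate Execute Expert';         Scope = $rg }
    [pscustomobject]@{ DisplayName = 'Ops contractor';  ObjectType = 'User';  RoleDefinitionName = 'Contributor';                          Scope = $sub }
    [pscustomobject]@{ DisplayName = 'Archive admins';  ObjectType = 'Group'; RoleDefinitionName = 'Owner';                                Scope = "$sub/resourceGroups/rg-migrate-archive" }
)

Get-MigrateAccessFinding -Assignment $sample -ProjectScope $rg | Format-Table -AutoSize
```

The assignment on rg-migrate-archive is skipped because it does not reach the project's resource group, while the subscription-level Contributor grant is reported as inherited.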
Remove access
o An Azure Migrate Owner can remove only Azure Migrate Decide and Plan
Expert and Azure Migrate Execute Expert role assignments. Subscription or
resource group owners can remove the Azure Migrate Owner role
assignment.
o Open Access control (IAM) at scope subscription or resource group.
o Select role assignments
o Select the role assignment that you would like to remove
o Select Delete to remove the role assignment.
Register Azure Resource Provider
To enable all Azure Migrate capabilities, you must register the required resource
providers at the subscription where the Azure Migrate project is created. The
Azure Migrate Owner and Azure Migrate Decide and Plan Expert roles have
permissions to automatically register resource providers if the role assignment is
done at the subscription scope. However, if these roles are assigned at the
resource group level, project key generation could fail if the resource provider
isn't already registered on the subscription. In such cases, the subscription owner
should manually register the listed resource providers as a prerequisite.
The required Resource Providers are:
o [Link]
o [Link]
o [Link]
o [Link]
o [Link]
o [Link]
o [Link]
o [Link]
o [Link]
Register resource provider
Before you use a resource provider, make sure your Azure subscription is
registered for the resource provider. Registration configures your subscription to
work with the resource provider.
Some resource providers are registered by default. When you take certain
actions, Azure automatically registers other resource providers. When you create
a resource in the Azure portal, the portal typically registers the resource provider
for you. When you deploy an Azure Resource Manager template or Bicep file,
Azure automatically registers the resource providers defined in the template.
Sometimes, a resource in the template requires supporting resources that aren't
in the template. Common examples are monitoring or security resources. You
need to register those resource providers manually.
You might need to manually register a resource provider during other scenarios.
o Sign in to the Azure portal.
o On the Azure portal menu, search for Subscriptions. Select it from the
available options.
o Select the subscription you want to view.
o On the left menu and under Settings, select Resource providers.
o Find the resource provider you want to register.
o Select the resource provider to see the details of the resource provider.
o Select the resource provider, and select Register. To maintain least
privileges in your subscription, only register the resource providers that
you're ready to use.
o Re-register a resource provider to use locations that you added since the
previous registration.
To see information for a particular resource provider:
o In the All services box, enter resource explorer, and select Resource
Explorer.
o Select the right arrow to expand Providers.
o Expand the resource provider and resource type that you want to view.
Create Azure Migrate Project
A project is used to store discovery, business case, assessment, and migration
metadata collected from the environment you're assessing or migrating. Within a
project, you can track discovered assets, create business cases, conduct
assessments, and orchestrate migrations to Azure.
Ensure you have the correct permissions to create a project using the following
steps:
o In the Azure portal, open the relevant subscription, and select Access
control (IAM).
o In Check access, find the relevant account, and select it and view
permissions. You should have Azure Migrate Owner or a role with higher
permissions.
Set up a new project in an Azure subscription.
1. In the Azure portal, search for Azure Migrate.
2. In Services, select Azure Migrate.
3. In Get started, select Discover, assess and migrate.
4. In Servers, databases and web apps, select Create project.
5. In Create project, select the Azure subscription and resource group. Create
a resource group if you don't have one.
6. In Project Details, specify the project name and the geography in which
you want to create the project. The region is only used to store the
metadata gathered from on-premises servers.
7. Select Create
Phase 1: Discover Inventory
Appliance based discovery
The appliance-based discovery method involves deploying a virtual appliance
that scans your environment to collect metadata about resources. This approach
is ideal for scenarios where detailed, automated, and continuous discovery are
required.
Import based discovery
Import-based discovery is a simpler and faster alternative, relying on manual
upload of inventory data in a structured format.
Arc-based discovery (preview)
If you have already Arc-enabled your servers and SQL Server instances, Arc-
based discovery provides a simple alternative that doesn't require any additional
on-premises deployments.
Discovery using Azure Migrate Appliance
The appliance can be deployed using a couple of methods:
o The appliance can be deployed using a template for servers running in
VMware or Hyper-V environment (OVA template for VMware or VHD for
Hyper-V).
o If you don't want to use a template, you can deploy the appliance for
VMware or Hyper-V environment using a PowerShell installer script.
o For physical or virtualized servers on-premises or any other cloud, you
always deploy the appliance using a PowerShell installer script.
Before you use the OVA/VHD/Zip file to deploy the appliance, verify that the
file is secure:
o On the server where you downloaded the file, open a Command Prompt
window by using the Run as administrator option.
o Run this command to create the hash for the OVA/VHD/Zip file:
C:\>CertUtil -HashFile <file_location> <hashing_algorithm>
For example: C:\>CertUtil -HashFile C:\Users\Administrator\Desktop\[Link] SHA256
o Compare the generated hash with the hash value published for the file you
downloaded. If the values don't match, don't deploy the file.
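The comparison that the CertUtil step leads up to, as an added PowerShell example (not from the original page or from Microsoft): it computes the file hash and compares it with the value published for the download. The function name and the demo file are constructed; in real use, $ExpectedHash is the hash published for your appliance version.

```powershell
# Added example: verify a downloaded appliance file against a published hash.
function Test-ApplianceFileHash {
    # Hypothetical helper name, not an Azure Migrate cmdlet.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedHash,
        [ValidateSet('SHA256', 'SHA384', 'SHA512')] [string] $Algorithm = 'SHA256'
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # Normalise the published value: copies from web pages or CertUtil output
    # may contain spaces or lower-case hex digits.
    $expected  = ($ExpectedHash -replace '\s', '').ToUpperInvariant()
    $hexLength = @{ SHA256 = 64; SHA384 = 96; SHA512 = 128 }[$Algorithm]
    if ($expected -notmatch ('^[0-9A-F]{' + $hexLength + '}$')) {
        # Catches a truncated paste or a hash of a different algorithm.
        throw "Expected value is not a $Algorithm hash ($hexLength hex characters)."
    }

    $actual = (Get-FileHash -LiteralPath $Path -Algorithm $Algorithm).Hash.ToUpperInvariant()

    [pscustomobject]@{
        Path      = $Path
        Algorithm = $Algorithm
        Expected  = $expected
        Actual    = $actual
        Match     = ($actual -ceq $expected)
    }
}

# Constructed demo: a temporary file stands in for the downloaded OVA/VHD/Zip, and
# its own hash stands in for the published value.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'appliance-demo.bin'
[System.IO.File]::WriteAllBytes($demo, [byte[]](1..32))
$published = (Get-FileHash -LiteralPath $demo -Algorithm SHA256).Hash

# File exactly as "published" (lower-case input is accepted).
Test-ApplianceFileHash -Path $demo -ExpectedHash $published.ToLower()

# Same file after bytes were appended, compared with the original published value.
Add-Content -LiteralPath $demo -Value 'tampered'
Test-ApplianceFileHash -Path $demo -ExpectedHash $published

Remove-Item -LiteralPath $demo
```

Deploy the template only when Match is True for the file you actually downloaded.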
The appliance has the following services:
o Appliance configuration manager: This is a web application, which can
be configured with source details to start the discovery and assessment of
servers.
o Discovery agent: The agent collects server configuration metadata,
which can be used to create as on-premises assessments.
o Assessment agent: The agent collects server performance metadata,
which can be used to create performance-based assessments.
o Auto update service: The service keeps all the agents running on the
appliance up-to-date. It automatically runs once every 24 hours.
o SQL discovery and assessment agent: Sends the configuration and
performance metadata of SQL Server instances and databases to Azure.
o DRA agent: Orchestrates server replication, and coordinates
communication between replicated servers and Azure. Used only when
replicating servers to Azure using agentless migration.
o Gateway: Sends replicated data to Azure. Used only when replicating
servers to Azure using agentless migration.
o Web apps discovery and assessment agent: sends the web apps
configuration data to Azure.
Discovery and collection process
The appliance communicates with the discovery sources using the following:
The VMware appliance communicates with the vCenter server on TCP port
443 by default. If the vCenter server listens on a different port, you can
configure it in the appliance configuration manager.
The Hyper-V appliance communicates with the Hyper-V hosts on WinRM
port 5986 (HTTPS) by default.
The Physical appliance communicates with Windows servers over WinRM
port 5986 (HTTPS) by default and with Linux servers over port 22 (TCP).
The appliance collects the metadata of servers running on vCenter
Server(s) using vSphere APIs by connecting on port 443 (default port) or
any other port each vCenter Server listens on.
The appliance collects the metadata of servers running on Hyper-V hosts
using a Common Information Model (CIM) session with hosts on port 5986.
The appliance collects metadata from Windows servers using Common
Information Model (CIM) session with servers on port 5986 and from Linux
servers using SSH connectivity on port 22.
The appliance sends the collected data to Azure Migrate: Discovery and
assessment over SSL port 443.
The appliance can connect to Azure over the internet or via ExpressRoute
private peering or Microsoft peering circuits.
Configuration metadata is collected and sent every 15 minutes.
Performance metadata is collected every 50 minutes to send a data point
to Azure.
Software inventory data is sent to Azure once every 24 hours.
Agentless dependency data is collected every 5 minutes, aggregated on
appliance and sent to Azure every 6 hours.
The SQL Server configuration data is updated once every 24 hours and the
performance data is captured every 30 seconds.
The web apps configuration data is updated once every 24 hours.
Performance data is not captured for web apps.
You can create assessments from the metadata collected by the appliance
using Azure Migrate: Discovery and assessment tool.
Register Azure Migrate appliance using a preconfigured Microsoft Entra
ID application
Registering the Azure Migrate appliance in Microsoft Entra ID is required because
the appliance acts as a trusted identity that connects your on-premises
environment to Azure. Without this trust, Azure cannot securely allow the
appliance to perform inventory, assessment, and migration operations.
Step 1: Create the App Registration
o Go to Microsoft Entra ID → App registrations → New registration
o Name: AzureMigrateAppliance
o Supported account type: Single tenant
o Redirect URI type: Web
o Redirect URI value:
[Link]
o Click Register
Step 2: Configure API Permissions
o Go to API Permissions → Add permission → APIs my organization uses
o Search and add.
o Click Grant admin consent for the permissions.
Step 3: Generate Client Secret
o Go to Certificates & Secrets
o Click New client secret
o Expiry: 12 months / 24 months
o Copy the Client Secret Value
Step 4: Open the Appliance Portal
o Log in to your Azure Migrate Appliance VM
o Open the appliance configuration page at: [Link]
o Select: "Use existing service principal"
Step 5: Enter the App Registration Values
Fill in the following:
o Application (Client) ID
o Directory (Tenant) ID
o Client Secret
Click Validate and Register.
Step 6: Validate Connectivity
o Azure Migrate Service Access
o Service Principal Authentication
o Network Outbound rules
o Metadata & Discovery
Once validation is successful, the appliance shows: "Appliance successfully
registered with Azure Migrate project."
Diagnose and solve issues with Azure Migrate appliance
The Diagnose and solve capability on Azure Migrate appliance helps users
identify and self-assess any issues with the appliance configuration that might be
blocking the initiation of discovery or issues with an ongoing Migrate operation
like discovery, assessment and replication from the appliance.
You can run Diagnose and solve at any time from the appliance configuration
manager to generate a diagnostics report. The report provides information about
the checks performed, their status, the issues identified, and recommendation
steps to solve the issues.
Diagnose and solve runs some prevalidations to check that the required
configuration files aren't missing or blocked by antivirus software on the
appliance, and then performs the following checks:
Pre-requisite checks - Connectivity checks, Time sync check, Auto
update check, VDDK check
Service health checks - Operational status, service endpoint
connectivity
Azure-specific checks – Microsoft Entra app availability, Migrate project
availability, Essential resources availability
Appliance-specific checks – Key vault certificate availability, Credential
store availability, Replication appliance, OS license availability, CPU &
Memory utilization
Running Diagnostic checks
1. Select Diagnose and solve from the ribbon at the top of the
configuration manager.
After selecting Diagnose and solve, the appliance automatically starts running
the diagnostic checks. This may take around 5 minutes to complete. You would
see the timestamp of the last diagnostics report, if you ran the checks before.
2. Once diagnostic checks are completed, you can either view the report in
another tab, where you can choose to save it in PDF format, or you can go
to the location C:\Users\Public\Desktop\DiagnosticsReport on the
appliance server, where the report is autosaved in HTML format.
3. The report provides information about the checks performed, their status,
the issues identified, and recommendation steps to solve the issues.
4. You can follow the remediation steps in the report to solve an issue. If
you're unable to resolve the issue, we recommend that you attach the
diagnostics report when creating a Microsoft support case to help
expedite the resolution.
Discover servers running in a VMware environment with Azure Migrate
As part of your migration journey to Azure, you discover your on-premises
inventory and workloads. You discover the servers that are running in your
VMware environment by using the Azure Migrate: Discovery and assessment
tool with a lightweight Azure Migrate appliance. You deploy the appliance as a
server running in your vCenter Server instance, to continuously discover servers
and their performance metadata, applications that are running on servers, server
dependencies, web apps, and SQL Server instances and databases.
Pre-Requisites
vCenter Server/ESXi host:
o You need a server running vCenter Server version 8.0, 7.0, 6.7, 6.5,
6.0, or 5.5.
o Servers must be hosted on an ESXi host running version 5.5 or later
o On the vCenter Server, allow inbound connections on TCP port 443
so that the appliance can collect configuration and performance
metadata.
o The appliance connects to vCenter Server on port 443 by default. If
the server running vCenter Server listens on a different port, you
can modify the port when you provide the vCenter Server details in
the appliance configuration manager.
o On the ESXi hosts, ensure that inbound access is allowed on TCP
port 443 for discovery of installed applications and for agentless
dependency analysis on servers.
Azure Migrate appliance
o vCenter Server must have these resources to allocate to a server
that hosts the Azure Migrate appliance: 32 GB of RAM, 8 vCPUs, and
approximately 80 GB of disk storage.
o An external virtual switch and internet access on the appliance
server, directly or via a proxy.
Servers
o All Windows and Linux OS versions are supported for discovery of
configuration and performance metadata.
o For application discovery on servers, all Windows and Linux OS
versions are supported.
o For discovery of installed applications and for agentless dependency
analysis, VMware Tools (version 10.2.1 or later) must be installed
and running on servers.
o Windows servers must have PowerShell version 2.0 or later
installed.
o For Linux servers, SSH key-based authentication supports discovery
of configuration and performance data, installed applications,
agentless dependency analysis, and workload discovery.
o To discover Linux servers using SSH key-based authentication, the
appliance needs a direct connection to the target servers.
SQL Server access
o To discover SQL Server instances and databases, the Windows
account, or SQL Server account requires these permissions for each
SQL Server instance.
o You can use the account provisioning utility to create custom
accounts or use any existing account that is a member of the
sysadmin server role for simplicity.
Step by Step Process of Discovering Servers in VMware environment
Prepare an Azure user account with required permission
Prepare VMware to create a Read-only account to access vCenter Server
Setup Azure Migrate Project. The Azure Migrate: Discovery and
assessment tool is added by default to the new project.
Set up the Azure Migrate appliance by deploying an OVA template that can
be downloaded from the project.
Provide an appliance name and generate a project key in the portal. The
project key is used for configuration of the Azure Migrate appliance and
creates Azure resources.
Download an OVA template file and then import it to vCenter Server. Verify
that the OVA is secure.
Create the appliance from the OVA file. Verify that the appliance can
connect to Azure Migrate.
Configure the appliance for the first time.
Register the appliance with the project by using the project key.
Import the downloaded file, and then create a server in the VMware
environment:
Verify appliance access to Azure using public or private endpoint network
connectivity
Open a browser on any computer that can connect to the appliance. Then,
open the URL of the appliance configuration manager: [Link]
name or IP address: 44368.
In the configuration manager, select Set up prerequisites, and then
complete these steps:
o Connectivity: The appliance checks that the server has internet
access.
o Time sync: Check that the time on the appliance is in sync with
internet time for discovery to work properly.
o Install updates and register appliance: To run auto-update and
register the appliance
o For the appliance to run auto-update, paste the project key that you
copied from the portal.
o The appliance will verify the key and start the auto-update service,
which updates all the services on the appliance to their latest
versions.
o When the auto-update has run, you can select View appliance
services to see the status and versions of the services running on
the appliance server.
o To register the appliance, you need to select Login. In Continue with
Azure Login, select Copy code & Login to copy the device code and
open an Azure sign in prompt in a new browser tab.
o In a new tab in your browser, paste the device code and sign in by
using your Azure username and password. Signing in with a PIN isn't
supported.
o After you successfully sign in, return to the browser tab that displays
the appliance configuration manager.
o After the appliance is successfully registered, to see the registration
details, select View details.
o Install the VDDK: The appliance checks if the VMware vSphere
Virtual Disk Development Kit (VDDK) is installed.
o The Migration and modernization tool uses the VDDK to replicate
servers during migration to Azure.
o You can rerun prerequisites at any time during appliance
configuration to check whether the appliance meets all the
prerequisites.
Start continuous discovery
Complete the setup steps in the appliance configuration manager to
prepare for and start discovery.
The appliance must connect to vCenter Server to discover the
configuration and performance data of the servers.
In Provide vCenter Server credentials, select Add credentials to enter a name
for the credentials. Add the username and password for the vCenter
Server account that the appliance will use to discover servers running on
vCenter Server.
In Provide vCenter Server details, select Add discovery source to add the IP
address or FQDN of a vCenter Server. You can leave the port as the default
(443) or specify a custom port on which vCenter Server listens.
You can add up to 10 vCenter Servers per appliance.
The appliance attempts to validate the connection to the vCenter
Server(s) added by using the credentials mapped to each vCenter Server.
You can revalidate the connectivity to the vCenter Server(s) any time
before starting discovery.
Provide server credentials to perform software inventory, agentless
dependency analysis, discovery of SQL Server instances and databases,
and discovery of web apps in your VMware environment. You can provide
multiple server credentials.
To check validation of the domain credentials: In the configuration
manager, in the credentials table, see the Validation status for domain
credentials. Only domain credentials are validated.
If validation fails, you can select a Failed status to see the validation error.
Fix the issue, and then select Revalidate credentials to reattempt
validation of the credentials.
Start discovery
To start vCenter Server discovery, select Start discovery. After the discovery is
successfully initiated, you can check the discovery status by looking at the
vCenter Server IP address or FQDN in the sources table.
How discovery works
It takes approximately 20-25 minutes for the discovery of servers across
10 vCenter Servers added to a single appliance.
Software inventory occurs once every 12 hours.
Software inventory identifies the SQL Server instances that are running on
the servers.
The SQL Server discovery is performed once every 24 hours.
Discovery of installed applications might take longer than 15 minutes. The
duration depends on the number of discovered servers.
For 500 servers, it takes approximately one hour for the discovered
inventory to appear in the Azure Migrate project in the portal.
Software inventory identifies web server role existing on discovered
servers. If a server is found to have web server role enabled, Azure
Migrate will perform web apps discovery on the server.
Web apps configuration data is updated once every 24 hours.
When the discovery of servers is finished, in the portal, you can enable
agentless dependency analysis on the servers. Only the servers on which
validation succeeds can be selected to enable agentless dependency
analysis.
Along with software inventory, pending updates for Windows and Linux
servers are gathered. No additional permissions are required for
identifying pending updates.
Web apps and SQL Server instances and databases data begin to appear
in the portal within 24 hours after you start discovery.
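By default, Azure Migrate uses the most secure way of connecting to SQL
instances; that is, Azure Migrate encrypts communication between the
Azure Migrate appliance and the source SQL Server instances by setting
the TrustServerCertificate property to true. With this setting the channel
is encrypted, but the client accepts the server certificate without
validating its certificate chain.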
View discovered data
Select the discovered servers count to review the discovered inventory. You can
filter the inventory by selecting the appliance name and selecting one or more
vCenter Servers from the Source filter.
Set discovery scope for servers in VMware vSphere environment
You can limit the scope of discovery for servers in VMware vSphere environment
when you are:
Discovering servers with the Azure Migrate appliance when you're using
the Azure Migrate: Discovery and assessment tool.
Discovering servers with the Azure Migrate appliance when you're using
the Migration and modernization tool, for agentless migration of servers
from VMware vSphere environment to Azure.
When you set up the appliance, it connects to vCenter Server and starts
discovery. Before you connect the appliance to vCenter Server, you can limit
discovery to vCenter Server datacenters, clusters, a folder of clusters, hosts, a
folder of hosts, or individual servers.
Support matrix for VMware discovery
To assess servers, first, create an Azure Migrate project. The Azure Migrate:
Discovery and assessment tool is automatically added to the project. Then,
deploy the Azure Migrate appliance. The appliance continuously discovers on-
premises servers and sends configuration and performance metadata to Azure.
When discovery is finished, gather the discovered servers into groups and run
assessments per group.
VMware Pre-Requisite Checks
vCenter Server - Supports vCenter 5.5 or later
Permissions - The Azure Migrate: Discovery and assessment tool requires
a vCenter Server read-only account.
Operating Systems - All Windows and Linux operating systems can be
assessed for migration.
Storage - Disks attached to SCSI, IDE, and SATA-based controllers are
supported
VMware Port access requirement
Azure Migrate Appliance
o Inbound connections on TCP port 3389 to allow remote desktop
connections to the appliance.
o Inbound connections on port 44368 to remotely access the
appliance management app by using the URL [Link]
or-name>:44368.
o Outbound connections on port 443 (HTTPS) to send discovery and
performance metadata to Azure Migrate and Modernize.
vCenter Server
o Inbound connections on TCP port 443 to allow the appliance to
collect configuration and performance metadata for assessments.
o The appliance connects to vCenter on port 443 by default. If
vCenter Server listens on a different port, you can modify the port
when you set up discovery.
ESXi Hosts
o For discovery of software inventory or agentless dependency
analysis, the appliance connects to ESXi hosts on TCP port 443 to
discover software inventory and dependencies on the servers.
Software Inventory Requirements
Supported Servers - You can perform software inventory on up to
10,000 servers running across vCenter Servers added to each Azure
Migrate appliance.
Operating System - Servers running all Windows and Linux versions are
supported.
Server requirements
o For software inventory, VMware Tools must be installed and running
on your servers. The VMware Tools version must be version 10.2.1
or later.
o Windows servers must have PowerShell version 2.0 or later
installed.
o Windows Management Instrumentation (WMI) must be enabled and
available on Windows servers to gather the details of the roles and
features installed on the servers.
vCenter Server account - To interact with the servers for software
inventory, the vCenter Server read-only account used for assessment
must have privileges for guest operations on VMware VMs.
Server access
o You can add multiple domains and nondomain (Windows/Linux)
credentials in the appliance configuration manager for software
inventory.
o You must have a guest user account for Windows servers and a
standard user account (non-sudo access) for all Linux servers.
Port access
o The Azure Migrate appliance must be able to connect to TCP port
443 on ESXi hosts running servers on which you want to perform
software inventory.
o If you use domain credentials, the Azure Migrate appliance must be
able to connect to the following TCP and UDP ports:
TCP 135 – RPC Endpoint
TCP 389 – LDAP
TCP 636 – LDAP SSL
TCP 445 – SMB
TCP/UDP 88 – Kerberos authentication
TCP/UDP 464 – Kerberos change operations
Discovery
o Software inventory is performed from vCenter Server by using
VMware Tools installed on the servers.
o The appliance gathers the information about the software inventory
from the server running vCenter Server through vSphere APIs.
o Software inventory is agentless. No agent is installed on the server,
and the appliance doesn't connect directly to the servers.
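The port requirements above can be checked against a proposed set of firewall allow-rules before the appliance is deployed. The following is an added example, not part of the original notes or of any Microsoft tooling; the zone names (admin, appliance, azure, vcenter, esxi, domain, servers), the rule format and the sample rules are assumptions constructed for illustration.

```python
# Added example: audit firewall allow-rules against this page's port matrix.
# Zone names, the rule dict format and SAMPLE_RULES are constructed assumptions.

# (source zone, destination zone, protocol, port) flows the page lists as required.
REQUIRED = {
    ("admin", "appliance", "tcp", 3389),    # remote desktop to the appliance
    ("admin", "appliance", "tcp", 44368),   # appliance management app
    ("appliance", "azure", "tcp", 443),     # discovery/performance metadata upload
    ("appliance", "vcenter", "tcp", 443),   # default; change if vCenter uses another port
    ("appliance", "esxi", "tcp", 443),      # software inventory, dependency analysis
}
# Needed only with domain credentials. The page lists the ports but not the
# destination, so the "domain" zone is an assumption.
DOMAIN = {("appliance", "domain", "tcp", p) for p in (135, 389, 636, 445, 88, 464)}
DOMAIN |= {("appliance", "domain", "udp", p) for p in (88, 464)}

SAMPLE_RULES = [  # constructed sample input
    {"name": "rdp-mgmt", "src": "admin", "dst": "appliance", "proto": "tcp", "ports": (3389, 3389)},
    {"name": "mgmt-app", "src": "any", "dst": "appliance", "proto": "tcp", "ports": (44368, 44368)},
    {"name": "to-azure", "src": "appliance", "dst": "azure", "proto": "tcp", "ports": (443, 443)},
    {"name": "to-vcenter", "src": "appliance", "dst": "vcenter", "proto": "tcp", "ports": (1, 65535)},
    {"name": "to-guests", "src": "appliance", "dst": "servers", "proto": "tcp", "ports": (22, 22)},
]

def covers(rule, flow):
    """True if an allow-rule permits the given (src, dst, proto, port) flow."""
    src, dst, proto, port = flow
    lo, hi = rule["ports"]
    return (rule["src"] in (src, "any") and rule["dst"] in (dst, "any")
            and rule["proto"] == proto and lo <= port <= hi)

def audit(rules, use_domain_creds=False):
    """Return (required flows no rule allows, names of broader-than-needed rules)."""
    needed = REQUIRED | (DOMAIN if use_domain_creds else set())
    missing = sorted(f for f in needed if not any(covers(r, f) for r in rules))
    excess = []
    for r in rules:
        lo, hi = r["ports"]
        used = sum(1 for f in needed if covers(r, f))
        # Flag wildcard zones, and port ranges wider than the flows they serve.
        if "any" in (r["src"], r["dst"]) or (hi - lo + 1) > used:
            excess.append(r["name"])
    return missing, excess

if __name__ == "__main__":
    missing, excess = audit(SAMPLE_RULES)
    print("missing:", missing)
    print("review: ", excess)
```

The direct rule to guest servers is flagged because software inventory is agentless and runs through vCenter Server and VMware Tools, so the appliance needs no path to the servers themselves for it.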
SQL Server instance and database discovery requirements
The appliance attempts to connect to the respective SQL Server instances
through the Windows authentication or SQL Server authentication credentials
provided in the appliance configuration manager. After the
appliance is connected, it gathers configuration and performance data for SQL
Server instances and databases. The appliance updates the SQL Server
configuration data once every 24 hours and captures the performance data
every 30 seconds.
Supported servers
o Supported only for servers running SQL Server in your VMware,
Microsoft Hyper-V, and physical/bare-metal environments and
infrastructure as a service (IaaS) servers of other public clouds,
such as Amazon Web Services (AWS) and Google Cloud Platform
(GCP).
o You can discover up to 750 SQL Server instances or 15,000 SQL
databases, whichever is less, from a single appliance. We
recommend that you ensure that an appliance is scoped to discover
fewer than 600 servers running SQL to avoid scaling issues.
Windows Servers - Windows Server 2008 and later are supported.
Linux servers - Currently not supported.
Authentication mechanism - Both Windows and SQL Server
authentication are supported. You can provide credentials of both
authentication types in the appliance configuration manager.
SQL server access - To discover SQL Server instances and databases,
the Windows/domain account or SQL Server account requires these
low-privilege read permissions for each SQL Server instance.
SQL server versions - SQL Server 2008 and later are supported.
SQL Server editions - Enterprise, Standard, Developer, and Express
editions are supported.
Supported SQL configuration - Discovery of standalone, highly
available, and disaster-protected SQL deployments is supported. Discovery
of high-availability disaster recovery SQL deployments powered by Always
On failover cluster Instances and Always On availability groups is also
supported.
Supported SQL services - Only SQL Server Database Engine is
supported. Discovery of SQL Server Reporting Services, SQL Server
Integration Services, and SQL Server Analysis Services isn't supported.
Web apps discovery requirements
If a server has a web server installed, Azure Migrate and Modernize discovers
web apps on the server.
You can add both domain and nondomain credentials on the appliance. Ensure
that the account used has local admin privileges on source servers. Azure
Migrate and Modernize automatically maps credentials to the respective servers,
so you don't have to map them manually. Most importantly, these credentials are
never sent to Microsoft and remain on the appliance running in the source
environment.
After the appliance is connected, it gathers configuration data for ASP.NET web
apps (IIS web server) and Java web apps (Tomcat servers). Web apps
configuration data is updated once every 24 hours.
Support: ASP.NET web apps compared with Java web apps
Stack
o ASP.NET web apps: VMware, Hyper-V, and physical servers.
o Java web apps: VMware, Hyper-V, and physical servers.
Windows Servers
o ASP.NET web apps: Windows Server 2008 R2 and later are supported.
o Java web apps: Not supported.
Linux Servers
o ASP.NET web apps: Not supported.
o Java web apps: Ubuntu Linux 16.04/18.04/20.04, Debian 7/8, and Red Hat
Enterprise Linux 5/6/7.
Web Server versions
o ASP.NET web apps: IIS 7.5 and later.
o Java web apps: Tomcat 8 or later.
Protocol
o ASP.NET web apps: WinRM port 5985 (HTTP).
o Java web apps: SSH port 22 (TCP).
Required Privileges
o ASP.NET web apps: Local admin.
o Java web apps: Read (r) and Execute (x) permissions recursively on all
CATALINA_HOME directories.
Agentless Dependency analysis requirements
Dependency analysis helps you analyze the dependencies between the discovered
servers. You can easily visualize dependencies with a map view in an Azure
Migrate project. You can use dependencies to group related servers for migration
to Azure.
Supported servers - You can enable agentless dependency analysis on
up to 1,000 servers (across multiple vCenter Servers) discovered per
appliance.
Windows Servers – Windows Server 2008, 2008 R2, 2012, 2012 R2,
2016, 2019, 2022
Linux Servers - Red Hat Enterprise Linux, Ubuntu, Oracle Linux, SUSE
Linux, Debian, Alma Linux, Rocky Linux
Server requirements
o VMware Tools (10.2.1 and later) must be installed and running on
servers you want to analyze.
o Windows Servers have PowerShell version 2.0 or later.
o Linux Servers have Bash version 4.0 or later installed.
o WMI should be enabled and available on Windows servers.
vCenter server account - The read-only account used by Azure Migrate
and Modernize for assessment must have privileges for guest operations
on VMware VMs.
Windows server access - A user account (local or domain) with
administrator permissions on servers.
Linux Server access - A sudo user account with permissions to execute
ls and netstat commands.
Port access - The Azure Migrate appliance must be able to connect to
TCP port 443 on ESXi hosts running the servers that have dependencies
you want to discover.
Discovery methods - Dependency information between servers is gathered
by using VMware Tools installed on the server running vCenter Server.
Agent-based Dependency analysis requirements
Before deployment - You should have a project in place with the Azure
Migrate: Discovery and assessment tool added to the project. You deploy
dependency visualization after setting up an Azure Migrate appliance to
discover your on-premises servers.
Supported servers - Supported for all servers in your on-premises
environment.
Log Analytics
o Azure Migrate and Modernize uses the Service Map solution in Azure
Monitor logs for dependency visualization.
o You associate a new or existing Log Analytics workspace with a
project. You can't modify the workspace for a project after you add
the workspace.
o The workspace must be in the same subscription as the project.
o The workspace must be located in the East US, Southeast Asia, or
West Europe regions. Workspaces in other regions can't be
associated with a project.
o The workspace must be in a region in which Service Map is
supported. You can monitor Azure VMs in any region. The VMs
themselves aren't limited to the regions supported by the Log
Analytics workspace.
o In Log Analytics, the workspace associated with Azure Migrate is
tagged with the project key and project name.
Required agents
o On each server that you want to analyze, install the following
agents: Azure Monitor agent (AMA) and Dependency agent
o If on-premises servers aren't connected to the internet, download
and install the Log Analytics gateway on them.
Log Analytics Workspace
o The workspace must be in the same subscription as the project.
o Azure Migrate supports workspaces that are located in the East US,
Southeast Asia, and West Europe regions.
o The workspace must be in a region in which Service Map is
supported. You can monitor Azure VMs in any region. The VMs
themselves aren't limited to the regions supported by the Log
Analytics workspace.
o You can't modify the workspace for a project after you add the
workspace.
Cost
o The Service Map solution doesn't incur any charges for the first 180
days. The count starts from the day you associate the Log Analytics
workspace with the project.
o After 180 days, standard Log Analytics charges apply.
o Using any solution other than Service Map in the associated Log
Analytics workspace incurs standard charges for Log Analytics.
o When the project is deleted, the workspace isn't automatically
deleted. After you delete the project, Service Map usage isn't free.
Each node is charged according to the paid tier of the Log Analytics
workspace.
o If you have projects that you created before Azure Migrate general
availability (GA on February 28, 2018), you might incur other
Service Map charges. To ensure that you're charged only after 180
days, we recommend that you create a new project. Workspaces
that were created before GA are still chargeable.
Management
o When you register agents to the workspace, use the ID and key
provided by the project.
o You can use the Log Analytics workspace outside Azure Migrate and
Modernize.
o If you delete the associated project, the workspace isn't deleted
automatically. Delete it manually.
o Don't delete the workspace created by Azure Migrate and Modernize
unless you delete the project. If you do, the dependency
visualization functionality doesn't work as expected.
Internet Connectivity - If servers aren't connected to the internet, install
the Log Analytics gateway on the servers.
Limitations
Project Limits
o You can create multiple Azure Migrate projects in an Azure
subscription.
o You can discover and assess up to 35,000 servers in a VMware
environment in a single project. A project can include physical
servers and servers from a Hyper-V environment, up to the
assessment limits.
Discovery
o The Azure Migrate appliance can discover up to 10,000 servers
running across multiple vCenter Servers.
o The appliance supports adding multiple vCenter Servers. You can
add up to 10 vCenter Servers per appliance.
o The scale is also valid to assess discovered servers for Azure
VMware Solution (AVS).
o The same vCenter Server can be discovered by multiple appliances
within the same project, but it is not recommended to have the same
VM discovered by multiple appliances.
Assessment
o You can add up to 35,000 servers in a single group.
o You can assess up to 35,000 servers in a single assessment.
Import servers using RVTools XLSX (preview)
As part of your migration journey to Azure by using the Azure Migrate appliance,
you first discover servers, inventory, and workloads. However, for a quick
assessment before you deploy the appliance, you can import the servers by
using the RVTools XLSX file (preview).
Using an RVTools XLSX file:
o Helps to create a business case or assess the servers before you deploy
the appliance.
o Aids as an alternative when there's an organizational restriction to deploy
the Azure Migrate appliance.
o Is helpful when you can't share credentials that allow access to on-
premises servers.
o Is useful when security constraints prevent you from gathering and
sending data collected by the appliance to Azure.
Discover servers running on Hyper-V with Azure Migrate: Discovery and
assessment
Discover the servers that are running in your Hyper-V environment by using the
Azure Migrate: Discovery and assessment tool, which uses a lightweight Azure
Migrate appliance. You deploy the appliance as a server on a Hyper-V host to
continuously discover servers and their performance metadata, applications that
are running on servers, server dependencies, web apps, and SQL Server instances
and databases.
Set up an Azure account
Below are the pre-requisite checks for discovering servers in Hyper-V:
Hyper-V host
o Hyper-V hosts on which servers are located can be standalone, or in
a cluster.
o The host must be running Windows Server 2022, Windows Server
2019, or Windows Server 2016.
o Verify inbound connections are allowed on WinRM port 5985 (HTTP),
so that the appliance can connect to pull server metadata and
performance data, using a Common Information Model (CIM)
session.
Appliance deployment
o The Hyper-V host needs resources to allocate a server for the appliance:
16 GB of RAM, 8 vCPUs, and around 80 GB of disk storage.
o An external virtual switch, and internet access on the appliance,
directly or via a proxy.
Servers
o All Windows and Linux OS versions are supported for discovery of
configuration and performance metadata.
o For application discovery on servers, all Windows and Linux OS
versions are supported.
o For discovery of installed applications and for agentless dependency
analysis, Windows servers must have PowerShell version 2.0 or later
installed.
SQL Server access
o To discover SQL Server instances and databases, the Windows or
SQL Server account requires these permissions for each SQL Server
instance
To create an Azure Migrate project, the user must have the Azure Migrate Owner
role or a higher privileged role.
o Azure Migrate Owner: Grants full access to create and
manage Azure Migrate projects
o Azure Migrate Decide and Plan Expert: Grants restricted access
on an Azure Migrate project to only perform planning operations
o Azure Migrate Execute Expert: Grants restricted access on an
Azure Migrate project to only perform migration related operations