Choose the right Azure hosting option

This article provides considerations and comparisons between the multiple choices you have in Azure when migrating your existing .NET Framework applications from on-premises to Azure.

The fundamental areas to consider when migrating existing .NET applications to Azure are:

  1. Compute choices
  2. Database choices
  3. Networking and security considerations
  4. Authentication and authorization considerations

Compute choices

When migrating existing .NET Framework applications to Azure you have multiple choices. However, since .NET Framework depends on Windows, the following choices are limited to Windows-based compute services.

The following table shows several comparisons and recommendations to help you choose the right compute migration path for your existing .NET application.

Azure VMs Azure App Service Windows Containers
When to use
  • Application has strong dependencies on the server and local .msi installations.
  • You want the easiest application migration path
App has no dependencies on the server, it is just a clean ASP.NET web app (MVC, WebForm) or N-Tier app (Web API, WCf) accessing a database server.
  • Application has dependencies on the original server but those dependencies can be included in the Docker Windows image.
  • Want to modernize the app so it is Cloud DevOps-Ready
Pros & benefits
  • Easiest migration path
  • Familiar environment. Deployment environment is a VM, so it's similar to on-premises servers.
Ongoing PaaS maintenance, simplest way to manage and scale apps in Azure.
  • Prepared for the future, Cloud DevOps-Ready with dependencies included in the app's containers.
  • Almost no need to refactor .NET /C# code.
Cons It is IaaS. Maintenance is costly. You have to manage the VM's infrastructure about networking, load-balancer, scale-out, IIS management, and so on.
  • Not all apps are supported
  • Some apps might need to be refactored and even slightly rearchitected, so they support Azure App Service.
  • Docker's skills learning curve
  • Some code and app configuration settings changes
Requirements Windows Server VM with the same requirements than the app for on-premises Azure App Service requirements specified in Readiness checks.
How to migrate See Migrate to Azure Virtual Machines See Migrate Azure App Service Follow considerations, scenarios, and walkthroughs explained in the Modernizing existing .NET apps with Azure and Windows Containers eBook

The following flowchart diagram shows a decision tree when planning a migration to Azure for your existing .NET Framework applications. If it's viable, try option A first, but option B is the easiest path to perform.

Flowchart showing hosting decision tree

Database choices

When migrating relational databases to Azure you have multiple choices. See Migrate your SQL Server database to Azure to help you choose the right database migration path for your existing .NET application.

Networking and security considerations

When deploying applications to a public cloud like Microsoft Azure, you might want to isolate and secure certain networks by creating network DMZs, such as a DMZ between Azure and on-premises or a DMZ between Azure and the Internet. DMZs can be implemented with Azure Virtual Network.

Azure Virtual networks enable you to:

  • Build a hybrid infrastructure that you control
  • Bring your own IP addresses and DNS servers
  • Secure your connections with an IPsec VPN or ExpressRoute
  • Get granular control over traffic between subnets
  • Create sophisticated network topologies using virtual appliances
  • Get an isolated and highly secure environment for your applications

To get started building your own virtual network, see the Azure Virtual Network documentation.

Authentication and authorization considerations when migrating to Azure

A top concern of any organization moving to the cloud is security. Most companies have invested a substantial amount of time, money, and engineering into designing and developing a security model, and it's important that they're able to leverage existing investments such as identity stores and single sign-on solutions.

Many existing enterprise B2E .NET applications running on-premises use Active Directory for authentication and identity management. Azure AD Connect enables you to integrate your on-premises directories with Azure Active Directory. To get started, see Integrate your on-premises directories with Azure Active Directory.

See Identity requirements for your hybrid identity solution for further planning related to Azure Active Directory.

Other authentication protocol choices are OAuth and OpenID, which are common in consumer-facing applications. When using autonomous identity databases, such as an ASP.NET Identity SQL database wrapped by IdentityServer4 using OAuth, no connectivity to on-premises databases or directories is usually required.

Next steps