AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


Cloud atlas: how to accelerate application migrations to the cloud


It’s common for people to imagine that business applications can be beamed up, Star Trek style, into the cloud – the IT team just needs to press a few buttons and whoosh, the migration is done. If only it were that easy. In this post, I’m going to cover some of the obstacles that need to be overcome when migrating applications to the cloud.

In the first place, it’s important to note that there are some applications that should not, or cannot, be moved. Legacy applications may be difficult to virtualize, requiring significant development work before they can be migrated. Some applications may be sensitive to latency, so for performance reasons they should stay on-premise. Others may be governed by regulations which prohibit their moving outside of a given jurisdiction or geographic region. But in general, we’ve found through working with large enterprise organizations that around 85% of applications can potentially be migrated to the cloud.

Hand-drawing maps

But then there are multiple challenges which need to be addressed for the migration to be smooth and secure. First, the application’s existing network flows need to be mapped, so that you know how to restore the application’s connectivity post-migration. This is extremely hard to do in complex environments. There’s usually little to no up-to-date documentation, and attempting to understand the requirements and then painstakingly migrate and adjust every firewall rule, router ACL and cloud security group to the new environment manually is an extremely time-consuming and error-prone process. A single mistake can cause outages and compliance violations, and create holes in your security perimeter.

Just how long could this process take?  In our experience, an experienced consultant can manually map around one application per day, or five per week, depending on the number of network flows in the application, and the complexity.  This means a team of five consultants would take around a year to map 1,200 applications in a typical large enterprise.  If the organization does have good documentation of its applications, and an accurate configuration management database, it may be possible to cut this time by 50%.

But given the work and time involved – not to mention cost –  in mapping applications manually, some organizations may ask if they really need to do it before migration.  The answer is definitely yes, unless they plan to move only one or two applications in total – and can afford to manage without those applications for hours or days, in the likely event that a problem occurs and connectivity is disrupted.  Having comprehensive maps of all the applications you want to migrate is essential: this atlas of connectivity flows shows the way forward to smooth, secure cloud migrations.

Ready to move

With your atlas of existing connectivity maps, you’re ready to tackle the migration process itself. This can be done manually using the APIs and dashboards available on all cloud platforms, but it’s slow work, and it’s all too easy to make costly mistakes. Some cloud service providers offer native automation tools, but these often only address the cloud provider’s environment and they don’t provide visibility, automation or change management across your entire estate. Even some third-party cloud management tools which are capable of spanning multiple clouds will not necessarily cover your on-premise networks.

The most effective way to accelerate application migrations is with an automation solution that supports both your existing on-premise firewall estate, and the new cloud security controls, and can accurately define the flows needed in the new environment based on your atlas of existing connectivity flows, as well as the security and compliance needs of the new environment.

You can then use the solution to navigate through the actual migration process to the cloud, automatically generating the hundreds of security policy change requests that are needed across on-premise firewalls and cloud security controls.  This dramatically simplifies a process that is extremely complex, drawn-out and risky, if attempted manually.

After the applications have been migrated, the automation solution should be used to provide unified security policy management for the entire enterprise environment, from a single console.

While there isn’t yet a method for beaming applications up instantly into the cloud, automation makes the process both fast and relatively pain-free by eliminating time-sapping, error-prone manual processes, such as connectivity discovery and mapping, during the migration itself, and in ongoing management.  Automation helps organizations to boldly go where they haven’t easily been able to go before.

If you want to hear more, check out my recent webinar on migrating application connectivity to the cloud.

 
