Listen to this Post
Introduction:
The cloud migration playbook has been rewritten. For years, enterprises agonized over the “big bang” approach—attempting to modernize applications during migration, which often led to paralysis, cost overruns, and failed projects. AXIS Capital took a different path: migrate first, modernize second. This pragmatic strategy involves lifting and shifting workloads to Azure Infrastructure-as-a-Service (IaaS) to establish a foundation, then systematically refactoring and re-platforming for cloud-1ative capabilities. The results were staggering—one analytics job that previously took 48 hours was reduced to approximately 90 minutes once it could scale on demand. This article explores the technical blueprint behind this transformation, providing actionable commands, configuration examples, and security considerations for IT professionals planning their own cloud journey.
Learning Objectives:
- Understand the “migrate first, modernize second” strategy and when to apply it versus alternative approaches
- Master Azure Migrate, Azure Site Recovery, and Infrastructure-as-Code tools for seamless workload migration
- Implement disaster recovery automation and confidential computing for financial services compliance
- Optimize analytics and AI workloads through Azure’s scalable compute and data services
- Apply security hardening and cost governance best practices across migrated environments
1. Azure Migrate: Assessment and Discovery at Scale
Before any migration, understanding your existing environment is critical. Azure Migrate provides a centralized hub to discover and assess on-premises servers, applications, and data. For AXIS Capital, this meant evaluating over 30 servers across their datacenter footprint.
Step‑by‑step guide:
Step 1: Deploy the Azure Migrate appliance
Download the Azure Migrate appliance OVA/VHD from the Azure portal and deploy it on your on-premises VMware vCenter or Hyper-V environment. This appliance continuously discovers server inventory, performance data, and application dependencies.
Step 2: Run discovery and dependency mapping
From the Azure Migrate appliance management console, initiate discovery For Windows servers, use the following PowerShell to install the dependency agent: $ErrorActionPreference = "Stop" $agentInstaller = "MicrosoftDependencyAgent.msi" Start-Process -FilePath msiexec -ArgumentList "/i $agentInstaller /quiet /norestart" -Wait
Step 3: Assess migration readiness
Navigate to Azure Migrate > Servers, databases, and web apps > Assessment. Create an assessment with the following parameters:
– Assessment type: Azure VM (IaaS) or Azure SQL
– Sizing criteria: Performance-based (recommended) or as-on-premises
– Comfort factor: 20–30% buffer for growth
– Pricing tier: Standard or Premium based on workload criticality
The assessment will generate readiness reports, cost estimates, and compatibility issues. For SQL Server instances, Azure Migrate automatically evaluates compatibility and recommends target Azure SQL configurations.
Step 4: Identify migration waves
Group servers by dependencies (using the dependency visualization) and prioritize migration waves. Start with non-critical workloads to build confidence, then move to production systems.
2. Azure Site Recovery: Zero‑Downtime Disaster Recovery Automation
AXIS Capital strengthened their disaster recovery posture significantly through Azure Site Recovery (ASR). ASR ensures business applications remain online during planned and unplanned outages.
Step‑by‑step guide:
Step 1: Create a Recovery Services Vault
Using Azure CLI az group create --1ame AXIS-DR-RG --location eastus az recovery-services vault create \ --resource-group AXIS-DR-RG \ --1ame AXIS-RecoveryVault \ --location eastus
Step 2: Configure replication for on-premises VMs
From the Azure portal, navigate to Recovery Services Vault > Site Recovery > Enable Replication. Select the source environment (VMware/Hyper-V/Physical) and target Azure region. Configure the following:
– Target resource group: Where replicated VMs will failover to
– Target virtual network: Azure VNet for DR environment
– Storage account: For replication data
– Replication policy: 15-minute recovery point objective (RPO) for critical workloads
Step 3: Automate failover with ARM templates
Deploy a Recovery Services vault using an Azure Resource Manager template:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.RecoveryServices/vaults",
"apiVersion": "2022-10-01",
"name": "AXIS-RecoveryVault",
"location": "eastus",
"sku": {
"name": "Standard"
},
"properties": {}
}
]
}
Step 4: Test failover regularly
Schedule monthly test failovers to validate RPO and recovery time objectives (RTO). Use isolated Azure networks for testing to avoid production impact.
3. Infrastructure‑as‑Code: Repeatable and Auditable Migrations
For enterprises migrating 30+ servers, manual provisioning is untenable. Infrastructure-as-Code (IaC) ensures consistency, repeatability, and auditability.
Step‑by‑step guide:
Step 1: Generate ARM templates from existing VMs
Using Azure Migrate, export VM configurations as ARM templates. This captures:
– VM size and SKU
– Operating system (Windows/Linux)
– Disk configurations (managed disks with SSD/HDD tiers)
– Network interface settings (NIC, private IP, NSG rules)
Step 2: Parameterize templates for reusability
Replace hard-coded values with parameters (e.g., vmName, adminUsername, vnetId):
"parameters": {
"vmName": {
"type": "string",
"metadata": { "description": "Name of the VM" }
},
"adminUsername": {
"type": "string"
}
}
Step 3: Deploy using Azure CLI
az deployment group create \ --resource-group AXIS-Production-RG \ --template-file vm-template.json \ --parameters @vm-parameters.json
Step 4: Integrate with CI/CD
Use Azure DevOps pipelines to automate infrastructure deployment. The `az deployment` commands can be embedded in YAML pipelines, enabling infrastructure changes to follow the same review and approval processes as application code.
4. Confidential Computing: Security for Financial Services Workloads
AXIS Capital adopted Azure Confidential Compute to protect critical workloads. For financial services handling sensitive data, this is not optional—it’s regulatory.
Step‑by‑step guide:
Step 1: Select confidential VM sizes
Choose from Azure’s DC-series (Intel SGX) or AMD SEV-SNP enabled VMs. These provide hardware-based memory encryption, isolating workloads from the hypervisor and even Microsoft administrators.
Step 2: Deploy a confidential VM
az vm create \ --resource-group AXIS-Confidential-RG \ --1ame ConfidentialVM01 \ --image UbuntuLTS \ --size Standard_DC2s_v2 \ --admin-username azureuser \ --generate-ssh-keys
Step 3: Configure attestation
Set up Azure Attestation to verify that your VM is running in a trusted execution environment. This is critical for compliance audits and regulatory reporting.
Step 4: Enforce data encryption at rest
All Azure managed disks are encrypted by default with Azure Storage Service Encryption (SSE). For additional protection, use customer-managed keys (CMK) stored in Azure Key Vault:
az keyvault create \ --1ame AXIS-KeyVault \ --resource-group AXIS-Security-RG \ --location eastus az vm encryption enable \ --resource-group AXIS-Confidential-RG \ --1ame ConfidentialVM01 \ --disk-encryption-keyvault AXIS-KeyVault
- Analytics and AI Optimization: From 48 Hours to 90 Minutes
The headline achievement of AXIS Capital’s migration was a 97% reduction in analytics job execution time. This was enabled by Azure’s elastic compute and data services.
Step‑by‑step guide:
Step 1: Migrate data to Azure SQL or Azure Synapse
Use Azure Database Migration Service for a simplified, near-zero-downtime migration. Assess compatibility first using Azure Migrate or SQL Server enabled by Azure Arc:
Install Azure Database Migration Service az extension add --1ame dms-preview Create a migration project az dms create \ --resource-group AXIS-Data-RG \ --1ame AXIS-DMS \ --location eastus \ --sku-1ame Premium_4vCores
Step 2: Scale compute on demand
Azure SQL Database and Azure Synapse Analytics support auto-scaling. Configure a serverless compute tier for unpredictable analytics workloads:
az sql server create \ --1ame axis-sql-server \ --resource-group AXIS-Data-RG \ --location eastus \ --admin-user azureadmin \ --admin-password <secure-password> az sql db create \ --resource-group AXIS-Data-RG \ --server axis-sql-server \ --1ame AnalyticsDB \ --edition GeneralPurpose \ --compute-model Serverless \ --family Gen5 \ --capacity 2
Step 3: Implement partitioning and indexing
For large datasets, implement table partitioning and columnstore indexes to dramatically improve query performance. A well-tuned Azure SQL database can process terabytes of data in minutes rather than hours.
Step 4: Leverage Azure AI services
Once the data foundation is in place, integrate Azure OpenAI and Azure Machine Learning. This enables predictive analytics, fraud detection, and automated reporting—turning raw data into actionable intelligence.
6. Cost Governance and FinOps in the Cloud
Shifting from CAPEX to OPEX is a strategic advantage, but without governance, cloud costs can spiral.
Step‑by‑step guide:
Step 1: Implement Azure Policy for compliance
Define policies to restrict VM sizes, enforce tags, and block non-compliant resources:
az policy definition create \ --1ame restrict-vm-sizes \ --rules policy-rules.json
Step 2: Set up budgets and alerts
az consumption budget create \ --budget-1ame AXIS-Monthly-Budget \ --amount 100000 \ --time-grain Monthly \ --time-period start=2026-01-01,end=2026-12-31 \ --category Cost
Step 3: Use Azure Cost Management + Billing
Regularly review the Azure Advisor recommendations for idle resources, resizing opportunities, and reserved instance purchases.
Step 4: Enable auto-shutdown for development environments
For non-production workloads, schedule auto-shutdown to eliminate waste:
az vm auto-shutdown --resource-group AXIS-Dev-RG --1ame DevVM01 --time 1900
7. Azure DevOps CI/CD: Automating Deployment Pipelines
Modernizing after migration means establishing continuous integration and continuous deployment (CI/CD) pipelines.
Step‑by‑step guide:
Step 1: Create an Azure DevOps project
Navigate to Azure DevOps and create a new project. Connect your repository (GitHub, Azure Repos, or Bitbucket).
Step 2: Build a YAML pipeline for infrastructure deployment
trigger: - main pool: vmImage: 'ubuntu-latest' steps: - task: AzureCLI@2 inputs: azureSubscription: 'AXIS-ServiceConnection' scriptType: 'bash' scriptLocation: 'inlineScript' inlineScript: | az deployment group create \ --resource-group AXIS-Production-RG \ --template-file main.bicep \ --parameters environment=prod
Step 3: Implement multi-stage pipelines
Separate development, staging, and production environments with approval gates. Use Azure DevTest Labs for safe testing before production deployment.
Step 4: Monitor deployments with Azure Monitor
Set up Application Insights and Log Analytics workspaces to track performance, detect anomalies, and receive alerts for critical metrics.
What Undercode Say:
- Key Takeaway 1: The “migrate first, modernize second” strategy is not a compromise—it’s a practical risk-management approach. By decoupling migration from modernization, AXIS Capital reduced complexity, accelerated timelines, and delivered tangible business value within months rather than years. This pattern is especially effective for organizations with legacy dependencies and compliance constraints.
-
Key Takeaway 2: Infrastructure-as-Code and automation are non-1egotiable at scale. Manually provisioning 30+ servers is error-prone and unsustainable. ARM templates, Azure CLI, and CI/CD pipelines ensure that every deployment is consistent, auditable, and repeatable—transforming IT from a cost center into a strategic enabler.
Analysis: What makes this case study compelling is the 97% performance improvement in analytics—not through application rewrite, but through elastic scaling. This demonstrates that the cloud’s true value lies not in “lift and shift” alone but in the optionality it provides. Once workloads are in Azure, teams can incrementally refactor, adopt serverless, and integrate AI services without disrupting core operations. The financial services industry, with its regulatory burden and legacy systems, often lags in cloud adoption. AXIS Capital’s success provides a replicable blueprint: assess thoroughly, migrate methodically, secure aggressively, and optimize continuously. The 10-month timeline from data center exit to production readiness is particularly noteworthy—it shows that enterprise-scale cloud transformation is achievable without multi-year engagements. For security teams, the adoption of Confidential Compute signals a maturing understanding that cloud can be more secure than on-premises when properly architected.
Prediction:
- +1 Financial services firms will increasingly adopt the “migrate first” strategy, compressing typical 3–5 year cloud roadmaps into 12–18 month execution windows as competitive pressure intensifies.
-
+1 The integration of Azure OpenAI and advanced analytics directly on migrated data lakes will become standard within 24 months, turning historical data into real-time decision engines for risk, fraud, and customer intelligence.
-
-1 Organizations that attempt to modernize during migration—without first establishing a stable IaaS foundation—will continue to experience project delays, cost overruns, and security gaps, reinforcing the pragmatic AXIS Capital approach as the industry best practice.
-
+1 Confidential computing will move from “nice-to-have” to “mandatory” for regulated industries, with Azure’s hardware-based TEEs becoming a differentiator for cloud providers serving financial, healthcare, and government sectors.
-
-1 The skills gap in Azure migration, IaC, and cloud security will widen, creating a talent bottleneck that may slow adoption for mid-sized enterprises—making partnerships with specialized providers like Noventiq increasingly critical.
▶️ Related Video (80% Match):
https://www.youtube.com/watch?v=30PdklJVdBc
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Mikeflannagan The – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
