Best Practice of Hybrid Active Directory during Lift and Shift Migration.

Salman Aslam 1 Reputation point

Dear Azure Gurus,

I need to clarify the technical concerns below, as I am at the learning stage and building my skills by moving from on-premises infrastructure to Azure IaaS.

When doing a lift and shift of any workload, do we need to buy a new OS, or can we use the same one we have currently? I mean, do we need to re-install a new OS?

Can somebody please highlight the difference between Azure VPN Gateway and Azure Firewall, and how does the network traffic flow from Azure?

What's the best practice for Active Directory while moving a potential application to Azure with the help of lift and shift? How will the authentication happen? Do we need to consider Hybrid Active Directory?

I really appreciate your kind support, as I am working in a Solution Architect role.

Thank you,


  1. thgibard-MSFT 356 Reputation points

    Hello SalmanAslam-9424

    It seems a bit confusing. There are a lot of questions and not all of them seem to be connected (except that they can be part of one architecture).
    You're speaking about Hybrid Active Directory - we prefer to speak about "Hybrid Identity". In this setup your company will have an on-prem Active Directory (AD DS) that will be synchronized (with the AAD Connect tool) with the Azure Active Directory in your Microsoft cloud tenant. Then you will be able to assign licences and use SaaS services for all these "hybrid" accounts, depending on what you want to do.

    Then, you speak about workloads in Azure. So you will have some Azure subscriptions and you will create some VMs or other resources. You can do lift and shift (many tools or Azure solutions can help you do a lift and shift). If we're speaking about Windows Server VMs, you will probably not have much to do; keep in mind you will have to manage the network part: maybe the new IP address in Azure will not be the same as on-premises? Will there be an impact on what you're running on this server? Also, do not forget to install the Azure Agent if needed, to be sure you will be able to manage the VM you've moved. Consider looking at Azure Migrate, which will allow you to lift and shift at large scale. It's hopefully not needed to reinstall your OS, but maybe in some cases you will go with this option (it depends on your expectations and what is running on your VM).

    You speak about identity management when you're in a cloud scenario. In general, a company will create a private connection between the on-prem network and the network in Azure (we can use VPN S2S or a dedicated ExpressRoute). Depending on that, Azure becomes the extension of your on-premises datacenter and network, so you will be able to connect with your traditional on-prem credentials. For this example, nothing to do with Hybrid. But yes, it's also possible to have both possibilities with VMs in Azure: connection from standard on-prem accounts or with Azure Active Directory accounts (just a few setups to do).

    Azure VPN Gateway: need more context.
    Azure Firewall is the NVA (Network Virtual Appliance) proposed by Microsoft as an alternative to the classical ones: F5 BigIP, Citrix Netscaler, Palo Alto, etc. It's a powerful network platform but there are also some important differences: for example, Azure Firewall is a "platform", which means you don't need to deploy virtual machines or virtual appliances. It will automatically scale with your usage.

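To make the VPN Gateway / Azure Firewall distinction and the "Azure as an extension of the on-prem datacenter" flow concrete, here is an added Azure CLI script that is not part of the question or the answer above and is not Microsoft's own sample code. It builds a hub VNet with the two subnets Azure requires (GatewaySubnet for the VPN gateway, AzureFirewallSubnet for the firewall), a site-to-site VPN to an assumed on-premises edge, an Azure Firewall rule allowing only domain-controller traffic from the workload subnet, and the user-defined routes that force traffic through the firewall in both directions. Every name, address range, the on-premises public IP (203.0.113.10, from the TEST-NET-3 documentation range) and the resource group are constructed placeholders; `DRY_RUN=1` prints the plan instead of calling `az`.

```shell
#!/bin/sh
# Added example (not from the thread): hub network for a lift-and-shift landing zone.
# All names and address ranges below are assumed placeholders.
set -eu

RG="${RG:-rg-hub-example}"            # assumed resource group
LOC="${LOC:-westeurope}"
VNET="vnet-hub"
HUB_PREFIX="10.10.0.0/16"
WORKLOAD_SUBNET="snet-workload"
WORKLOAD_PREFIX="10.10.1.0/24"        # migrated VMs land here
GW_PREFIX="10.10.255.0/27"            # GatewaySubnet: the VPN gateway lives here
FW_PREFIX="10.10.254.0/26"            # AzureFirewallSubnet: fixed name, /26 minimum
ONPREM_PREFIX="192.168.0.0/16"        # assumed on-prem ranges (where the AD DCs are)
ONPREM_PUBLIC_IP="${ONPREM_PUBLIC_IP:-203.0.113.10}"   # placeholder edge IP

# run: execute the az command, or only print it when DRY_RUN is set,
# so the plan can be reviewed before any resource is created.
run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

create_hub_network() {
  run az group create --name "$RG" --location "$LOC" --output none
  run az network vnet create --resource-group "$RG" --name "$VNET" \
      --address-prefix "$HUB_PREFIX" \
      --subnet-name "$WORKLOAD_SUBNET" --subnet-prefix "$WORKLOAD_PREFIX" --output none
  # Both subnet names are mandated by Azure; the gateway and firewall refuse any other.
  run az network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
      --name GatewaySubnet --address-prefixes "$GW_PREFIX" --output none
  run az network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
      --name AzureFirewallSubnet --address-prefixes "$FW_PREFIX" --output none
}

# VPN Gateway: terminates the IPsec tunnel to the on-prem edge. It routes,
# it does not filter; that is the firewall's job.
create_vpn_gateway() {
  run az network public-ip create --resource-group "$RG" --name pip-vpngw \
      --sku Standard --allocation-method Static --output none
  run az network vnet-gateway create --resource-group "$RG" --name vpngw-hub \
      --vnet "$VNET" --public-ip-address pip-vpngw \
      --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1 --output none
  run az network local-gateway create --resource-group "$RG" --name lgw-onprem \
      --gateway-ip-address "$ONPREM_PUBLIC_IP" \
      --local-address-prefixes "$ONPREM_PREFIX" --output none
  # The pre-shared key comes from the environment; it is never hard-coded here.
  run az network vpn-connection create --resource-group "$RG" --name cn-hub-to-onprem \
      --vnet-gateway1 vpngw-hub --local-gateway2 lgw-onprem \
      --shared-key "${VPN_SHARED_KEY:?set VPN_SHARED_KEY}" --output none
}

# Azure Firewall: a managed, auto-scaling filtering platform; no NVA VM to patch.
create_firewall() {
  run az extension add --name azure-firewall --output none
  run az network public-ip create --resource-group "$RG" --name pip-azfw \
      --sku Standard --allocation-method Static --output none
  run az network firewall create --resource-group "$RG" --name azfw-hub \
      --location "$LOC" --output none
  run az network firewall ip-config create --resource-group "$RG" --firewall-name azfw-hub \
      --name fw-ipconfig --public-ip-address pip-azfw --vnet-name "$VNET" --output none
  # Least privilege: only the workload subnet may reach the on-prem DCs, and only on
  # a short list of AD ports (DNS, Kerberos, LDAP, SMB, kpasswd, LDAPS). A real DC
  # rule set also needs RPC (135) and the dynamic RPC range; extend it from Microsoft's
  # documented port list rather than opening "any".
  run az network firewall network-rule create --resource-group "$RG" --firewall-name azfw-hub \
      --collection-name rc-ad-auth --name allow-workload-to-dcs --priority 100 --action Allow \
      --protocols Tcp Udp --source-addresses "$WORKLOAD_PREFIX" \
      --destination-addresses "$ONPREM_PREFIX" \
      --destination-ports 53 88 389 445 464 636 --output none
}

# Private IP Azure assigned to the firewall; in DRY_RUN we return the first usable
# address of AzureFirewallSubnet (.4) as a placeholder.
firewall_private_ip() {
  if [ -n "${DRY_RUN:-}" ]; then echo "10.10.254.4"; return; fi
  az network firewall show --resource-group "$RG" --name azfw-hub \
     --query "ipConfigurations[0].privateIPAddress" --output tsv
}

# UDRs make the traffic actually pass the firewall. The gateway advertises
# ONPREM_PREFIX into the VNet, and that system route is more specific than
# 0.0.0.0/0, so a default route alone would let on-prem traffic bypass the firewall:
# an explicit route for ONPREM_PREFIX is required. The firewall is stateful, so the
# return path from the GatewaySubnet must also go through it. Never put 0.0.0.0/0
# on the GatewaySubnet; that breaks the gateway.
route_through_firewall() {
  fw_ip="$1"
  run az network route-table create --resource-group "$RG" --name rt-workload --output none
  run az network route-table route create --resource-group "$RG" --route-table-name rt-workload \
      --name default-via-fw --address-prefix 0.0.0.0/0 \
      --next-hop-type VirtualAppliance --next-hop-ip-address "$fw_ip" --output none
  run az network route-table route create --resource-group "$RG" --route-table-name rt-workload \
      --name onprem-via-fw --address-prefix "$ONPREM_PREFIX" \
      --next-hop-type VirtualAppliance --next-hop-ip-address "$fw_ip" --output none
  run az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
      --name "$WORKLOAD_SUBNET" --route-table rt-workload --output none
  run az network route-table create --resource-group "$RG" --name rt-gateway --output none
  run az network route-table route create --resource-group "$RG" --route-table-name rt-gateway \
      --name workload-via-fw --address-prefix "$WORKLOAD_PREFIX" \
      --next-hop-type VirtualAppliance --next-hop-ip-address "$fw_ip" --output none
  run az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
      --name GatewaySubnet --route-table rt-gateway --output none
}

main() {
  create_hub_network
  create_vpn_gateway            # gateway provisioning takes roughly 30-45 minutes
  create_firewall
  route_through_firewall "$(firewall_private_ip)"
}

# Usage:  DRY_RUN=1 VPN_SHARED_KEY=x sh hub.sh deploy   (print the plan)
#         VPN_SHARED_KEY='...' sh hub.sh deploy          (create the resources)
if [ "${1:-}" = "deploy" ]; then main; fi
```

The two resources answer different questions: the VPN gateway decides whether a packet can reach the on-premises network at all (it is the private path the answer describes for using on-prem credentials from Azure VMs), while the firewall decides which of those packets are allowed, and the route tables are what makes that ordering real. Reviewing the `DRY_RUN=1` output before deploying is a cheap way to catch a missing route or an over-broad rule.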