Healthsoft

AWS to Azure Migration Plan

Containerized Architecture with Cloudflare & GitHub Actions CI/CD
DRAFT - FOR REVIEW
Prepared: May 28, 2026

Executive Summary

This plan covers migration of the existing SpringBoot-Tomcat-Java application from AWS (EC2/RDS) to Azure on a containerized architecture (Azure Container Apps), replacement of AWS WAF and Route 53 with Cloudflare for edge security and DNS, and a GitHub Actions CI/CD pipeline.

Total Estimated Effort: 12-17 working days (sum of the six phase ranges below; the task-level estimates add up to 16.5d)
Phases: 6, sequential
Architecture: Containers on Azure Container Apps
Edge Security: Cloudflare (replaces AWS WAF)

Current AWS Architecture (As-Is)

Service                     | Details   | Remarks
----------------------------+-----------+-------------------------------------------------------
EC2                         | t3.small  | Hosts the API server (SpringBoot-Tomcat-Java)
Storage for API server      | 128 GB    | EBS volume
RDS - PostgreSQL            | t3.medium | Database service
Elastic Load Balancer (ALB) | -         | Routing rules to the API server
VPC                         | -         | 2 subnets (9 total), Internet Gateway x2, NAT Gateway x1
API Gateway                 | -         | VPC Link to ALB, HTTP/S (80/443)
Route 53                    | -         | DNS management
WAF with Web ACLs           | 18 rules  | Web Application Firewall
CloudWatch                  | -         | Monitoring & logging
KMS                         | -         | Key Management Service
Secrets Manager             | -         | Secrets storage
SNS                         | -         | Notifications
Certificate Manager         | -         | SSL/TLS certificates

Service Mapping: AWS → Azure

EC2 (t3.small) -> Azure Container Apps [CONTAINERIZED]
    Replaces the VM with a managed serverless container platform; ~2 vCPU / 4 GB RAM allocation.
RDS PostgreSQL (t3.medium) -> Azure Database for PostgreSQL - Flexible Server [EQUIVALENT]
    Burstable B2s tier (2 vCPU / 4 GB), same PostgreSQL engine. Burstable SKUs run on CPU credits; if the RDS instance sustains high CPU, a General Purpose SKU is the safer match.
ALB + API Gateway -> Container Apps ingress (built-in) [SIMPLIFIED]
    Container Apps has built-in HTTPS ingress with routing, so no separate ALB/API gateway is needed, provided API Gateway is used only for routing (see Q4).
Route 53 -> Cloudflare DNS [REPLACED]
    DNS managed in Cloudflare; Azure DNS optional as a backup zone.
AWS WAF (18 rules) -> Cloudflare WAF + DDoS [REPLACED]
    Cloudflare provides WAF (managed and custom rules), DDoS protection, rate limiting and bot protection at the edge. Full Bot Management is an Enterprise-plan feature; Pro/Business plans get Bot Fight Mode / Super Bot Fight Mode, so the customer's plan determines what Phase 4 can enable.
VPC + Subnets + NAT GW -> Azure VNet + subnets + NAT Gateway [EQUIVALENT]
    Container Apps Environment deployed into a custom VNet. NAT Gateway required for outbound internet access with a fixed egress IP (image pulls, external API calls).
CloudWatch -> Azure Monitor + Log Analytics [EQUIVALENT]
    Metrics, logs, alerts, dashboards.
KMS -> Azure Key Vault [EQUIVALENT]
    Encryption keys and secrets in one service.
Secrets Manager -> Azure Key Vault (Secrets) [MERGED]
    Key Vault handles both keys and secrets; the app reads them through its managed identity rather than a stored credential.
SNS -> Azure Monitor Action Groups [EQUIVALENT]
    Email/SMS/webhook notifications driven by alert rules.
Certificate Manager -> Cloudflare SSL (edge) + Key Vault certificates [REPLACED]
    Cloudflare terminates TLS at the edge with a free edge certificate. The origin still needs a certificate Cloudflare trusts (a Cloudflare Origin CA certificate, or the Container Apps managed certificate for the custom domain) for Full (strict) mode.
- (no equivalent) -> Azure Container Registry (ACR) [NEW]
    Private Docker image registry for storing and managing container images; required for the containerized deployment.
EBS (128 GB) -> Azure Files (only if persistent storage is needed) [LIKELY REMOVED]
    Containers are ephemeral; a mount is only needed if the app writes to disk (see Q2).

Proposed Azure Architecture

                           INTERNET
                               |
                      +--------+--------+
                      |   Cloudflare    |
                      |  DNS + WAF +    |
                      |  DDoS + SSL     |
                      +--------+--------+
                               | HTTPS (443)
+------------------------------+--------------+
| Azure Resource Group         |              |
|  +---------------------------+-----------+  |
|  | Azure VNet (10.0.0.0/16)  |           |  |
|  |  +------------------------+--------+  |  |
|  |  | Subnet: container-apps |        |  |  |
|  |  | Container Apps Env     |        |  |  |
|  |  |  +---------------------+---+    |  |  |
|  |  |  | SpringBoot API          |    |  |  |
|  |  |  | (Container App)         |    |  |  |
|  |  |  +---------------------+---+    |  |  |
|  |  |                        |        |  |  |
|  |  +------------------------+--------+  |  |
|  | 5432 / Private Endpoint   |           |  |
|  |  +------------------------+--------+  |  |
|  |  | Subnet: db             |        |  |  |
|  |  |  +---------------------+---+    |  |  |
|  |  |  | PostgreSQL Flexible     |    |  |  |
|  |  |  | Server                  |    |  |  |
|  |  |  +-------------------------+    |  |  |
|  |  +---------------------------------+  |  |
|  +---------------------------------------+  |
|                                             |
|  +------------------+ +------------------+  |
|  | Azure Key Vault  | | Azure Monitor    |  |
|  | (Secrets + Keys) | | + Log Analytics  |  |
|  +------------------+ +------------------+  |
+------------------------------+--------------+
                               ^
                               | az containerapp update
+------------------------------+--------------+
| GitHub Actions CI/CD                        |
| Build -> Test -> Push ACR -> Deploy         |
+---------------------------------------------+

Detailed Task Breakdown

Phase 1: Azure Infrastructure Setup
3 - 4 days
  • Create Azure Resource Group and set tagging policy 0.5d
  • Provision Azure VNet with subnets (container-apps-subnet, db-subnet, management-subnet) 0.5d
  • Configure NSG (Network Security Groups) rules for each subnet 0.5d
  • Set up NAT Gateway for outbound internet access from Container Apps VNet 0.25d
  • Provision Azure Container Apps Environment inside VNet 0.5d
  • Provision Azure Database for PostgreSQL Flexible Server (Burstable B2s, private access via VNet, no public endpoint) 0.5d
  • Configure PostgreSQL firewall rules, VNet integration, and SSL enforcement (require_secure_transport = on, so plaintext connections are refused) 0.25d
  • Set up Azure Key Vault for secrets and encryption keys (RBAC authorization model; access only via managed identities) 0.25d
  • Create Azure Container Registry (ACR) for Docker images (admin account disabled; push/pull through identities and role assignments) 0.25d
Phase 2: Application Containerization
2 - 3 days
  • Create Dockerfile for SpringBoot-Tomcat-Java application 0.5d
  • Externalize configuration (env vars, Key Vault references for DB creds, API keys) 0.5d
  • Build and test Docker image locally 0.25d
  • Push image to Azure Container Registry 0.25d
  • Deploy Container App with proper CPU/memory allocation, scaling rules, and health probes 0.5d
  • Configure Container App ingress (HTTPS, custom domain binding) 0.25d
  • Test application connectivity to PostgreSQL over private network 0.25d
  • Validate app functionality end-to-end in Azure 0.5d
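The Dockerfile step above is where most first-cut images go wrong: the process runs as root, credentials get baked into a layer, or the base image floats on a mutable tag. The script below is an added example written for this plan, not an artifact from Healthsoft's repository. It writes a hardened multi-stage Dockerfile, runs a small policy check over it, and builds and smoke-tests the image locally. It assumes a Maven build that produces an executable jar with embedded Tomcat on Java 17 listening on 8080; if the application is a WAR deployed onto a standalone Tomcat, the runtime stage changes. The image name, paths and the JDBC URL are placeholders.

```sh
#!/bin/sh
# Added example, not from the migration plan: generate a hardened Dockerfile for the
# Spring Boot API, check it against a few image-hygiene rules, then build and smoke-test.
# Assumptions: Maven build, executable jar with embedded Tomcat, Java 17, port 8080.
set -eu

IMAGE="${IMAGE:-healthsoftacr.azurecr.io/api:dev}"   # placeholder image name
DRY_RUN="${DRY_RUN:-1}"                                # 1 = print docker commands only

run() { if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi; }

# write_dockerfile DIR: multi-stage build so the JDK, Maven and sources never reach the
# runtime image; the runtime stage runs as a fixed non-root UID. Pin both FROM lines by
# digest (@sha256:...) in the committed file once the base images are chosen.
write_dockerfile() {
  cat > "$1/Dockerfile" <<'EOF'
# syntax=docker/dockerfile:1
FROM maven:3.9-eclipse-temurin-17 AS build
WORKDIR /src
COPY pom.xml .
RUN mvn -q -B dependency:go-offline
COPY src ./src
RUN mvn -q -B -DskipTests package

FROM eclipse-temurin:17-jre
RUN useradd --system --uid 10001 --no-create-home --shell /usr/sbin/nologin app
WORKDIR /app
COPY --from=build --chown=10001:0 /src/target/*.jar /app/app.jar
# No credentials here: DB URL/credentials arrive as Container App secrets (Key Vault refs).
ENV JAVA_TOOL_OPTIONS="-XX:MaxRAMPercentage=75"
USER 10001
EXPOSE 8080
ENTRYPOINT ["java", "-jar", "/app/app.jar"]
EOF
}

# check_dockerfile FILE: fail on the mistakes that most often ship in first-cut images:
# running as root, secrets baked in via ENV/ARG, and unpinned :latest base images.
check_dockerfile() {
  f="$1"; rc=0
  grep -q '^USER ' "$f" || { echo "FAIL: no USER instruction (runs as root)"; rc=1; }
  grep -Eq '^USER (root|0)( |:|$)' "$f" && { echo "FAIL: USER root"; rc=1; }
  grep -Eiq '^(ENV|ARG) .*(PASSWORD|SECRET|TOKEN|API_KEY)' "$f" && { echo "FAIL: secret-like value baked into the image"; rc=1; }
  grep -Eq '^FROM [^ ]+:latest( |$)' "$f" && { echo "FAIL: :latest base image"; rc=1; }
  return "$rc"
}

# build_and_smoke DIR: build, then run locally with a read-only root filesystem, a tmpfs
# for the JVM's /tmp, and all capabilities dropped; the JDBC URL is a placeholder.
build_and_smoke() {
  run docker build -t "$IMAGE" "$1"
  run docker run --rm -d --name api-smoke --read-only --tmpfs /tmp --cap-drop ALL \
    -p 8080:8080 -e SPRING_DATASOURCE_URL="${SPRING_DATASOURCE_URL:-jdbc:postgresql://localhost:5432/app}" "$IMAGE"
}

case "${1:-}" in
  write) write_dockerfile "${2:-.}" ;;
  check) check_dockerfile "${2:-Dockerfile}" ;;
  build) build_and_smoke "${2:-.}" ;;
  *) echo "usage: $0 write|check|build [dir|file]" ;;
esac
```

Run `check` in the PR-triggered build as well, so a later edit that adds `USER root` for a quick fix or an `ENV DB_PASSWORD=...` for local testing fails the pipeline rather than reaching ACR.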
Phase 3: GitHub Actions CI/CD Pipeline
2 - 3 days
  • Create GitHub Actions workflow: build stage (Maven/Gradle build, unit tests) 0.5d
  • Add Docker build & push to ACR step, authenticating with OIDC federated credentials (preferred: no long-lived client secret exists) or, failing that, a service principal 0.5d
  • Add deployment step to Azure Container Apps (az containerapp update) 0.5d
  • Configure GitHub Environments (staging, production) with required reviewers; bind the federated credential subject to the production environment 0.25d
  • Store remaining secrets in GitHub Secrets scoped to the environment; with OIDC only the client, tenant and subscription IDs are needed, and none of them is secret 0.25d
  • Set up branch protection rules and PR-triggered builds 0.25d
  • Test full pipeline: commit → build → push → deploy → verify 0.5d
  • Add rollback mechanism (deploy previous revision on failure) 0.25d
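The two security-critical pieces of Phase 3 are how the workflow authenticates to Azure and what happens when a deployment goes bad. The script below is an added example, not the project's own pipeline. Its setup-oidc part creates the Entra application and federated credential so a workflow job exchanges its short-lived GitHub OIDC token for an Azure token (there is no client secret to store or leak), with role assignments scoped to the registry and the single Container App. Its deploy part is what the workflow's deployment job runs, including the rollback item above. Resource, organisation and repository names are placeholders; the health endpoint assumes Spring Boot Actuator; the app is switched to multiple-revision mode so a previous revision can take traffic back.

```sh
#!/bin/sh
# Added example, not from the migration plan: (1) one-time OIDC federation so GitHub Actions
# deploys without a stored client secret, with roles scoped to the registry and the one app;
# (2) the deploy step the workflow runs, which returns traffic to the previous revision if
# the new one never reports healthy. Names are placeholders; /actuator/health assumes
# Spring Boot Actuator is on the classpath.
set -eu

RG="${RG:-healthsoft-rg}"; APP="${APP:-healthsoft-api}"; ACR="${ACR:-healthsoftacr}"
GH_ORG="${GH_ORG:-example-org}"; GH_REPO="${GH_REPO:-healthsoft-api}"
DRY_RUN="${DRY_RUN:-1}"                           # 1 = print az commands only (default)
SIM_HEALTH="${SIM_HEALTH:-}"                      # health body used instead of curl in dry-run
[ -n "$SIM_HEALTH" ] || SIM_HEALTH='{"status":"UP"}'

run() { if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi; }

setup_oidc() {
  if [ "$DRY_RUN" = "1" ]; then
    app_id='<appId>'; sp_id='<spObjectId>'; sub_id='<subscriptionId>'
  else
    app_id=$(az ad app create --display-name "gh-${GH_REPO}-deploy" --query appId -o tsv)
    sp_id=$(az ad sp create --id "$app_id" --query id -o tsv)
    sub_id=$(az account show --query id -o tsv)
  fi
  # Subject pinned to the production environment: only a job that passed that environment's
  # required-reviewer gate can exchange its GitHub token for this identity.
  run az ad app federated-credential create --id "$app_id" --parameters "{
    \"name\": \"github-production\",
    \"issuer\": \"https://token.actions.githubusercontent.com\",
    \"subject\": \"repo:${GH_ORG}/${GH_REPO}:environment:production\",
    \"audiences\": [\"api://AzureADTokenExchange\"] }"
  rg_scope="/subscriptions/${sub_id}/resourceGroups/${RG}/providers"
  # Least privilege: push images, and update this one Container App; nothing subscription-wide.
  run az role assignment create --assignee-object-id "$sp_id" --assignee-principal-type ServicePrincipal \
    --role AcrPush --scope "${rg_scope}/Microsoft.ContainerRegistry/registries/${ACR}"
  run az role assignment create --assignee-object-id "$sp_id" --assignee-principal-type ServicePrincipal \
    --role Contributor --scope "${rg_scope}/Microsoft.App/containerApps/${APP}"
  echo "client-id for azure/login: $app_id"
}

# health_ok BODY: Actuator emits compact JSON with the aggregate status first, so match
# only that; a body whose aggregate is DOWN but has an UP component must not pass.
health_ok() { case "$1" in '{"status":"UP"'*) return 0 ;; *) return 1 ;; esac; }

# fetch_health FQDN: the live probe, or the simulated body in dry-run.
fetch_health() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s' "$SIM_HEALTH"; else
    curl -fsS --max-time 5 "https://$1/actuator/health" || true; fi
}

# deploy IMAGE: create a new revision from the image the pipeline just pushed (by digest,
# so the deployed bytes are exactly what was scanned and tested), wait for it to report
# healthy, and otherwise send traffic back to the previously ready revision.
deploy() {
  image="$1"
  if [ "$DRY_RUN" = "1" ]; then previous='<previousRevision>'; fqdn='<app-fqdn>'; else
    previous=$(az containerapp show -n "$APP" -g "$RG" --query properties.latestReadyRevisionName -o tsv)
    fqdn=$(az containerapp show -n "$APP" -g "$RG" --query properties.configuration.ingress.fqdn -o tsv)
  fi
  run az containerapp revision set-mode -n "$APP" -g "$RG" --mode multiple
  run az containerapp update -n "$APP" -g "$RG" --image "$image" --revision-suffix "r$(date +%Y%m%d%H%M%S)"
  run az containerapp ingress traffic set -n "$APP" -g "$RG" --revision-weight latest=100
  i=0
  while [ "$i" -lt 12 ]; do
    if health_ok "$(fetch_health "$fqdn")"; then echo "healthy: $image"; return 0; fi
    i=$((i + 1)); [ "$DRY_RUN" = "1" ] || sleep 10
  done
  echo "rollback: new revision never became healthy, restoring $previous" >&2
  run az containerapp ingress traffic set -n "$APP" -g "$RG" --revision-weight "${previous}=100"
  return 1
}

case "${1:-}" in
  setup-oidc) setup_oidc ;;
  deploy) deploy "$2" ;;
  *) echo "usage: $0 setup-oidc | deploy <registry>/<repo>@sha256:<digest>" ;;
esac
```

The workflow job needs `permissions: id-token: write` and runs `azure/login` with the printed client ID plus tenant and subscription IDs before calling `deploy`; a non-zero exit from the rollback path fails the job so the failure is visible rather than silently absorbed.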
Phase 4: Cloudflare & Security Setup
2 - 3 days
  • Add domain to Cloudflare and configure DNS records pointing to Container App 0.25d
  • Enable Cloudflare SSL/TLS in Full (strict) mode: the origin must present a certificate Cloudflare trusts (a Cloudflare Origin CA certificate, or the Container Apps managed certificate for the custom domain); "Flexible" mode must not be used, as it leaves the edge-to-origin hop in plaintext 0.25d
  • Recreate the 18 WAF rules equivalent in Cloudflare WAF (custom rules + managed rulesets) 1d
  • Configure Cloudflare rate limiting and bot protection (the available bot features depend on the Cloudflare plan; see service mapping) 0.25d
  • Enable Cloudflare DDoS protection 0.25d
  • Migrate secrets from AWS Secrets Manager to Azure Key Vault 0.25d
  • Configure Managed Identity for the Container App to access Key Vault (Key Vault secret references; no passwords in config files or plain environment variables) 0.25d
  • Restrict Container App ingress to Cloudflare IP ranges only, so the *.azurecontainerapps.io hostname cannot be used to bypass the WAF; the ranges are published at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 and change over time, so the allowlist must be re-synced 0.25d
  • Validate end-to-end security: Client → Cloudflare → Container App → PostgreSQL, including a direct request to the origin FQDN that must be refused 0.25d
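Restricting ingress to Cloudflare is what makes the WAF enforceable: without it, anyone who finds the Container App's *.azurecontainerapps.io hostname talks to the origin directly. The script below is an added example, not part of this plan's deliverables. It validates each published range before turning it into an allow rule, applies the rules, and checks that a direct request to the origin is refused while the Cloudflare-fronted hostname still works. Resource names are placeholders; the embedded ranges are a constructed sample for offline use (one of them deliberately malformed), and the real run fetches the published list. Two caveats: an IP allowlist admits traffic from any Cloudflare customer, not only this zone, so Cloudflare's Authenticated Origin Pulls is the stronger control where the origin can validate client certificates; and only once the allowlist is in place can the CF-Connecting-IP header be trusted for logging and application-side rate limiting, since anything that can reach the origin directly can set it.

```sh
#!/bin/sh
# Added example, not from the migration plan: allow only Cloudflare's edge to reach the
# Container App ingress, then verify that the origin refuses direct connections.
# RG/APP are placeholders. SAMPLE_RANGES is a constructed list for offline/dry-run use;
# the real run pulls https://www.cloudflare.com/ips-v4, which changes and must be re-synced.
# Only the v4 list is applied because this example assumes Cloudflare reaches the origin
# over IPv4; add /ips-v6 if the origin has an IPv6 address.
set -eu

RG="${RG:-healthsoft-rg}"; APP="${APP:-healthsoft-api}"; DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi; }

SAMPLE_RANGES='173.245.48.0/20
103.21.244.0/22
not-a-range
198.41.128.0/17'

# cidr_valid CIDR: reject anything that is not "<ipv4|ipv6>/<prefix>", so a bad or
# tampered line in the feed can never turn into an allow rule for an arbitrary string.
cidr_valid() {
  case "$1" in ''|*[!0-9a-fA-F:./]*|*/*/*) return 1 ;; */*) ;; *) return 1 ;; esac
  ip=${1%/*}; prefix=${1#*/}
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  case "$ip" in
    *:*) [ "$prefix" -le 128 ] || return 1 ;;
    *.*.*.*) [ "$prefix" -le 32 ] || return 1 ;;
    *) return 1 ;;
  esac
}

fetch_ranges() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$SAMPLE_RANGES"; else
    curl -fsS https://www.cloudflare.com/ips-v4 && echo; fi
}

# apply_allowlist: one Allow rule per range. Once any Allow rule exists, Container Apps
# denies every other source, so direct hits on the *.azurecontainerapps.io FQDN get 403.
# Rule names are stable (cf-<n>) so re-running after a feed change updates in place.
apply_allowlist() {
  n=0
  fetch_ranges | while IFS= read -r cidr; do
    [ -n "$cidr" ] || continue
    cidr_valid "$cidr" || { echo "skipping malformed range: $cidr" >&2; continue; }
    n=$((n + 1))
    run az containerapp ingress access-restriction set -n "$APP" -g "$RG" \
      --rule-name "cf-$n" --ip-address "$cidr" --action Allow --description "Cloudflare edge"
  done
}

# classify DIRECT_CODE EDGE_CODE: the pass condition for the end-to-end check, kept
# separate from curl so it can be unit-tested.
classify() {
  [ "$1" = "403" ] || return 1
  [ "$2" = "200" ] || return 1
}

# verify ORIGIN_FQDN PUBLIC_HOST: direct hit must be refused (403), edge path must succeed.
verify() {
  direct=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "https://$1/")
  edge=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "https://$2/")
  if classify "$direct" "$edge"; then echo "OK: direct=$direct edge=$edge"; else
    echo "FAIL: direct=$direct edge=$edge (expected 403 / 200)" >&2; return 1; fi
}

case "${1:-}" in
  apply) apply_allowlist ;;
  verify) verify "$2" "$3" ;;
  *) echo "usage: $0 apply | verify <app-fqdn> <public-hostname>" ;;
esac
```

Schedule `apply` as a recurring job (or a workflow on a timer) so the allowlist tracks Cloudflare's published ranges; a stale list fails closed, which shows up as 403s at the edge rather than as an open origin.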
Phase 5: Monitoring & Alerts
1 - 1.5 days
  • Enable Azure Monitor and Log Analytics workspace 0.25d
  • Configure Container App diagnostic settings (console logs, system logs) 0.25d
  • Configure PostgreSQL monitoring (CPU, connections, storage, slow queries) 0.25d
  • Set up alert rules (app errors, high CPU, DB connection failures, deployment failures) 0.25d
  • Configure Action Groups for notifications (email/SMS/webhook - replaces SNS) 0.25d
  • Create monitoring dashboard 0.25d
Phase 6: Database Migration & Cutover
2 - 2.5 days
  • Freeze writes on the source (stop the application, or set default_transaction_read_only=on on RDS), then take the final PostgreSQL backup from AWS RDS (pg_dump, custom format, --no-owner) 0.25d
  • Restore database to Azure PostgreSQL Flexible Server (pg_restore) 0.25d
  • Validate data integrity (row counts, checksums, sample queries) 0.5d
  • Run application smoke tests against Azure environment with production data 0.5d
  • Switch the origin in Cloudflare from the AWS endpoint to the Azure Container App (a proxied record switches at the edge immediately; a DNS-only record needs its TTL lowered in advance) 0.25d
  • Monitor post-cutover: error rates, latency, logs for 24-48 hours 0.5d
  • Document runbook: rollback procedure, scaling instructions, incident response 0.25d
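The pg_dump/pg_restore and integrity-check items above, as an added example rather than the plan's runbook: both connections force TLS with certificate verification, ownership and grants are stripped because RDS roles do not exist on Flexible Server, and the copy is verified with exact per-table row counts taken from both sides. Hostnames, database and role names are placeholders; passwords are read from the libpq password file or PGPASSWORD populated from the secret store at run time; the CA bundle paths are assumed. Matching row counts are necessary but not sufficient, so the checksums and sample queries in the same item still apply.

```sh
#!/bin/sh
# Added example, not from the migration plan: dump the RDS database, restore it into
# Flexible Server, and prove the copy is complete by comparing exact per-table row counts.
# Hostnames, database and role names are placeholders. Passwords are never put in the
# script: pg_dump/pg_restore/psql read them from PGPASSFILE (~/.pgpass) or PGPASSWORD,
# which should be populated at run time from Secrets Manager / Key Vault. The sslrootcert
# files are the CA bundles downloaded from each provider (assumed paths).
set -eu

SRC="${SRC:-postgresql://app@rds-host.example.internal:5432/healthsoft?sslmode=verify-full&sslrootcert=rds-ca.pem}"
DST="${DST:-postgresql://app@pg-host.postgres.database.azure.com:5432/healthsoft?sslmode=verify-full&sslrootcert=azure-ca.pem}"
DUMP="${DUMP:-healthsoft.dump}"

# dump_source: custom format allows parallel restore and per-object selection; ownership
# and grants are stripped because RDS roles (rds_superuser, ...) do not exist on Azure.
dump_source() { pg_dump "$SRC" -Fc --no-owner --no-privileges -f "$DUMP"; }

# restore_target: stop on the first error rather than silently skipping objects.
restore_target() { pg_restore -d "$DST" --no-owner --no-privileges -j 4 --exit-on-error "$DUMP"; }

# row_counts CONN > FILE: "schema.table<TAB>count" for every user table, one exact
# COUNT(*) per table (pg_class.reltuples is only an estimate). format('%I.%I') quotes
# identifiers so an oddly named table cannot break or inject into the count query.
row_counts() {
  psql "$1" -v ON_ERROR_STOP=1 -Atc "select format('%I.%I', table_schema, table_name)
    from information_schema.tables
    where table_type = 'BASE TABLE' and table_schema not in ('pg_catalog', 'information_schema')
    order by 1" |
  while IFS= read -r tbl; do
    printf '%s\t%s\n' "$tbl" "$(psql "$1" -v ON_ERROR_STOP=1 -Atc "select count(*) from $tbl")"
  done
}

# compare_counts SRC_FILE DST_FILE: list every table whose count differs, is missing on the
# target, or exists only on the target; exit 1 if anything is reported.
compare_counts() {
  awk -F'\t' '
    FILENAME == ARGV[1] { src[$1] = $2; next }
    { dst[$1] = $2 }
    END {
      for (t in src) {
        if (!(t in dst)) { print "MISSING_IN_DST", t; bad = 1 }
        else if (src[t] != dst[t]) { print "MISMATCH", t, "src=" src[t], "dst=" dst[t]; bad = 1 }
      }
      for (t in dst) if (!(t in src)) { print "EXTRA_IN_DST", t; bad = 1 }
      exit bad + 0
    }' "$1" "$2"
}

migrate() {
  dump_source
  restore_target
  row_counts "$SRC" > src-counts.tsv
  row_counts "$DST" > dst-counts.tsv
  compare_counts src-counts.tsv dst-counts.tsv && echo "row counts match; safe to proceed to cutover"
}

case "${1:-}" in
  migrate) migrate ;;
  compare) compare_counts "$2" "$3" ;;
  *) echo "usage: $0 migrate | compare <src-counts.tsv> <dst-counts.tsv>" ;;
esac
```

Keep both counts files with the cutover record: they are the evidence that the data-as-is migration was complete, and the first thing to consult if a discrepancy is reported after the switch.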

Open Queries (Requires Customer Input)

Q1: Database Size & Migration Window
What is the current PostgreSQL database size? Is there an acceptable downtime window for migration, or do we need near-zero-downtime migration (which would require DMS/logical replication)?
Q2: Application Persistent Storage
Does the SpringBoot application write files to disk (e.g., uploaded files, generated reports, logs to file)? This affects whether we need Azure Files mounted to the container. The 128GB EBS volume on AWS suggests possible file storage usage.
Q3: Existing 18 WAF Rules
The 18 WAF rules are AWS managed rule groups. Can the customer share which specific managed rule groups are enabled (e.g., Core Rule Set, SQL Injection, Known Bad Inputs, etc.) so we can map equivalent protections in Cloudflare?
Q4: API Gateway Usage Pattern
Is the AWS API Gateway used for anything beyond routing (e.g., throttling, API keys, usage plans, request/response transformation, authorizers)? This determines if we need Azure API Management or if Container Apps ingress suffices.
Q5: PostgreSQL Version
What PostgreSQL version is running on AWS RDS? Azure Flexible Server supports 13, 14, 15, 16 - need to confirm compatibility.
Q6: Environment Count
Do we need multiple environments (dev, staging, production) in Azure, or just production for now? This affects infrastructure and CI/CD pipeline design.
Q7: SNS Notification Recipients
Who should receive alerts (email addresses, phone numbers, Slack/Teams channels)? What alert conditions are currently configured in CloudWatch?
Q8: Source Code Repository
Where is the application source code currently hosted? Is it already in GitHub, or does it need to be migrated?

Out of Scope

AWS infrastructure decommissioning - Tearing down existing AWS resources after migration is complete
Application code changes - Any refactoring, bug fixes, or feature changes to the SpringBoot application itself (only containerization config changes)
Multi-region / HA deployment - Active-active or active-passive setup across multiple Azure regions
Database schema changes or optimization - Migration is data-as-is; no schema modifications
Load testing and performance benchmarking - Formal load/stress testing of the new Azure environment
Cloudflare account setup and billing - Customer is expected to have a Cloudflare account with appropriate plan
Azure subscription setup and billing - Customer provides an Azure subscription with Owner/Contributor access
Domain registrar changes - DNS nameserver delegation to Cloudflare is in scope, but domain purchase/transfer is not
End-user training or documentation - Internal team training on Azure/Cloudflare console usage
Backup and disaster recovery strategy - Beyond basic PostgreSQL backup; full DR plan is a separate engagement
Compliance and audit requirements - SOC2, HIPAA, or other compliance certifications for the Azure environment
VPN or ExpressRoute setup - Private connectivity from customer's on-premises network to Azure

Assumptions