Opening
Migrating to Azure without assessing your workloads is like pouring mystery beans into your espresso machine. It’s noisy, messy and the result won’t be pretty.
Visibility is non-negotiable. Without it, you’re flying blind and potentially dragging deadweight into your shiny new cloud. Let’s fix that.
Before you migrate even a single workload, you need visibility.
- What’s running?
- What talks to what?
- What actually needs to move (and what doesn’t)?
In this post, we’ll break down how to confidently discover, assess, and categorise your private cloud environments using Azure native tools.
What is Discovery & Assessment?
In the cloud migration game, discovery and assessment help you:
- Identify all existing workloads (VMs, apps, databases)
- Understand workload interdependencies and communication paths
- Evaluate sizing, utilisation, and readiness for Azure
- Build migration groups (e.g., dev/test, app tiers, supporting infra)
- Choose migration paths (rehost, refactor, or retire)
How it Works: Azure Migrate
The key player here is Azure Migrate Microsoft’s free migration hub for discovery, assessment, and planning.
- Discover and map workloads from VMware, Hyper-V, or bare metal
- Assess based on performance, right-sizing, and Azure SKU mapping
- Understand cost implications
- Identify dependent services during scoping phase
Tool Capabilities
- Discovery appliance runs as a lightweight VM in your environment, collecting real-time data
- Dependency mapping helps you visualise app-to-app communication
- Assessment reports guide you on sizing and compatibility (including readiness for Azure Hybrid Benefits)
Real-World Impact: Knowing Before Moving
Our not-for-profit organisation — the same one we met in Part 1 — had just 90 days before their co-location contract expired. With 300 VMs to move, they knew guessing wasn’t an option.
Before touching a single workload, they deployed Azure Migrate and ran a thorough discovery process over two weeks.
Here’s what they uncovered:
- Around 40 VMs were underutilised or no longer needed
- Several production systems were quietly dependent on a legacy print management app
- Core application tiers were more interdependent than documentation suggested
- A few critical services were still running on legacy OS versions flagged as unsupported in Azure
By grouping VMs based on functional roles and real dependency chains, they avoided risky one-shot cutover plans. Instead, they took a phased approach:
- Internal tools and dev environments
- App servers with isolated backends
- Shared services (storage, databases, web front-ends)
This up-front investment in discovery meant fewer surprises, cleaner change windows, and improved stakeholder confidence throughout the project.
Implementation Examples
Ready to get stuck into it let’s deploy an Azure Migrate project in Azure
Azure Portal
- In Azure, go to Azure Migrate
- Click + Add Tool > Choose Discovery and assessment
- Download and deploy the appliance in your on-prem environment
- Start Discovery — allow time for data to build (typically 24–72 hrs)
- Organise machines into groups for assessment
- Use Dependency Visualisation to map flows
Bicep Example (Azure Migrate project)
|
|
Required ports for connectivity
Here’s a single comprehensive table combining all required ports for Azure Migrate discovery across different environments:
| Source/Direction | Protocol | Port(s) | Purpose / Notes |
|---|---|---|---|
| Appliance → Azure (All Scenarios) | HTTPS | 443 | Communication with Azure Migrate services |
| Appliance → vCenter Server | HTTPS | 443 | Access vSphere API for VMware discovery |
| Appliance → ESXi Hosts | HTTPS | 443 | Optional – validation during discovery |
| Appliance → vCenter/ESXi | SSH | 22 | Optional – Linux collector appliances (command/script execution) |
| Appliance → VMware VMs (optional) | ICMP | N/A | Optional ping to validate connectivity |
| Appliance → Hyper-V Hosts/SCVMM | WMI/DCOM | 135 | Initial connection for agentless Hyper-V discovery |
| Appliance → Hyper-V Hosts/SCVMM | RPC | 1024–65535 | Dynamic ports for WMI/DCOM communication |
| Appliance → Hyper-V Hosts/SCVMM | SMB | 445 | Script and file transfer |
| Agent (on physical/other VMs) → Azure | HTTPS | 443 | Communication from agent-based discovery |
| Appliance → Domain Controller | LDAP | 389 | AD authentication (if domain-joined) |
| Appliance → Domain Controller | Kerberos | 88 | Authentication ticket exchange |
| Appliance → DNS Server | DNS | 53 | Name resolution for Azure and on-prem resources |
*.servicebus.windows.net, *.azure-automation.net, *.blob.core.windows.net, etc., and are region-specific.
Gotchas & Edge Cases
- Discovery won’t succeed without proper firewall rule allowances
- You need read access to the clusters you’re targeting
- Dependency mapping requires longer collection windows (up to 30 days for full flow accuracy)
Best Practices
- Start early: Run discovery at least one month before migration…
- Group by dependencies: Avoid grouping purely by app names…
- Tag everything: Use Azure tags to pre-classify workloads
- Validate stakeholders: Confirm ownership before cutovers
- Use cost models early: Run pricing estimates on intended SKUs
Brewed Take ☕
Discovery isn’t a checkbox it’s your safety net.
Rushing it is like skipping the espresso grind and hoping for good coffee it’s not gonna happen.
Every smooth migration we’ve seen had one thing in common: clarity up front. When you know your workloads, dependencies, and downtime risks before lift-off, everything downstream gets easier. Testing, phasing, even stakeholder buy-in.
Azure Migrate helps you map your real workload DNA not just what’s documented or in the heads of System Admins and Application Owners.