# Cloud Migration Architecture Blueprint ## PHASE 1: THE 6 R's MIGRATION STRATEGY **Objective Alignment:** To exit the data center within a strict 6-month timeframe, we must prioritize speed over extensive modernization. We will utilize a hybrid approach: - **Web/App Tier (Java Monolith on VMware): REHOST (Lift & Shift).** We will move the VMs "as-is" to Amazon EC2 instances. Refactoring a monolith in 6 months introduces too much risk and timeline delay. - **Database Tier (Oracle DB): REPLATFORM (Lift, Tinker, and Survive).** We will migrate from self-managed Oracle on bare metal to Amazon RDS for Oracle. This removes the hardware and OS management burden while maintaining application compatibility without requiring immediate code changes. - **Load Balancers (Hardware F5): REPURCHASE (Drop and Shop).** We will abandon the physical F5 appliances and repurchase cloud-native Application Load Balancers (ALB) in AWS. ## PHASE 2: LANDING ZONE & SECURITY ARCHITECTURE **AWS Landing Zone Setup:** - **Networking:** We will deploy an AWS Transit Gateway connecting the on-premise data center via AWS Direct Connect (for high-bandwidth, private data replication) and VPN (as a failover). The VPC will utilize public subnets for the ALBs and strictly private subnets for the EC2 app servers and RDS databases. - **Identity:** AWS IAM Identity Center will be federated with your existing on-premise Active Directory. **Compliance (PCI-DSS):** - All EBS volumes and RDS instances will have AES-256 encryption-at-rest enforced via AWS KMS. - AWS WAF (Web Application Firewall) will be attached to the ALB to block SQLi and XSS. - VPC Flow Logs and AWS CloudTrail will be enabled and shipped to an immutable S3 bucket for audit purposes. ## PHASE 3: PHASED EXECUTION ROADMAP **Step 1: Foundation (Weeks 1-4):** Deploy the AWS Landing Zone, establish Direct Connect, and configure networking/security guardrails. **Step 2: Mobilize & Replicate (Weeks 5-12):** Use AWS Application Migration Service (MGN) to install replication agents on the VMware VMs. Block-level replication to AWS begins silently in the background. Setup AWS Database Migration Service (DMS) for continuous replication from on-prem Oracle to RDS Oracle. **Step 3: Testing & Validation (Weeks 13-20):** Launch test instances in AWS isolated subnets. QA performs User Acceptance Testing (UAT) against the replicated data to verify performance and integrations. **Step 4: Cutover (Weeks 21-24):** - Put the on-premise application in "Maintenance Mode" (Read-only). - Wait for the final DMS sync to finish to ensure zero data loss. - Update global DNS (Route53) to point to the new AWS ALB. ## PHASE 4: RISK MITIGATION & TCO **Key Risks:** 1. *Oracle Licensing Compliance:* Moving Oracle to the cloud can trigger license audits. *Mitigation:* Engage an AWS Licensing Specialist to ensure you bring your own licenses (BYOL) correctly under the AWS dedicated host or RDS rules. 2. *Latency during Hybrid State:* If the DB is migrated before the App, network latency across the Direct Connect will crash the application. *Mitigation:* The App and DB must be cut over simultaneously in the same maintenance window. **FinOps Strategy:** Once the migration is stable (after 30 days), right-size the over-provisioned EC2 instances and purchase a 1-Year Compute Savings Plan to reduce costs by up to 30%.