Jet Mariano

How to Migrate On-Prem to AWS?

One-screen summary

  • Goal: Move on-prem apps/data to AWS safely, with repeatable guardrails.
  • Pattern: Multi-account, multi-region, VPC-per-tier, zero public SSH/RDP, everything encrypted, everything logged.

0) Readiness checklist

  • Inventory apps, dependencies, RPO/RTO, data size, change windows
  • Pick primary + failover regions; classify regulated data (PII/PCI)
  • Decide: rehost (lift/shift), re-platform (RDS/EKS), or refactor

1) Org & accounts

  • AWS Organizations, SCP guardrails, prod/nonprod accounts
  • Naming, tagging, cost-allocation tags and budgets

2) Identity & access

  • IAM Identity Center (SSO) with least-privilege permission sets
  • Break-glass role, CloudTrail for all accounts, Config enabled org-wide

3) Landing zone & regions

  • Enable two regions; document data residency
  • Baseline via Control Tower (or custom landing zone)

4) Networking & connectivity

  • VPC per environment, public/private subnets, NAT/IGW, route tables
  • Connectivity: Site-to-Site VPN for Day-1; add Direct Connect for steady-state
  • VPC Endpoints (S3, STS, SSM) to keep traffic off the internet
  • Security Groups (app-aware), NACLs (subnet guard), optional AWS Network Firewall

5) Security baselines (fintech-minded)

  • KMS CMKs for EBS, RDS, S3; enforce TLS; no public access blocks off by default
  • GuardDuty, Security Hub, ECR image scanning
  • Secrets Manager/SSM Parameter Store for secrets

6) Data migration

  • Databases: DMS (CDC for near-zero downtime) → RDS/Aurora
  • Files/objects: S3 + lifecycle; Storage Gateway for NFS/SMB
  • VMs: Application Migration Service (MGN) or VM Import/Export

7) Compute patterns

  • EC2 with Auto Scaling & launch templates
  • Containers with ECS Fargate or EKS (private endpoints)
  • RDS/Aurora Multi-AZ; ElastiCache for caching; SQS/SNS for decoupling

8) Observability

  • CloudWatch metrics/alarms/dashboards
  • CloudTrail org trail to S3 + Glacier
  • AWS Config rules; centralized log archive account

9) Resilience & backup

  • Multi-AZ by default; cross-region replicas for Tier-1
  • AWS Backup plans + cross-account copies
  • GameDays: failure injection / region isolation test

10) Cutover playbook

  • Freeze window → final sync → smoke tests → DNS switch (Route 53)
  • Rollback conditions and timebox written in advance

11) Cost & hygiene

  • Budgets + alerts, Compute Optimizer, rightsizing
  • Tagging policy and monthly governance review

12) Day-2 hardening

  • Patch baselines via SSM, CIS benchmarks, JIT access with SSM Session Manager
  • Periodic access reviews and key rotation

Also see:How to Migrate On-Prem to AWS — A Field Runbook for the Amazon counterpart.

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.

error: Content is protected !!