The “Multi-Cloud Exit” Reality
The promise of multi-cloud—avoiding vendor lock-in by spreading workloads across Azure, AWS, and GCP—has run headfirst into operational reality. In 2025, enterprises discovered that multi-cloud means multi-everything: multiple identity systems, multiple networking stacks, multiple CI/CD pipelines, and multiple teams with different expertise.
Azure to AWS migration is not about one cloud being “better.” It’s about consolidation economics. When the majority of your workloads and engineering talent are already on AWS, maintaining Azure parity costs more than the lock-in risk it was meant to prevent. The 2024-2025 wave of Azure-to-AWS migrations is driven by this math, not religious cloud preference.
But here’s what vendors won’t tell you: Azure migrations are harder than GCP migrations. Azure’s deep Microsoft ecosystem integration—Active Directory, DevOps, M365 identity, hybrid connectivity via ExpressRoute—creates dependencies that don’t exist in the more cloud-agnostic GCP world. Extracting from Microsoft’s gravity is the real migration challenge.
Go / No-Go Assessment
Before committing to leave Azure, score your readiness honestly. Score each criterion from 0 to 10 (80 points possible). A total below 50 means you should reconsider, or phase the migration over 24 months.
| Criteria | Threshold for "Go" | Score (0-10) |
|---|---|---|
| **AWS Workload Majority** | 50%+ of compute/data already on AWS or migration-committed. | |
| **Azure AD Decoupling** | Azure AD used primarily for Azure access, not deeply integrated with M365 identity. | |
| **CI/CD Portability** | Using GitHub Actions, Jenkins, or portable CI—not heavily invested in Azure DevOps. | |
| **PaaS Abstraction** | Limited use of Azure-specific PaaS (Cosmos DB, Azure Functions, Logic Apps). | |
| **Connectivity Flexibility** | ExpressRoute can be replaced with Direct Connect within 6 months. | |
| **Team Expertise** | Engineering team has AWS experience or training runway (3-6 months). | |
| **Contract Timing** | Azure EA/CSP renewal is 12+ months away (leverage for negotiation). | |
| **Egress Budget** | Budget allocated for one-time egress ($0.05-$0.09/GB for all Azure data), unless you qualify for Microsoft's free-egress credit for customers leaving Azure entirely. | |
Scoring Guide (80 points possible): 70+ = Green light. 50-69 = Proceed with caution, extend timeline. Below 50 = Reconsider, or phase the migration over 24 months.
Top 3 Failure Modes
1. The "Azure AD is Just SAML" Fallacy (40% of failures)
The Trap: Treating Azure AD migration as a simple SAML federation setup.
The Reality: Azure AD in enterprise environments isn't just an identity provider—it's intertwined with Conditional Access policies (device compliance, location-based access, risk scoring), Privileged Identity Management (PIM), and Azure RBAC. A Fortune 500 insurance company discovered they had 127 Conditional Access policies, 34 PIM role assignments, and 89 custom RBAC definitions that all needed AWS equivalents. What was budgeted as a 2-week SSO setup became a 4-month security architecture project.
Prevention: Audit your Azure AD configuration before migration planning. Export Conditional Access policies and PIM assignments through Microsoft Graph, and custom role definitions with `az role definition list --custom-role-only true`, so you are mapping from JSON rather than from memory. Map each item to its AWS home: IAM Identity Center permission sets (and their session durations), AWS Organizations SCPs, and IAM roles. Expect a residue with no AWS equivalent, MFA and device-compliance checks in particular; those should stay enforced at Azure AD if it remains your IdP. Budget $50K-$150K for identity translation in complex environments.
2. ExpressRoute "Cold Turkey" Cutover (30% of failures)
The Trap: Planning a weekend cutover from ExpressRoute to Direct Connect without parallel running.
The Reality: ExpressRoute and Direct Connect use different peering architectures. ExpressRoute private peering terminates on ExpressRoute gateways in Azure VNets; Direct Connect terminates on a virtual private gateway per VPC, or on a Direct Connect gateway in front of a Transit Gateway, and the on-premises side has to re-learn every prefix over a new BGP session. During a healthcare company's migration, their on-premises Epic EHR system lost connectivity for 6 hours during cutover because BGP route propagation took longer than expected. Patient care systems were impacted.
Prevention: Run ExpressRoute and Direct Connect in parallel for 2-3 months minimum, with BGP local preference or AS-path prepending keeping one path preferred so traffic only moves when you decide it should. Test failover scenarios weekly, including failback. Create detailed runbooks for the final cutover with per-minute rollback triggers. Budget $15K-$25K/month for parallel connectivity; it's insurance.
3. Azure DevOps "Lift and Shift" Assumption (25% of failures)
The Trap: Assuming Azure Pipelines YAML will work in AWS CodePipeline with minor modifications.
The Reality: Azure Pipelines and AWS CodePipeline are fundamentally different architectures. Azure Pipelines is an integrated CI/CD system; CodePipeline is an orchestrator that calls other AWS services (CodeBuild, CodeDeploy). A fintech company with 400+ Azure Pipelines discovered they needed to rewrite every single pipeline. The planned 6-week DevOps migration became 5 months, delayed their go-live by a quarter, and cost $380K in unbudgeted consulting.
Prevention: Audit all Azure DevOps pipelines before migration. Consider GitHub Actions as a bridge: it can deploy to both clouds during the transition, and it should authenticate to AWS through OIDC federation into an IAM role rather than long-lived access keys stored as repository secrets. For complex builds, evaluate keeping Azure DevOps temporarily (it can deploy to AWS). Budget 1 engineer-week per 10 pipelines for rewrite.
5 Technical Traps: Azure to AWS
1. Azure AD → AWS IAM Identity Center Translation
Azure AD (now branded Microsoft Entra ID; this guide keeps the older name) is Microsoft's enterprise identity backbone. AWS IAM Identity Center (formerly AWS SSO) is a lightweight federated identity aggregator. They're not equivalent.
Critical Differences:
- Conditional Access: no single AWS equivalent. Location and network restrictions map to AWS Organizations SCPs and IAM condition keys (`aws:SourceIp`, `aws:SourceVpce`); MFA conditions do not, because `aws:MultiFactorAuthPresent` is not populated for sessions obtained through SAML federation. If Azure AD stays your IdP, its Conditional Access policies keep gating the SAML sign-in to AWS; if it does not, enforce MFA in IAM Identity Center itself.
- PIM (Privileged Identity Management): no native AWS equivalent for eligible-role activation with approval. Approximate it with separate IAM Identity Center permission sets for standing and elevated access, short session durations on the elevated ones, and CloudTrail alerting whenever an elevated session is used; approval workflows need a custom solution or a third-party PAM tool.
- Device Compliance: AWS has no console- or API-level device-posture check. If Azure AD stays the IdP, its device-compliance condition still applies at sign-in. AWS Verified Access can require device trust through a supported device-trust provider, but only for HTTP applications it fronts, not for the console or API.
Cost Impact: Underestimating identity translation adds $100K-$300K in enterprise migrations.
Prevention: Engage identity specialists (Oxford Computer Group or equivalent) for assessment. Create a policy mapping document before touching infrastructure.
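The mapping above is easier to reason about with the exported policy in hand, so here is an added example, written for this page rather than taken from Microsoft, AWS, or the original author, that takes Conditional Access policies in the JSON shape Microsoft Graph returns and emits what does translate: a location block becomes an SCP `Deny` keyed on `aws:SourceIp`, a sign-in frequency becomes an IAM Identity Center permission-set session duration, and controls that do not translate (MFA, device compliance) are listed for a human to place at the IdP. It ends with a small evaluator that checks the generated SCP against constructed CloudTrail-style events, which is the kind of check the post-migration identity audit needs. The policies, named locations, app ID, and IP ranges are constructed samples; the evaluator implements only the two condition operators the translator emits.

```python
import ipaddress

# Constructed sample in the shape Microsoft Graph returns from
# /identity/conditionalAccess/policies (trimmed; app ID and ranges are fictitious).
SAMPLE_CA_POLICIES = [
    {"displayName": "CA-AWS-Block-OffCorpNet", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["aws-console-app-id"]},
                    "locations": {"includeLocations": ["All"],
                                  "excludeLocations": ["corp-named-location"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "CA-AWS-MFA-CompliantDevice", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["aws-console-app-id"]}},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]},
     "sessionControls": {"signInFrequency": {"isEnabled": True, "value": 8, "type": "hours"}}},
]
# Named locations are separate Graph objects (/identity/conditionalAccess/namedLocations).
SAMPLE_NAMED_LOCATIONS = {"corp-named-location": ["203.0.113.0/24", "198.51.100.0/24"]}
MAX_SESSION_HOURS = 12  # IAM Identity Center permission sets accept PT1H..PT12H


def session_duration(sign_in_frequency):
    """signInFrequency session control -> permission-set sessionDuration (ISO 8601),
    clamped to the Identity Center maximum."""
    if not sign_in_frequency or not sign_in_frequency.get("isEnabled"):
        return None
    hours = sign_in_frequency["value"] * (24 if sign_in_frequency["type"] == "days" else 1)
    return f"PT{min(hours, MAX_SESSION_HOURS)}H"


def translate_policy(policy, named_locations):
    """Return (scp_statements, session_duration, notes) for one policy.
    Only 'block everywhere except named locations' becomes an SCP statement; MFA
    and device posture cannot be expressed for SAML-federated sessions and are
    reported as notes so they stay enforced at the IdP."""
    name = policy["displayName"]
    controls = policy.get("grantControls", {}).get("builtInControls", [])
    conds = policy.get("conditions", {})
    statements, notes = [], []
    if "block" in controls:
        locs = conds.get("locations", {})
        trusted = [cidr for loc in locs.get("excludeLocations", []) for cidr in named_locations[loc]]
        if locs.get("includeLocations") == ["All"] and trusted:
            statements.append({
                "Sid": "".join(ch for ch in name if ch.isalnum()),
                "Effect": "Deny", "Action": "*", "Resource": "*",
                "Condition": {
                    "NotIpAddress": {"aws:SourceIp": trusted},
                    # Exempt calls AWS services make on the principal's behalf
                    # (CloudFormation, etc.); those never come from your ranges.
                    "Bool": {"aws:ViaAWSService": "false"},
                },
            })
        else:
            notes.append(f"{name}: only 'All except named locations' blocks are translated")
    if "mfa" in controls:
        notes.append(f"{name}: keep MFA at the IdP; aws:MultiFactorAuthPresent is absent for SAML sessions")
    if "compliantDevice" in controls or "devices" in conds:
        notes.append(f"{name}: device compliance has no console/API equivalent; keep it at the IdP")
    duration = session_duration(policy.get("sessionControls", {}).get("signInFrequency"))
    return statements, duration, notes


def build_scp(policies, named_locations):
    """Aggregate enabled policies into one SCP document, per-policy session
    durations, and the list of controls a human still has to place elsewhere."""
    statements, sessions, notes = [], {}, []
    for policy in policies:
        if policy.get("state") != "enabled":
            continue
        stmts, duration, policy_notes = translate_policy(policy, named_locations)
        statements += stmts
        notes += policy_notes
        if duration:
            sessions[policy["displayName"]] = duration
    return {"Version": "2012-10-17", "Statement": statements}, sessions, notes


def scp_denies(scp, event):
    """Evaluate a CloudTrail-style event against the Deny statements above.
    Implements only NotIpAddress/aws:SourceIp and Bool/aws:ViaAWSService."""
    try:
        source = ipaddress.ip_address(event["sourceIPAddress"])
    except ValueError:  # service-initiated calls carry a DNS name, not an IP
        source = None
    via_service = "invokedBy" in event.get("userIdentity", {})
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        cond = stmt.get("Condition", {})
        if "NotIpAddress" in cond:
            nets = [ipaddress.ip_network(c) for c in cond["NotIpAddress"]["aws:SourceIp"]]
            if source is not None and any(source in n for n in nets):
                continue
        if "Bool" in cond and str(via_service).lower() != cond["Bool"]["aws:ViaAWSService"]:
            continue
        return True
    return False
```

Run `build_scp(SAMPLE_CA_POLICIES, SAMPLE_NAMED_LOCATIONS)` and you get one Deny statement, one session duration (`PT8H`), and two notes. The `aws:ViaAWSService` exemption is the part people forget: without it, the location block also denies the calls CloudFormation or Config make on your behalf, and the first stack deployment after cutover fails in a way that looks like a networking problem.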
2. Azure SQL → Aurora PostgreSQL or RDS SQL Server
Not all Azure SQL workloads should become Aurora PostgreSQL. Understand your options:
| Scenario | Target | Complexity | Cost Implication |
|---|---|---|---|
| Minimal app changes needed | RDS for SQL Server | Low | Higher licensing, familiar code |
| Open source mandate | Aurora PostgreSQL | High | Schema/code conversion required |
| Analytics-heavy | Redshift | Medium | Different architecture patterns |
| Read-heavy, distributed | Aurora Global Database | Medium | Multi-region complexity |
The Trap: Choosing Aurora PostgreSQL for “cost savings” without budgeting for T-SQL → PL/pgSQL conversion. Enterprise apps with 500+ stored procedures can require $200K+ in code refactoring.
Prevention: Use AWS Schema Conversion Tool (SCT) to assess conversion complexity. For <100 stored procedures, PostgreSQL may save money. For 500+, consider RDS SQL Server to preserve investment.
3. ExpressRoute → Direct Connect Architecture
Azure ExpressRoute and AWS Direct Connect both provide private connectivity, but the architecture differs:
| Feature | Azure ExpressRoute | AWS Direct Connect |
|---|---|---|
| Scope | Connects to all VNets in regions with peering | One VPC via a virtual private gateway, or many VPCs via a Direct Connect gateway (with Transit Gateway at scale) |
| Global Reach | Native site-to-site over the Microsoft backbone via the Global Reach add-on | Direct Connect gateway for cross-region VPC reach; Direct Connect SiteLink for site-to-site over the AWS backbone |
| Pricing Model | Per port + egress data | Per port + data transfer |
| Typical Lead Time | 2-4 weeks (provider) | 2-8 weeks (varies by location) |
Cost Impact: Direct Connect setup at $10K-$50K + monthly $2K-$15K depending on port speed. Parallel running doubles this during transition. Security caveat: neither ExpressRoute nor Direct Connect encrypts traffic by default. If your regulators or threat model expect encryption in transit, plan for MACsec on supported dedicated ports or an IPsec tunnel carried over the private path, and put that requirement into the Direct Connect order rather than discovering it after cutover.
4. Azure Functions → AWS Lambda Refactoring
Azure Functions and Lambda are both “serverless,” but code isn’t portable:
- Runtime Differences: Azure Functions bind inputs and outputs declaratively (`function.json`, or decorators in the newer programming models); Lambda hands a raw event object to a handler and you parse it yourself
- Triggers: Azure Event Grid ≠ EventBridge. Service Bus ≠ SQS (SQS delivers batches to Lambda, so per-message error handling becomes partial-batch failure reporting). Cosmos DB triggers → DynamoDB Streams
- Durable Functions: Azure’s stateful orchestration has no direct Lambda equivalent (use Step Functions)
Prevention: Inventory all Azure Functions. Categorize by trigger type. HTTP triggers migrate easiest. Queue and database triggers require architectural decisions. Budget 2-4 hours per function for migration + testing.
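As an added example of the migration shape that keeps the per-function budget near the low end (this is illustrative code written for this page, not from the original author or from either vendor's samples): one piece of business logic behind an Azure Functions HTTP trigger and behind a Lambda handler, so the migration moves the adapter and leaves the logic alone, plus the queue case that usually surprises people. The Azure adapter follows the v1 programming model described in comments and is duck-typed against `req.get_body()` so it runs without the `azure.functions` package; the Lambda adapter takes an API Gateway HTTP API payload-2.0 event. The record format, route key and sample events are constructed.

```python
import base64
import json


# --- Cloud-agnostic core: the part a migration should not have to rewrite ---
def redact_record(payload):
    """Validate an inbound payment record and mask the account number.
    Raises ValueError on bad input so each adapter can map it to HTTP 400."""
    if not isinstance(payload, dict):
        raise ValueError("payload must be a JSON object")
    acct = str(payload.get("account_number", ""))
    if not (acct.isdigit() and 8 <= len(acct) <= 19):
        raise ValueError("account_number must be 8-19 digits")
    amount = payload.get("amount")
    if isinstance(amount, bool) or not isinstance(amount, (int, float)) or amount < 0:
        raise ValueError("amount must be a non-negative number")
    return {"account_number": "*" * (len(acct) - 4) + acct[-4:], "amount": amount}


# --- Azure Functions adapter (v1 programming model) ---
# function.json for this function declares an httpTrigger binding named "req"
# and an http output bound to "$return"; the runtime hands the entry point an
# azure.functions.HttpRequest and expects an HttpResponse back. This version
# returns (status, body) and relies only on req.get_body(), so it runs here
# without the azure.functions package.
def azure_main(req):
    try:
        return 200, json.dumps(redact_record(json.loads(req.get_body())))
    except (ValueError, TypeError) as exc:  # JSONDecodeError is a ValueError
        return 400, json.dumps({"error": str(exc)})


class FakeHttpRequest:
    """Stand-in for azure.functions.HttpRequest with the one method used above."""
    def __init__(self, body: bytes):
        self._body = body

    @classmethod
    def from_record(cls, record):
        return cls(json.dumps(record).encode("utf-8"))

    def get_body(self):
        return self._body


# --- Lambda adapter for an API Gateway HTTP API (payload format 2.0) event ---
# Nothing is bound for you: the body may be base64-encoded and the return
# value must be the proxy-integration response shape.
def lambda_handler(event, context=None):
    raw = event.get("body") or ""
    if event.get("isBase64Encoded"):
        raw = base64.b64decode(raw).decode("utf-8")
    try:
        status, body = 200, redact_record(json.loads(raw))
    except (ValueError, TypeError) as exc:
        status, body = 400, {"error": str(exc)}
    return {"statusCode": status, "headers": {"content-type": "application/json"},
            "body": json.dumps(body)}


def sample_api_gateway_event(record, encode=True):
    """Build a constructed payload-2.0 event carrying `record` as its body."""
    body = json.dumps(record)
    if encode:
        body = base64.b64encode(body.encode("utf-8")).decode("ascii")
    return {"version": "2.0", "routeKey": "POST /records", "body": body,
            "isBase64Encoded": encode}


# --- Queue trigger difference ---
# Service Bus hands an Azure Function one message per invocation; SQS hands
# Lambda a batch (up to 10 by default). Unless the handler reports partial-batch
# failures, one bad record re-drives the whole batch. The event source mapping
# must have ReportBatchItemFailures enabled for this response to be honoured.
def process_sqs_batch(records):
    """Return (processed_records, failed_message_ids) for a list of SQS records."""
    processed, failed = [], []
    for rec in records:
        try:
            processed.append(redact_record(json.loads(rec["body"])))
        except (ValueError, TypeError):
            failed.append(rec["messageId"])
    return processed, failed


def lambda_sqs_handler(event, context=None):
    _, failed = process_sqs_batch(event.get("Records", []))
    return {"batchItemFailures": [{"itemIdentifier": mid} for mid in failed]}
```

The HTTP case is the "migrates easiest" category from the list above: both adapters are a few lines because the validation lives in `redact_record`. The SQS handler is where the architectural decision hides: if `process_sqs_batch` raised on the first bad record instead of collecting failures, every good record in the batch would be retried alongside it until the message landed in the dead-letter queue.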
5. Azure DevOps → AWS CodePipeline (or GitHub Actions)
Azure DevOps is an integrated DevOps platform. AWS provides building blocks (CodeBuild, CodePipeline, CodeDeploy; CodeCommit stopped accepting new customers in mid-2024, so source usually stays in GitHub or another hosted Git) that require assembly.
Decision Framework:
| If your priority is… | Choose |
|---|---|
| AWS-native, deepest integration | CodePipeline + CodeBuild |
| Portability, gradual migration | GitHub Actions |
| Minimal disruption (short-term) | Keep Azure DevOps, deploy to AWS |
| Enterprise scale + governance | AWS CodeCatalyst (newer, growing) |
Non-Obvious Insight: Many organizations keep Azure DevOps for 12-24 months post-migration. It deploys to AWS perfectly well. Migrating CI/CD during infrastructure migration doubles risk.
Migration Architecture: The Translation Layer
```mermaid
flowchart TB
    subgraph Azure["Azure (Source)"]
        AzureAD["Azure AD"]
        VNET["Virtual Networks"]
        AzureSQL["Azure SQL"]
        DevOps["Azure DevOps"]
        ExpressRoute["ExpressRoute"]
        Functions["Azure Functions"]
        AKS["AKS (Kubernetes)"]
    end
    subgraph Transition["Transition Period (3-6 months)"]
        SAML["SAML Federation<br/>Azure AD → IAM Identity Center"]
        DualConnect["Parallel Connectivity<br/>ExpressRoute + Direct Connect"]
        DMS["AWS DMS<br/>Database Replication"]
        GitHub["GitHub Actions<br/>Cross-Cloud CI/CD"]
    end
    subgraph AWS["AWS (Target)"]
        IAM["IAM Identity Center"]
        VPC["VPCs + Transit Gateway"]
        Aurora["Aurora/RDS"]
        CodePipeline["CodePipeline or GitHub Actions"]
        DirectConnect["Direct Connect"]
        Lambda["Lambda + Step Functions"]
        EKS["EKS (Kubernetes)"]
    end
    AzureAD --> SAML --> IAM
    VNET --> DualConnect --> VPC
    AzureSQL --> DMS --> Aurora
    DevOps --> GitHub --> CodePipeline
    ExpressRoute --> DualConnect --> DirectConnect
    Functions --> Lambda
    AKS --> EKS
```
Migration Roadmap
Phase 1: Discovery & TCO (Weeks 1-4)
Full Azure inventory via Azure Resource Graph. Map every resource to AWS equivalent. Calculate 3-year TCO including egress, licensing, and team reskilling. Identify "poison pills" (Cosmos DB, Logic Apps, deeply integrated Azure AD).
Phase 2: Landing Zone & Identity (Weeks 5-10)
Deploy AWS Control Tower. Configure AWS Organizations with SCPs. Set up IAM Identity Center with Azure AD as the external identity source (SAML for sign-in, SCIM for user and group provisioning) and confirm that Conditional Access still fires on the AWS enterprise application before anyone depends on it. Establish Direct Connect (long lead time). Design VPC architecture mirroring Azure VNet topology.
Phase 3: Data & Database Migration (Weeks 11-18)
Use AWS DMS for SQL Server → Aurora/RDS. Schema conversion via AWS SCT. Blob Storage → S3 via AWS DataSync, which supports Azure Blob Storage as a source (AWS Transfer Family is a managed SFTP/FTPS endpoint, not a migration tool). Begin Azure DevOps → GitHub Actions pipeline conversion for non-critical apps.
Phase 4: Compute & App Migration (Weeks 19-28)
AWS Application Migration Service (MGN) for VMs. AKS → EKS for Kubernetes workloads. Azure Functions → Lambda (requires code changes). Test all applications in AWS before cutover.
Phase 5: Cutover & Decommission (Weeks 29-36)
Final DNS cutover (Route 53). Cut ExpressRoute, confirm Direct Connect stability. Complete Azure DevOps → CodePipeline migration. Decommission Azure resources. Complete FinOps optimization on AWS.
Total Cost of Ownership (TCO)
Moving from Azure to AWS is rarely about “cheaper infrastructure.” It’s about operational consolidation. Here’s a realistic TCO comparison:
| Cost Category | Azure (Current) | AWS (Future) | Migration Cost |
|---|---|---|---|
| Compute | Pay-as-you-go or RI/SP. Azure Hybrid Benefit for Windows. | Savings Plans or RI. Graviton: up to 40% better price-performance for Linux. | Parallel running (3-6 months) |
| Database | Azure SQL elastic pools. Cosmos DB consumption. | Aurora Serverless v2 or RDS. DynamoDB on-demand. | $50K-$200K schema conversion |
| Storage | Blob Storage (Hot/Cool/Archive) | S3 (Standard/IA/Glacier) | $0.05-$0.09/GB egress! |
| Identity | Azure AD P1/P2 licensing | IAM Identity Center (free) + Verified Access | $50K-$150K policy translation |
| Networking | ExpressRoute ($1K-$10K/mo) | Direct Connect ($2K-$15K/mo) | Parallel running doubles cost |
| DevOps | Azure DevOps (per user) | CodePipeline/GitHub Actions | $100K-$300K pipeline rewrite |
Break-even Analysis: Typical enterprise Azure-to-AWS migration achieves break-even at Month 18-24. Primary drivers: 1) FinOps gains from Graviton adoption, 2) S3 intelligent tiering savings, 3) Elimination of Azure/AWS duplicate licensing. Organizations heavily invested in Windows workloads may never break even—validate TCO before starting.
When NOT to Migrate: Azure Lock-In Scenarios
Azure to AWS migration is a bad idea if:
- Microsoft 365 is your identity backbone. If Azure AD is tied to Outlook, Teams, and SharePoint with Conditional Access enforcing device compliance, staying on Azure for infrastructure may be simpler than managing complex SAML federation.
- Windows Server licensing is optimized for Azure. Azure Hybrid Benefit gives 40%+ discounts for Windows workloads. On AWS, license-included pricing is the default, and bringing your own Windows Server licenses generally requires EC2 Dedicated Hosts. If you're 80%+ Windows VMs, crunch the numbers before moving.
- You're deeply invested in Azure PaaS. Cosmos DB, Logic Apps, Power Platform, and Azure Functions with Event Grid triggers don't have clean AWS translations. If you've gone "Azure-native," refactoring may cost more than the value of consolidation.
- Your contract renewal is less than 12 months away. You'll lose negotiating leverage with Microsoft. Time migration for EA/CSP renewal to maximize credits and avoid early termination penalties.
- Your team lacks AWS expertise and a 6-month runway. The skills gap is the hidden budget killer. Training, certification, and learning-curve productivity loss add 15-30% to migration cost.
How to Choose an Azure to AWS Migration Partner
If you need white-glove AWS-native expertise: Mission Cloud or Caylent. AWS-focused partners who understand the destination better than the source. Ideal for mid-market companies who want deep engineering talent, not just project managers.
If you’re a European enterprise with GDPR complexity: Nordcloud or Claranet. Dual AWS/Azure expertise means they understand both platforms’ identity and compliance models. Nordcloud’s proprietary tools (Klarity, Klar) speed migration.
If cost optimization is the primary driver: Cloudreach or 2nd Watch. Their FinOps practices help negotiate Azure egress and AWS credits (MAP program). Expect 15-25% lower net migration cost.
If you need ongoing managed services post-migration: 2nd Watch or Rackspace. These partners don’t just migrate—they run your AWS environment 24/7. Ideal if you’re reducing internal ops headcount.
If this is part of M&A or business transformation: Deloitte or Accenture. You need partners who can handle the board presentation, regulatory filings, and organizational change management alongside the technical migration.
Red flags when evaluating Azure to AWS migration partners:
- “We have automated Azure-to-AWS conversion tools.” (Misleading. VMs can lift-and-shift, but identity, databases, and pipelines require manual work.)
- Not mentioning Azure AD complexity upfront. (If they don’t ask about Conditional Access policies in the first call, they don’t understand enterprise Azure.)
- Promising fixed-price migration without discovery. (Run. They’ll either change-order you to death or cut corners.)
- No Direct Connect implementation experience. (Connectivity cutover is where migrations fail. This should be their strength.)
- “You should rewrite everything in Lambda/containers.” (Modernization during migration doubles risk. Lift first, optimize second.)
Vendor Case Study: What Good Looks Like
Nordcloud (IBM) migrated a European financial services firm from Azure to AWS:
- Scope: 340 VMs, 85TB data, 47 Azure AD Conditional Access policies, ExpressRoute dependency
- Timeline: 7 months (vs. 4-month initial estimate—identity complexity)
- Cost: €620K consulting + €180K parallel infrastructure
- Approach: Used their Klarity tool for cost modeling, ran ExpressRoute/Direct Connect parallel for 10 weeks
- Outcome: 28% reduction in annual cloud spend post-migration, consolidated from 2 cloud teams to 1
Vendor Failure Story: What to Avoid
[Unnamed Big 4 Firm]: A healthcare company engaged a major consultancy for Azure-to-AWS migration. The partner:
- Estimated 16 weeks for identity migration (actual: 7 months)
- Didn’t discover 89 custom Azure RBAC roles until Week 8
- Recommended “lift and shift” without addressing AKS → EKS workload differences
- Result: $1.2M over budget, 6-month delay, client had to bring in AWS-specialized firm to remediate
Lesson: Dual-cloud expertise matters. Partners who only know AWS (or only know Azure) underestimate translation complexity.
Implementation Partner Interview Questions
Ask these before signing:
- "Walk me through your Azure AD to AWS IAM Identity Center migration process. How do you handle Conditional Access policy translation?" (Tests identity depth, the hardest part of Azure migrations.)
- "What's your approach to ExpressRoute-to-Direct Connect cutover? How do you handle the parallel running period?" (Tests hybrid connectivity experience.)
- "How many Azure DevOps-to-CodePipeline migrations have you completed? What was the pipeline-per-engineer-week ratio?" (Tests CI/CD migration realism.)
- "Can you share an Azure-to-AWS case study with specific metrics: workload count, timeline, cost, and post-migration issues?" (Tests credibility and transparency.)
- "How do you handle egress cost negotiation with Microsoft? Have you helped clients get migration credits?" (Tests commercial sophistication beyond just technical migration.)
How We Select Vendors
We analyzed 45+ multi-cloud migration firms based on:
- AWS Competency: Migration Competency, DevOps Competency status
- Azure Expertise: Azure Expert MSP, Azure Advanced Specializations (dual-cloud experience is critical)
- Case Studies: Proven Azure-to-AWS track record with metrics (not just “cloud migration experience”)
- Identity Depth: Experience with Azure AD → IAM Identity Center translation (the hardest part)
Vetting Process:
- Reviewed partner case studies specifically for Azure-to-AWS examples
- Verified both AWS and Azure partnership tiers (dual expertise matters)
- Evaluated their Azure AD migration methodology documentation
- Excluded partners without Direct Connect implementation experience
- Prioritized partners with FinOps practices (egress cost management)
Post-Migration: First 90 Days
Weeks 1-4: Stabilization & Cost Monitoring
- Daily FinOps check-ins: Watch for runaway costs (misconfigured auto-scaling, forgotten test environments)
- Performance baselining: Compare latency, throughput, and error rates to Azure baseline
- Identity audit: Verify that every Conditional Access policy you mapped is actually enforced on the AWS side. Test the edge cases, not the happy path: a sign-in from outside the trusted ranges, a user without MFA, an unmanaged device, and a service-initiated API call that must still succeed
- Decommission Azure: Don’t leave resources running “just in case”—you’re paying double
Weeks 5-8: Optimization
- Right-sizing: Analyze actual usage with AWS Compute Optimizer. Most migrated workloads are oversized.
- Graviton evaluation: Move Linux workloads to ARM-based Graviton instances; AWS quotes up to 40% better price-performance, so benchmark your own workloads before committing
- Savings Plans: After 4-6 weeks of usage data, commit to 1-year Savings Plans for predictable workloads
- S3 Intelligent Tiering: Enable for all buckets to auto-optimize storage costs
Weeks 9-12: Modernization Planning
- Quick wins: Identify “lifted” workloads that could benefit from managed services (RDS, ElastiCache, Lambda)
- Training: Invest in AWS certifications for team (Solutions Architect, DevOps)
- Runbook handoff: Ensure on-call team has complete AWS operational documentation
- Lessons learned: Document what went wrong for future migrations
Related Migration Guides
- GCP to AWS Migration: Our companion guide for Google Cloud consolidation. Shorter timeline, fewer identity complexities.
- VMware to Native Cloud: If you’re also virtualizing on-premises, combine migrations for efficiency.
- Mainframe to AWS: For enterprises leaving both Azure and legacy mainframes for complete AWS consolidation.
Related Services
- Cloud Readiness Assessment: Get an honest evaluation before committing to migration—we’ll tell you if staying on Azure is actually cheaper.
- Cloud Cost Optimization: Post-migration FinOps to ensure you actually achieve the projected savings.
- Platform Engineering Setup: Build internal developer platforms on AWS to accelerate post-migration productivity.
FAQ
How long does an Azure to AWS migration take?
For a mid-sized enterprise (100-500 VMs, 20TB data, standard Azure services), expect 4-6 months. Complex migrations with Azure AD deep integration, ExpressRoute dependencies, and Azure DevOps pipeline rewrites typically take 9-12 months. The identity layer (Azure AD → AWS IAM Identity Center) often dictates timeline more than compute migration.
What does Azure to AWS migration cost?
Small migrations (< 50 VMs, simple identity): $75K-$150K. Mid-market (100-500 VMs, Azure AD, DevOps): $200K-$500K. Enterprise (1000+ workloads, ExpressRoute, complex compliance): $500K-$2M+. Egress fees add 5-15% for data-heavy workloads. Budget 20% contingency for Azure-specific PaaS translation.
Should I keep Azure AD or migrate to AWS IAM Identity Center?
If Microsoft 365 is central to your identity (Outlook, Teams, SharePoint), keep Azure AD as your IdP and connect IAM Identity Center to it as an external identity source: SAML for sign-in, SCIM for automatic user and group provisioning. Your Conditional Access policies then keep gating the AWS sign-in, which is the simplest way to preserve MFA and device-compliance enforcement. If you're leaving Microsoft entirely, migrate to AWS IAM Identity Center. Hybrid approaches work but add operational complexity. Most organizations keep Azure AD for workforce identity and use IAM Identity Center for AWS access only.
What happens to my Azure DevOps pipelines?
They don’t migrate. Azure Pipelines YAML is incompatible with AWS CodePipeline. Options: 1) Rebuild in CodePipeline/CodeBuild (full AWS native), 2) Migrate to GitHub Actions (works during transition, runs on AWS), 3) Keep Azure DevOps deploying to AWS (cross-cloud, adds latency). Most organizations choose GitHub Actions for flexibility.
How do I avoid Azure egress fees?
Microsoft used to offer nothing comparable to Google's Cloud Exit program, but since March 2024 it credits egress for customers leaving Azure entirely, with conditions: you apply through Azure support, all Azure subscriptions have to be cancelled once the transfer completes, and the credit is time-boxed. If you are keeping any Azure footprint (common when M365-adjacent workloads stay), standard egress rates apply. Strategies: 1) Check eligibility for the exit credit and, failing that, negotiate with your Microsoft account team for migration credits (possible for large customers). 2) Use Azure Data Box export orders for offline transfer of 10TB+ datasets. 3) Compress data before transfer. 4) Migrate during contract renewal for leverage.
Can I keep ExpressRoute and Direct Connect running in parallel?
Yes, but it's expensive. Budget $15K-$25K/month for parallel connectivity during the 3-6 month transition. Plan a hard cutover date; indefinite parallel running erodes ROI. Test failover thoroughly, in both directions, before cutting ExpressRoute.
What’s the biggest hidden cost in Azure to AWS migration?
Application refactoring for Azure PaaS services. Azure Functions → Lambda requires code changes. Cosmos DB → DynamoDB isn’t 1:1. Azure Service Bus → SQS/SNS needs architectural redesign. Budget 30-50% of migration cost for PaaS translation if you’ve adopted Azure-native services heavily.
Is AWS cheaper than Azure?
Not automatically. Azure's pay-as-you-go can be cheaper for Windows workloads (Azure Hybrid Benefit). AWS often wins on: Graviton (ARM) compute (up to 40% better price-performance), S3 storage tiering, and Reserved Instance flexibility. Run a TCO analysis for YOUR workloads; generalizations are dangerous. Post-migration FinOps is essential.