Navigating Legacy Infrastructure Migration: Lessons from a Time-Critical Datacenter Exit

May 7, 2026
Table of contents

Your datacenter contract ends in 42 days and is set for decommission. Over twenty percent of your VMs run operating systems that lost support before the COVID-19 pandemic began and haven't received security updates in nearly a decade. Documentation is incomplete due to corporate restructuring. Releasing these systems isn't always an option - they're running revenue-critical applications, and system modernization is not an option by customer definition.

This isn't hypothetical. It's the reality CloudZone recently navigated for a leading AI company: ±25 VMs across two Israeli data centers, a hard December 31st deadline, legacy Windows/Linux OS versions, and significant knowledge gaps due to organizational changes.

The project succeeded not by pursuing technical perfection, but by aligning pragmatic approaches with real-world constraints.

Tri-Path Migration strategy

Not every VM fits the same migration pattern. We developed three parallel paths based on OS compatibility and business constraints:

Path 1: Rehost via AWS MGN (70-80% of estate)

AWS Application Migration Service provides automated, continuous replication for supported operating systems. Minimal downtime, built-in validation, test launches before production cutover. We executed in four migration waves, grouped by functionality, technology stack, migration strategy, and complexity.

Path 2: VM import and Preserve via S3 Backup (10-20% of estate)

Legacy OS versions incompatible with MGN (vendor link) were exported as OVF files to S3. This isn't failure- it's strategic pragmatism. S3 preservation provides compliance retention, recovery optionality, and costs a fraction of maintaining datacenter space.

VM Import/Export enables you to import virtual machine (VM) images from your existing virtualization environment to Amazon EC2, and then export them back. This enables you to migrate applications and workloads to Amazon EC2, copy your VM image catalog to Amazon EC2, or create a repository of VM images for backup, this mitigation option supports alternative OS stack (vendor link).

 

Path 3: Selective Modernization (±10% of estate)

Reserving cloud-native refactoring for high-value systems where investment is justified. Make this a post-migration opportunity, not a pre-migration requirement.

The critical insight: These paths aren't sequential stages where you "fail down", they're parallel strategic choices aligned with business constraints and risk tolerance.

We evaluated different technologies (including AWS's latest Agentic Transport, MGN, VM Import, OVF Backups, EVS, VMC, etc.), Glass box transparency approach, and side-to-side collaboration with customer focal, AWS, and Matrix experts taking the best decisions aligned to requirements and constraints.

Architecture decisions that beat the deadline

Active Directory: The Trust Relationship Approach

This represents our most differentiated value, delivering a tailored approach. From assessment and planning to execution and post-optimization, with Max agility to customer change requests, during the project lifecycle.

Most AD migration content focuses on user migration via ADMT. But legacy applications don't work this way; service accounts are hardcoded in configuration files, connection strings, and Windows services across dozens of systems. Finding and updating every reference takes time which you don't have.

Our Journey:

  1. We evaluated with the customer IT the pros/cons of deploying AWS Managed Microsoft AD as a new subdomain vs AD self managed AD
  2. We temp established trust relationships with on-premises domain controllers
  3. Migrate VMs while applications continue authenticating via trust credentials unchanged
  4. Phased credential updates become operational work, not a migration-critical path
  5. Clean decommission once dependencies are validated

Strategic impact: Shifting approach to self-managed AD.. In retrospect actually simplified customer IT operation, as existed forest and domains where re-used, preserved SIDs, no domain join changes required post MGN, fully compatible with MGN (no identity remediation required, existing GPOs/service accounts, LDAPs are preserved, no app impact, full operational control (customer request).

 

Multi-VPC Segregation as Risk Management

We architected four distinct VPCs connected via Transit Gateway:

  • App Migration VPC: MGN replication staging
  • Labs VPC: Test cutover validation
  • Legacy VPC: Production workloads post-cutover
  • Network VPC: Shared services, AD management, Firewall

Test failures in Labs don't impact production. You validate functionality, networking, and authentication before actual cutover windows. Labs VPC test launches revealed network connectivity assumptions, DNS dependencies, and permission issues, resolved before production impact.VPN vs. Direct Connect: Timeline Drives Decision

We chose Site-to-Site VPN over Direct Connect due to timeline constraints. Direct Connect requires weeks to provision and upfront capital investment. VPN offered rapid provisioning (days), sufficient bandwidth for MGN replication, and operational expense versus capital expense. For time-constrained migrations with defined end states, VPN delivers faster results.

Questions CTOs Should Ask Before Migration

1. Where's the organizational knowledge?

Documentation gaps equal migration risk. If nobody can answer "What happens if this VM stops for 30 seconds?", you have a knowledge problem. In our project, partial knowledge due to reorganizations emerged as a more significant risk factor than OS compatibility.

2. What's the real deadline?

Contractual datacenter exit dates are non-negotiable. Map backward from the hard deadline and accept "good enough" over "perfect" in architecture decisions when timeline compression demands it.

3. What's truly incompatible?

Not just "old", specifically incompatible with AWS MGN. Set expectations early: legacy OS requires mature assessment - vendor support, security hardenings, licensing, target resources (e.g. hypervisors, shared pool vs dedicated hosts), IT expertise, committed SLAs, etc)

4. What's in your control vs. customer responsibility?

Clear RACI boundaries prevent surprises. We made customer ownership (e.g., MGN agent installation) strategic, it forced early engagement with workload owners, surfacing hidden dependencies before cutover when addressing them is less costly.

CloudZone Team insights

Lital Hakim (Project Mgr):

How do you prevent "perfection" from becoming the enemy of the deadline?

Answer: We enforce a strict backward-mapped timeline from the exit date, prioritizing "good enough" for migration over "perfect" for architecture to ensure no VM is left behind.

Mhinkyu Kim (Cloud DevOps Mgr):

What is the biggest technical risk when migrating "32-bit fossils"?

Answer: It’s often not the OS itself, but undocumented dependencies, for example, AWS MGN does not include 32-bit (x86) network drivers in its conversion package, Nitro-based instances do not support 32-bit guest OS, etc.

 

Why can't I just import my OVA directly to EC2?

AWS VM Import validates that the instance can boot and establish network connectivity. Legacy VMs with VMware-only drivers will fail this check, forcing you to use the snapshot-import and helper-instance workaround to manually inject AWS drivers offline.

 

Should I use Nitro or Xen-based instance types for legacy VM migrations?

Start with Xen-based instances (t2, m4, r4) for legacy OS migrations. Nitro instances (t3+, m5+, r5+) require ENA and NVMe drivers that older operating systems may not support, even after driver injection.

 

Avital Silverstone (Cloud DevOps):

Why choose Self-Managed AD on EC2 instead of AWS Managed Microsoft AD?

We opted for a self-managed solution to ensure a zero-impact migration. By extending our existing domain into AWS, we avoided changing SIDs, rejoining servers, or modifying applications. This allowed us to meet our DC shutdown deadline safely without the risks of a full identity redesign.

 

What obstacles might we face during the MGN agent deployment?

While most servers synced perfectly, we hit three specific hurdles that required manual intervention:

 

  • OS Compatibility: Legacy systems like Windows 2003 (32-bit) and RHEL 6 (SSL issues) were unsupported by the MGN agent and required alternative migration strategies.
  • The "Initiating" Loop (Linux): On one RHEL 7 instance, a certificate error caused the agent to hang in a "Not Ready" state. We resolved this by performing a full session cleanup: disconnecting the server, uninstalling the agent, archiving the record in the MGN console, and performing a fresh installation. 
  • Hidden Credentials (Windows): A Windows 10 migration failed with an UninitializedAccountException. We discovered the installer was being "clobbered" by old AWS credentials stored in System Environment Variables. Once those were deleted, the agent installed successfully.

 

The impact

The datacenter exit succeeded:

  • VMs migrated or preserved within deadline constraints
  • Didn't miss deadlines on time-critical decommissioning
  • Business continuity maintained with downtime tolerance met
  • Pragmatic architecture balancing speed, risk, and cost
  • Post-migration foundation enabling selective modernization on the business timeline

The strategic insight: The best migration isn't the most technically elegant- it's the one that meets business objectives within real-world constraints.

Legacy OS preservation via S3 was pragmatic risk management. Trust-based AD architecture enabled business continuity while maintaining modernization optionality. Organizations that succeed make tradeoffs consciously, strategically, with a clear-eyed assessment of constraints.

If your organization faces aging infrastructure, hard deadlines, incomplete documentation, and business continuity requirements, the path forward isn't wishing for better circumstances. It's building a strategy that works within your actual circumstances.

Let's Navigate Your Challenge

CloudZone specializes in time-critical infrastructure migrations where standard playbooks don't apply. Our AWS Premier Partner status, Migration Competency, and 150+ AWS certifications mean we bring proven architectural patterns refined across enterprise migrations.

 

Schedule a migration discovery workshop →

FAQs

More from CloudZone

Ori Tabachnik
June 3, 2026
The 5 Decisions That Turn an AI Pilot Into a Production-Ready Solution

Most companies today are not struggling to start AI pilots. They are struggling to move them into production.

AI
Or Dotan
June 1, 2026
Security Operations Center on AWS: Designing a Modern Cloud SOC

Cloud-native security signals are increasingly central to what enterprise SOCs handle day-to-day. Yet, many security operations teams are still triaging them with tools and playbooks designed primarily for on-premises environments.

No items found.
Kamellia Penkova
May 28, 2026
How to Get the Most Out of Your Collaboration with a FinOps Expert

Let’s be honest- when an infrastructure team gets involved in a FinOps initiative at the beginning, the sentiments are often mixed. Some teams are happy to hear they will have extra hands to manage the AWS bill.

FinOps

Let’s push your cloud to the max

Thanks for reaching out

We’ve received your request, and one of our experts will be in touch shortly.
Form submission failed!
Solutions
AI Solutions
Cost Optimization
Marketplace & Co-Sell
Cloud Migration
Cloud Security
Our Partners
Amazon Web Services
Google Cloud
Resources
Blog
Case studies
Company
About us
Security trust center
@ All rights reserved to CloudZone Inc.
Privacy policy
Terms of service
Accessibility
@ All rights reserved to CloudZone Inc.