Case Studies

A multi-site enterprise running 54 Windows Server workloads across six network segments needed to leave its ageing VMware infrastructure behind, without disrupting the 100+ users who depended on it daily.

Challenge: A Complex Estate with No Room for Disruption

The organisation had outgrown its on-premises VMware environment. Hardware was ageing, scaling required capital expenditure with long lead times, and the disaster recovery posture amounted to tape backups with multi-day recovery times.

But moving to the cloud was not straightforward. Key challenges included:

• Legacy disk formats – VMDK variants across the estate were incompatible with AWS import tooling in several cases, with failures that surfaced no clear error messages.
• Multi-disk VMs – Several workloads relied on two to four data volumes that had to be imported and mapped in the correct order, or risk boot failures and data loss.
• A hardware-locked licence – The core ERP system was protected by a USB security dongle physically attached to an on-premises server. Moving the application to the cloud would break licence validation entirely.
• Six interconnected network segments – VLANs for corporate IT, ERP and finance, manufacturing, HR, remote desktop services, and a public-facing DMZ each had distinct trust boundaries that had to be reproduced in AWS.
• 100+ concurrent users – Session profiles, drive mappings, and application access all had to remain uninterrupted throughout the migration.

Action: A Wave-Based Migration with a Custom Licence Relay

Obsium designed a phased, dependency-sequenced approach that addressed each challenge independently before combining them into a controlled cutover.

Disk conversion first.  Rather than importing VMDKs directly, every disk was converted to RAW format using qemu-img before being submitted to AWS VM Import. This single step eliminated format-related failures across all 54 VMs.

Network architecture translated, not rebuilt.  The six on-premises VLANs were mapped to a multi-VPC design in AWS, with VPC peering, route tables, and security groups reproducing the original firewall access controls segment by segment.

The USB dongle problem, solved without the vendor.  A lightweight Linux relay server was retained on-premises, connected to the dongle and running USB-over-IP software. Tailscale mesh VPN linked the relay to the EC2 ERP instance over an encrypted peer-to-peer tunnel – making the dongle appear locally attached at the OS level. The ERP application launched on AWS with full licence validation on the first attempt.

Migration in five waves.  Identity and DNS infrastructure moved first, followed by ERP and finance, then manufacturing, HR, and finally remote desktop and DMZ services. Each wave was validated before the next began.

Results: 54 VMs Moved. Nothing Broken.

• Zero data loss across approximately 18 TB of storage, including multi-disk configurations
• Continuous RDP access for all users throughout the migration window
• Hardware licence preserved — ERP running on AWS with USB dongle validation via Tailscale relay
• Network segmentation reproduced — six-VLAN trust model faithfully replicated in AWS
• No application changes across any of the 54 workloads
• Stronger security posture — all workloads in private subnets, user access via Tailscale VPN

What This Makes Possible

With the estate now on AWS, the organisation can scale compute on demand, recover from failure in minutes rather than days, and progressively modernise workloads without another disruptive migration event. The Tailscale relay also creates a clear path toward full dongle elimination once the software vendor offers cloud-native licensing.