Building a resilient infrastructure by leveraging Infrastructure as Code (IaC) is crucial for a successful Sitecore DXP upgrade, ensuring optimal performance, reliability, and security. There are several options for your Sitecore architecture. Driving them with IaC helps prevent deployment failures, streamlines updates, and supports long-term scalability, helping businesses meet evolving digital experience demands.
The Role of Infrastructure in Sitecore Architecture and Sitecore Migration
A well-structured infrastructure ensures that Sitecore upgrades run smoothly, reducing technical debt and deployment risks. By combining Infrastructure as Code (IaC) practices with automation, organizations can eliminate manual errors and accelerate deployments.
Key considerations include:
- Version Control & CI/CD Pipelines – Ensuring all Sitecore code changes are managed through Git and automated CI/CD workflows.
- Infrastructure as Code (IaC) – Using tools like Terraform, Bicep, or ARM templates that are fully source controlled to automate Sitecore environment provisioning.
- Using CI/CD pipelines to deploy and amend infrastructure with the IaC templates.
- Scalability & Security – Designing the infrastructure to handle growth while maintaining a secure configuration.
- Adhering to practices that support the latest Sitecore version.
Sitecore Hosting Options
Selecting the right Sitecore hosting model is critical to ensuring a scalable and secure infrastructure for your Sitecore migration. Incorporating Infrastructure as Code (IaC) can further streamline provisioning, ensuring consistency across environments. There are several options for Sitecore hosting, each with different topologies and cloud service models. These ultimately form a key part of your Sitecore architecture:
- Physical or virtual Infrastructure as a Service (IaaS) in a private data centre
- IaaS infrastructure in Microsoft Azure or Amazon Web Services (AWS)
- Platform as a Service (PaaS) in Azure (using containers or app services) or AWS (container-based options)
- An infrastructure-only option (a shared Sitecore tenant) through Sitecore Managed Cloud
- A fully managed offering (in your tenant or a dedicated tenant) through Dataweavers Fusion
For most organizations, IaaS offers no significant benefits as a Sitecore hosting option. This is because modern PaaS solutions close previous network security gaps and now offer a better total cost of ownership (TCO).
This narrows the viable Sitecore hosting options down to two PaaS categories:
- Azure Kubernetes Service (AKS) or Amazon Elastic Kubernetes Service (EKS) for container-based deployments
- Azure App Service for a fully managed, PaaS-native solution
Both categories are supported by the latest Sitecore version.
Why Containers Aren’t Always the Best Option for Sitecore
Containers appear to be a flexible solution for Sitecore hosting, but in practice, they can introduce unnecessary complexity without delivering clear advantages. Based on extensive testing and real-world deployments:
- Cost Effectiveness: Containers on AKS or EKS often have a higher TCO than Azure App Service, especially for core Sitecore roles. Containers remain valuable for non-production workloads, APIs, microservices and Solr instances
- Portability: Migrating containers between platforms like AKS and EKS requires significant reconfiguration. Full migrations between cloud providers are rare, and the theoretical benefit is most often not utilized or realized.
- Scalability: Azure App Service offers flexible horizontal and vertical autoscaling that aligns with Sitecore’s workload patterns, while Kubernetes ecosystems often require more maintenance to configure and optimize effectively
- Security: A properly configured Azure App Service offers comprehensive security controls without the operational overhead required for managing containers
While Sitecore initially promoted containers as the future of its platform for Sitecore hosting, operational complexity and limited cost benefits led to a strategic shift. This is noticeable in Sitecore Managed Cloud 2.0, where Sitecore has returned to a PaaS model as the preferred approach for Sitecore hosting, prioritizing performance, scalability and balanced costs. Because it aligns with Sitecore's own hosting and deployment models, Azure PaaS is a clear option to consider.
Optimizing Sitecore Topology with Azure PaaS
Optimizing your code infrastructure for Sitecore requires choosing the right topology and leveraging Infrastructure as Code (IaC) to automate deployment and scaling.
Sitecore supports two primary deployment topologies for Sitecore DXP hosting:
- XP/XM Scaled Topology: Roles are split across distinct compute resources, allowing for fine-tuned performance optimization and autoscaling. This setup is ideal for production environments
- XP/XM Single Topology: Consolidates roles onto shared resources, making it better suited for non-production, development and system integration testing environments.
Ensuring Redundancy and High Availability (HA) in Azure
After defining your topology, building a robust high availability (HA) and redundancy strategy ensures your Sitecore hosting platform remains stable under high load and resilient during outages.
Single Region Redundancy (Basic HA)
- Deploy services across Azure Availability Zones to mitigate data centre failures
- Run at least three instances for each app service to ensure operational redundancy
- Use Azure SQL Database in the Business-Critical tier for resilient regional failover and redundancy
Geo-Redundancy (Advanced HA)
For global resilience and disaster recovery, extend redundancy with the following configuration:
- Deploy at least one instance per region of each app service
- Use Azure Front Door for global load balancing, applying a live 70/30 traffic split between primary and secondary regions
- Geo-redundant options can often be cost-neutral compared to availability zones
Why Use Azure Front Door for Load Balancing?
Azure Front Door offers global load balancing, intelligent traffic routing and high availability across regions, while integrating with Azure’s built-in security features such as Web Application Firewall (WAF) and DDoS Protection.
The 70/30 traffic split strategy works as follows:
- 70% of traffic is routed to the primary region for optimal performance
- 30% of traffic is sent to the secondary region to keep resources warm and ready for failover; in some cases, a 50/50 split may be appropriate
- Reduces failover time by keeping the secondary region active and continually tested under live traffic
- Improves performance for users geographically closer to the secondary region
Enabling SQL Active Geo-Replication
Using Sitecore’s support for Azure Active Geo-Replication allows near real-time replication of Azure SQL Databases across multiple regions. This ensures data integrity and business continuity in the event of a regional failure.
- Replicate the Web database across regions to ensure uninterrupted content delivery (replicating other databases such as Forms is also recommended)
- Configure automatic failover groups for seamless switching between regions during outages
- Set up a standby Azure Cache for Redis in the secondary region to maintain cache consistency during failovers
This (Advanced) setup aligns with Sitecore’s hosting practices but adds capability for ensuring minimal downtime, consistent performance and robust failover readiness. The Dataweavers platform provides the Active/Active approach by default (Advanced). Sitecore Managed Cloud 2.0 provides an Active/Passive model (Basic).
Scaling Sitecore hosting with Azure App Services
A well-architected infrastructure, delivered with Infrastructure as Code (IaC), enables seamless scalability, automating resource allocation and performance tuning.
Azure App Service provides flexible scaling options:
- Autoscaling Rules: Automatically adjust the number of running instances based on metrics like CPU usage, memory consumption or HTTP request volume
- Scheduled Scaling: Allows proactive scaling during predictable traffic surges, such as marketing campaigns or product launches
- Instance Warm-Up Settings: Ensures that new instances are fully initialized before handling traffic, preventing cold-start delays
This dynamic scaling approach maintains high performance while optimizing operational costs in your Sitecore hosting environment.
Monitoring, Troubleshooting and Disaster Recovery
Monitoring and disaster recovery are critical for maintaining uptime and ensuring rapid issue resolution:
- Azure Monitor and Application Insights provide real-time visibility into system health, response times and resource utilization
- Set up custom alerts for unexpected performance issues, such as CPU spikes, slow database queries or traffic surges
- Implement Point-in-Time Restore (PITR) for Azure SQL backups and leverage geo-redundant storage for disaster recovery across regions
Security Best Practices for Azure PaaS Infrastructure
A secure Sitecore hosting environment requires a layered security strategy.
Network Security and Isolation
- Azure Private Endpoints secure internal communications between Azure resources, eliminating the need for public internet exposure
- Virtual Network (VNet) Isolation segments resources to prevent unauthorized access
- Network Security Groups (NSGs) apply granular inbound and outbound traffic control at the subnet and resource level
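The single-region HA rules (zone redundancy, three instances, Business-Critical SQL) and the data-tier isolation described above can be enforced as a pipeline check before an IaC deployment runs. The following is an added example, not code from the original article or from Sitecore or Dataweavers: it audits a parsed ARM template, the sample templates and resource names are constructed, and limiting the public-access check to SQL servers and Redis is an assumption.

```python
MIN_INSTANCES = 3  # page: "at least three instances for each app service"
DATA_TIER = {"microsoft.sql/servers", "microsoft.cache/redis"}  # assumed scope

def audit(template):
    """Return (resource name, problem) pairs for one parsed ARM template."""
    findings = []
    for res in template.get("resources", []):
        rtype = res.get("type", "").lower()
        name = res.get("name", "<unnamed>")
        props, sku = res.get("properties", {}), res.get("sku", {})
        if rtype == "microsoft.web/serverfarms":
            cap = sku.get("capacity", 1)
            # An unresolved "[parameters(...)]" expression is flagged, not trusted.
            if not isinstance(cap, int) or cap < MIN_INSTANCES:
                findings.append((name, "fewer than three instances"))
            if props.get("zoneRedundant") is not True:
                findings.append((name, "plan is not zone redundant"))
        elif rtype == "microsoft.sql/servers/databases":
            if sku.get("tier") != "BusinessCritical":
                findings.append((name, "database is not Business Critical"))
        elif rtype in DATA_TIER:
            # A missing property means the platform default: public access enabled.
            if props.get("publicNetworkAccess", "Enabled") != "Disabled":
                findings.append((name, "public network access is enabled"))
    return findings

# Constructed sample templates (hypothetical resource names, not from the page).
WEAK = {"resources": [
    {"type": "Microsoft.Web/serverfarms", "name": "cd-plan",
     "sku": {"name": "P1v3", "capacity": 2}, "properties": {}},
    {"type": "Microsoft.Sql/servers", "name": "sc-sql", "properties": {}},
    {"type": "Microsoft.Sql/servers/databases", "name": "sc-sql/web",
     "sku": {"name": "GP_Gen5_2", "tier": "GeneralPurpose"}},
]}
HARDENED = {"resources": [
    {"type": "Microsoft.Web/serverfarms", "name": "cd-plan",
     "sku": {"name": "P1v3", "capacity": 3},
     "properties": {"zoneRedundant": True}},
    {"type": "Microsoft.Sql/servers", "name": "sc-sql",
     "properties": {"publicNetworkAccess": "Disabled"}},
    {"type": "Microsoft.Sql/servers/databases", "name": "sc-sql/web",
     "sku": {"name": "BC_Gen5_2", "tier": "BusinessCritical"}},
]}

if __name__ == "__main__":
    for label, tpl in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(tpl))
```

Run against the template a CI/CD stage is about to deploy, a non-empty result is a reason to fail the build rather than discover the gap in production.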
Identity and Access Management
- Azure Entra ID (formerly Azure Active Directory) centralizes identity management while enabling Single Sign-On (SSO) across Sitecore roles
- Role-Based Access Control (RBAC) limits access based on user roles and responsibilities
- SSO Integration simplifies user access management while securing sensitive administrative controls
Enhancing Security with Azure Front Door
Azure Front Door enhances your Sitecore deployment’s security posture with built-in protections:
- Web Application Firewall (WAF) defends against common threats such as SQL injection and cross-site scripting (XSS), with custom Sitecore-specific rule sets to minimize false positives
- Bot Protection identifies and mitigates automated attacks, including credential stuffing and scraping
- Azure DDoS Protection automatically blocks distributed denial-of-service attacks before they impact application performance
Other advanced considerations include using a CDN layer with a proxy capability such as Cloudflare or Akamai. These services provide DDoS protection and advanced bot mitigation at the edge, complementing the Azure security measures. A multi-layered defence strategy combining Azure Front Door with edge protection ensures performance and security at scale. Dataweavers Fusion comes pre-packaged with the Cloudflare Advanced Capability perfectly tuned for Sitecore hosting.
Search Options for Sitecore on Azure
For Sitecore XP 10+ (and Sitecore latest versions), Apache Solr remains a required component for core platform functionality, including content indexing and analytics—even if its full search capabilities aren’t fully utilized.
Fully Managed Solr as a Service
Managing Solr can be costly and resource-intensive, but fully managed services simplify this while enhancing scalability:
- Dataweavers Managed Solr: A fully managed solution optimized for Sitecore hosting. Deployed with Dataweavers Fusion, it includes operational management and seamless integration. It also provides significant cost savings over alternative options.
- SearchStax: A scalable SaaS Solr hosting service that provides basic Solr functionality.
Non-Solr Search Options
For businesses seeking advanced search features and AI-driven personalization:
- Sitecore Search: A fully managed, cloud-native solution with seamless integration into Sitecore’s personalization engine
- Coveo: An AI-powered platform that delivers personalized search results, recommendations and deep search analytics
Wrap up: Future-Proofing Sitecore with Azure PaaS
Upgrading Sitecore successfully requires more than deploying the latest version—it demands a well-optimized code infrastructure and a strong Infrastructure as Code (IaC) strategy to ensure long-term scalability, security, and automation in your Sitecore hosting environment.
Dataweavers Fusion for Sitecore offers a fully optimized Azure PaaS Sitecore hosting solution that ensures high availability, scalability and security in your Tenant, fully transparent and integrated into your ecosystem.
Ready to upgrade your Sitecore hosting environment and Sitecore solution? Talk to our team today to ensure your infrastructure is ready for the future!