Migration - Upgrades

How to Migrate ColdFusion to Azure App Service

by Aaron Longnion
12 min read
Contents show

Why move your ColdFusion workloads to Azure App Service

ColdFusion remains critical for many teams because of its productivity, CFML ecosystem, and mature integrations. Moving it to Azure App Service modernizes operations, reduces server Maintenance, and improves resilience with built-in autoscaling, Deployment slots, and managed SSL. You gain Cloud-native benefits such as CI/CD, centralized logging/monitoring, and easier Integration with services like Azure SQL, Azure Files, Key Vault, and Application Insights—all while keeping your ColdFusion application logic intact.

Prerequisites / Before You Start

  • Application inventory and documentation:
    • ColdFusion version (e.g., 11, 2016, 2018, 2021, 2023).
    • JDK/JRE version required by your ColdFusion version.
    • Web server and connector details (IIS/Apache/Tomcat connector).
    • CF Administrator Configuration: datasources (DSNs), mappings, Scheduled tasks, mail servers, caches, Custom tags/CFCs, JVM args, Security settings.
    • Dependencies: JDBC drivers, JARs in lib/ folders, CF packages (cfpm for CF2021+), third-party tools (ImageMagick, wkhtmltopdf), native binaries.
    • External services: SMTP, SSO, file shares, queueing, Payment gateways, SOAP/REST endpoints.
  • Backups:
    • Full code repository and static assets.
    • Export ColdFusion Administrator settings (CF2021/2023: cfsetup export; older versions: CAR file export or manual documentation).
    • Database backups and scripts to provision infra in Azure (IaC preferred).
    • Export SSL/TLS certificates if needed for backend truststores.
  • Compliance and Licensing:
    • Validate ColdFusion license terms for Azure and containers. Ensure you have a valid license for production. Plan for staging/test licenses.
  • Azure resources and access:
    • Active Azure subscription, permissions to create App Service, Azure Container Registry (ACR), Azure Storage, Key Vault, VNet/Subnets.
    • Azure CLI or PowerShell installed locally.
  • Containerization plan:
    • Preferred approach is App Service for Linux with a custom container (Adobe publishes official images for 2021/2023). For older versions, you may need to build a custom image.
    • Decide image registry (ACR or Docker Hub).
  • Networking and Security:
    • Decide if your app needs private connectivity (VNet Integration) to databases or internal APIs.
    • Plan to store secrets in Azure Key Vault and inject via App Settings/Managed Identity.
  • Performance/Scaling considerations:
    • Session management strategy (ARR affinity, external session store).
    • Shared storage approach (Azure Files) if your app writes files at runtime.
  • CI/CD:
    • Choose GitHub Actions or Azure DevOps pipelines for build-and-deploy.

Planning and Architecture Decisions

Choose your replatform path

  • Lift-and-shift with Adobe ColdFusion in containers (recommended):
    • Use Adobe’s ColdFusion 2021 or 2023 official Docker images as base.
    • Import your CF Admin settings via cfsetup, add your code, set environment variables.
  • Move from Adobe CF to Lucee CFML (optional Modernization):
    • Requires code and Configuration validation. Not a drop-in for all apps.
  • When not to use App Service:
    • If you require low-level OS control, non-container native binaries, or complex clustering that relies on multicast or unsupported kernel Features, consider Azure VMs or Azure Kubernetes Service instead.
See also  How to Migrate ColdFusion Admin Settings to New Server

Storage and state

  • Code should be immutable inside the container. Treat runtime file writes carefully:
    • Use Azure Files for shared storage across instances.
    • Avoid writing to local container filesystem (ephemeral). Only /home is persistent in App Service, but external shares are safer for multi-instance.
  • Sessions:
    • Default: rely on App Service’s sticky sessions (ARR affinity). Works for many apps but not ideal for failover.
    • Better: use Azure Cache for Redis or database-backed sessions if your app supports it. Lucee has Redis session storage. Adobe CF Session replication requires enterprise Features and cluster support; in containers, replication is non-trivial.

Data layer

  • Use Azure SQL, Azure Database for MySQL/PostgreSQL, or keep your existing DB over private network peering or VPN/ExpressRoute.
  • Configure JDBC drivers and DSNs in the image or at startup.

Observability

  • Application Insights (Java agent) for request traces, metrics, and logs.
  • App Service diagnostics and container logs to capture stdout/stderr.
  • Log aggregation to Storage or Log Analytics.

Environments and rollouts

  • Deployment slots for Blue/Green and zero-downtime swaps.
  • Feature flags for progressive cutovers.
  • Health checks to gate slot swaps.

Step-by-Step Migration guide

  1. Assess and export your current ColdFusion configuration
  • List your CF Admin settings, including datasources, mail, Scheduled tasks, mappings, JVM tuning, security, and custom libraries.
  • Export configuration:
    • ColdFusion 2021/2023: use cfsetup to export to JSON.
    • Older versions: create CAR files or export DSNs/mappings manually.
  • Inventory all external dependencies (Image processing, PDF generation, native tools). Decide which can be replaced with Java libs or OS packages in the container.
  1. Containerize the application
  • Start with Adobe’s official image for your target version (e.g., adobecoldfusion/coldfusion:2023).
  • Add your code and any needed libs into the container image.
  • Apply your Admin config via cfsetup during image build or container startup.
  • Expose the CF internal HTTP port (e.g., 8500), and prepare for WEBSITES_PORT in App Service.
  • Keep secrets out of the image—use environment variables and Key Vault references.
  1. Prepare Azure resources
  • Create or reuse an Azure Container Registry (ACR) to store your custom image.
  • Create an App Service Plan (Linux) sized according to CPU/RAM needs.
  • Create the Web App for Containers targeting your ACR image.
  • Optional but recommended:
    • Azure Files for shared storage; mount to /home/site/wwwroot/assets or a path your app uses.
    • VNet integration to securely reach databases and internal APIs.
    • Key Vault for secrets; grant system-assigned managed identity access to secrets.
    • Application Insights for telemetry.
  1. Set application settings (environment variables)
  • DB connection strings, mail Server settings, CF Admin password, license keys, and feature toggles.
  • Set WEBSITES_PORT to your container’s listening port (e.g., 8500).
  • Enable ARR affinity unless your Session management is externalized.
  • Configure HEALTHCHECK path in App Service for automatic restarts on failures.
  1. Build and push your container
  • Build locally or via CI. Push to ACR.
  • Example GitHub Actions or Azure DevOps pipeline can automate build-and-push on every commit.
  1. Wire up logging and monitoring
  • Enable container logging in App Service.
  • Attach Application Insights Java agent by adding -javaagent to JAVA_OPTS, or use the App Service integration where available.
  • Confirm logs appear in Log Stream and traces in Application Insights.
  1. Database Migration and connectivity
  • Migrate schema/data to Azure SQL/MySQL/PostgreSQL if applicable.
  • Update JDBC drivers and DSNs.
  • Use private endpoints for secure access; verify from within App Service using VNet integration.
  1. Static assets and shared files
  • Mount Azure Files to your Web App. Repoint your app’s upload paths to the mounted share.
  • Validate read/write permissions and Performance.
  1. Security hardening
  • Lock down admin endpoints. Do not expose /CFIDE in production. Use IP restrictions or route CF Admin through private access only.
  • Offload TLS to App Service; manage certs in App Service with Key Vault integration.
  • Use managed identity for secrets; avoid plain-text credentials.
  1. Deploy to a staging slot and validate
  • Create a staging slot linked to the same ACR image but with staging-specific app settings.
  • Run smoke tests, functional, and performance tests.
  • Only when green, perform a slot swap to production for Zero downtime.
  1. Optimize Scaling and performance
  • Right-size the App Service Plan. Monitor memory utilization; ColdFusion JVM can be memory-hungry.
  • Configure autoscale rules (CPU %, memory via custom metrics, or request count).
  • Tune JVM options (-Xms/-Xmx, GC). Validate under load.
  1. Cutover DNS and monitor
  • Point custom domain to App Service. Upload or bind certificates.
  • Monitor errors, latency, and server CPU/memory.
  • Keep rollback ready via previous slot/image.
See also  How to Move ColdFusion to a Cloud Environment

Risks, Common Issues, and How to Avoid Them

  • Container mismatch with old CF versions:
    • Risk: Older ColdFusion versions may not have official images. Custom images can be brittle.
    • Mitigation: Target CF2021/2023 if possible; run full regression tests; lock base image versions.
  • Session loss during scale-out:
    • Risk: With ARR affinity off or during instance restarts, users may lose sessions.
    • Mitigation: Keep ARR affinity on; implement external session store (Redis) if feasible; avoid writing session state to local disk.
  • File persistence:
    • Risk: Writing to ephemeral container filesystem leads to data loss on restarts.
    • Mitigation: Redirect uploads and generated files to Azure Files or blob storage; keep the container image immutable.
  • Missing native binaries:
    • Risk: Tools like ImageMagick not present in container.
    • Mitigation: Install required packages in Dockerfile or switch to pure-Java libraries; test at build time.
  • Database connectivity and firewall rules:
    • Risk: App can’t reach DB after move.
    • Mitigation: Configure VNet integration and Private Endpoints; update firewall rules to allow App Service outbound; verify DNS resolution.
  • Time zone and locale differences:
    • Risk: Containers default to UTC; date logic breaks.
    • Mitigation: Set TZ environment variable or configure JVM user.timezone; write timezone-aware code.
  • JVM memory/GC tuning:
    • Risk: OOM kills or GC pauses under load.
    • Mitigation: Right-size Xms/Xmx; use G1GC for modern JVMs; monitor heap and adjust.
  • Admin endpoints exposed:
    • Risk: Security exposure if /CFIDE or CF Admin is public.
    • Mitigation: Remove/disable admin UI in production images; restrict with IP allowlists, VNet, or Authentication.
  • Licensing:
    • Risk: Non-Compliance or unexpected cost.
    • Mitigation: Validate licensing model for Cloud/Containers; store license keys securely.

Post-Migration Checklist / Validation Steps

  • Functional verification:
    • All pages render without 500 errors; CFML tags and components behave as expected.
    • Datasources connect; CRUD operations succeed; transactions commit/rollback.
    • Scheduled tasks run on schedule (or via Azure WebJobs/Logic Apps if you externalized scheduling).
    • Email sending works; mail server credentials are correct.
  • Security and Networking:
    • CF Admin not publicly accessible.
    • Health check endpoint returns 200.
    • App Service has required outbound connectivity to DBs/internal APIs.
  • Storage:
    • File uploads, downloads, and generated PDFs/images work and persist after instance recycle.
    • Cleanup and retention policies set for logs and temp files.
  • Observability:
    • Application Insights shows requests, dependencies, exceptions.
    • Container logs are captured; alerts configured for error spikes or CPU/memory thresholds.
  • Performance and scaling:
    • Load test confirms acceptable latency and throughput.
    • Autoscale rules tested (scale out and back in).
    • JVM heap usage stable; no frequent full GCs.
  • Compliance:
    • Secrets served from Key Vault or environment; no secrets in code or image.
    • Correct TLS configuration and cipher suites; custom domains bound with valid certs.
  • Operations:
    • CI/CD pipeline builds, scans (SAST/DAST), and deploys the container.
    • Backup/restore plan verified for databases and file shares.
    • Runbooks for incident response updated.

Reference configuration snippets

Sample Dockerfile (Adobe ColdFusion 2023, Linux)

Dockerfile
FROM adobecoldfusion/coldfusion:2023

Install OS packages if needed (example: Image processing tools)

RUN microdnf install -y ImageMagick && microdnf clean all

Copy application code into the image

Consider copying to /app and using a webroot mapping to keep /home persistent

WORKDIR /app
COPY ./webroot/ /app/

Import CF Admin settings using cfsetup (if you exported to cfconfig.json)

Place cfconfig.json next to Dockerfile or bake it into the image

COPY ./cfconfig.json /opt/coldfusion/cfconfig.json

See also  How to Roll Back a Failed ColdFusion Upgrade

Set admin password and import config at startup

ENV cfsetup_adminPassword=${CF_ADMIN_PWD}
ENV CFUSION_HOME=/opt/coldfusion/cfusion

Example entrypoint script to apply config (simplified)

COPY ./entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh

EXPOSE 8500
CMD [“/entrypoint.sh”]

Example entrypoint.sh
bash

!/usr/bin/env bash

set -e

Start ColdFusion in the background

/opt/coldfusion/cfusion/bin/coldfusion start

Wait for server to be ready

sleep 20

Apply cfsetup configuration if present (CF2021/2023)

/opt/coldfusion/cfusion/bin/cfsetup import /opt/coldfusion/cfconfig.json –password “${CF_ADMIN_PWD}” || true

Keep CF running in foreground

tail -f /opt/coldfusion/cfusion/logs/coldfusion-out.log

Notes:

  • For older CF versions, use CAR files or manual configuration.
  • Keep secrets out of the image; pass CF_ADMIN_PWD as an App Setting in App Service, preferably sourced from Key Vault.

Azure CLI: create ACR, App Service plan, and Web App

bash

Variables

RG=rg-cf-azure
LOC=eastus
ACR=cfacr1234
PLAN=plan-cf-linux
APP=web-cf-prod
IMG=cfapp:1.0.0

Resource group

az group create -n $RG -l $LOC

ACR

az acr create -n $ACR -g $RG –sku Standard
az acr login -n $ACR

Push image

docker tag $IMG $ACR.azurecr.io/$IMG
docker push $ACR.azurecr.io/$IMG

App Service plan (Linux)

az appservice plan create -g $RG -n $PLAN –is-linux –sku P1v3

Web App for Containers

az webapp create -g $RG -p $PLAN -n $APP \
-i $ACR.azurecr.io/$IMG

Configure ACR credentials

az webapp config container set -g $RG -n $APP \
–docker-custom-image-name $ACR.azurecr.io/$IMG \
–docker-registry-server-url https://$ACR.azurecr.io

App settings

az webapp config appsettings set -g $RG -n $APP –settings \
WEBSITES_PORT=8500 \
WEBSITE_HEALTHCHECK_PATH=/health.cfm \
WEBSITE_ENABLE_APP_SERVICE_STORAGE=true \
CF_ADMIN_PWD=@Microsoft.KeyVault(SecretUri=https://mykv.vault.azure.net/secrets/cfAdminPwd/xxxx)

Health check endpoint (health.cfm)

cfm



OK


FAIL

Sample Application Insights configuration (Java agent)

  • Upload the Application Insights Java agent to a mounted path or bake into the image, then set:
  • App Setting: JAVA_OPTS=-javaagent:/home/site/wwwroot/agents/applicationinsights-agent.jar

Comparison of deployment options

Option When to use Pros Cons
App Service for Linux with custom container (Adobe CF 2021/2023) Most replatforming scenarios Managed platform, autoscale, slots, easy CI/CD Requires Containerization, limited OS control
Lucee CFML on App Service (container) Open-source engine, Modernization Lower license cost, flexible session/Redis Some CFML features differ; requires testing/Refactoring
Azure VMs (IaaS) Legacy features, OS-level control Full control, existing installers More ops overhead, patching, scaling complexity

Additional tips and Best practices

  • Use deployment slots for Blue/Green; validate with synthetic tests before swap.
  • Avoid storing large binaries in the container image; fetch at startup or mount storage.
  • Keep runtime config externalized via environment variables and Key Vault.
  • Implement zero-trust networking with Private Endpoints and NSGs.
  • Set strict outbound rules if using a firewall; allow ACR and required service tags.
  • Consider WAF-enabled Application Gateway or Azure Front Door for global routing, caching, and security.

FAQ

How do I handle ColdFusion sessions when scaling to multiple instances?

App Service provides sticky sessions via the ARR Affinity cookie. For higher resilience, externalize session state. With Lucee, you can use Redis-backed sessions. For Adobe ColdFusion, consider application-level tokens or database persistence for critical state. Avoid local file-based session storage in containers.

Can I run Adobe ColdFusion 2016 or 2018 on Azure App Service?

There are no official container images for older versions. You can build a custom image, but you must validate licensing and test thoroughly. The recommended path is to upgrade to 2021/2023 and use the official images to reduce risk and improve supportability.

What’s the best way to migrate ColdFusion Administrator settings?

On CF2021/2023, use cfsetup to export/import JSON configurations. For older versions, create CAR packages or recreate settings via script. Consider storing the exported config in your repo and applying it during container startup for repeatability.

How do I secure the ColdFusion Administrator in Azure App Service?

Do not expose it publicly. Remove or disable admin UI in production images, and if you must keep it, restrict access via IP allowlists, VNet integration, or a private slot. Store admin passwords in Key Vault and inject via App Settings (Managed Identity).

What monitoring should I enable After migration?

Enable Application Insights (Java agent) for request traces and dependencies, container logs in App Service for stdout/stderr, and Azure Monitor alerts for error rates, CPU, memory, and health check failures. Regularly review GC metrics and heap usage to tune JVM settings.

About the author

Aaron Longnion

Aaron Longnion

Hey there! I'm Aaron Longnion — an Internet technologist, web software engineer, and ColdFusion expert with more than 24 years of experience. Over the years, I've had the privilege of working with some of the most exciting and fast-growing companies out there, including lynda.com, HomeAway, landsofamerica.com (CoStar Group), and Adobe.com.

I'm a full-stack developer at heart, but what really drives me is designing and building internet architectures that are highly scalable, cost-effective, and fault-tolerant — solutions built to handle rapid growth and stay ahead of the curve.

View all posts

You may also like