The Vendor is required to provide services for a multiphase project focused on migrating existing on-premises infrastructure and software to Azure, and on implementing both ArcGIS Utility Network and county Unity.
- Migrate file servers to Azure, in addition to the necessary networking, security, and reporting solutions.
- The SQL Server instance will need to have all existing connections reconfigured to point to the new location after migration.
- The software being used to access SQL Server databases includes, but is not limited to, ArcGIS Pro, ArcGIS Server, Microsoft Access, GraniteNet, and Cityworks.
- There is an upcoming implementation of SpryPoint, which shall be integrated as well. Necessary SQL Server functionality includes that currently provided by SQL Server Management Studio (SSMS), SQL Server Integration Services (SSIS), SQL Server Reporting Services (SSRS), Management Plans, SQL Server Agent, and Database Mail.
- The file servers need to have their content, shares, and permissions migrated into Azure. Best practices need to be provided for the Azure subscription, to be adopted at the discretion of the agency. Backups, disaster recovery, and availability are a priority need for the agency. Access and use logs should be available for the solution.
- Network and infrastructure security:
• As-Built Logical Network Diagram: A detailed map showing Virtual Networks (VNets), subnets, Network Security Groups (NSGs), and the flow of traffic between on-premises, Azure, and third-party SaaS (county Unity) shall be provided.
• Firewall & NSG Rule Matrix: A spreadsheet documenting every open port, its purpose, source IP, and destination. This must include a "Deny All" default strategy for all non-essential traffic.
• Private Link / Endpoint Configuration: Documentation confirming that SQL Server and ArcGIS Server traffic remains on the Microsoft backbone and is not exposed to the public internet shall be provided.
- Identity and access management (IAM):
• Conditional Access Policy Design: A document detailing the Duo/Entra ID rules enforced (e.g., "MFA required for all GIS Administrative logins" or "Geofencing restricted to US-based IP addresses") shall be provided.
• RBAC (Role-Based Access Control) Registry: A list of Azure and GIS roles created, including a "Least Privilege" justification for each user group should be provided.
• Privileged Access Management (PAM) Plan: Procedures for how "Domain Admin" or "Global Admin" tasks are handled (e.g., using Azure Bastion or Just-In-Time access) should be provided.
- Data protection and encryption:
• Encryption Key Management Report: Confirmation that Transparent Data Encryption (TDE) is active for all SQL databases and that Azure Disk Encryption (ADE) is enabled for all 3+TB of file storage.
• Secrets Management Log: Documentation of how service account passwords and API keys are stored within Azure Key Vault rather than in plain-text configuration files or scripts.
- Evaluate current ArcGIS Pro use at the agency and determine the need for, and quantity of, virtual desktops before and after the Utility Network implementation is complete. Create and configure new virtualized desktops for low-latency editing of Azure SQL GIS databases via ArcGIS Pro software.