Defense IT portfolios are littered with systems built 15–30 years ago on architectures that weren't designed for cloud, weren't designed for continuous deployment, and weren't designed for the scale of data those systems now process. Many of these systems are mission-critical — they can't go offline for a ground-up rebuild.
Modernizing legacy defense systems requires a strategy that delivers new capability while keeping existing mission functionality running. This is the strangler-fig approach: build the new system incrementally around the edges of the old one, migrate functionality piece by piece, and retire the legacy system when the new one fully replaces it.
Why Legacy Defense Systems Get Stuck
The typical obstacle to legacy modernization isn't budget or intent — it's risk. Programs understand that the old system has problems; they don't want to be responsible for breaking something that works, even poorly, in favor of something new that might not.
That risk is legitimate. The answer is an architecture and delivery approach that provides escape hatches:
- Parallel operation — new and old systems run simultaneously, with traffic gradually shifting to the new
- API abstractions — the legacy system gets wrapped in a modern API layer before migrating internal components
- Feature flags — new functionality rolls out to a subset of users before full deployment
- Rollback paths — every deployment can be reversed if problems emerge
A modernization project that can't be rolled back is a high-stakes bet. Every stage of Rutagon's modernization approach preserves rollback capability.
The Strangler-Fig Pattern for Defense Systems
The strangler-fig pattern (named after a vine that grows around an existing tree, eventually replacing it) is the foundational pattern for incremental legacy replacement:
- Place a façade in front of the legacy system — an API gateway or proxy that intercepts all traffic
- Build new components behind the façade, targeting specific legacy functionality
- Shift traffic from legacy to new components feature by feature
- Retire legacy components as each is fully replaced
The façade is the key control point. It enables traffic splitting (send 5% of users to the new service, 95% to legacy), gradual migration (increase the percentage as confidence grows), and instant rollback (shift 100% back to legacy if problems emerge).
# Simplified façade routing logic
class LegacyModernizationFacade:
def __init__(self, legacy_client, modern_client, feature_flags):
self.legacy = legacy_client
self.modern = modern_client
self.flags = feature_flags
def route_request(self, endpoint: str, request_data: dict):
rollout_percentage = self.flags.get_rollout(endpoint)
if self._should_use_modern(rollout_percentage):
try:
response = self.modern.call(endpoint, request_data)
# Shadow comparison: compare modern response to legacy for validation
if self.flags.shadow_mode_enabled(endpoint):
legacy_response = self.legacy.call(endpoint, request_data)
self._compare_responses(endpoint, response, legacy_response)
return response
except ModernSystemError as e:
# Automatic fallback to legacy on modern system error
self._log_fallback(endpoint, e)
return self.legacy.call(endpoint, request_data)
else:
return self.legacy.call(endpoint, request_data)
def _should_use_modern(self, percentage: int) -> bool:
import random
return random.random() < (percentage / 100)Shadow mode — running the new system in parallel and comparing responses to the legacy system without exposing the new response to users — is valuable for validating correctness before traffic shifts.
Phased Migration Approach
A typical 18–24 month legacy defense system modernization follows a structured sequence:
Phase 1: Assessment and API Wrapping (Months 1–3)
Before touching the legacy system's internals, wrap it in an API layer:
- Document the existing system's external interfaces (what calls it, what it calls)
- Build an API gateway that proxies all existing interfaces
- Establish logging and observability around the gateway (this becomes the baseline for comparison during migration)
- Deploy the gateway with 100% traffic to legacy — no disruption, just instrumentation
This phase delivers the façade and gives the team months of baseline data on actual usage patterns.
Phase 2: Extract and Modernize First Module (Months 3–8)
Select the first module to migrate — typically the one with the most technical debt relative to its business value, or the one with the clearest data boundary. Build the cloud-native replacement:
- Containerized microservice deployed on Kubernetes (EKS on GovCloud)
- Backed by a modern database (Aurora Serverless v2 replacing Oracle or MSSQL)
- CI/CD pipeline delivering changes continuously
- ATO-in-progress documentation for the new component
Shift 5% of traffic to the new module, expand to 50%, then 100% over 4–6 weeks as confidence grows.
Phase 3: Successive Module Migration (Months 8–18)
Repeat the extraction and migration pattern for each subsequent module. The strangler-fig grows — each migrated module reduces the legacy footprint and increases the cloud-native footprint. The façade remains in place as the traffic control point throughout.
Phase 4: Legacy Decommission (Months 18–24)
When 100% of traffic routes to the new system and the new system has operated in full production for a validation period (typically 3–6 months), the legacy system is decommissioned. The façade remains briefly as a circuit breaker, then is removed once decommission is confirmed.
Database Migration Considerations
Defense systems often run Oracle or SQL Server — expensive, proprietary databases with licensing structures that make them targets for migration to open-source alternatives. PostgreSQL on Amazon Aurora Serverless v2 is Rutagon's standard target for modernized database tiers.
The migration path:
- Schema assessment — identify Oracle-specific features (stored procedures, triggers, specific data types) that need rewriting
- AWS SCT (Schema Conversion Tool) — automated conversion of compatible schema elements
- Manual rewrite — Oracle PL/SQL procedures to PostgreSQL PL/pgSQL or application-layer logic
- Data migration — AWS DMS (Database Migration Service) for the initial data load and CDC (Change Data Capture) for ongoing replication during the cutover period
- Validation — automated comparison of query results between Oracle and PostgreSQL for the full test suite before cutover
See our guide on zero-downtime database migration for the full database-specific migration pattern.
ATO Continuity During Modernization
Legacy systems have existing ATOs. The modernization process must not create an authorization gap — operating a system outside authorization is not an option in DoD environments.
The approach: inherit, then expand. The new cloud-native components are added to the existing system's ATO package as new components under the existing authorization boundary. As legacy components are retired, they're removed from the SSP. The ATO migrates from the legacy system to the cloud-native system incrementally, rather than requiring a complete new authorization.
This requires coordination with the Authorizing Official (AO) from phase 1 — not a surprise late in the project. AOs who understand the phased approach and have visibility into the plan are significantly more accommodating than AOs who receive a package saying "the old system is gone and here's the new one."
For more on ATO architecture, see our guides on continuous ATO automation and AWS GovCloud IaC with Terraform.
Discuss a legacy system modernization program → rutagon.com/government
Frequently Asked Questions
How long does a legacy defense system modernization typically take?
Complex legacy modernization programs typically run 18–36 months for full migration. Simple systems with clear boundaries and limited integrations can complete in 12–18 months. The timeline is driven more by the complexity of integrations and the pace of ATO processes than by raw development effort.
What's the biggest risk in legacy defense modernization?
The biggest risk is scope creep combined with attempting a big-bang replacement rather than incremental migration. Programs that try to replace everything at once with a completely new system frequently fail or dramatically overrun schedule. Incremental migration with working rollback at each step is the risk mitigation strategy.
Can legacy COBOL or Fortran systems be modernized to cloud-native?
Yes, but it requires a different approach from modern-language legacy systems. The primary path is wrapping the legacy system in API adapters that expose its functionality to modern consumers, then gradually replacing the underlying computation with modern implementations. Automated transpilation tools (COBOL-to-Java, for example) exist but produce code that is difficult to maintain — manual rewrite of business logic is often cleaner.
How does the strangler-fig pattern maintain ATO during migration?
By operating new components under the existing ATO boundary as additions to the existing system, rather than as a separate new system requiring separate authorization. This requires adding new components to the existing System Security Plan, getting them reviewed and approved as additions, and not putting them in production until the AO has accepted the updated boundary.
What is shadow mode in a migration context?
Shadow mode runs the new system alongside the old system, receiving the same traffic and generating responses — but without returning those responses to users. Instead, the responses are compared to the legacy responses and differences are logged. This validates that the new system is producing correct results before any traffic actually shifts to it.
Discuss your project with Rutagon
Contact Us →