Case Study

How We Cut Cloud Delivery Costs by 97% with a CloudFront to Cloudflare Migration

Cloud & DevOps
Industry
EdTech
Services
Cloud Cost Optimization · CDN Migration · Infrastructure Engineering · AI-Assisted Development
Company Size & Location
Non-Profit Organization & India
Technology Stack
Amazon S3, CloudFront, Route 53, Cloudflare R2, Cloudflare CDN, Cloudflare DNS, Cloudflare SSL/TLS, Cloudflare Cache Rules, Cloudflare Cache Response Rules, Cloudflare Compression Rules, Cloudflare Transform Rules (CORS), HTTP/2, Cloudflare Billing, GoDaddy + Cloudflare NS
Team
Cloud Engineer · DevOps Engineer · Full stack Developer
Timeline
Phased Migration Engagement
01

Client Vision

The client, an educational NGO, built a digital learning platform giving students and facilitators across India on-demand access to study materials, reference content, and course resources via web and mobile applications. Reliable, fast content delivery was central to their mission.

As usage grew, the client needed a technology partner to identify a sustainable content delivery architecture - one that matched their scale without the unpredictable cost of their existing AWS setup. The goal: keep every learner able to access materials instantly, on any device, while freeing up budget to redirect toward educational impact instead of infrastructure bills.

02

Challenge

The client's AWS-based content delivery setup had become financially unsustainable. Several interconnected cost and architecture issues were compounded with every increase in student engagement.

Unsustainable CDN Egress Costs

AWS CloudFront charges for India-region data transfer and HTTPS requests were the dominant cost driver. Over a 10-day period, CloudFront alone generated $1,005.63 in charges - part of a combined 10-day bill of $1,057.26 across CloudFront and S3, extrapolating to approximately $3,172 per month. With a fixed NGO budget, this left no room to grow the platform without growing the deficit.

Double-Layer AWS Billing

With CloudFront sitting in front of S3, every learner file access triggered charges across both services simultaneously - storage, GET/PUT requests, and data transfer fees stacking on both layers. There was no mechanism to absorb or cap traffic-driven cost spikes.

No Cost-Efficient Delivery Option for Traffic

AWS CloudFront's pricing model penalizes high-volume traffic originating from South Asia. With no alternative CDN layer, platform growth directly worsened the client's financial position: every new student added to the cost problem rather than the mission.

Secure Content Access Without Adding Cost

The platform serves protected learning content requiring access control, preventing unauthorized downloads while keeping the experience seamless for legitimate users. The solution needed to enforce security at the delivery layer without introducing additional compute costs unless genuinely required.

Zero-Downtime Cutover Complexity

The platform's mobile and web applications relied on existing CDN endpoints and file URLs. Any migration had to happen without disrupting active learners requiring precise DNS cutover planning, a clean one-way content transfer, and credential handover within a controlled window. GoDaddy DNS propagation carries a maximum downtime window of up to 24 hours, which had to be factored into the cutover plan.

03

Solution

We replaced AWS S3 and CloudFront with Cloudflare R2 and Cloudflare's zone-level security layer - an architecture that eliminates egress fees entirely while adding built-in security capabilities not available in the prior setup.

Cloudflare R2 Object Storage

R2 charges only for storage and operations with no data transfer egress fees. This single change removed the primary cost driver. All learning assets were transferred from S3 to R2 via a one-way copy; once integrity was confirmed, the S3 bucket was cleared and R2 became the sole content origin.

Zone-Level WAF and Cache Rules on Cloudflare

WAF rules and cache policies were configured at the Cloudflare zone level (applied to the platform's domain), not at the R2 bucket. R2 carries no WAF capability; protection and caching are enforced through Cloudflare's zone configuration. Cloudflare's WAF is included at no additional cost on the free plan, removing the need for a separate security layer.

Worker-Based Access Control

Where the platform required protected content delivery such as SCORM sub-resources - a Cloudflare Worker was deployed implementing HMAC signed URLs, KV-backed single-use tokens, and cookie-based authentication. Worker CPU and request costs are billable; platforms without signed URL requirements can skip this layer entirely for an even lower cost baseline.

Cloudflare's Built-In Security and Access Advantages Over AWS

One-Way S3 to R2 Content Transfer

Executed a structured one-way copy of all assets from S3 to R2 using rclone, followed by a final delta transfer to capture any files uploaded during the migration window. Once integrity was confirmed, the S3 bucket was emptied - eliminating residual S3 storage costs and establishing R2 as the sole content store going forward.

DNS Cutover via GoDaddy to Cloudflare Nameservers

GoDaddy nameservers were updated to point to Cloudflare, routing all platform traffic through the new delivery layer. The cutover was planned around GoDaddy's maximum 24-hour propagation window. Endpoint and credential handover to the middleware team was completed within this window with no user-facing downtime.

AI-Assisted Development

AI tooling was applied at the architectural level - analyzing the existing application, mapping service dependencies, and producing workflow designs before implementation began. This reduced integration risk across multiple services and accelerated the development phases that followed, from configuration scripting through to validation.

04

Our Approach

We executed in four structured phases, moving from diagnosis to live cutover while keeping the platform continuously available throughout.

Phase 1: Cost Audit and Architecture Assessment

Analysed the full AWS billing breakdown across CloudFront, S3, data transfer, and request charges. Identified India-region egress as the dominant driver and mapped all services requiring code changes for the migration. Assessed whether a Cloudflare Worker was needed for access control - scoping it only where signed URL protection was genuinely required to avoid unnecessary compute billing.

Phase 2: Cloudflare Environment Setup

Provisioned the R2 bucket, configured zone-level WAF rules and cache policies on the platform's domain, and where access control was required - deployed the Worker with HMAC signed URLs, KV single-use tokens, and cookie-based SCORM authentication. The new endpoint was validated against all application requirements before any content transfer began.

Phase 3: Content Transfer and Validation

Executed a one-way copy of all assets from S3 to R2 using rclone, followed by a final delta transfer immediately before DNS cutover to capture any files uploaded during the migration window. Content integrity was confirmed across both stores before the S3 bucket was cleared, and R2 established as the sole content origin.

Phase 4: DNS Cutover and Handover

Updated GoDaddy nameservers to Cloudflare within the 24-hour maximum propagation window. Handed over the new endpoint and credentials to the middleware team for final application configuration - completing the migration with no disruption to active learners.

05

Result / Impact

For the Client

  • 97% reduction in monthly cloud cost from ~$3,172/month to ~$90/month
  • 99.95% drop in CloudFront charges from $1,005.63 to $0.51 over the measured 10-day window
  • AWS S3 egress and request costs reduced to near-zero - S3 bucket cleared post-migration; storage costs eliminated
  • Zero egress fees on the new CDN layer - Cloudflare R2 carries no data transfer out costs
  • Migration completed within the planned 24-hour DNS propagation window with no disruption to active users

For End Users

  • Students and facilitators continued accessing study materials without interruption during and after cutover
  • Zero content gaps post-migration - delta transfer captured all materials uploaded during the transition period
  • Improved delivery performance for India-based users - Cloudflare's global edge network reduces latency compared to the prior CloudFront setup
  • Consistent experience across web and mobile applications maintained throughout the migration

For the Business

  • ~$37,000+ in estimated annual infrastructure savings - budget redirected toward educational programmes
  • Predictable, scalable cost model established - R2 pricing scales with usage without India-traffic penalty
  • Built-in WAF and origin masking at no additional cost - security posture improved without extra spend
  • Granular per-bucket access control replaces account-level AWS IAM, reducing misconfiguration risk
  • Worker costs scoped to genuine need - removable entirely for simpler deployments with no signed URL requirement
  • Platform positioned for user base growth without proportional cost increases
  • AI-assisted architectural analysis and execution reduced implementation risk and accelerated delivery across the engagement
06

Why It Matters

For an educational NGO, every dollar spent on infrastructure is a dollar not reaching learners. A $3,000 monthly cloud bill driven almost entirely by delivering study materials to students in India was not a scaling problem. It was an architecture problem.

By replacing a cost structure penalized by geography with one that eliminates egress fees entirely, we turned a recurring financial pressure into a solved problem. The platform now serves learners at a fraction of the prior cost and is structured to stay predictable even as the community grows. Where access control was needed, we implemented it precisely; where it wasn't, we left it out - keeping the cost floor as low as possible.

This engagement also illustrates that not every migration looks the same. The right combination of R2, zone-level security, and a deliberately scoped Worker layer fit this platform exactly - but the principle applies broadly: audit what you need, eliminate what you don't, and build only what earns its cost.

Let's build

Spending more on cloud infrastructure?

We help mission-driven organizations and product teams identify the architectural changes that deliver the greatest cost and performance impact - then execute them cleanly, without disruption. Whether you're facing runaway CDN bills, an S3 egress cost problem, or a broader cloud cost optimization challenge, we can help you move fast and move right.