The client, an educational NGO, built a digital learning platform giving students and facilitators across India on-demand access to study materials, reference content, and course resources via web and mobile applications. Reliable, fast content delivery was central to their mission.
As usage grew, the client needed a technology partner to identify a sustainable content delivery architecture - one that matched their scale without the unpredictable cost of their existing AWS setup. The goal: keep every learner able to access materials instantly, on any device, while freeing up budget to redirect toward educational impact instead of infrastructure bills.
The client's AWS-based content delivery setup had become financially unsustainable. Several interconnected cost and architecture issues were compounded with every increase in student engagement.
AWS CloudFront charges for India-region data transfer and HTTPS requests were the dominant cost driver. Over a 10-day period, CloudFront alone generated $1,005.63 in charges - part of a combined 10-day bill of $1,057.26 across CloudFront and S3, extrapolating to approximately $3,172 per month. With a fixed NGO budget, this left no room to grow the platform without growing the deficit.
With CloudFront sitting in front of S3, every learner file access triggered charges across both services simultaneously - storage, GET/PUT requests, and data transfer fees stacking on both layers. There was no mechanism to absorb or cap traffic-driven cost spikes.
AWS CloudFront's pricing model penalizes high-volume traffic originating from South Asia. With no alternative CDN layer, platform growth directly worsened the client's financial position: every new student added to the cost problem rather than the mission.
The platform serves protected learning content requiring access control, preventing unauthorized downloads while keeping the experience seamless for legitimate users. The solution needed to enforce security at the delivery layer without introducing additional compute costs unless genuinely required.
The platform's mobile and web applications relied on existing CDN endpoints and file URLs. Any migration had to happen without disrupting active learners requiring precise DNS cutover planning, a clean one-way content transfer, and credential handover within a controlled window. GoDaddy DNS propagation carries a maximum downtime window of up to 24 hours, which had to be factored into the cutover plan.
We replaced AWS S3 and CloudFront with Cloudflare R2 and Cloudflare's zone-level security layer - an architecture that eliminates egress fees entirely while adding built-in security capabilities not available in the prior setup.
R2 charges only for storage and operations with no data transfer egress fees. This single change removed the primary cost driver. All learning assets were transferred from S3 to R2 via a one-way copy; once integrity was confirmed, the S3 bucket was cleared and R2 became the sole content origin.
WAF rules and cache policies were configured at the Cloudflare zone level (applied to the platform's domain), not at the R2 bucket. R2 carries no WAF capability; protection and caching are enforced through Cloudflare's zone configuration. Cloudflare's WAF is included at no additional cost on the free plan, removing the need for a separate security layer.
Where the platform required protected content delivery such as SCORM sub-resources - a Cloudflare Worker was deployed implementing HMAC signed URLs, KV-backed single-use tokens, and cookie-based authentication. Worker CPU and request costs are billable; platforms without signed URL requirements can skip this layer entirely for an even lower cost baseline.

Executed a structured one-way copy of all assets from S3 to R2 using rclone, followed by a final delta transfer to capture any files uploaded during the migration window. Once integrity was confirmed, the S3 bucket was emptied - eliminating residual S3 storage costs and establishing R2 as the sole content store going forward.
GoDaddy nameservers were updated to point to Cloudflare, routing all platform traffic through the new delivery layer. The cutover was planned around GoDaddy's maximum 24-hour propagation window. Endpoint and credential handover to the middleware team was completed within this window with no user-facing downtime.
AI tooling was applied at the architectural level - analyzing the existing application, mapping service dependencies, and producing workflow designs before implementation began. This reduced integration risk across multiple services and accelerated the development phases that followed, from configuration scripting through to validation.
We executed in four structured phases, moving from diagnosis to live cutover while keeping the platform continuously available throughout.
Analysed the full AWS billing breakdown across CloudFront, S3, data transfer, and request charges. Identified India-region egress as the dominant driver and mapped all services requiring code changes for the migration. Assessed whether a Cloudflare Worker was needed for access control - scoping it only where signed URL protection was genuinely required to avoid unnecessary compute billing.
Provisioned the R2 bucket, configured zone-level WAF rules and cache policies on the platform's domain, and where access control was required - deployed the Worker with HMAC signed URLs, KV single-use tokens, and cookie-based SCORM authentication. The new endpoint was validated against all application requirements before any content transfer began.
Executed a one-way copy of all assets from S3 to R2 using rclone, followed by a final delta transfer immediately before DNS cutover to capture any files uploaded during the migration window. Content integrity was confirmed across both stores before the S3 bucket was cleared, and R2 established as the sole content origin.
Updated GoDaddy nameservers to Cloudflare within the 24-hour maximum propagation window. Handed over the new endpoint and credentials to the middleware team for final application configuration - completing the migration with no disruption to active learners.
For an educational NGO, every dollar spent on infrastructure is a dollar not reaching learners. A $3,000 monthly cloud bill driven almost entirely by delivering study materials to students in India was not a scaling problem. It was an architecture problem.
By replacing a cost structure penalized by geography with one that eliminates egress fees entirely, we turned a recurring financial pressure into a solved problem. The platform now serves learners at a fraction of the prior cost and is structured to stay predictable even as the community grows. Where access control was needed, we implemented it precisely; where it wasn't, we left it out - keeping the cost floor as low as possible.
This engagement also illustrates that not every migration looks the same. The right combination of R2, zone-level security, and a deliberately scoped Worker layer fit this platform exactly - but the principle applies broadly: audit what you need, eliminate what you don't, and build only what earns its cost.
We help mission-driven organizations and product teams identify the architectural changes that deliver the greatest cost and performance impact - then execute them cleanly, without disruption. Whether you're facing runaway CDN bills, an S3 egress cost problem, or a broader cloud cost optimization challenge, we can help you move fast and move right.