TrackIt

Change.org DNS and CDN Migration Case Study

Author

Ludovic Francois

Change.org is a global technology platform that enables millions of people to start and support petitions on issues ranging from social justice to public policy. With a highly distributed audience and traffic patterns that can spike rapidly around campaigns, the platform depends on resilient, low-latency, and cost-efficient edge and networking infrastructure.

Challenge

The customer relied on a third-party provider for both Domain Name Service (DNS) and Content Delivery Network (CDN) capabilities. While the existing setup met baseline requirements, it introduced limitations around long-term cost optimization, operational flexibility, and tighter integration with the rest of the cloud infrastructure.

The challenge was to migrate both DNS and CDN services with minimal risk to availability or performance, while avoiding overlapping vendor costs. 

Implementation

Figure: Change.org CDN and DNS migration solution architecture

A phased DNS and CDN transition strategy was designed to reduce risk while maintaining cost efficiency.

The process began with the DNS migration. Domain management was transitioned first, allowing traffic resolution to be validated independently of content delivery. This approach established a stable foundation before introducing changes at the edge.

In parallel, a new CDN environment was designed and deployed in a staging setup. This environment was fully built and tested ahead of production use, enabling configuration validation, performance testing, and failover scenarios without impacting live traffic.

The final CDN cutover was deliberately timed to occur immediately before the existing third-party CDN contract renewal date. This sequencing avoided dual CDN costs while ensuring the new environment had already been exercised under realistic conditions. The result was a controlled, low-risk transition that balanced technical rigor with financial discipline.

AWS Services Used

  • Amazon Route 53: Handles DNS records and global traffic resolution, providing a stable foundation for a low-risk migration.
  • Amazon CloudFront: Delivers content through a globally distributed edge network with native integration into the AWS ecosystem.
  • Amazon S3: Stores static assets and persistent configuration data such as WAF IP blocklists.
  • AWS Web Application Firewall (WAF): Protects the platform against abusive and malicious traffic using custom rules and stateful blocking logic.
  • AWS Lambda: Executes serverless logic for dynamic image transformations and automated security workflows.
  • CloudFront Functions: Performs lightweight request processing at the edge, including header inspection and request normalization.

Image Optimization

The previous provider offered a one-click image optimization toggle; moving to AWS required re-architecting how media assets were delivered. CloudFront acts as a content-agnostic pipe and does not optimize images by default.

To replicate and improve upon the previous functionality, AWS’s Dynamic Image Transformation solution was deployed using AWS Lambda and the Sharp library.

  • On-the-fly Processing: When a user requests an image (e.g., for a petition header), the Lambda function intercepts the request and dynamically resizes or compresses the image based on the user's device and viewport.
  • Next-Gen Formats: The configuration of CloudFront Cache Policies was critical to the implementation. By whitelisting the Accept header, the Lambda function detects browser support for modern formats such as WebP or AVIF and serves the most efficient format without changing the source URL, significantly reducing bandwidth usage and improving LCP (Largest Contentful Paint) scores for end users.

Figure: Image optimization flow (Change.org)
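
Once Accept is part of the cache key, every distinct browser Accept string becomes its own cache entry, so the header is worth collapsing before it reaches the cache. The sketch below is an added example, not code from the Change.org deployment: it negotiates a format from Accept, q-values included, and rewrites the header to a single token in a CloudFront Functions style viewer-request handler. The preference order, the `image/jpeg` fallback and all function names are assumptions.

```javascript
// Added example: preference order, fallback and names are assumptions.
const PREFERRED = ["image/avif", "image/webp"]; // best first
const FALLBACK = "image/jpeg";

// Parse an Accept header into a Map of mediaType -> q (a missing q means 1).
function parseAccept(header) {
  const prefs = new Map();
  for (const part of String(header || "").split(",")) {
    const [type, ...params] = part.split(";").map((s) => s.trim().toLowerCase());
    if (!type) continue;
    let q = 1;
    for (const p of params) {
      const m = /^q=([0-9.]+)$/.exec(p);
      if (m) q = Number(m[1]);
    }
    prefs.set(type, Number.isFinite(q) ? q : 0); // malformed q counts as refused
  }
  return prefs;
}

// Only explicit image/avif or image/webp entries count: "image/*" and "*/*"
// say nothing about whether the client can decode a modern format.
function negotiateFormat(header) {
  const prefs = parseAccept(header);
  return PREFERRED.find((t) => prefs.get(t) > 0) || FALLBACK;
}

// Viewer-request handler: replace Accept with one of three possible tokens,
// so the cache holds at most three variants per image URL.
function handler(event) {
  const headers = event.request.headers;
  const raw = headers.accept ? headers.accept.value : "";
  headers.accept = { value: negotiateFormat(raw) };
  return event.request;
}
```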


Custom Blocking Rule for WAF

Securing a high-visibility platform like Change.org required more than standard rate limiting. The team identified that native AWS WAF Rate-Based rules function statelessly: they block attackers only while they exceed the threshold and release them immediately once traffic slows (the "Revolving Door" problem).

To achieve persistent security, a custom Penalty Box architecture was implemented:

  • Stateful Logic: A "Sensor" rule in the WAF detects IP addresses exceeding specific request thresholds.
  • Automated Enforcement: Instead of a temporary block, an EventBridge trigger invokes a Lambda function that captures offending IPs and commits them to a persistent WAF IP Set (Blocklist) stored in S3.
  • Granular Control: Allows for variable ban durations (e.g., 24 hours for aggressive spam) and correctly handles the complexity of managing separate IPv4 and IPv6 blocking lists, ensuring full coverage against attacks.

Figure: Custom blocking rule for WAF (Change.org)
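
The bookkeeping behind the Penalty Box, as an added example that is not the project's own Lambda code: it prunes expired bans, adds or extends bans for the IPs reported by the sensor rule, and emits separate IPv4 and IPv6 CIDR lists, because a WAF IP set holds a single address version. The state shape (CIDR mapped to expiry time), the function names and the policy of extending rather than shortening a ban are assumptions; the AWS calls that load the state and update the IP sets are left out.

```javascript
// Added example: Penalty Box bookkeeping. The state shape, function names and
// the "extend, never shorten" policy are assumptions, not the project's code.
const BAN_SECONDS = 24 * 60 * 60; // the page's example duration: 24 hours
const OCTET = "(0|[1-9]\\d{0,2})"; // no leading zeros, so no octal ambiguity
const IPV4 = new RegExp(`^${OCTET}(\\.${OCTET}){3}$`);

// Return the canonical host CIDR for ip, or null when ip is not an address.
function toCidr(ip) {
  if (IPV4.test(ip)) {
    const ok = ip.split(".").every((o) => Number(o) <= 255);
    return ok ? `${ip}/32` : null;
  }
  if (!/^[0-9a-fA-F:]+$/.test(ip) || !ip.includes(":")) return null;
  try {
    // The WHATWG URL parser validates IPv6 literals and compresses them,
    // so two spellings of one address cannot produce two entries.
    const host = new URL(`http://[${ip}]/`).hostname; // e.g. "[2001:db8::1]"
    return `${host.slice(1, -1)}/128`;
  } catch (err) {
    return null;
  }
}

// state maps cidr -> ban expiry (epoch seconds); offenders come from the sensor rule.
function applyPenalties(state, offenders, now, banSeconds = BAN_SECONDS) {
  const next = {};
  for (const [cidr, expiry] of Object.entries(state)) {
    if (expiry > now) next[cidr] = expiry; // drop bans that have run out
  }
  const rejected = [];
  for (const ip of offenders) {
    const cidr = toCidr(String(ip).trim());
    if (!cidr) { rejected.push(ip); continue; } // never write junk to a blocklist
    next[cidr] = Math.max(next[cidr] || 0, now + banSeconds);
  }
  const cidrs = Object.keys(next).sort();
  return {
    state: next, // persist this for the next run
    ipv4: cidrs.filter((c) => !c.includes(":")), // one IP set per address version
    ipv6: cidrs.filter((c) => c.includes(":")),
    rejected,
  };
}

// Constructed sample (documentation address ranges, fixed clock).
const sample = applyPenalties(
  { "198.51.100.7/32": 1700000000 - 60, "2001:db8::1/128": 1700000000 + 500 },
  ["203.0.113.9", "2001:0DB8:0:0:0:0:0:2", "999.1.1.1"], 1700000000);
console.log(sample.ipv4, sample.ipv6, sample.rejected);
```

Passing a different `banSeconds` per invocation gives the variable ban durations described above; entries in `rejected` are worth logging, since they indicate malformed input from the sensor path.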

Outcome

The phased migration approach allowed Change.org to transition critical edge services without service interruption. DNS and CDN responsibilities were fully consolidated within AWS, simplifying operational workflows and aligning edge delivery more closely with the platform’s existing cloud architecture.

By separating DNS migration from CDN cutover and allowing sufficient time for validation, the project significantly reduced deployment risk. The timing of the CDN cutover also ensured that the migration did not introduce unnecessary cost overhead during the transition period.

Measured Results

  • Zero downtime during DNS and CDN migration
  • Reduced operational risk through staged validation and testing
  • Elimination of overlapping CDN contract costs
  • Improved integration between edge services and core AWS infrastructure
  • Greater long-term cost predictability and operational control

Image Optimization Impact

Image delivery represented a significant portion of the platform’s traffic, with more than 950 million images served each month. The implemented image optimization solution reduced monthly image delivery costs to approximately $2,000 while maintaining performance and reliability.