Change.org DNS and CDN Migration Case Study
Author
Ludovic Francois
Change.org is a global technology platform that enables millions of people to start and support petitions on issues ranging from social justice to public policy. With a highly distributed audience and traffic patterns that can spike rapidly around campaigns, the platform depends on resilient, low-latency, and cost-efficient edge and networking infrastructure.
Challenge
The customer relied on a third-party provider for both Domain Name Service (DNS) and Content Delivery Network (CDN) capabilities. While the existing setup met baseline requirements, it introduced limitations around long-term cost optimization, operational flexibility, and tighter integration with the rest of the cloud infrastructure.
The challenge was to migrate both DNS and CDN services with minimal risk to availability or performance, while avoiding overlapping vendor costs.
Implementation

Solution Architecture
A phased DNS and CDN transition strategy was designed to reduce risk while maintaining cost efficiency.
The process began with the DNS migration. Domain management was transitioned first, allowing traffic resolution to be validated independently of content delivery. This approach established a stable foundation before introducing changes at the edge.
In parallel, a new CDN environment was designed and deployed in a staging setup. This environment was fully built and tested ahead of production use, enabling configuration validation, performance testing, and failover scenarios without impacting live traffic.
The final CDN cutover was deliberately timed to occur immediately before the existing third-party CDN contract renewal date. This sequencing avoided dual CDN costs while ensuring the new environment had already been exercised under realistic conditions. The result was a controlled, low-risk transition that balanced technical rigor with financial discipline.
AWS Services Used
- Amazon Route 53: Handles DNS records and global traffic resolution, providing a stable foundation for a low-risk migration.
- Amazon CloudFront: Delivers content through a globally distributed edge network with native integration into the AWS ecosystem.
- Amazon S3: Stores static assets and persistent configuration data such as WAF IP blocklists.
- AWS Web Application Firewall (WAF): Protects the platform against abusive and malicious traffic using custom rules and stateful blocking logic.
- AWS Lambda: Executes serverless logic for dynamic image transformations and automated security workflows.
- CloudFront Functions: Performs lightweight request processing at the edge, including header inspection and request normalization.
Image Optimization
The previous provider offered a one-click image optimization toggle; moving to AWS required a re-architecture of how media assets were delivered. CloudFront acts as a content-agnostic pipe, meaning it does not optimize images by default.
To replicate and improve upon the previous functionality, AWS’s Dynamic Image Transformation solution was deployed using AWS Lambda and the Sharp library.
- On-the-fly Processing: When a user requests an image (e.g., for a petition header), the Lambda function intercepts the request and dynamically resizes or compresses the image based on the user's device and viewport.
- Next-Gen Formats: The configuration of CloudFront Cache Policies was critical to the implementation. By whitelisting the Accept header, the Lambda function detects browser support for modern formats such as WebP or AVIF and serves the most efficient format without changing the source URL, significantly reducing bandwidth usage and improving LCP (Largest Contentful Paint) scores for end users.
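The Accept-based format selection described above, as an added example (not code from the project or from the AWS solution). It also normalizes the header to one of three values, because a raw Accept header in the cache key lets every distinct client string create its own cache variant. The names pickFormat, parseAccept, PREFERENCE and the JPEG fallback are assumptions; the handler follows the CloudFront Functions viewer-request event shape.

```javascript
// Added example; function and constant names are hypothetical.
const PREFERENCE = ["image/avif", "image/webp"]; // most efficient first
const FALLBACK = "image/jpeg"; // assumed default when neither is accepted

// Parse "type;q=0.8, type2" into a map of media type -> q-value.
function parseAccept(header) {
  const accepted = new Map();
  for (const part of String(header || "").split(",")) {
    const [type, ...params] = part.split(";").map((s) => s.trim().toLowerCase());
    if (!type) continue;
    let q = 1; // a type without an explicit q-value has weight 1
    for (const p of params) {
      const m = /^q=([0-9.]+)$/.exec(p);
      if (m) q = Number(m[1]);
    }
    accepted.set(type, Number.isFinite(q) ? q : 0); // malformed q => refused
  }
  return accepted;
}

// Pick the best format the client explicitly accepts. Wildcards such as
// image/* or */* are ignored on purpose: they do not prove AVIF/WebP support.
function pickFormat(header) {
  const accepted = parseAccept(header);
  for (const type of PREFERENCE) {
    if ((accepted.get(type) || 0) > 0) return type;
  }
  return FALLBACK;
}

// Viewer-request handler: replace the raw Accept header with the normalized
// value so the cache key has at most three variants per image URL.
function handler(event) {
  const request = event.request;
  const raw = request.headers.accept ? request.headers.accept.value : "";
  request.headers.accept = { value: pickFormat(raw) };
  return request;
}
```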

Custom Blocking Rule for WAF
Securing a high-visibility platform like Change.org required more than standard rate limiting. The team identified that native AWS WAF Rate-Based rules function statelessly: they block attackers only while they exceed the threshold and release them immediately once traffic slows (the "Revolving Door" problem).
To achieve persistent security, a custom Penalty Box architecture was implemented:
- Stateful Logic: A "Sensor" rule in the WAF detects IP addresses exceeding specific request thresholds.
- Automated Enforcement: Instead of a temporary block, an EventBridge trigger invokes a Lambda function that captures offending IPs and commits them to a persistent WAF IP Set (Blocklist) stored in S3.
- Granular Control: Allows for variable ban durations (e.g., 24 hours for aggressive spam) and correctly handles the complexity of managing separate IPv4 and IPv6 blocking lists, ensuring full coverage against attacks.
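The bookkeeping behind such a penalty box, as an added example (not the project's Lambda code): it expires old bans, adds or extends bans for newly reported IPs, rejects malformed input, and emits separate IPv4 and IPv6 CIDR lists. The function names, the state layout and the sample values are assumptions; the calls that read the state and write the IP sets are left out so the logic runs offline.

```javascript
// Added example: penalty-box bookkeeping. All names here are hypothetical.
const HOUR_MS = 60 * 60 * 1000;

// Strict IPv6 check (no IPv4-mapped forms): hex groups, at most one "::".
function isIPv6(ip) {
  if (!/^[0-9a-f:]+$/.test(ip)) return false;
  const halves = ip.split("::");
  if (halves.length > 2) return false;
  const groups = halves.flatMap((h) => (h === "" ? [] : h.split(":")));
  if (!groups.every((g) => /^[0-9a-f]{1,4}$/.test(g))) return false;
  return halves.length === 2 ? groups.length <= 7 : groups.length === 8;
}

// Returns "IPV4", "IPV6" or null. Anything malformed is rejected rather than
// written into a blocklist.
function ipVersion(ip) {
  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (v4) return v4.slice(1).every((o) => Number(o) <= 255) ? "IPV4" : null;
  return isIPv6(ip) ? "IPV6" : null;
}

// state: { "<cidr>": expiryEpochMs } as it would be persisted (e.g. JSON in S3).
// offenders: IPs reported by the sensor rule. Returns the new state plus one
// CIDR list per IP version, since each list holds a single address family.
function applyPenalties(state, offenders, nowMs, banHours = 24) {
  const next = {};
  for (const [cidr, expiresAt] of Object.entries(state)) {
    if (expiresAt > nowMs) next[cidr] = expiresAt; // drop expired bans
  }
  const rejected = [];
  for (const raw of offenders) {
    const ip = String(raw).trim().toLowerCase();
    const version = ipVersion(ip);
    if (!version) { rejected.push(raw); continue; }
    const cidr = ip + (version === "IPV4" ? "/32" : "/128");
    const until = nowMs + banHours * HOUR_MS;
    next[cidr] = Math.max(next[cidr] || 0, until); // never shorten a ban
  }
  const cidrs = Object.keys(next).sort();
  return {
    state: next,
    ipv4: cidrs.filter((c) => !c.includes(":")),
    ipv6: cidrs.filter((c) => c.includes(":")),
    rejected,
  };
}
```

Running the expiry pass on a schedule as well as on each sensor event is what turns the stored expiry times into actual ban durations; without it, entries only leave the list when a new offender arrives.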

Outcome
The phased migration approach allowed Change.org to transition critical edge services without service interruption. DNS and CDN responsibilities were fully consolidated within AWS, simplifying operational workflows and aligning edge delivery more closely with the platform’s existing cloud architecture.
By separating DNS migration from CDN cutover and allowing sufficient time for validation, the project significantly reduced deployment risk. The timing of the CDN cutover also ensured that the migration did not introduce unnecessary cost overhead during the transition period.
Measured Results
- Zero downtime during DNS and CDN migration
- Reduced operational risk through staged validation and testing
- Elimination of overlapping CDN contract costs
- Improved integration between edge services and core AWS infrastructure
- Greater long-term cost predictability and operational control
Image Optimization Impact
Image delivery represented a significant portion of the platform’s traffic, with more than 950 million images served each month. The implemented image optimization solution reduced monthly image delivery costs to approximately $2,000 while maintaining performance and reliability.