CASE 127 · TASSEL · 2025
Off Cloudflare, onto the cloud the rest of the stack already lives on.
A SaaS analytics company had Cloudflare in front of their AWS-hosted application — paying a Cloudflare bill, terminating TLS twice, and operating two CDN configurations. We migrated edge, WAF, and DNS to CloudFront + AWS WAF + Route 53 with zero customer-visible disruption.
SaaS analytics
MIGRATION
2025
RESULTS
What changed, by the numbers.
EDGE STACK BILL
−$8.2K/mo
TLS TERMINATIONS
2 → 1
CUSTOMER DOWNTIME
0
WAF RULE PARITY
100%
HOW IT WENT
The team’s reluctance had been "Cloudflare just works." It did — but at a cost that was hard to justify when AWS sat directly behind it. Every request paid for two TLS terminations, two CDN bills, and two WAF policies that had drifted apart over time.
We translated the Cloudflare Workers and WAF rules into CloudFront Functions, Lambda@Edge, and AWS WAF rule equivalents. Route 53 took the DNS. The migration ran via DNS weighting — 5%, 25%, 50%, 100% over three weeks, with the ability to roll back at any step.
Edge stack bill dropped $8,200/month on the new path. TLS path simplified to a single termination at CloudFront. WAF rule parity confirmed at 100% — including a few rules we’d already wanted to deprecate that we cleaned up in the same engagement.
RELATED · SAME DOMAIN
Other engagements in this space.
READY WHEN YOU ARE
Let's get your AWS bill (and architecture) in order.
The discovery call is free. You walk away with at least one concrete idea — even if we never work together.