AWS Partner Network (APN) Blog

Multiple-Domain Migration to Amazon CloudFront for Faster and Secured Content Delivery

By Durai Krishnan, Sr. Customer Solutions Manager – AWS
Manikanth Pasumarti, Sr. Solutions Architect – AWS
Paras Babbar, Sr. Technical Account Manager – AWS
Kevin Shaholli, Senior Engineer – D3Clarity, Inc.
Alec Brasier, Client Success Director – D3Clarity, Inc.
Prabhakar Manuel, Engineering Director – Avis Budget Group
Jaganath Devarajan, Solutions Architect – Avis Budget Group
Ajith Sivaprasad, Sr. Solutions Architect – Avis Budget Group

Avis Budget Group (ABG) is a global mobility solutions leader with brands such as Avis, Budget, and Zipcar that have a footprint across 180+ countries with over 11,000 rental locations. Its commitment to innovation and superior customer service drives it to offer diverse services—from hourly and one-way rentals to long-term vehicle rentals, and car-sharing solutions—focusing on seamless digital and mobile technologies for enhanced customer experience.

However, like many large-scale and successful organizations, ABG has a complex technical landscape with a blend of modern, cloud-native applications and legacy systems yet to be modernized. This mix posed a challenge to the company’s goal of optimizing its web and mobile application performance, security, and reliability.

ABG’s ecommerce system for the European geography serves a diverse customer base through 150+ domains, which were using third-party content delivery network (CDN) products. The previous CDN products and web application firewall (WAF) resulted in high data transfer costs, application performance issues, and security threats in WAF configurations.

In addition, managing domain-specific security rules across 150+ domains added operational overhead. ABG was looking for a robust, secure, and cost-effective solution to provide a seamless experience to its diverse customer base.

ABG engaged Amazon Web Services (AWS) and D3Clarity, an AWS Specialization Partner and AWS Marketplace Seller that’s an expert in data-first business process, enterprise architecture, data, cloud engineering, and full-service cloud operations. D3Clarity holds the AWS Migration Consulting Competency.

AWS and D3Clarity collaborated to develop a solution for ABG’s needs using Amazon CloudFront and AWS WAF. CloudFront is a fast CDN service that securely delivers data, videos, applications, and APIs to customers with low latency and high transfer speeds. AWS WAF secures web applications and APIs by blocking requests before they reach the servers.

Challenges Faced During the Discovery Phase

During the discovery phase, the team encountered a set of complex challenges:

  • Understanding and translating a multitude of existing non-standard caching behaviors and heavily-customized cache policies from the previous CDN system to Amazon CloudFront. Each caching behavior required careful examination to ensure accurate translation.
  • Translating the existing web application firewall rules into AWS WAF rules, which required careful analysis and understanding of both systems.
  • The organization hosted the content distribution origin in an on-premises data center behind a private network, which introduced an additional level of complexity and required intricate network solutions.

Planning to Mitigate Challenges

The D3Clarity team, with AWS, reviewed the existing configurations and their mapping to native CloudFront capabilities, and then identified a detailed list of enhancement opportunities.

  • Devised unique CloudFront Functions and Lambda@Edge tasks to facilitate the addition of custom headers, such as true-client-ip, and to dynamically cache objects based on response codes, path parameters, and query strings. This provided the ability to manage necessary configurations dynamically within the AWS framework as infrastructure as code (IaC).
  • Performed an exhaustive analysis and translation of the existing WAF rules using AWS WAF Web Access Control Lists (ACLs). This approach included the application of numerous AWS-managed rules, along with the integration of exceptions to safeguard legitimate traffic. The strategy successfully struck the desired balance between robust security and optimal functionality, paving the way for a smooth transition and top-tier performance for ABG’s diverse web and mobile applications.
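
The true-client-ip and query-string handling from the first item above, sketched as a CloudFront Functions viewer-request handler. This is an added example, not code from ABG or D3Clarity; the `CACHE_PARAMS` allow-list and the sample event are constructed, and the sketch assumes the origin does not need the query parameters it drops.

```javascript
// Added example: a CloudFront Functions viewer-request handler.
// CACHE_PARAMS is a hypothetical allow-list; tune it per cache behavior.
var CACHE_PARAMS = ['lang', 'page'];

function handler(event) {
    var request = event.request;

    // Overwrite, never append: a client-supplied true-client-ip is untrusted,
    // so the value always comes from the connection CloudFront itself saw.
    request.headers['true-client-ip'] = { value: event.viewer.ip };

    // Keep only allow-listed query parameters, in a fixed order, so that
    // equivalent URLs share one cache key and arbitrary parameters cannot
    // fragment the cache. Only the first value of each parameter is kept.
    var normalized = {};
    CACHE_PARAMS.forEach(function (name) {
        var param = request.querystring[name];
        if (param && param.value !== '') {
            normalized[name] = { value: param.value };
        }
    });
    request.querystring = normalized;
    return request;
}

// Constructed sample event in the CloudFront Functions event shape.
var sampleEvent = {
    version: '1.0',
    viewer: { ip: '198.51.100.7' },
    request: {
        method: 'GET',
        uri: '/locations',
        headers: { 'true-client-ip': { value: '10.0.0.1' } },
        querystring: {
            page: { value: '2' },
            utm_source: { value: 'x' },
            lang: { value: 'en' }
        },
        cookies: {}
    }
};
```

For the origin to receive `true-client-ip`, the header also has to be included in the origin request policy of the cache behavior.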

High-Level Solution Overview

For Avis Budget Group’s on-premises backend applications, the team established secure and highly available private network connections using AWS Direct Connect and a transit network, created an Application Load Balancer (ALB) for each application, and configured it to accept requests only from CloudFront. CloudFront adds a layer of security by adding a secret header to the requests, which the ALB then validates. The transit network forwards these requests via Direct Connect to the on-premises application.
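
A check for the secret-header gate described above, as an added example (not code from ABG or D3Clarity): it reads the `Rules` array in the shape `aws elbv2 describe-rules` prints and flags every path to a forward action that does not require an exact match on the secret header. The header name `x-origin-verify` and the sample rules are assumptions constructed for illustration.

```javascript
// Added example: audit ALB listener rules for the CloudFront secret-header gate.
// SECRET_HEADER is a hypothetical name; use the header CloudFront actually adds.
var SECRET_HEADER = 'x-origin-verify';

function isExactSecretMatch(cond) {
    var cfg = cond.HttpHeaderConfig;
    return cond.Field === 'http-header' && !!cfg &&
        cfg.HttpHeaderName.toLowerCase() === SECRET_HEADER &&
        cfg.Values.length > 0 &&
        // ALB header values accept * and ? wildcards; a wildcard is not a secret.
        cfg.Values.every(function (v) { return !/[*?]/.test(v); });
}

// rules: the "Rules" array in the shape `aws elbv2 describe-rules` prints.
function auditListenerRules(rules) {
    var findings = [];
    rules.forEach(function (rule) {
        var forwards = rule.Actions.some(function (a) { return a.Type === 'forward'; });
        if (!forwards) { return; }
        if (rule.IsDefault) {
            findings.push('default rule forwards: requests without the header reach the origin');
        } else if (!rule.Conditions.some(isExactSecretMatch)) {
            findings.push('rule ' + rule.Priority + ' forwards without an exact ' +
                SECRET_HEADER + ' match');
        }
    });
    return findings;
}

// Constructed samples, trimmed to the fields the audit reads.
var deny = { Priority: 'default', IsDefault: true, Conditions: [],
    Actions: [{ Type: 'fixed-response', FixedResponseConfig: { StatusCode: '403' } }] };
var gatedRules = [
    { Priority: '1', IsDefault: false, Actions: [{ Type: 'forward' }],
      Conditions: [{ Field: 'http-header', HttpHeaderConfig: {
          HttpHeaderName: 'X-Origin-Verify', Values: ['constructed-secret-value'] } }] },
    deny
];
var openRules = [
    { Priority: '1', IsDefault: false, Actions: [{ Type: 'forward' }],
      Conditions: [{ Field: 'path-pattern', Values: ['/api/*'] }] },
    { Priority: 'default', IsDefault: true, Conditions: [], Actions: [{ Type: 'forward' }] }
];

console.log(auditListenerRules(gatedRules));
console.log(auditListenerRules(openRules));
```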

Figure 1 – High-level architecture of the web applications migrated to CloudFront with the associated observability and perimeter security components.

To ensure efficiency, reusability, and precision, the entire solution was automated using Terraform. The integration of AWS services with the IaC tool Terraform played a pivotal role in the automation and maintenance of this project. It provided an environment that could easily be created, modified, or destroyed as needed.

After setting up the robust infrastructure, the project required a comprehensive real-time logging, troubleshooting, and alerting system to help identify issues in near real time.

To provide upper management with a means to visualize the traffic flowing through WAF and CloudFront, the team configured CloudFront, AWS WAF, and the ALBs to output logs to a private Amazon Simple Storage Service (Amazon S3) bucket.

Using Amazon Athena, the team could efficiently query log data and extract valuable insights. For data visualization, the team used Amazon QuickSight to create interactive dashboards for a clear overview of the request traffic data. To ensure rapid troubleshooting, the team configured Amazon CloudWatch alarms for real-time monitoring and notifications.

This comprehensive approach ensured full-cycle data management, from secure storage and efficient analysis to alerting and visualization.

Results Since Deployment on AWS

The maintenance effort since deployment has been minimal. With over a year of live data, no vulnerabilities or patches have been required, ensuring 100% uptime and security in the AWS environment. The time to first byte for both static assets and dynamic requests has significantly improved.

A more important success metric was the cost reduction. By leveraging the native AWS services and security features in the solution, the customer is saving more than 60% of the cost compared to the on-premises spend.

Conclusion

The blog discusses how Avis Budget Group migrated 150+ domains to Amazon CloudFront and AWS WAF to overcome challenges with their legacy CDN and improve security, performance, and cost-effectiveness. The migration involved overcoming complex challenges, such as translating existing caching behaviors and WAF rules, and establishing secure network connections to the origins. This allowed ABG to achieve 100% uptime, enhanced security, improved performance, and 60% cost savings.

D3Clarity – AWS Partner Spotlight

D3Clarity is an AWS Advanced Partner with the exclusive Migration Competency. D3Clarity’s collaborative approach ensures knowledge sharing and strong partnerships, leveraging their extensive AWS experience for customer success.