Increasing security and reliability using Amazon CloudFront with Atlassian

Like many SaaS providers, Atlassian is often targeted by distributed denial of service (DDoS) attacks. Prior to 2023, the company served its enterprise customers using AWS infrastructure powered by Amazon Elastic Compute Cloud (Amazon EC2), which provides secure and resizable compute capacity. To manage security threats, the company used a mix of off-the-shelf products and internally developed solutions.

As Atlassian’s customer base grew, so did the frequency and scale of DDoS attacks, sometimes reaching hundreds of millions of requests. To maintain consistent performance for its global user base, the company needed stronger defenses. At the same time, Atlassian had to provide fixed IP addresses for its products—a key requirement for its enterprise customers that rely on allowlisting to manage firewalls and security controls.

Atlassian evaluated several solutions, looking at costs, features, and performance, as well as how the solution integrated with its existing tools and workflows. The company ultimately chose to supplement its Amazon EC2–based architecture with AWS edge and security services. This approach would help Atlassian to provide a high level of security and reliable performance while keeping costs under control.

Drawing on its years of partnership with the AWS team, Atlassian collaborated with the AWS team to choose the right services and features for its solution. Atlassian chose Amazon CloudFront to improve customer experience with reduced latency and AWS WAF to help create security rules that limit malicious traffic and block common event patterns.

The company also adopted AWS Shield Advanced to help protect against volumetric attacks. Using these services in front of its Amazon EC2 infrastructure, Atlassian achieved significant cost avoidance through zero-rated billing.

“We selected AWS for a few reasons,” says Ben McAlary, principal network engineer at Atlassian. “First, AWS is our cloud partner, and we have a really strong support relationship with them. Second, AWS provides this kind of economy of scale where everything integrates with everything else nicely. Finally, costs are key. When you use Amazon CloudFront with AWS as your origin, that gets rid of a lot of costs.”

Atlassian worked alongside AWS Enterprise Support, AWS technical account managers, and AWS solutions architects to design the solution. Because static IPs are crucial to Atlassian’s service delivery, AWS provided Atlassian access to Anycast static IPs for Amazon CloudFront through beta program access. Using this feature, the company could associate three unique IP addresses to identify its Jira and Confluence products. AWS also provided early access to custom origin routing using CloudFront Functions. This made it possible for Atlassian to directly route traffic to customers’ data residency region, avoiding a costly and performance-impairing cross-region hop. During testing for this feature, Atlassian provided feedback to the AWS service teams, helping to validate, refine, and optimize traffic distribution. This mutually beneficial and collaborative approach underscores the value of the partnership between the two companies.

Atlassian worked closely with the AWS teams throughout the solution adoption process. “When we built our AWS WAF rule set, the AWS team looked at it and came back with eight recommendations on how to improve it,” says McAlary. “They go really deep. I can tell that they’re fully understanding the solution, and all of the recommendations that they provided were valid.”

The collaborative process helped Atlassian to implement a powerful combination of AWS services and features that significantly strengthened its security posture. “We’ve been seeing these large DDoS attacks mitigated,” says McAlary. “But not only that, every hour, every second of every minute of every day, we’re seeing hundreds of thousands of malicious or inauthentic requests blocked by AWS WAF.”

 

Atlassian has achieved a 50 percent reduction in cross-region data transfer costs using the origin region selection feature of CloudFront Functions while improving performance. AWS global infrastructure covers 36 geographic regions, so Atlassian’s customers experience high availability and performance, no matter their location. For example, customers in Brazil and South Africa experienced a 20 percent improvement in page load times.

Looking ahead, Atlassian is creating proofs of concept to test the advanced security features of WAF L7 Anti-DDoS Amazon Managed Rule and Bot Control. It also plans to implement CloudFront Virtual Private Cloud Origins, which prevent end users from discovering or bypassing Amazon CloudFront to access web applications directly.

Through its adoption of AWS security services, Atlassian’s team spends more time developing products and less time responding to security incidents. “Using AWS security services takes a load off our security team, our anti-abuse team, and our infrastructure team,” says McAlary. “We’ve been able to get more done, and we’ve been able to get more sleep.”