Migrate from AWS to Azion

A platform migration usually begins long before the first configuration file is changed. It starts when a team notices that its current environment no longer gives the same level of clarity, speed, or control it once did.

For teams using AWS, this moment often comes after years of accumulated complexity: CloudFront distributions with layered cache behaviors, Lambda functions with runtime dependencies, S3 buckets with evolving access policies, DynamoDB tables with provisioned capacity, Route 53 zones with health checks, WAF rules with managed rule groups, and CloudWatch alarms with custom metrics. Each service works, but together they create operational overhead that slows development.

For teams currently using Amazon CloudFront, AWS Lambda, Amazon S3, Amazon DynamoDB, Amazon Route 53, AWS WAF, AWS Shield, Amazon CloudWatch, or other AWS services, Azion provides equivalent capabilities through Applications, Functions, Object Storage, KV Store, Edge DNS, Web Application Firewall, DDoS Protection, Real-Time Metrics, and Real-Time Events.

The strongest reason to migrate is not simply to replace one vendor with another. It is to consolidate compute, storage, database, delivery, security, and observability into a unified platform designed for globally distributed applications.

How AWS to Azion Migration Works

Traditional platform migrations often require rewriting application logic, reconfiguring infrastructure from scratch, and managing multiple disconnected services. This approach creates operational risk, extends timelines, and fragments team knowledge across different configuration patterns.

The Azion migration approach preserves your application logic while transitioning to a unified platform:

Incremental migration path. Start with a single project, validate each layer independently, and expand with confidence. No need to migrate everything at once.
Preserved application logic. Functions, cache policies, origin configurations, and data services map directly to Azion equivalents with minimal code changes—primarily syntax updates for environment access and service imports.
Unified platform model. Instead of managing compute, storage, databases, security, and observability as disconnected layers, Azion brings these capabilities together with consistent APIs and configuration patterns.

Feature Mapping

The following tables provide a comprehensive mapping of AWS products to their Azion equivalents. A dash (-) indicates that Azion does not currently offer a direct equivalent.

AWS Product	Description	Azion Equivalent
Amazon CloudFront	AWS CDN for delivering static content, dynamic content, APIs, applications, and video globally.	Applications
CloudFront Distributions	Main CloudFront delivery resource for domains, origins, cache behavior, certificates, security, and edge delivery settings.	Applications
CloudFront Alternate Domain Names	Configure custom domains for CloudFront distributions.	Workloads
CloudFront Cache Behaviors	Path-based delivery behavior, cache policy, origin request policy, allowed methods, and edge function associations.	Rules Engine for Applications
CloudFront Cache Policies	Control cache keys, TTLs, headers, cookies, query strings, and compression.	Cache
CloudFront Origin Request Policies	Control which request values CloudFront forwards to origin.	Rules Engine
CloudFront Response Headers Policies	Add or modify response headers such as security headers and CORS headers.	Rules Engine for Applications
CloudFront Origin Shield	Additional centralized caching layer to reduce origin load and improve cache hit ratio.	Tiered Cache
CloudFront Invalidation	Remove content from CloudFront edge caches before expiration.	Real-Time Purge
CloudFront Functions	Lightweight JavaScript execution at the edge for redirects, rewrites, headers, and cache-key normalization.	Functions for Applications
Lambda@Edge	Node.js or Python functions triggered by CloudFront events to customize delivery.	Functions for Applications
Lambda@Edge for security logic	Use CloudFront-triggered functions for request validation, authentication, or blocking logic.	Functions for Firewall
CloudFront Device Detection	Detect device type and pass device metadata to the origin.	Device Groups
AWS Elemental MediaLive	Real-time live video encoding.	Live Ingest
AWS Elemental MediaPackage	Package and originate live video streams for HLS, DASH, and related formats.	Live Ingest + Applications
CloudFront for live streaming	Deliver live video globally using CloudFront with AWS Media Services.	Applications + Live Ingest
AWS Lambda	General-purpose serverless compute for event-driven code execution.	Functions for Applications
Amazon API Gateway	Create and manage REST, HTTP, and WebSocket APIs with backend integrations.	Applications + Functions
API Gateway request validation / throttling	Apply API request controls, throttling, and validation rules.	Rules Engine + Firewall
AWS Amplify Hosting	Git-based CI/CD and hosting for static and server-side rendered web apps.	Applications + Azion CLI
AWS App Runner	Deploy source code or container images to managed web applications.	Applications + Orchestrator
Amazon Bedrock	Foundation model access and generative AI application development.	AI Inference
Amazon Bedrock model inference	Invoke foundation models for text, image, embedding, and generative AI use cases.	AI Inference
Amazon Bedrock Fine-Tuning	Customize foundation models with fine-tuning for specific use cases.	LoRA Fine-Tune
Amazon Bedrock Custom Model Import	Import customized foundation models into Bedrock.	AI Inference + LoRA Fine-Tune
Amazon SageMaker AI Real-Time Inference	Deploy ML models to managed real-time inference endpoints.	AI Inference
Amazon S3	Object storage for unstructured data, static assets, backups, archives, and websites.	Object Storage
Amazon S3 Static Website Hosting	Host static websites from S3 buckets.	Object Storage + Applications
S3 Object Lambda	Transform S3 objects with Lambda before returning them to the requester.	Object Storage + Functions
S3 Object Lambda for image transformation	Resize, watermark, redact, or transform content retrieved from S3.	Image Processor + Functions
Amazon Aurora DSQL	Serverless distributed relational SQL database for transactional workloads.	SQL Database
Amazon DynamoDB	Serverless key-value and document database.	KV Store
DynamoDB Global Tables	Multi-Region replication for globally distributed NoSQL data.	KV Store
AWS WAF	Web application firewall for protecting applications and APIs.	WAF / Firewall
AWS Managed Rules for AWS WAF	Managed rule groups for common vulnerabilities and unwanted traffic.	WAF Rule Sets
AWS WAF custom rules	Create custom match conditions and actions for web requests.	Rules Engine for Firewall
AWS WAF Bot Control	Managed bot detection and mitigation.	Bot Manager
AWS WAF Rate-Based Rules	Rate limit requests based on IP, headers, URI, method, or other keys.	Rules Engine + Network Shield
AWS WAF IP Sets	Reusable IP/CIDR lists for allow or block rules.	Network Lists
AWS Shield Standard	Standard DDoS protection for AWS resources.	DDoS Protection
AWS Shield Advanced	Advanced DDoS protection with additional visibility and mitigation options.	DDoS Protection
Shield Advanced automatic DDoS mitigation	Automatically creates or updates WAF protections during application-layer attacks.	DDoS Protection + WAF
AWS Network Firewall	Managed VPC network firewall.	Network Shield
Elastic Load Balancing	Distributes traffic across multiple targets and availability zones.	Load Balancer
Application Load Balancer	Layer 7 HTTP/HTTPS load balancing with application-level routing.	Load Balancer
Network Load Balancer	Layer 4 TCP/UDP/TLS load balancing.	Load Balancer
AWS Global Accelerator	Global Anycast IPs and optimized routing over the AWS global network.	Applications + Load Balancer
CloudFront Origin Access Control	Secure S3 origins so users access content through CloudFront instead of directly from S3.	Connectors + Origin Shield
CloudFront Signed URLs / Signed Cookies	Restrict access to private content using signed URLs or cookies.	Rules Engine + Functions
CloudFront Geographic Restrictions	Allow or block content access by country.	Rules Engine + Network Shield
Amazon Route 53	Authoritative DNS, domain registration, routing policies, and health checks.	Edge DNS
AWS Certificate Manager	Provision, import, manage, deploy, and renew SSL/TLS certificates.	Certificate Manager
AWS Private CA	Create and operate private certificate authorities.	Certificate Manager
AWS Private CA for client authentication	Private PKI patterns for certificate-based client authentication.	mTLS
AWS IoT Greengrass	Run AWS-managed edge components and local processing on edge devices.	Orchestrator
AWS IoT Greengrass deployments	Deploy components and configurations to edge devices.	Orchestrator
Amazon ECS Anywhere	Register and manage on-premises or external servers in ECS clusters.	Orchestrator
AWS Outposts	Run AWS infrastructure and services on customer premises.	Orchestrator
AWS Systems Manager Hybrid Activations	Manage non-EC2 machines in hybrid and multicloud environments.	Orchestrator
Amazon CloudWatch Metrics	Collect, query, visualize, and alarm on service and application metrics.	Real-Time Metrics
Amazon CloudWatch Logs	Collect, monitor, query, and analyze logs.	Real-Time Events
CloudWatch Logs Insights	Query and investigate logs interactively.	Real-Time Events
Amazon Data Firehose	Deliver streaming data to destinations such as S3, Redshift, OpenSearch, and HTTP endpoints.	Data Stream
CloudWatch RUM	Real user monitoring for browser and mobile application performance.	Edge Pulse
AWS Marketplace	Discover, buy, deploy, and manage third-party software, data, and services.	Marketplace
AWS Management Console	Web interface for accessing and managing AWS services.	Azion Console
AWS APIs	Programmatic interface for AWS service operations.	Azion API
Amazon CloudWatch APIs / Metrics APIs	Query metrics, logs, alarms, and observability data programmatically.	GraphQL API
AWS CLI	Command-line interface for managing AWS services.	Azion CLI
AWS SDKs	Language-specific SDKs for building integrations with AWS services.	SDK
AWS SDK for JavaScript	JavaScript libraries for interacting with AWS services.	Azion Lib
AWS CloudFormation	Infrastructure as Code service for modeling and provisioning AWS resources.	Terraform Provider
AWS Cloud Development Kit	Define infrastructure using programming languages and synthesize to CloudFormation.	Terraform Provider + Azion API
Terraform AWS Provider	Terraform provider for managing AWS resources.	Terraform Provider
Lambda runtime environment	Runtime layer used by Lambda functions.	Azion Runtime
CloudFront edge runtime	Runtime environment for CloudFront Functions and Lambda@Edge.	Azion Runtime

Migration Strategy

The migration is organized around Azion’s four product categories, allowing teams to plan and execute each layer independently:

Build: deploy applications, configure builds and environment variables, migrate Lambda functions, CloudFront behaviors, routing, headers, load balancing, cache, image optimization, and AI workloads.
Secure: migrate custom domains, Route 53 DNS, SSL/TLS certificates, WAF rules, DDoS protection, bot management, and rate limiting.
Store: migrate S3 objects, DynamoDB tables, and Aurora databases to Object Storage, KV Store, and SQL Database.
Observe: migrate CloudWatch metrics, logs, and alarms to Azion’s real-time observability stack.

Build

The Build category covers application deployment, compute, routing, and configuration. Start here to bring your application onto Azion and establish the foundation for the rest of the migration.

1. Project Setup on Azion

The first step brings your application into Azion in a way that feels familiar to teams that deploy modern web projects on AWS. If you have used AWS CloudFormation, SAM, or CDK, you already understand the pattern: define infrastructure as code, configure build settings, deploy the output, and validate the generated URL.

Azion follows a similar workflow but with a broader platform context. Your project becomes part of an environment where application delivery, Functions, rules, security, and observability can be managed together.

Key Differences

Aspect	AWS	Azion
Config file	`template.yaml` (SAM) / `cdk.json` (CDK)	`azion.config.js` (JavaScript)
Framework detection	Manual configuration	20+ frameworks with auto-detection
Cold starts	Common (regional Lambda)	Minimized (distributed nodes)
Compliance	SOC 2, ISO 27001, HIPAA	PCI DSS 4.0.1 Level 1, SOC 2 Type II

Connect Your Repository

Open Azion Console.
Click + Create > Import from GitHub.
Authorize the Azion GitHub App.
Select the repository you want to migrate.

Configure Your Build

Azion auto-detects your framework and configures build settings. Override the detected preset in azion.config.js:

import { defineConfig } from 'azion'

export default defineConfig({
name: 'my-project',
preset: 'nextjs', // Override auto-detection if needed
})

Deploy and Verify

Deploy from the Azion Console or CLI. Your temporary Azion URL follows this pattern:

https://xxxxxxxxxx.map.azionedge.net/

Validate the deployment:

curl https://xxxxxxxxxx.map.azionedge.net/

Reference documentation

2. Converting Build Configuration

A migration can appear successful when the build passes but fail later when runtime behavior differs. Review build and deployment configuration carefully instead of treating it as a mechanical command replacement.

CLI Quick Reference

Task	AWS CLI	Azion CLI
Install	`pip install awscli`	`curl -fsSL https://cli.azion.app/install.sh \| bash`
Login	`aws configure`	`azion login`
Local dev	`sam local start-api`	`azion dev`
Deploy	`sam deploy --guided` or `cdk deploy`	`azion deploy`
View logs	`aws logs tail /aws/lambda/my-function`	`azion logs`

Build Configuration Comparison

Aspect	AWS SAM/CDK	Azion
Infrastructure as Code	YAML/TypeScript templates	JavaScript config
Local testing	SAM local emulator	Built-in dev server
Deployment	CloudFormation stacks	Direct deployment
Rollback	Stack rollback	Version history

Reference documentation

3. Migrating Environment Variables

Environment variables contain API keys, database credentials, authentication secrets, service endpoints, feature flags, and environment-specific configuration. Migrating them incorrectly causes runtime failures even when deployment succeeds.

Key Differences

Aspect	AWS	Azion
Access	`process.env.VARIABLE`	`Azion.env.get('VARIABLE')`
Secrets management	AWS Secrets Manager / Systems Manager Parameter Store	Variables in Functions Instances
Environment stages	Stage name in function ARN	Environment context in config

Evaluate Your Variables

Before changing code, identify every variable in:

AWS Lambda: Environment variables in function configuration
AWS Secrets Manager: Secret values and rotation policies
Systems Manager Parameter Store: Parameters and paths
Elastic Beanstalk: Environment properties
CI/CD environment settings (CodePipeline, CodeBuild)
Runtime configuration in source code

Create Variables in Azion

Access Azion Console.
Navigate to Build > Variables.
Click Add Variable.
Enter the variable name and value.
Click Save.

curl -X POST 'https://api.azionapi.net/variables' --header 'Accept: application/json; version=3' --header 'Authorization: Token [TOKEN VALUE]' --header 'Content-Type: application/json' --data '{
"key": "key-test",
"value": "value-test"
}'

Update Your Code

// Before: AWS Lambda / Node.js
const apiKey = process.env.API_KEY;
const dbHost = process.env.DB_HOST;

// Before: AWS with Secrets Manager (async)
const { SecretsManager } = require('@aws-sdk/client-secrets-manager');
const client = new SecretsManager();
const secret = await client.getSecretValue({ SecretId: 'my-secret' });
const secretValue = JSON.parse(secret.SecretString);

// After: Azion
const apiKey = Azion.env.get('API_KEY');
const dbHost = Azion.env.get('DB_HOST');

Reference documentation

4. Migrating CloudFront to Applications

CloudFront distributions deliver content from edge locations with caching and origin configuration. Azion Applications provide similar capabilities with integrated Rules Engine for request/response manipulation.

Key Differences

Aspect	AWS CloudFront	Azion Applications
Distribution config	XML/JSON in CloudFormation	JavaScript config or Console
Origins	S3, ALB, Custom origins	Connectors (HTTP, Object Storage)
Behaviors	Cache behaviors with paths	Rules Engine with criteria
SSL certificates	ACM (us-east-1 only)	Digital Certificates
Lambda@Edge	Edge functions (4 triggers)	Functions (request/response phases)

Configuration Steps

Access Azion Console.
Navigate to Build > Applications.
Click Add Application.
Configure your Main Settings:
- Name your application
- Set origin type (HTTP, Object Storage)
- Configure origin address
Set up Cache Settings for TTL configuration.
Configure Rules Engine for path-based routing.
Add Custom Domains when ready.

curl -X POST 'https://api.azionapi.net/v4/workspace/applications' --header 'Authorization: Token YOUR_TOKEN' --header 'Content-Type: application/json' --data '{
  "name": "my-app",
  "origins": [
    {
      "name": "origin-main",
      "addresses": [
        {
          "address": "origin.example.com",
          "weight": 1
        }
      ]
    }
  ],
  "cache_settings": {
    "default_ttl": 3600
  }
}'

Distribution Configuration Migration

// CloudFront distribution config (CloudFormation YAML converted to Azion JS)
import { defineConfig } from 'azion'

export default defineConfig({
name: 'my-distribution',
applications: [{
  name: 'main-app',
  origins: [{
    name: 's3-origin',
    type: 'object_storage',
    addresses: [{
      address: 'my-bucket.azionedge.net',
      weight: 1
    }]
  }],
  cache: {
    ttl: 86400,
    staleWhileRevalidate: 300
  },
  rules: {
    request: [{
      name: 'API Routes',
      criteria: [{
        variable: 'uri',
        operator: 'starts_with',
        argument: '/api/'
      }],
      behavior: {
        bypassCache: true,
        runFunction: 'api-handler'
      }
    }]
  }
}]
})

Origin Request vs Viewer Request

In CloudFront, Lambda@Edge functions trigger at different points. Azion maps these to Rules Engine phases:

CloudFront Trigger	Azion Equivalent
Viewer Request	Rules Engine > Request Phase
Origin Request	Rules Engine > Request Phase (after cache check)
Origin Response	Rules Engine > Response Phase
Viewer Response	Rules Engine > Response Phase

Reference documentation

5. Migrating API Gateway to Applications + Functions

API Gateway provides REST and HTTP API management with authorizers, throttling, and stage management. Azion Applications combined with Functions deliver similar capabilities with distributed execution.

Key Differences

Aspect	AWS API Gateway	Azion Applications + Functions
API types	REST API, HTTP API	Functions with routing
Authorizers	Lambda, Cognito, JWT	Functions with custom logic
Stages	Stage variables and deployments	Environment configuration
Throttling	Usage plans + rate limiting	Rate Limit rules
Custom domains	Domain mappings	Application domains

Configuration Steps

Access Azion Console.
Navigate to Build > Functions.
Create Functions for each API endpoint.
Navigate to Build > Applications.
Create an Application for your API.
Configure Rules Engine to route paths to Functions.
Set up rate limiting rules.
Add authentication via Functions.

# Create a Function
curl -X POST 'https://api.azionapi.net/v4/workspace/functions' --header 'Authorization: Token YOUR_TOKEN' --header 'Content-Type: application/json' --data '{
  "name": "api-handler",
  "code": "export default { async fetch(request) { return new Response(JSON.stringify({ message: "Hello" }), { headers: { "Content-Type": "application/json" } }); } }"
}'

# Create Application with routing rules
curl -X POST 'https://api.azionapi.net/v4/workspace/applications' --header 'Authorization: Token YOUR_TOKEN' --header 'Content-Type: application/json' --data '{
  "name": "api-gateway",
  "rules": {
    "request": [{
      "name": "API Route",
      "criteria": [{ "variable": "uri", "operator": "starts_with", "argument": "/api/" }],
      "behavior": { "runFunction": "api-handler" }
    }]
  }
}'

API Gateway Authorizer Migration

// Before: AWS Lambda Authorizer
exports.handler = async (event) => {
const token = event.authorizationToken;
try {
  const decoded = jwt.verify(token, process.env.JWT_SECRET);
  return {
    principalId: decoded.sub,
    policyDocument: {
      Version: '2012-10-17',
      Statement: [{
        Action: 'execute-api:Invoke',
        Effect: 'Allow',
        Resource: event.methodArn
      }]
    }
  };
} catch (err) {
  throw new Error('Unauthorized');
}
};

// After: Azion Function for Authorization
export default {
async fetch(request) {
  const authHeader = request.headers.get('Authorization');
  if (!authHeader) {
    return new Response('Unauthorized', { status: 401 });
  }

  const token = authHeader.replace('Bearer ', '');
  try {
    const secret = Azion.env.get('JWT_SECRET');
    const decoded = await verifyJWT(token, secret);

    // Store user info in request metadata for downstream functions
    request.metadata['user_id'] = decoded.sub;
    return request; // Continue to next handler
  } catch (err) {
    return new Response('Unauthorized', { status: 401 });
  }
}
};

Route Migration Example

// API Gateway routes → Azion Rules Engine

// Before: API Gateway resource paths
// GET /users/{id}
// POST /users
// PUT /users/{id}
// DELETE /users/{id}

// After: Azion Rules Engine configuration
import { defineConfig } from 'azion'

export default defineConfig({
applications: [{
  name: 'api-app',
  rules: {
    request: [
      {
        name: 'GET /users/:id',
        criteria: [
          { variable: 'uri', operator: 'matches_regex', argument: '^/users/([0-9]+)$' },
          { variable: 'request_method', operator: 'equals', argument: 'GET' }
        ],
        behavior: { runFunction: 'get-user' }
      },
      {
        name: 'POST /users',
        criteria: [
          { variable: 'uri', operator: 'equals', argument: '/users' },
          { variable: 'request_method', operator: 'equals', argument: 'POST' }
        ],
        behavior: { runFunction: 'create-user' }
      }
    ]
  }
}]
})

Reference documentation

6. Migrating Lambda to Functions

Functions are the computational engine of modern distributed applications. They often contain the most business-critical logic: authentication, personalization, API orchestration, and integrations with third-party systems.

Key Differences

Aspect	AWS Lambda	Azion Functions
Function signature	`exports.handler = async (event) => {}`	`export default { async fetch(request) {} }`
Runtime	Node.js, Python, Java, Go, .NET, Ruby	JavaScript (V8 isolates)
Memory	128 MB - 10,240 MB	512 MB (default)
Timeout	1 sec - 15 min	Configurable per execution
Cold starts	Common (regional, VPC-cold)	Minimized (distributed nodes)
Event sources	SQS, SNS, Kinesis, DynamoDB, API Gateway	HTTP requests, scheduled triggers

Update Function Signature

// Before: AWS Lambda
exports.handler = async (event) => {
const body = JSON.parse(event.body);
const pathParams = event.pathParameters;
const queryParams = event.queryStringParameters;

// Process request
return {
  statusCode: 200,
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ message: 'Hello', data: body })
};
};

// After: Azion Functions
export default {
async fetch(request) {
  const body = await request.json();
  const url = new URL(request.url);
  const queryParams = Object.fromEntries(url.searchParams);

  // Process request
  return new Response(JSON.stringify({ message: 'Hello', data: body }), {
    status: 200,
    headers: { 'Content-Type': 'application/json' }
  });
}
};

Event Context Migration

// Before: AWS Lambda event context
exports.handler = async (event, context) => {
const requestId = context.awsRequestId;
const functionName = context.functionName;
const remainingTime = context.getRemainingTimeInMillis();

// Request metadata from API Gateway
const sourceIp = event.requestContext.identity.sourceIp;
const userAgent = event.requestContext.identity.userAgent;
const country = event.headers['CloudFront-Viewer-Country'];

return { statusCode: 200, body: 'OK' };
};

// After: Azion Functions
export default {
async fetch(request, env, ctx) {
  // Request metadata
  const requestId = request.headers.get('x-request-id');
  const userAgent = request.headers.get('user-agent');
  const country = request.metadata['geoip_country_code'];
  const city = request.metadata['geoip_city'];

  // Geo metadata available directly
  const region = request.metadata['geoip_region'];

  return new Response('OK', { status: 200 });
}
};

Environment Variables Migration

// Before: AWS Lambda
const dbUrl = process.env.DATABASE_URL;
const apiKey = process.env.API_KEY;

// After: Azion Functions
const dbUrl = Azion.env.get('DATABASE_URL');
const apiKey = Azion.env.get('API_KEY');

Cold Start Comparison

AWS Lambda cold starts vary significantly based on runtime, memory allocation, and VPC configuration. Azion Functions minimize cold starts through distributed node placement:

Scenario	AWS Lambda Cold Start	Azion Functions Cold Start
Node.js (no VPC)	100-300ms	Minimal
Node.js (with VPC)	500ms-2s	N/A (no VPC concept)
Java/Spring	1-5s	N/A
Python	100-500ms	N/A

Reference documentation

7. Migrating Load Balancing (ALB/NLB to Load Balancer)

Load balancing distributes traffic across multiple origins for high availability and performance. Azion Load Balancer provides health checks, steering policies, and origin failover at the distributed infrastructure.

Key Differences

Aspect	AWS ALB/NLB	Azion Load Balancer
Health checks	HTTP, HTTPS, TCP	HTTP, HTTPS, TCP
Steering policies	Round-robin, Least connections, IP hash	Round-robin, Least connections, Geo
Failover	Target group failover	Origin-level failover
Session affinity	Cookie, IP hash	Cookie, IP hash
Targets	EC2, Lambda, IP addresses	Connectors (origins)
Protocol	Layer 4 (NLB), Layer 7 (ALB)	Layer 7 (HTTP/HTTPS)

Configuration Steps

Access Azion Console.
Go to Products menu > Connectors.
Create a Connector for each origin server.
Configure health checks for each origin.
In your Application, configure origins with load balancing settings.
Set origin weights for weighted distribution.
Enable session affinity if needed.

# Create a Connector with multiple addresses for load balancing
curl -X POST 'https://api.azionapi.net/v4/workspace/connectors' --header 'Authorization: Token YOUR_TOKEN' --header 'Content-Type: application/json' --data '{
  "name": "Origin-Pool-US",
  "type": "http",
  "attributes": {
    "addresses": [
      {
        "address": "us-east-origin1.example.com",
        "active": true,
        "modules": {
          "load_balancer": {
            "weight": 3,
            "method": "round_robin"
          }
        }
      },
      {
        "address": "us-east-origin2.example.com",
        "active": true,
        "modules": {
          "load_balancer": {
            "weight": 1,
            "method": "round_robin"
          }
        }
      }
    ]
  }
}'

Load Balancer Module Configuration

// Load balancer settings within Connector address modules
{
"weight": 3,                    // Relative weight for weighted distribution
"method": "round_robin",        // Options: "round_robin", "least_conn", "ip_hash"
"max_retries": 3,               // Maximum retry attempts on failure
"connection_timeout": 10,       // Connection timeout in seconds
"read_write_timeout": 30        // Read/write timeout in seconds
}

ALB Target Group Migration

AWS ALB Config	Azion Equivalent
Target Group	Connector
Health Check Path	Connector health check path
Health Check Interval	Connector health check interval
Healthy Threshold	Health check success threshold
Unhealthy Threshold	Health check failure threshold

Reference documentation

8. Migrating Cache Configuration

Caching configuration determines how content is stored and served from node locations. Azion Cache provides fine-grained control with Tiered Cache support for improved hit ratios.

Key Differences

Aspect	AWS CloudFront Cache	Azion Cache
Cache levels	Regional edge caches + Edge locations	Tiered Cache + Cache + Browser Cache
Cache key	Cache policy + origin request policy	Customizable via Rules Engine
Purge	Invalidations (path-based)	URL, Cache Key, Wildcard purge
Stale content	Origin shield, stale-while-revalidate	Stale-while-revalidate
TTL limits	Default 24h, max 1 year	Per-rule configuration

CloudFront Cache Policies to Azion Cache Settings

CloudFront Cache Policy	Azion Equivalent
CachingOptimized	Default Cache Settings with high TTL
CachingDisabled	Bypass Cache behavior in Rules Engine
Elemental-MediaPackage	Custom Cache Settings for streaming
Custom policy	Cache Settings + Rules Engine

Configuration Steps

Access Azion Console.
Edit your Application.
Navigate to Cache Settings.
Configure default cache TTL.
Enable Tiered Cache for improved hit ratio.
Add custom cache rules via Rules Engine.

# Update cache settings for an application
curl -X PATCH 'https://api.azion.com/v4/workspace/applications/{application_id}/cache_settings/{cache_setting_id}' --header 'Authorization: Token YOUR_TOKEN' --header 'Content-Type: application/json' --data '{
  "name": "my-cache-setting",
  "browser_cache": {
    "ttl": 3600
  },
  "modules": {
    "cache": {
      "ttl": 86400
    },
    "tiered_cache": {
      "enabled": true
    }
  }
}'

Cache Key Customization

In CloudFront, cache keys are defined by cache policies. In Azion, use Advanced Cache Key in Cache Settings:

Example: Vary cache by query strings

// In Cache Settings
{
"name": "api-cache",
"cache_key": {
  "query_string": {
    "include_all": false,
    "include": ["version", "lang"]
  }
}
}

CloudFront Invalidation to Azion Purge

# Before: AWS CloudFront invalidation
aws cloudfront create-invalidation --distribution-id E123456789ABCD --paths "/images/*" "/css/*"

# After: Azion cache purge
curl -X POST 'https://api.azion.com/v4/workspace/purge/wildcard' --header 'Authorization: Token YOUR_TOKEN' --header 'Content-Type: application/json' --data '{
  "items": [
    "https://example.com/images/*",
    "https://example.com/css/*"
  ],
  "layer": "cache"
}'

Reference documentation

9. Migrating Image Optimization

Image optimization reduces image file sizes while maintaining visual quality. Azion Image Processor transforms, optimizes, and delivers images from the distributed locations with automatic format selection.

Key Differences

Aspect	AWS CloudFront + Lambda@Edge	Azion Image Processor
Storage	S3 origin	Object Storage integration
Transformations	Custom Lambda@Edge	Built-in transformations
URL format	Custom implementation	`?ims=<OPTIONS>` query parameter
Format support	Custom implementation	WebP, AVIF, JPEG, PNG
Signed URLs	CloudFront signed URLs	Secure Token

URL Format Comparison

# AWS CloudFront (requires Lambda@Edge or custom origin)
# Typically custom URL structure:
https://d12345.cloudfront.net/images/photo.jpg?w=400&q=80

# Azion Image Processor
https://example.com/images/photo.jpg?ims=400x400

Transformation Parameters

Azion Image Processor uses the ims query parameter for transformations:

Syntax	Description	Example
`?ims=WxH`	Resize to width x height	`?ims=400x300`
`?ims=Wx`	Resize to width (auto height)	`?ims=400x`
`?ims=xH`	Resize to height (auto width)	`?ims=x300`
`?ims=WxH:fill`	Crop to exact dimensions	`?ims=400x300:fill`
`?ims=WxH:fit`	Fit within dimensions	`?ims=400x300:fit`

Configuration Steps

Access Azion Console.
Edit your Application.
Navigate to Image Processor settings.
Enable Image Processor.
Configure default quality and format settings.
Set up Object Storage as image source (optional).

# Enable Image Processor within application modules
curl -X PATCH 'https://api.azionapi.net/v4/workspace/applications/{application_id}' --header 'Authorization: Token YOUR_TOKEN' --header 'Content-Type: application/json' --data '{
  "modules": {
    "image_processor": {
      "enabled": true
    }
  }
}'

Reference documentation

10. Migrating AI Workloads (Bedrock to AI Inference)

AI inference enables low-latency AI-powered features in applications. Azion AI Inference provides GPU-backed inference for text and visual models at the distributed infrastructure.

Key Differences

Aspect	AWS Bedrock	Azion AI Inference
Model access	Managed foundation models	Custom model deployment
Inference API	Bedrock Runtime API	REST API + Functions
Model types	Claude, Llama, Titan, Stable Diffusion	Custom models, LLMs
GPU support	Managed infrastructure	Dedicated GPU instances
Pricing	Per-token / per-image	Per-inference

Configuration Steps

Access Azion Console.
Go to AI Inference (via Marketplace or Functions).
Deploy a model or use pre-built templates.
Configure inference endpoint.
Integrate with your application via Functions.

// AI inference in Azion Functions
export default {
async fetch(request) {
  const body = await request.json();

  // Call AI inference endpoint
  const response = await fetch('https://ai-inference.azion.com/v1/predict', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'Authorization': `Bearer ${Azion.env.get('AI_API_KEY')}`
    },
    body: JSON.stringify({
      model: 'text-generation',
      prompt: body.prompt,
      max_tokens: 100
    })
  });

  return response;
}
};

Bedrock to Azion Migration Example

// Before: AWS Bedrock
import { BedrockRuntime } from '@aws-sdk/client-bedrock-runtime';

const client = new BedrockRuntime({ region: 'us-east-1' });

const response = await client.invokeModel({
modelId: 'anthropic.claude-3-sonnet-20240229-v1:0',
contentType: 'application/json',
accept: 'application/json',
body: JSON.stringify({
  anthropic_version: 'bedrock-2023-05-31',
  max_tokens: 1024,
  messages: [{ role: 'user', content: 'Hello, world!' }]
})
});

// After: Azion AI Inference
export default {
async fetch(request) {
  const response = await fetch('https://ai-inference.azion.com/v1/chat/completions', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'Authorization': `Bearer ${Azion.env.get('AI_API_KEY')}`
    },
    body: JSON.stringify({
      model: 'claude-3-sonnet',
      messages: [{ role: 'user', content: 'Hello, world!' }],
      max_tokens: 1024
    })
  });

  return response;
}
};

Reference documentation

11. Migrating Orchestration (Step Functions, EventBridge)

AWS Step Functions and EventBridge provide workflow orchestration and event routing. Azion achieves similar patterns through Functions chaining and Data Streaming for event-driven architectures.

Key Differences

Aspect	AWS Step Functions	Azion Functions Chaining
Workflow definition	ASL (Amazon States Language)	JavaScript/TypeScript
State management	Built-in state machine	Custom implementation
Error handling	Retry, catch, fallback	Try/catch in Functions
Visualization	Workflow Studio	Code-based

Aspect	AWS EventBridge	Azion Data Streaming
Event routing	Rules and targets	Data Streaming + Functions
Event patterns	Pattern matching	Custom Functions logic
Targets	100+ AWS services	HTTP endpoints, Functions

Step Functions to Functions Chaining

// Before: AWS Step Functions (ASL)
{
"Comment": "Order processing workflow",
"StartAt": "ValidateOrder",
"States": {
  "ValidateOrder": {
    "Type": "Task",
    "Resource": "arn:aws:lambda:us-east-1:123456789:function:validate-order",
    "Next": "ProcessPayment"
  },
  "ProcessPayment": {
    "Type": "Task",
    "Resource": "arn:aws:lambda:us-east-1:123456789:function:process-payment",
    "Catch": [{
      "ErrorEquals": ["PaymentFailed"],
      "Next": "NotifyFailure"
    }],
    "Next": "FulfillOrder"
  },
  "FulfillOrder": {
    "Type": "Task",
    "Resource": "arn:aws:lambda:us-east-1:123456789:function:fulfill-order",
    "End": true
  },
  "NotifyFailure": {
    "Type": "Task",
    "Resource": "arn:aws:lambda:us-east-1:123456789:function:notify-failure",
    "End": true
  }
}
}

// After: Azion Functions (orchestrator pattern)
// orchestrator.js
export default {
async fetch(request) {
  const order = await request.json();

  try {
    // Step 1: Validate
    const validated = await validateOrder(order);

    // Step 2: Process payment
    const payment = await processPayment(validated);

    // Step 3: Fulfill order
    const fulfillment = await fulfillOrder(payment);

    return new Response(JSON.stringify(fulfillment), {
      headers: { 'Content-Type': 'application/json' }
    });
  } catch (error) {
    // Error handling
    await notifyFailure({ order, error: error.message });
    return new Response(JSON.stringify({ error: error.message }), {
      status: 500,
      headers: { 'Content-Type': 'application/json' }
    });
  }
}
};

// Individual function modules
async function validateOrder(order) {
// Validation logic
if (!order.items || order.items.length === 0) {
  throw new Error('Invalid order: no items');
}
return { ...order, validated: true };
}

async function processPayment(order) {
// Payment processing
const response = await fetch('https://payment-api.example.com/charge', {
  method: 'POST',
  body: JSON.stringify({ amount: order.total, currency: 'USD' })
});

if (!response.ok) {
  throw new Error('PaymentFailed');
}

return { ...order, paid: true };
}

async function fulfillOrder(order) {
// Fulfillment logic
return { ...order, fulfilled: true, fulfilledAt: new Date().toISOString() };
}

async function notifyFailure(context) {
// Send failure notification
await fetch('https://notifications.example.com/failure', {
  method: 'POST',
  body: JSON.stringify(context)
});
}

EventBridge to Data Streaming

// Before: AWS EventBridge rule
{
"source": ["com.mycompany.orders"],
"detail-type": ["OrderCreated"],
"detail": {
  "amount": [{ "numeric": [">", 100] }]
}
}

// Target: Lambda function for processing

// After: Azion Data Streaming + Functions
// Configure Data Streaming to send events to your Function endpoint
// Then process in Function:

export default {
async fetch(request) {
  const events = await request.json();

  for (const event of events) {
    if (event.source === 'com.mycompany.orders' &&
        event.type === 'OrderCreated' &&
        event.data.amount > 100) {
      // Process high-value order
      await processHighValueOrder(event.data);
    }
  }

  return new Response('OK');
}
};

Reference documentation

Secure

The Secure category covers domains, DNS, certificates, firewall rules, and protection against malicious traffic. Plan these migrations as controlled cutovers, since they affect how users reach your application and how it is protected in production.

1. Migrating Custom Domains

Custom domain migration is one of the most sensitive parts of any platform transition. It affects users, SEO, brand trust, and production availability. Plan domain migration as a controlled cutover, not a last-minute DNS change.

Migration Strategies

Strategy	Best For	DNS Control
CNAME	Quick subdomain migration	Keep Route 53 as DNS provider
Nameserver	Full DNS control and apex domains	Transfer DNS to Azion

Create the Certificate

Create your SSL/TLS certificate before pointing your domain to Azion. This ensures users can access the application securely over HTTPS when the domain starts resolving to the new infrastructure.

Azion provides free Let’s Encrypt certificates with automatic renewal.

Configure the Domain

Create a workload in Azion Console and associate your custom domain. See Workloads Documentation.

Point the Domain to Azion

Update your Route 53 hosted zone to point the subdomain to Azion:

www CNAME xxxxxxxxxx.map.azionedge.net

This keeps Route 53 as your DNS provider while routing traffic through Azion.

Configure your domain to use Azion DNS nameservers at your domain registrar:

ns1.aziondns.net
ns2.aziondns.com
ns3.aziondns.org

This gives Azion full DNS control, required for apex domains.

Verify Propagation

dig www.yourdomain.com CNAME +short

Reference documentation

2. Migrating DNS to Edge DNS

DNS configuration is foundational to application delivery. Migrating from Route 53 to Edge DNS requires careful planning to avoid downtime during the nameserver switch.

Key Differences

Aspect	Route 53	Azion Edge DNS
Nameservers	Assigned per hosted zone	`ns1.aziondns.net`, `ns2.aziondns.com`, `ns3.aziondns.org`
Record types	A, AAAA, CNAME, MX, TXT, SRV, NS, SOA, PTR, CAA	A, AAAA, CNAME, MX, TXT, SRV, NS, CAA, PTR
Routing policies	Simple, Weighted, Latency, Failover, Geolocation	Round-robin, Geo
Health checks	Route 53 health checks	Connector health checks
DNSSEC	Supported	Supported
API	REST API	REST API v4
Anycast	Global Anycast	Global Anycast

Migration Steps

Access Azion Console.
Go to Products menu > Edge DNS.
Click + Zone to create a new DNS zone.
Enter your domain name.
Add DNS records matching your Route 53 configuration.
Note the Azion nameservers assigned to your zone.
Update nameservers at your domain registrar (not in Route 53).

# Create a DNS zone
curl -X POST 'https://api.azionapi.net/v4/workspace/dns/zones' \
--header 'Authorization: Token YOUR_TOKEN' \
--header 'Content-Type: application/json' \
--data '{
  "name": "my-zone",
  "domain": "example.com",
  "active": true
}'

# Add DNS records
curl -X POST 'https://api.azionapi.net/v4/workspace/dns/zones/{zone_id}/records' \
--header 'Authorization: Token YOUR_TOKEN' \
--header 'Content-Type: application/json' \
--data '{
  "record_type": "A",
  "entry": "www",
  "ttl": 3600,
  "rdata": ["192.168.1.1"]
}'

Record Type Mapping

Route 53 Record	Azion Edge DNS	Notes
A	A	Direct IP mapping
AAAA	AAAA	IPv6 address
CNAME	CNAME	Alias to another domain
MX	MX	Mail exchange (include priority)
TXT	TXT	Text records (SPF, DKIM)
SRV	SRV	Service records
CAA	CAA	Certificate Authority Authorization
NS	NS	Nameserver delegation
PTR	PTR	Reverse DNS lookup

Routing Policy Migration

Route 53 Policy	Azion Equivalent	Implementation
Simple	Standard record	Single record with one or more values
Weighted	Not directly supported	Use Functions for custom logic
Latency	Not directly supported	Applications handles routing
Failover	Not directly supported	Configure via Rules Engine
Geolocation	Geo routing	Available in Edge DNS

DNSSEC Configuration

To enable DNSSEC:

Navigate to your zone in Edge DNS.
Go to DNSSEC tab.
Enable DNSSEC.
Copy the DS record to your domain registrar.

# Verify DNSSEC
dig example.com DNSSEC +dnssec

Verify Propagation

# Check nameserver propagation
dig example.com NS +short

# Check specific record
dig www.example.com A +short

# Check from specific DNS server
dig @ns1.aziondns.net example.com A

# Compare Route 53 and Azion records
dig @ns-1234.awsdns-12.com example.com A
dig @ns1.aziondns.net example.com A

Reference documentation

3. Migrating SSL/TLS to Certificate Manager

SSL/TLS certificates ensure secure communication between clients and your application. Azion provides automatic certificate provisioning and supports custom certificates from AWS Certificate Manager (ACM).

Key Differences

Area	AWS Certificate Manager	Azion Certificate Manager
Certificate types	Public, Private, Imported	Let’s Encrypt, Custom, Azion SAN
Validation	DNS, Email	DNS-01, HTTP-01
Renewal	Automatic	Automatic (Let’s Encrypt)
Scope	Regional (us-east-1 for CloudFront)	Global Network
mTLS	Supported (Private CA)	Supported (Trusted CA)
Cost	Free for AWS resources	Free (Let’s Encrypt)

Automatic Certificate Provisioning

Azion automatically provisions Let’s Encrypt certificates for custom domains:

Access Azion Console.
Create or edit a Workload.
Add your custom domain.
Azion automatically provisions a Let’s Encrypt certificate.
Verify domain ownership (if required).
Wait for certificate activation (typically 5-15 minutes).

# Create a workload with TLS configuration
# First, create a certificate via Certificate Manager, then reference it by ID
curl -X POST 'https://api.azionapi.net/v4/workspace/workloads' \
--header 'Authorization: Token YOUR_TOKEN' \
--header 'Content-Type: application/json' \
--data '{
  "name": "my-workload",
  "domains": ["www.example.com"],
  "tls": {
    "certificate": 12345,
    "minimum_version": "tls12",
    "ciphers": 1
  },
  "active": true,
  "infrastructure": 1
}'

Custom Certificate Upload

For organizations with existing certificates from ACM or external CAs:

Export your certificate from ACM (if applicable).
Go to Products menu > Certificate Manager.
Click + Certificate.
Select Custom Certificate.
Upload your certificate (PEM format).
Upload your private key.
Upload intermediate CA chain (if applicable).
Associate the certificate with your workload.

# Upload custom certificate
curl -X POST 'https://api.azionapi.net/v4/workspace/tls/certificates' \
--header 'Authorization: Token YOUR_TOKEN' \
--header 'Content-Type: application/json' \
--data '{
  "name": "my-custom-cert",
  "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
  "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----"
}'

mTLS Configuration

For mutual TLS authentication:

Navigate to Certificate Manager.
Upload your CA certificate as a Trusted CA.
Configure your workload to require client certificates.
See the mTLS configuration guide for detailed steps.

Reference documentation

4. Migrating WAF to Web Application Firewall

Web Application Firewall protects applications from malicious traffic, SQL injection, cross-site scripting (XSS), and other application-layer attacks. Migrating AWS WAF rules requires careful mapping of rule logic and understanding differences in rule construction.

Key Differences

Aspect	AWS WAF	Azion WAF
Rule language	JSON-based rules	Rules Engine criteria
Managed rules	AWS Managed Rules, Marketplace rules	Azion-managed rulesets
Custom rules	Web ACL with rules	Rules Engine for Firewall
OWASP coverage	Core rule set via managed rules	OWASP Top 10 coverage
Scope	Regional or CloudFront	Global Network
Mode options	Count, Block	Learning, Blocking

Migration Steps

Access Azion Console.
Go to Products menu > Firewall.
Select or create a Firewall instance.
Navigate to WAF tab.
Enable desired managed rulesets (SQL Injection, XSS, etc.).
Configure sensitivity level per ruleset.
Create custom rules in Rules Engine tab.
Associate the Firewall with your application.

# Create a WAF instance
curl -X POST 'https://api.azion.com/v4/workspace/wafs' \
--header 'Accept: application/json' \
--header 'Authorization: Token [TOKEN]' \
--header 'Content-Type: application/json' \
--data '{
  "active": true,
  "name": "My WAF",
  "product_version": "1.0",
  "engine_settings": {
    "engine_version": "2021-Q3",
    "type": "score",
    "attributes": {
      "rulesets": [1],
      "thresholds": [
        { "threat": "sql_injection", "sensitivity": "medium" }
      ]
    }
  }
}'

Rule Migration Example

Convert AWS WAF rule to Azion Rules Engine:

AWS WAF JSON rule:

{
"Name": "BlockAdminAccess",
"Priority": 1,
"Statement": {
  "AndStatement": {
    "Statements": [
      {
        "ByteMatchStatement": {
          "SearchString": "/admin",
          "FieldToMatch": { "UriPath": {} },
          "PositionalConstraint": "CONTAINS"
        }
      },
      {
        "NotStatement": {
          "Statement": {
            "IPSetReferenceStatement": { "IPSet": "allowed-ips" }
          }
        }
      }
    ]
  }
},
"Action": { "Block": {} }
}

Azion criteria:

Variable: ${uri}
Operator: matches
Argument: /admin

AND

Variable: ${remote_addr}
Operator: does not match
Argument: 10.0.0.0/8

AWS Managed Rules to Azion Rulesets Mapping

AWS Managed Rule Group	Azion Equivalent
AWSManagedRulesCommonRuleSet	General Attack Detection
AWSManagedRulesSQLiRuleSet	SQL Injection ruleset
AWSManagedRulesXSSRuleSet	XSS ruleset
AWSManagedRulesLinuxRuleSet	OS Command Injection
AWSManagedRulesPHPAppRuleSet	Included in General Detection

Reference documentation

5. Migrating DDoS Protection

DDoS protection guards against volumetric attacks, protocol attacks, and application layer attacks. Azion provides automatic DDoS mitigation with no configuration required for most attack types.

Key Differences

Aspect	AWS Shield	Azion DDoS Protection
Standard protection	Automatic, no cost	Automatic, no cost
Advanced protection	AWS Shield Advanced (additional cost)	Managed rules + Rules Engine
Layer coverage	L3, L4, L7	L3, L4, L7
DDoS response team	Shield Advanced only	Enterprise support
Cost protection	Shield Advanced includes cost protection	Standard protection

Automatic Protection

Azion DDoS Protection activates automatically for all applications. No manual configuration is required for standard protection against:

Volumetric attacks (UDP floods, ICMP floods)
Protocol attacks (SYN floods, packet fragmentation)
Application layer attacks (HTTP floods, slowloris)

Advanced Configuration

For applications requiring specific DDoS policies:

Access Azion Console.
Go to Products menu > Firewall.
Select your Firewall instance.
Navigate to DDoS Protection tab.
Configure threshold settings.
Enable/disable specific mitigation rules.
Set up alert notifications.

# DDoS protection is configured as a module within Firewall
# Update the Firewall with DDoS module settings
curl -X PATCH 'https://api.azion.com/v4/workspace/firewalls/{firewall_id}' \
--header 'Authorization: Token YOUR_TOKEN' \
--header 'Content-Type: application/json' \
--data '{
  "modules": {
    "ddos_protection": {
      "enabled": true,
      "sensitivity": "high"
    }
  }
}'

Network Shield

For network-layer protection, use Azion Network Shield:

Provides L3/L4 DDoS protection
Works with Edge DNS for traffic filtering
Integrates with Firewall for unified security

Reference documentation

6. Migrating Bot Management

Bot management protects applications from automated threats while allowing legitimate bots. Azion Bot Manager provides detection, challenge, and mitigation capabilities.

Key Differences

Aspect	AWS Bot Control	Azion Bot Manager
Detection	Machine learning, heuristics, fingerprinting	Machine learning, behavioral analysis, fingerprinting, Reputation Intelligence
Challenge	CAPTCHA, silent challenge	JavaScript injection (fingerprinting), ALTCHA (via redirect)
Actions	Allow, Count, Block, CAPTCHA	Allow, Deny, Drop, Redirect, Custom HTML, Random Delay, Hold Connection
Lite version	Not available	Bot Manager Lite (Marketplace)

Bot Manager Lite (Marketplace)

For basic bot protection, install Bot Manager Lite from Azion Marketplace:

Access Azion Console.
Go to Marketplace.
Search for Bot Manager Lite.
Click Install.
Configure detection sensitivity.
Set up response actions (challenge, block).
Associate with your Firewall instance.

Custom Bot Rules

Create custom rules to handle specific bots:

Criteria: ${user_agent} contains "BadBot"
Behavior: Deny (403)

Criteria: ${user_agent} contains "Googlebot"
Behavior: Allow

Verification

# Test bot detection
curl -A "BadBot/1.0" https://yourdomain.com/
# Expected: 403 Forbidden or challenge page

curl -A "Mozilla/5.0" https://yourdomain.com/
# Expected: Normal response

Reference documentation

7. Migrating Rate Limiting

Rate limiting protects applications from abuse by limiting request rates per client. Azion provides rate limiting through Firewall rules and Functions.

Key Differences

Aspect	AWS WAF Rate Limiting	Azion Rate Limiting
Configuration	Rate-based rules in Web ACL	Firewall rules + Functions
Granularity	Path, method, IP, header	Path, method, IP, custom
Actions	Block, Count	Block, Log
Window	1 minute to 1 hour	Customizable
Scope	Regional or CloudFront	Global Network

Firewall-Based Rate Limiting

Configure rate limiting in Firewall Rules Engine:

Access Azion Console.
Go to Firewall > Rules Engine.
Create a new rule.
Set criteria (path, method, etc.).
Add Rate Limit behavior.
Configure requests per second/minute.
Set action (Block, Log).

# Create rate limiting rule
curl -X POST 'https://api.azionapi.net/v4/workspace/firewalls/{firewall_id}/request_rules' \
--header 'Authorization: Token YOUR_TOKEN' \
--header 'Content-Type: application/json' \
--data '{
  "name": "Rate Limit API",
  "criteria": [[{"variable": "${uri}", "operator": "starts_with", "argument": "/api/"}]],
  "behaviors": [
    {"type": "rate_limit", "attributes": {"rps": 100, "window": 60, "action": "block"}}
  ]
}'

Reference documentation

8. Migrating Security Services

AWS provides multiple security services for threat detection and vulnerability management. Azion offers comparable protection through Firewall and Network Lists.

Key Differences

Aspect	AWS Security Services	Azion Equivalent
Threat detection	GuardDuty	Firewall + Network Lists
Vulnerability scanning	Inspector	External scanning + Firewall
Security Hub	Centralized findings	Real-Time Events + Firewall logs
Threat intelligence	GuardDuty threat feeds	Network Lists (Tor, known malicious IPs)

Network Lists for Threat Intelligence

Azion provides Network Lists that include threat intelligence data:

Access Azion Console.
Go to Products menu > Network Lists.
View available Azion-maintained lists:
- Tor Nodes: Known Tor exit nodes
- Malicious IPs: Known malicious IP addresses
- Geo-blocking: Country-based lists
Create custom lists for your specific needs.
Reference lists in Firewall rules.

# Create a custom network list
curl -X POST 'https://api.azionapi.net/v4/workspace/network_lists' \
--header 'Authorization: Token YOUR_TOKEN' \
--header 'Content-Type: application/json' \
--data '{
  "name": "Blocked IPs",
  "list_type": "ip_cidr",
  "items": ["192.168.1.0/24", "10.0.0.1"]
}'

# Use network list in firewall rule
curl -X POST 'https://api.azionapi.net/v4/workspace/firewalls/{firewall_id}/request_rules' \
--header 'Authorization: Token YOUR_TOKEN' \
--header 'Content-Type: application/json' \
--data '{
  "name": "Block Malicious IPs",
  "criteria": [[{"variable": "${remote_addr}", "operator": "is_in_network_list", "argument": "network_list_id"}]],
  "behaviors": [{"type": "deny", "attributes": {"status_code": 403}}]
}'

Migration Considerations

When migrating from AWS security services:

GuardDuty findings: Export findings and create corresponding Firewall rules for IP-based threats.
Inspector vulnerabilities: Address application vulnerabilities before migration; Azion WAF provides runtime protection.
CloudTrail logs: Configure Real-Time Events for comparable visibility.
Security Hub: Use Azion Real-Time Events and external SIEM integration.

Reference documentation

Store

The Store category covers data services. Migrate objects, key-value data, and relational databases with attention to consistency, access patterns, and application compatibility.

1. Migrating S3 to Object Storage

Object storage powers files that matter to users and business operations: images, documents, static assets, media files, uploads, and generated content. Azion Object Storage provides S3-compatible storage with zero data transfer out cost.

Key Differences

Aspect	Amazon S3	Azion Object Storage
Endpoint	`https://s3.amazonaws.com/bucket`	`https://s3.us-east-005.azionstorage.net`
S3 endpoint	`s3.amazonaws.com`	`s3.us-east-005.azionstorage.net`
Region	Multiple regions	`us-east-005`
Data transfer out	Charged per GB	Zero cost
Storage class	Standard, Intelligent-Tiering, Glacier	Standard
Bucket limits	100 per account (default)	100 per account (default)

Update Configuration

Update your S3 client configuration to use Azion Object Storage:

import { S3Client } from '@aws-sdk/client-s3';

// Before: AWS S3
const s3Client = new S3Client({
region: 'us-east-1',
credentials: {
  accessKeyId: process.env.AWS_ACCESS_KEY_ID,
  secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY
}
});

// After: Azion Object Storage
const s3Client = new S3Client({
region: 'us-east-005',
endpoint: 'https://s3.us-east-005.azionstorage.net',
credentials: {
  accessKeyId: Azion.env.get('AZION_ACCESS_KEY'),
  secretAccessKey: Azion.env.get('AZION_SECRET_KEY')
}
});

Create S3 Credentials

Access Azion Console.
Go to Object Storage.
Navigate to S3 Credentials tab.
Click + Credential.
Select the bucket or account scope.
Configure capabilities (read, write, delete, list).
Save the access key and secret key securely.

# Create S3 credentials
curl -X POST 'https://api.azionapi.net/v4/workspace/storage/s3_credentials' \
--header 'Authorization: Token YOUR_TOKEN' \
--header 'Content-Type: application/json' \
--data '{
  "bucket": "my-bucket",
  "capabilities": ["readFiles", "writeFiles", "deleteFiles", "listFiles"]
}'

Migrate Data with s3cmd

s3cmd is a command-line tool for managing S3-compatible storage services. It’s an effective option for migrating data from Amazon S3 to Azion Object Storage.

Install s3cmd and run s3cmd --configure to set up your Azion credentials:

Access Key / Secret Key: Enter the keys generated for Azion Object Storage.
Default Region: us-east-005 (s3cmd also accepts us-east for interactive configuration).
S3 Endpoint: s3.us-east-005.azionstorage.net.
DNS template: %(bucket).s3.us-east-005.azionstorage.net.
Use HTTPS protocol: true.

Use the following commands to migrate your data:

Command	Description
`s3cmd ls`	Lists all buckets.
`s3cmd put file.png s3://my-bucket/`	Uploads an object.
`s3cmd get s3://my-bucket/file.png`	Downloads an object.
`s3cmd sync s3://aws-bucket/ s3://azion-bucket/`	Syncs between buckets.

Migrate Data with AWS CLI

Configure AWS CLI with Azion credentials:

# Configure AWS CLI profile for Azion
aws configure --profile azion
# Access Key: [your Azion access key]
# Secret Key: [your Azion secret key]
# Region: us-east-005

# List buckets
aws s3 ls --profile azion --endpoint-url https://s3.us-east-005.azionstorage.net

# Sync from AWS S3 to Azion
aws s3 sync s3://source-bucket/ s3://dest-bucket/ \
--profile azion \
--endpoint-url https://s3.us-east-005.azionstorage.net

Migrate Data with rclone

rclone supports syncing between different storage providers:

# Configure rclone for AWS S3 (source)
rclone config
# Name: aws-s3
# Storage: s3
# Provider: AWS
# env_auth: true

# Configure rclone for Azion (destination)
rclone config
# Name: azion
# Storage: s3
# Provider: Other
# endpoint: https://s3.us-east-005.azionstorage.net
# acl: private

# Sync from AWS to Azion
rclone sync aws-s3:source-bucket azion:dest-bucket --progress

Use Bucket as Origin

Configure Object Storage as an origin for your Application:

Access Azion Console.
Go to Connectors.
Create a new Connector with type Object Storage.
Select your bucket.
Configure the prefix (optional).
Associate the Connector with your Application.

# Create a Connector using Object Storage as origin
curl -X POST 'https://api.azionapi.net/v4/workspace/connectors' \
--header 'Authorization: Token YOUR_TOKEN' \
--header 'Content-Type: application/json' \
--data '{
  "name": "My Object Storage Origin",
  "type": "object_storage",
  "attributes": {
    "bucket": "my-bucket",
    "prefix": "assets/"
  }
}'

Reference documentation

2. Migrating DynamoDB to KV Store / SQL Database

DynamoDB is a serverless key-value and document database. The migration destination depends on your use case: key-value operations map to KV Store, while complex queries map to SQL Database.

Key Differences

Aspect	Amazon DynamoDB	Azion KV Store	Azion SQL Database
Data model	Key-value, document	Key-value	Relational (SQLite)
Query capability	Key lookups, queries, scans	Key lookups, hash operations	Full SQL
Global replication	Global Tables (multi-Region)	Global by default	Main/Replicas architecture
Consistency	Eventually consistent, strong	Eventual	Strong (ACID)
Indexing	GSI, LSI	Not supported	Full SQL indexing
Capacity mode	On-demand, provisioned	Serverless	Serverless

Migration Decision Guide

DynamoDB Feature	Recommended Azion Service
Primary key lookups	KV Store
Simple key-value operations	KV Store
Session storage	KV Store
Feature flags, configuration	KV Store
Complex queries with filters	SQL Database
Secondary index queries	SQL Database
Aggregations, joins	SQL Database
Relational data model	SQL Database

Migrate to KV Store

For key-value workloads, use KV Store with a Redis-like API:

import { createClient } from 'azion/kv';

// Create KV client
const client = await createClient({
namespace: 'my-namespace'
})
.on('error', (err) => console.error('KV Error:', err))
.connect();

// Before: DynamoDB GetItem
// const result = await dynamodb.getItem({
//   TableName: 'Users',
//   Key: { userId: { S: '123' } }
// }).promise();

// After: KV Store get
const userData = await client.get('user:123');

// Before: DynamoDB PutItem
// await dynamodb.putItem({
//   TableName: 'Users',
//   Item: { userId: { S: '123' }, name: { S: 'John' } }
// }).promise();

// After: KV Store set
await client.set('user:123', JSON.stringify({ name: 'John' }), {
expiration: { type: 'EX', value: 3600 } // 1 hour TTL
});

Create a KV Store

Access Azion Console.
Go to KV Store.
Click + Store.
Enter a name for your store.
Configure settings.
Click Save.

# Create a KV Store
curl -X POST 'https://api.azionapi.net/v4/workspace/kv/namespaces' \
--header 'Authorization: Token YOUR_TOKEN' \
--header 'Content-Type: application/json' \
--data '{
  "name": "my-kv-store",
  "description": "Migrated from DynamoDB"
}'

Migrate to SQL Database

For complex query workloads, migrate to SQL Database:

import { Database } from 'azion:sql';

// Open database connection
const db = await Database.open('my-database');

// Before: DynamoDB Query with filter
// const result = await dynamodb.query({
//   TableName: 'Orders',
//   IndexName: 'CustomerIdIndex',
//   KeyConditionExpression: 'customerId = :cid',
//   FilterExpression: 'orderDate > :date'
// }).promise();

// After: SQL Database query
const orders = await db.query(
'SELECT * FROM orders WHERE customer_id = ? AND order_date > ?',
['customer-123', '2024-01-01']
);

// Iterate results
let row = await orders.next();
while (row) {
console.log(row.getString(0)); // access column by index
row = await orders.next();
}

Create a SQL Database

Access Azion Console.
Go to SQL Database.
Click + Database.
Enter a name for your database.
Create tables using SQL Shell or API.
Import your data.

# Create a SQL Database
curl -X POST 'https://api.azionapi.net/v4/workspace/sql/databases' \
--header 'Authorization: Token YOUR_TOKEN' \
--header 'Content-Type: application/json' \
--data '{
  "name": "my-database",
  "description": "Migrated from DynamoDB"
}'

Export DynamoDB Data

Export DynamoDB data and transform for import:

# Export DynamoDB table to S3
aws dynamodb export-table-to-point-in-time \
--table-name Users \
--s3-bucket my-export-bucket \
--export-format DYNAMODB_JSON

# Convert and import to Azion
# For KV Store: Transform to key-value pairs
# For SQL Database: Transform to SQL INSERT statements

Global Tables Migration

DynamoDB Global Tables provide multi-Region replication. KV Store is global by default:

DynamoDB Global Tables	Azion KV Store
Multi-Region replication	Global by default
Conflict resolution: Last writer wins	Automatic synchronization
Eventual consistency	Low-latency global access
Additional cost per replicated write	No additional replication cost

Reference documentation

3. Migrating RDS/Aurora to SQL Database

Relational database migration moves your transactional data and SQL workloads to Azion SQL Database. Azion SQL Database is SQLite-compatible and provides ACID compliance with a distributed Main/Replicas architecture.

Key Differences

Aspect	Amazon RDS/Aurora	Azion SQL Database
Engine	MySQL, PostgreSQL, MariaDB, Oracle, SQL Server	SQLite
Compatibility	Engine-specific	PostgreSQL-compatible API
Architecture	Primary/Replicas	Main/Replicas (distributed)
Connection	Connection string, connection pooling	Runtime API (no connection pooling needed)
Transactions	ACID	ACID
Scaling	Vertical scaling, read replicas	Distributed architecture
Region	Single or multi-Region	Global Network

PostgreSQL to SQL Database Migration

For PostgreSQL workloads, Azion SQL Database provides a familiar SQL interface:

import { Database } from 'azion:sql';

// Open database connection
const db = await Database.open('my-database');

// Before: PostgreSQL query
// const result = await pgClient.query(
//   'SELECT id, name, email FROM users WHERE status = $1',
//   ['active']
// );

// After: SQL Database query
const result = await db.query(
'SELECT id, name, email FROM users WHERE status = ?',
['active']
);

// Process results
let row = await result.next();
while (row) {
const id = row.getString(0);
const name = row.getString(1);
const email = row.getString(2);
console.log(`User: ${name} <${email}>`);
row = await result.next();
}

Create a SQL Database

Access Azion Console.
Go to SQL Database.
Click + Database.
Enter a name for your database.
Click Save.
Use SQL Shell to create tables and import data.

# Create a SQL Database
curl -X POST 'https://api.azionapi.net/v4/workspace/sql/databases' \
--header 'Authorization: Token YOUR_TOKEN' \
--header 'Content-Type: application/json' \
--data '{
  "name": "production-db",
  "description": "Migrated from Aurora PostgreSQL"
}'

# Execute SQL to create tables
curl -X POST 'https://api.azionapi.net/v4/workspace/sql/databases/{database_id}/query' \
--header 'Authorization: Token YOUR_TOKEN' \
--header 'Content-Type: application/json' \
--data '{
  "query": "CREATE TABLE users (id TEXT PRIMARY KEY, name TEXT, email TEXT, created_at TIMESTAMP)"
}'

Export and Import Data

Export data from RDS/Aurora and import to SQL Database:

# Export from RDS PostgreSQL
pg_dump -h my-db.xxxx.region.rds.amazonaws.com \
-U admin \
-d mydb \
--data-only \
--inserts \
> export.sql

# For Aurora, you can also use Snapshot Export to S3
aws rds start-export-task \
--export-task-identifier my-export \
--source-arn arn:aws:rds:region:account:cluster:my-aurora-cluster \
--s3-bucket-name my-export-bucket \
--export-only data

# Import to Azion SQL Database via SQL Shell
# Connect to SQL Shell and run the export.sql file
# Or use the import API

Data Type Mapping

PostgreSQL Type	SQLite Equivalent
INTEGER, BIGINT, SMALLINT	INTEGER
SERIAL, BIGSERIAL	INTEGER (auto-increment)
VARCHAR(n), CHAR(n), TEXT	TEXT
BOOLEAN	INTEGER (0 or 1)
REAL, DOUBLE PRECISION	REAL
DECIMAL, NUMERIC	REAL
DATE, TIME, TIMESTAMP	TEXT (ISO 8601 format)
JSON, JSONB	TEXT (use JSON functions)
UUID	TEXT
BYTEA	BLOB

Reference documentation

4. Migrating ElastiCache to Cache / KV Store

ElastiCache provides in-memory caching with Redis or Memcached. Azion provides caching through Cache and key-value storage through KV Store.

Key Differences

Aspect	Amazon ElastiCache	Azion Cache	Azion KV Store
Type	In-memory cache	Cache	Distributed key-value
Engines	Redis, Memcached	HTTP cache	Redis-like API
Persistence	Optional (Redis AOF/RDB)	Time-based TTL	Persistent
Data structures	Strings, hashes, lists, sets, sorted sets	HTTP responses	Strings, hashes
Replication	Cluster mode, replication groups	Global Network	Global by default
Access	TCP connection	HTTP request/response	Runtime API

Migration Decision Guide

ElastiCache Use Case	Recommended Azion Service
HTTP response caching	Cache
Session storage	KV Store
Rate limiting counters	KV Store
Feature flags	KV Store
Database query caching	Cache + Functions
Pub/Sub messaging	Functions + KV Store
Leaderboards, sorted sets	SQL Database
Complex data structures	SQL Database

Migrate Redis Caching to KV Store

For Redis-like key-value operations, use KV Store:

import { createClient } from 'azion/kv';

// Create KV client with Redis-like API
const client = await createClient()
.on('error', (err) => console.error('KV Error:', err))
.connect();

// Before: Redis SET with expiration
// await redis.set('session:abc123', JSON.stringify(sessionData), 'EX', 3600);

// After: KV Store set with expiration
await client.set('session:abc123', JSON.stringify(sessionData), {
expiration: { type: 'EX', value: 3600 }
});

// Before: Redis GET
// const data = await redis.get('session:abc123');

// After: KV Store get
const data = await client.get('session:abc123');

// Before: Redis DEL
// await redis.del('session:abc123');

// After: KV Store delete
await client.delete('session:abc123');

Reference documentation

Observe

The Observe category covers analytics, metrics, logs, and distributed tracing. Migrating observability ensures you keep production visibility, troubleshooting capabilities, and compliance reporting after the cutover.

1. Migrating CloudWatch Metrics to Real-Time Metrics

CloudWatch Metrics provides monitoring for AWS resources and applications. Azion Real-Time Metrics delivers comparable capabilities through a GraphQL API and integrated dashboards with near real-time data aggregation.

Key Differences

Aspect	Amazon CloudWatch Metrics	Azion Real-Time Metrics
Data freshness	Near real-time (1-5 minutes)	Near real-time (up to 10 minutes)
Retention	15 months (standard)	2 years
Query method	GetMetricStatistics API, CloudWatch Insights	GraphQL API, Console dashboards
Metrics	Custom metrics, namespace-based	Request, bandwidth, latency, cache, WAF, DNS
Granularity	1 second to 1 day	Adaptive intervals (minute/hour/day)
Dashboards	CloudWatch Dashboards	Real-Time Metrics + Grafana plugin
Alarms	CloudWatch Alarms	External monitoring via Data Stream

Available Metrics

Azion Real-Time Metrics provides comprehensive monitoring across product categories:

Build metrics:

Applications: Total requests, data transferred, status codes, bandwidth saving, average request time
Functions: Total invocations, execution time
Image Processor: Total requests, requests per second
Tiered Cache: Caching offload, L2 offload

Secure metrics:

WAF: Threats vs requests, SQL injection, XSS, RFI, threats by country
Edge DNS: Total queries
Bot Manager: Bot hits, bad bot hits, good bot hits, traffic classification

Observe metrics:

Data Stream: Total data streamed, total requests

Configuration Steps

Access Azion Console.
Go to Products menu > Real-Time Metrics.
Select a category tab (Build, Secure, Observe).
Select a product tab to view specific metrics.
Configure Time range (Last Hour, 24 Hours, 7 Days, 30 Days, 6 Months).
Use Filters to refine analysis by host, status code, or other dimensions.
Click the context menu on any chart to export CSV or copy the GraphQL query.

query HttpMetrics {
http(
  filter: { tsRange: { begin: "2024-01-01T00:00:00", end: "2024-01-02T00:00:00" } }
  aggregate: { sum: requests }
  groupBy: [ts]
  orderBy: [ts_DESC]
  first: 100
) {
  ts
  sum
}
}

GraphQL Query Examples

Query requests by status code:

query RequestsByStatus {
http(
  filter: {
    tsRange: { begin: "2024-01-01T00:00:00", end: "2024-01-01T23:59:59" }
  }
  aggregate: { sum: requests }
  groupBy: [status]
  orderBy: [sum_DESC]
  first: 20
) {
  status
  sum
}
}

Query WAF threats by country:

query WafThreatsByCountry {
waf(
  filter: {
    tsRange: { begin: "2024-01-01T00:00:00", end: "2024-01-02T00:00:00" }
  }
  aggregate: { sum: threats }
  groupBy: [country]
  orderBy: [sum_DESC]
  first: 10
) {
  country
  sum
}
}

Query data transferred for specific host:

query DataTransferredByHost {
http(
  filter: {
    tsRange: { begin: "2024-01-01T00:00:00", end: "2024-01-07T00:00:00" }
    host: { eq: "www.example.com" }
  }
  aggregate: { sum: dataTransferred }
  groupBy: [ts]
  first: 500
) {
  ts
  sum
}
}

CloudWatch Alarm Migration

CloudWatch Alarms notify on metric thresholds. Azion doesn’t provide built-in alerting, but you can achieve similar functionality:

CloudWatch Alarm	Azion Equivalent
Metric threshold alarm	Configure alerts in external monitoring (Datadog, Splunk) via Data Stream
Composite alarms	Functions with custom logic + Data Stream
Anomaly detection	External SIEM/analytics platforms

Grafana Integration

Use the Azion Grafana plugin for custom dashboards:

# Install Azion Grafana plugin
grafana-cli plugins install aziontech-azion-plugin

Reference the Grafana plugin documentation for dashboard configuration.

Reference documentation

2. Migrating CloudWatch Logs to Real-Time Events

CloudWatch Logs collects and stores log data from AWS resources. Azion Real-Time Events provides immediate log access through Console or GraphQL API for real-time troubleshooting and investigation.

Key Differences

Aspect	Amazon CloudWatch Logs	Azion Real-Time Events
Access method	GetLogEvents API, CloudWatch Logs Insights	Real-time query via Console or GraphQL API
Latency	Seconds to minutes	Seconds
Retention	1 day to 10 years (configurable)	7 days (168 hours), 2 years for Activity History
Query language	CloudWatch Logs Insights (SQL-like)	GraphQL queries
Log groups	Log groups with log streams	Data sources by product type
Metric filters	Create metrics from logs	Use Data Stream for custom processing

Data Sources Mapping

CloudWatch Log Group	Azion Real-Time Events Data Source
/aws/cloudfront/…	HTTP Requests
/aws/lambda/…	Functions
/aws/waf/…	HTTP Requests (WAF fields)
/aws/route53/…	Edge DNS
CloudTrail	Activity History

Configuration Steps

Access Azion Console.
Go to Products menu > Real-Time Events.
Select the Data Source tab (HTTP Requests, Functions, Edge DNS, etc.).
Configure Time filter (Last 15 minutes to Last 7 days, or Custom time range).
Add filters to narrow results (host, status, remote address, etc.).
Click Search to query logs.
Click any row to see detailed log information in More details view.

query HttpEvents {
http(
  filter: {
    tsRange: { begin: "2024-01-01T00:00:00", end: "2024-01-01T01:00:00" }
    status: { eq: "500" }
  }
  orderBy: [ts_DESC]
  first: 100
) {
  ts
  remoteAddress
  requestUri
  status
  upstreamResponseTime
  host
  requestMethod
}
}

CloudWatch Logs Insights to GraphQL Migration

Convert CloudWatch Logs Insights queries to Real-Time Events GraphQL:

CloudWatch Logs Insights query:

fields @timestamp, @message
| filter @logGroup = "/aws/cloudfront/distribution"
| filter status >= 500
| sort @timestamp desc
| limit 100

Azion GraphQL equivalent:

query ErrorRequests {
http(
  filter: {
    tsRange: { begin: "2024-01-01T00:00:00", end: "2024-01-01T23:59:59" }
    status: { gte: "500" }
  }
  orderBy: [ts_DESC]
  first: 100
) {
  ts
  status
  requestUri
  host
  remoteAddress
  upstreamStatus
  upstreamResponseTime
}
}

Available Variables by Data Source

HTTP Requests:

Request metadata: ts, remoteAddress, remotePort, host, requestUri, requestMethod, status
Performance: requestTime, upstreamResponseTime, upstreamHeaderTime
Bandwidth: bytesSent, requestLength, upstreamBytesReceived, upstreamBytesSent
Cache: upstreamCacheStatus
Security: wafBlock, wafMatch, wafScore, wafLearning
Geo: geoipCountryName, geoipRegionName, geoipAsn
TLS: sslCipher, sslProtocol

Functions:

functionId, functionsList, functionsTime, functionLanguage

Edge DNS:

level, qType, resolutionType, statusCode, zoneId

Log-Based Metrics

To create metrics from logs (equivalent to CloudWatch metric filters), use Data Stream:

Access Azion Console.
Go to Products menu > Data Stream.
Click + Stream.
Select Applications as data source.
Use Custom Template to select specific variables.
Choose an endpoint (Datadog, Splunk, Elasticsearch, etc.).
Configure the destination for log processing.
Activate the stream.

curl -X POST 'https://api.azion.com/v4/workspace/stream/streams' \
--header 'Authorization: Token YOUR_TOKEN' \
--header 'Content-Type: application/json' \
--data '{
  "name": "Log Metrics Stream",
  "source": {
    "type": "applications"
  },
  "template_id": 12345,
  "endpoint": {
    "type": "datadog",
    "name": "my-datadog-endpoint",
    "url": "https://http-intake.logs.datadoghq.com/v1/input",
    "api_key": "YOUR_DATADOG_API_KEY"
  },
  "active": true
}'

Reference documentation

3. Migrating X-Ray to Data Stream

AWS X-Ray provides distributed tracing and request tracing across services. Azion Data Stream enables streaming of observability data to external destinations for distributed tracing analysis.

Key Differences

Aspect	AWS X-Ray	Azion Data Stream
Trace collection	Automatic with X-Ray SDK	Stream logs to external tracing systems
Service map	Built-in service map visualization	External tools (Datadog, Jaeger, Splunk)
Trace analysis	X-Ray console	External tracing platforms
Annotations	Custom key-value pairs	Custom log templates
Sampling	Configurable sampling rules	Configurable sampling percentage
Destinations	X-Ray console, CloudWatch	10+ external destinations

Tracing Data Flow Migration

AWS X-Ray Concept	Azion Equivalent
Segments	Request/response log entries
Subsegments	Functions execution logs
Service graph	Built in external tracing tools (Datadog, Jaeger)
Trace ID propagation	Custom headers via Rules Engine or Functions
Annotations	Log variables in Data Stream template

Configuration Steps

Access Azion Console.
Go to Products menu > Data Stream.
Click + Stream.
Select Applications as data source for request tracing.
Select Functions as additional data source for function execution traces.
Create a Custom Template with trace-related variables:
- $request_id (unique trace identifier)
- $ts (timestamp)
- $upstream_addr (origin address)
- $upstream_response_time (response time)
- $request_uri, $status, $host
Choose a tracing-compatible endpoint (Datadog, Splunk, Elasticsearch, Kafka).
Configure destination credentials.
Activate the stream.

curl -X POST 'https://api.azion.com/v4/workspace/stream/streams' \
--header 'Authorization: Token YOUR_TOKEN' \
--header 'Content-Type: application/json' \
--data '{
  "name": "Distributed Tracing Stream",
  "source": {
    "type": "applications"
  },
  "template": {
    "name": "Custom Trace Template",
    "variables": [
      "$request_id",
      "$ts",
      "$host",
      "$request_uri",
      "$request_method",
      "$status",
      "$upstream_addr",
      "$upstream_response_time",
      "$upstream_status",
      "$remote_addr"
    ]
  },
  "endpoint": {
    "type": "datadog",
    "name": "tracing-endpoint",
    "url": "https://http-intake.logs.datadoghq.com/v1/input",
    "api_key": "YOUR_DATADOG_API_KEY"
  },
  "active": true
}'

Trace ID Propagation

To enable distributed tracing across services, propagate trace context via HTTP headers:

Using Rules Engine:

Criteria: All requests
Behavior: Add Request Header
Header Name: X-Trace-Id
Header Value: ${request_id}

Using Functions:

export default {
async fetch(request) {
  // Extract or generate trace ID
  const traceId = request.headers.get('x-trace-id') ||
                  crypto.randomUUID();

  // Add trace ID to upstream request
  const upstreamRequest = new Request(request, {
    headers: {
      ...Object.fromEntries(request.headers),
      'X-Trace-Id': traceId
    }
  });

  return fetch(upstreamRequest);
}
};

Supported Endpoints for Tracing

Data Stream supports multiple endpoints suitable for distributed tracing:

Endpoint	Use Case
Datadog	Full APM and distributed tracing
Splunk	Log analytics and tracing
Elasticsearch	Search and trace correlation
Apache Kafka	Stream to Jaeger, Zipkin, or custom tracing
Google BigQuery	Data warehouse for trace analysis
AWS Kinesis Data Firehose	Integration with AWS X-Ray or other AWS services
Standard HTTP/HTTPS POST	Custom tracing systems

Data Firehose Migration

AWS Kinesis Data Firehose delivers streaming data to destinations. Azion Data Stream provides similar capabilities:

AWS Kinesis Data Firehose	Azion Data Stream
S3 destination	S3 endpoint (any S3-compatible storage)
Redshift destination	BigQuery or custom HTTP endpoint
Elasticsearch destination	Elasticsearch endpoint
HTTP endpoint	Standard HTTP/HTTPS POST
Data transformation (Lambda)	Functions for preprocessing

Configure Data Stream for S3:

curl -X POST 'https://api.azion.com/v4/workspace/stream/streams' \
--header 'Authorization: Token YOUR_TOKEN' \
--header 'Content-Type: application/json' \
--data '{
  "name": "S3 Archive Stream",
  "source": {
    "type": "applications"
  },
  "template_id": 12345,
  "endpoint": {
    "type": "s3",
    "name": "my-s3-endpoint",
    "host_url": "https://s3.amazonaws.com",
    "bucket_name": "my-logs-bucket",
    "region": "us-east-1",
    "access_key": "YOUR_ACCESS_KEY",
    "secret_key": "YOUR_SECRET_KEY",
    "object_key_prefix": "azion-logs"
  },
  "active": true
}'

CloudWatch RUM to Edge Pulse

CloudWatch RUM provides real user monitoring. Azion Edge Pulse delivers comparable capabilities:

Aspect	CloudWatch RUM	Azion Edge Pulse
Data collection	JavaScript SDK	JavaScript SDK
Metrics	Page load, Core Web Vitals, JavaScript errors	Real user metrics, performance data
Session replay	Available	Available via integration
Custom events	Custom events API	Custom events via SDK

Configure Edge Pulse for real user monitoring:

Access Azion Console.
Go to Products menu > Edge Pulse.
Create a new Pulse instance.
Configure the JavaScript snippet for your application.
Add the snippet to your application’s HTML.
Configure data collection settings.
View metrics in Real-Time Metrics under Edge Pulse.

Reference documentation

Data Stream
Data Stream first steps
Use Data Stream
Connectors: Amazon S3, Azion Object Storage, Datadog, Splunk, Elasticsearch, Kinesis, BigQuery
Edge Pulse

Troubleshooting

Problem	Likely Cause	Solution
DNS not resolving	Nameserver propagation delay	Wait up to 48 hours after updating nameservers; verify with `dig yourdomain.com NS`
Certificate validation fails	Domain ownership not verified	Confirm DNS TXT record or HTTP challenge is accessible; check Certificate Manager status
Function returns `process.env not defined`	Node.js environment variable syntax used	Use `Azion.env.get('VARIABLE_NAME')` instead of `process.env.VARIABLE_NAME`
Cache not purging as expected	Purge request still processing	Wait 5-10 minutes; verify purge via `curl -I` to check headers; use wildcard purge for broad changes
WAF rules blocking legitimate traffic	Sensitivity too high or false positive	Switch WAF to Learning mode first; review blocked requests in Real-Time Events; adjust sensitivity
Origin connection timeouts	Connector misconfiguration or origin unavailable	Verify Connector address and port; check origin health; increase timeout in Connector settings
SSL handshake failures	Certificate mismatch or incomplete chain	Verify certificate covers the domain; include intermediate CA in certificate chain; check TLS minimum version
CORS errors on API requests	Missing CORS headers in response	Add CORS headers via Rules Engine: `Access-Control-Allow-Origin`, `Access-Control-Allow-Methods`
Lambda function signature errors	CloudFront event structure differs from Azion	Update function to use `fetch(request, env, ctx)` signature; access request via `request` object
DynamoDB queries fail after migration	KV Store API syntax differs	Update code to use `KVStore` from `azion:kv`; check key naming conventions
S3 uploads fail with 403	Incorrect credentials or endpoint	Verify Access Key and Secret Key; confirm endpoint is `s3.us-east-005.azionstorage.net`
CloudWatch metrics not appearing	Data Stream not configured	Set up Data Stream to export metrics; verify destination credentials and format

Key Advantages After Migration

Capability	Before (AWS)	After (Azion)
Unified platform	Multiple consoles for CloudFront, Lambda, S3, Route 53, WAF, CloudWatch	Single console for compute, storage, security, and observability
Cold starts	Possible on Lambda (especially with VPC)	Minimized with distributed V8 isolates
Global distribution	Regions and edge locations (200+ PoPs)	Azion platform locations worldwide with consistent performance
Pricing model	Per-service billing, data transfer fees, request counts	Simpler consolidated billing; zero DTO cost for Object Storage
Observability	CloudWatch with separate dashboards, logs, and alarms	Real-Time Metrics and Events with instant access via Console or GraphQL API
Security integration	WAF, Shield, IAM as separate services	Built-in WAF, DDoS Protection, Bot Manager integrated with workloads

Next Steps

After your migration is complete:

Review Real-Time Metrics to monitor application performance
Set up Real-Time Events for production visibility
Configure Web Application Firewall for production security
Review the individual feature guides for advanced configuration
Set up Data Stream to export logs to your existing SIEM or analytics tools

Get Started with a Small Project

The best way to begin is not with the most complex application in your portfolio. Start with a project that is meaningful enough to validate the migration path, but small enough to move quickly and safely.

Choose an application or workload that includes representative pieces of your architecture: a CloudFront distribution, a few Lambda functions, an S3 bucket, maybe a DynamoDB table. Use that project to validate the workflow, document the process, and identify internal patterns your team can reuse.

From there, expand gradually. Migrate more complex cache behaviors. Move additional functions. Bring over storage and database workloads. Add observability. Review security rules. Then prepare production cutovers with greater confidence.

Recommended Next Steps

Need Help?

Get help from the Azion Support team, or join our Discord community to see how others are using Azion.