Migration - Upgrades

How to Migrate ColdFusion to AWS EC2 Instances

by Aaron Longnion
11 min read
Contents show

Why this Migration matters

ColdFusion applications power many critical business workflows. Moving them to AWS EC2 can yield tangible benefits: elastic Scalability for traffic spikes, improved reliability using Multi-AZ patterns, tighter Security with network isolation and secrets management, and lower total cost through right-sized instances and autoscaling. Beyond Infrastructure wins, the Migration is a chance to modernize ColdFusion runtime versions, update Java/JDBC drivers, standardize on Infrastructure as Code, and streamline CI/CD for faster releases.

Prerequisites / Before You Start

Inventory and versioning

  • List all ColdFusion instances and versions (e.g., Adobe ColdFusion 2018/2021/2023 or Lucee 5.x).
  • Confirm Java JDK/JRE versions and compatibility with your ColdFusion runtime.
  • Capture current ColdFusion Administrator settings: datasources (JDBC), mail servers, mappings, caches, JVM arguments, Scheduled tasks, sandboxes, and Security settings.
  • Identify all CFML libraries and Custom tags (e.g., cfchart, cfdocument, cfimage) and their dependencies (Ghostscript, ImageMagick, fonts).

Dependencies and integrations

  • Databases (SQL Server, MySQL, Oracle, PostgreSQL) and network paths/ports.
  • Caches/session stores (ehcache, Redis, Memcached).
  • File storage locations (shared folders, NAS) and whether they move to Amazon S3 or EFS.
  • SMTP servers (consider Amazon SES).
  • Authentication providers (LDAP/AD, SAML/OIDC).
  • Web server Integration (IIS, Apache HTTPD, NGINX).

Licensing and Compliance

  • Decide on Adobe ColdFusion Licensing: BYOL or AWS Marketplace AMI with license included (Standard vs Enterprise Features like Enterprise Manager, Distributed caching).
  • Review third-party library licenses.
  • Ensure Compliance for data residency and PII handling (VPC, subnets, KMS encryption, S3 policies).

Backups and exports

  • Full backup of code, Configuration, and data:
    • Application code repository snapshot.
    • Database backups and schema scripts.
    • Export ColdFusion Admin config. For Adobe CF, consider using CFConfig (via CommandBox) to export settings to JSON.
  • Files and assets: tar/zip archives, plan for S3 bucket migration.

Networking and security

  • AWS account ready with a VPC, subnets (public/private), NAT Gateway if private subnets, Security Groups, and IAM roles.
  • SSL/TLS certificates (ACM for ALB or imported certs).
  • DNS plan with Route 53.
  • Secrets approach: AWS Secrets Manager or SSM Parameter Store.

Reference Architecture on AWS

  • Private subnets host EC2 instances running ColdFusion (Adobe CF or Lucee).
  • An Application Load Balancer (ALB) terminates HTTPS and forwards to EC2 targets.
  • RDS (MySQL/PostgreSQL/SQL Server/Oracle) for database.
  • S3 for assets/binaries, optional CloudFront for CDN.
  • ElastiCache (Redis) for Session replication or caching.
  • CloudWatch logs/metrics, AWS Backup, and Systems Manager for patching.
  • Optional EFS for shared file writes.
See also  How to Migrate from ColdFusion to Lucee (Open Source)

Component highlights:

  • Compute: EC2 in an Auto Scaling group (ASG) with an AMI baked via Packer.
  • Network: VPC with at least two AZs; Security Groups control inbound/outbound.
  • Observability: CloudWatch metrics and alarms; X-Ray for tracing if you proxy through a Java agent.

Step-by-Step Migration guide

1) Design and prepare the AWS foundation

  1. Create or validate your VPC:
    • Two or more private subnets for EC2, two public subnets for ALB, across different AZs.
  2. Define Security Groups:
    • ALB: inbound 443 (0.0.0.0/0), outbound to EC2 on app port (e.g., 8080) or AJP if used.
    • EC2: inbound only from ALB SG; allow SSH/RDP from your bastion or VPN CIDR.
  3. Create IAM roles:
    • EC2 role granting read access to SSM Parameter Store/Secrets Manager, S3 read, CloudWatch logs.

Example AWS CLI to create a security group and open port 8080 (replace placeholders):

aws ec2 create-security-group –group-name cf-app-sg –description “CF App SG” –vpc-id vpc-xxxxxxxx
aws ec2 authorize-security-group-ingress –group-id sg-xxxxxxxx –protocol tcp –port 8080 –source-group sg-albxxxxxxxx

2) Choose OS, AMI, and instance types

  • OS: Amazon Linux 2023, RHEL, Ubuntu, or Windows Server (if using IIS).
  • Instances: Start with t3/t4g/c6i families depending on workload; enable detailed monitoring. Consider memory-optimized instances for PDF/chart-heavy workloads.
  • Storage: Use gp3 EBS volumes; size for IOPS/throughput and logs.
  • If using Adobe ColdFusion Marketplace AMI, ensure region availability and licensing terms.

3) Provision EC2 with user data

  • Use an Auto Scaling group for stateless servers.
  • Include a bootstrap script (user data) to install Java, web server, and ColdFusion.

Example user data for Linux + Lucee (CommandBox) quick start:

!/bin/bash

set -e
yum update -y
amazon-linux-extras install java-openjdk11 -y
rpm –import https://downloads.ortussolutions.com/debs/gpg
curl -fsSL https://downloads.ortussolutions.com/rpm/ortussolutions-rpm.repo | tee /etc/yum.repos.d/commandbox.repo
yum install -y commandbox
useradd -r -s /sbin/nologin cfuser || true
mkdir -p /opt/cfapp && chown -R cfuser:cfuser /opt/cfapp
cat >/opt/cfapp/server.json <<‘JSON’
{
“app”: { “cfengine”: “lucee@5.4” },
“web”: { “host”: “0.0.0.0”, “http”: { “port”: 8080 } }
}
JSON
su -s /bin/bash -c “cd /opt/cfapp && box server start” cfuser

Example for Adobe ColdFusion silent installer (BYOL) on Linux:

!/bin/bash

set -e
yum update -y
amazon-linux-extras install java-openjdk11 -y
curl -O https://Download.macromedia.com/pub/coldfusion/2023/coldfusion2023-lnx64.bin
chmod +x coldfusion2023-lnx64.bin
cat > /tmp/cf-response.txt <<‘EOF’
INSTALLER_UI=silent
USER_INSTALL_DIR=/opt/cfusion
JDK_LOCATION=/usr/lib/jvm/java-11
ADMIN_USER=admin
ADMIN_PASSWORD=ChangeMe123!
ENABLE_RHEL_SERVICE=1
INSTALL_WEBHELP=0
EOF
./coldfusion2023-lnx64.bin -f /tmp/cf-response.txt -i silent
/opt/cfusion/cfusion/bin/coldfusion start

Adjust for your version and security.

4) Configure ColdFusion (portable Configuration)

Use CFConfig to export/import CF Admin settings as JSON for repeatable deployments.

Export (from source):

box install commandbox-cfconfig
cfconfig export from=http://oldserver.local:8500 username=admin password=** to=cfconfig.json

Import (on EC2 target):

cfconfig import from=/opt/cfapp/cfconfig.json to=http://127.0.0.1:8500

Example snippet of cfconfig.json (datasource):

{
“datasources”: {
“MainDB”: {
“class”: “com.microsoft.sqlserver.jdbc.SQLServerDriver”,
“connectionString”: “jdbc:sqlserver://mydb.xxxxxx.rds.amazonaws.com:1433;databaseName=prod;encrypt=true;trustServerCertificate=false”,
“username”: “dbuser”,
“password”: “${ssm:/prod/db/password}”,
“validate”: true
}
}
}

Use placeholders resolved at deploy-time from SSM.

5) Web server Integration (Apache/NGINX/IIS)

  • Linux + Apache HTTPD with AJP or HTTP proxy:

<VirtualHost :80>
ServerName app.example.com
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.) https://%{HTTP_HOST}%{REQUEST_URI}

<VirtualHost *:443>
ServerName app.example.com
SSLEngine on
SSLCertificateFile /etc/ssl/certs/app.crt
SSLCertificateKeyFile /etc/ssl/private/app.key

ProxyPreserveHost On
ProxyPassMatch ^/(CFIDE|jrunscripts|WEB-INF) – [F]
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/

  • Windows + IIS: use Adobe CF/IIS connector or BonCode AJP connector for Lucee/Tomcat. Ensure URL rewrite rules and request filtering match your legacy server.

6) Migrate application code and assets

  • Pull from Git/Bitbucket to EC2 or bake into AMI.
  • Externalize user-generated content:
    • Move to S3 and reference via S3 SDK/CF functions or mount via s3fs (read-heavy).
    • For shared write access across instances, consider EFS.
  • Ensure file permissions for temp, logs, and cfdocument directories.
See also  How to Move ColdFusion to a Kubernetes Cluster

7) Database migration or connectivity

  • If moving DB to Amazon RDS, create parameter groups and import backups.
  • Update JDBC drivers to current versions.
  • Validate timezones and character sets (UTF-8 recommended).
  • Test connection pools, isolation levels, and connection validation queries.

8) Sessions, caching, and state

  • Avoid server-local sessions when scaling. Options:
    • Enable sticky sessions on ALB with a proper cookie, or
    • Externalize sessions in Redis (ElastiCache) or a database.
  • Configure ehcache or cf distributed cache for multi-node.
  • Store CF Administrator passwords and DSN credentials in Secrets Manager.

9) Logging and monitoring

  • Stream logs to CloudWatch Logs via the unified agent.
  • Collect JVM metrics (heap, GC) and OS metrics (CPU, IO).
  • Set alarms on 5XX rates on ALB, high latency, low healthy host count.

CloudWatch Agent config example:

{
“logs”: {
“logs_collected”: {
“files”: {
“collect_list”: [
{ “file_path”: “/opt/cfusion/cfusion/logs/*.log”, “log_group_name”: “/cf/prod/app”, “log_stream_name”: “{instance_id}” }
]
}
}
}
}

10) SSL/TLS and DNS

  • Use ACM certificate on ALB; forward to EC2 on HTTP (private).
  • Configure Route 53 DNS A/AAAA alias to the ALB.
  • Enforce HSTS and modern TLS policies.

11) AMI baking and Auto Scaling

  • After a pristine configuration, create an AMI from the instance (or use Packer).
  • Launch Template + Auto Scaling Group with health checks on an HTTP endpoint (/health).
  • Keep servers immutable; push config via cfconfig and environment variables.

12) Schedulers and background jobs

  • CF Scheduled tasks: ensure only one node runs them:
    • Use Enterprise Features (Task Clustering) or a leader-election approach (e.g., lock in Redis).
    • Alternative: migrate to EventBridge + Lambda or AWS Batch for background jobs.

13) Secrets and configuration

  • Store DSN passwords, SMTP creds in Secrets Manager.
  • Pull at boot or runtime. Make sure EC2 role has least-privilege access.

14) CI/CD and deployments

  • Options: CodePipeline/CodeDeploy, GitHub Actions, Jenkins.
  • Deploy artifacts (WAR/CFML code) to S3 and pull on instance boot, or bake into AMI for blue/green.
  • Validate with a pre-traffic hook and allow instant rollback.

15) Cutover strategy

  • Use blue/green: keep legacy environment as blue, new EC2 stack as green.
  • Run smoke tests via ALB test domain.
  • Switch DNS or update ALB target group weights for canary.
  • Keep blue available for quick rollback until stability is confirmed.

Risks, Common Issues, and How to Avoid Them

  • Version mismatches:

    • Risk: Moving to Java 11/17 breaks older CFML or PDF generation.
    • Mitigation: Stage in a non-prod environment, test cfdocument/cfchart, update libraries.

  • JDBC and driver changes:

    • Risk: Old SQL Server jTDS driver incompatibilities on RDS/Aurora.
    • Mitigation: Use official Microsoft or vendor drivers, validate SSL params (encrypt=true).

  • Session stickiness vs stateless:

    • Risk: Users logged out or losing carts during scale-out.
    • Mitigation: Enable ALB stickiness or move sessions to Redis.

  • File I/O and shared storage:

    • Risk: Instances write to local disk causing inconsistency.
    • Mitigation: Externalize to S3/EFS; ensure path updates and permissions.

  • Scheduler duplication:

    • Risk: Jobs running multiple times across nodes.
    • Mitigation: Single runner via cluster-aware scheduling, distributed locks, or EventBridge.

  • JVM heap and GC tuning:

    • Risk: OutOfMemoryError or high GC pause.
    • Mitigation: Tune -Xms/-Xmx based on instance RAM; choose G1GC; monitor GC logs.

  • Security group and firewall blocks:

    • Risk: DB connectivity fails.
    • Mitigation: Open correct ports, restrict by SG references, test using telnet/nc.

  • SELinux/Windows UAC:

    • Risk: Connector or file write failures.
    • Mitigation: Proper policies, run services under dedicated user with least privilege.

  • Email deliverability:

    • Risk: Emails blocked or marked spam when moving SMTP.
    • Mitigation: Use Amazon SES, set up SPF/DKIM/DMARC, warm up sending.

  • Licensing pitfalls:

    • Risk: Non-compliant Adobe CF usage.
    • Mitigation: Verify license terms, cores-per-license, and Marketplace AMI rules.
See also  How to Migrate ColdFusion Custom Tags to CFCs

Post-Migration Checklist

  • Application functionality

    • Key user journeys tested (login, search, checkout, File upload, report generation).
    • Scheduled tasks executed once, on the correct node.

  • Performance and capacity

    • Load test compared to baseline; ASG scales as expected.
    • JVM heap/CPU/IOd metrics within targets.

  • Security and compliance

    • TLS 1.2+ enforced; no weak ciphers.
    • Security Groups least privilege; no open SSH/RDP to world.
    • Secrets not hardcoded; rotated post-cutover.

  • Observability

    • Logs visible in CloudWatch with meaningful retention.
    • Alarms set for 5XX, latency, low healthy targets, disk usage.

  • Data integrity

    • DB migration verified with checksums/row counts.
    • S3 assets available; permissions and bucket policies validated.

  • Cost and housekeeping

    • Right-sized instances; Remove unused EBS snapshots and orphaned resources.
    • Tagging applied (Environment, Owner, CostCenter, Application).

Useful Configuration Examples

Security Group rules (example)

  • ALB SG:

    • Inbound: 443 from 0.0.0.0/0
    • Outbound: TCP 8080 to EC2 SG

  • EC2 SG:

    • Inbound: TCP 8080 from ALB SG
    • Inbound: TCP 22 from Bastion SG or corporate CIDR
    • Outbound: 0.0.0.0/0 (or restricted to RDS/S3/SES endpoints as needed)

systemd service for CommandBox-based CFML app

[Unit]
Description=CFML App (CommandBox)
After=network.target

[Service]
User=cfuser
WorkingDirectory=/opt/cfapp
ExecStart=/usr/bin/box server start
ExecStop=/usr/bin/box server stop
Restart=always

[Install]
WantedBy=multi-user.target

Example NGINX Reverse proxy

server {
listen 443 ssl http2;
server_name app.example.com;

ssl_certificate     /etc/ssl/certs/app.crt;
ssl_certificate_key /etc/ssl/private/app.key;

location ~* /(CFIDE|WEB-INF) { return 403; }
location / {
    proxy_pass http://127.0.0.1:8080;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
}

}

Optional Modernization paths

  • Containers: Package CFML in Docker and run on ECS Fargate or EKS. Benefits: faster rollouts, immutable builds, and tighter resource isolation.
  • AMI baking with Packer for predictable EC2 scale-out.
  • Infrastructure as Code with Terraform or AWS CDK to version your VPC, ALB, ASG, RDS, and policies.
  • Offload PDF/image generation to containerized Microservices if memory-heavy.

FAQ

Can I lift-and-shift a Windows + IIS + Adobe ColdFusion server as-is?

Yes, but treat it as a starting point. You can create an AMI from a hardened Windows Server with Adobe CF installed and place it in an Auto Scaling group. However, aim to externalize sessions, move shared files to S3 or EFS, and adopt CFConfig for configuration portability to avoid snowflake servers.

Should I use sticky sessions or distributed session storage?

Sticky sessions via ALB are fast to enable and work for small clusters. For resilience during deployments and scale events, store sessions in Redis (ElastiCache) or a database. This makes instances stateless and simplifies blue/green releases.

How do I handle ColdFusion scheduled tasks on multiple nodes?

Avoid duplicates by assigning a single scheduler node, enabling task clustering (Enterprise), or implementing a distributed lock (e.g., Redis SETNX). Alternatively, migrate recurring jobs to EventBridge + Lambda or Step Functions.

What instance size should I choose for Adobe CF or Lucee?

Start with t3.large/t3.xlarge (or c6i.large for CPU-heavy) for test environments. Measure JVM heap usage, PDF/chart workloads, and adjust. For production, right-size based on load tests; memory-heavy PDF generation may require m6i.xlarge or larger.

Is moving to Lucee a drop-in replacement for Adobe ColdFusion?

Lucee is a popular open-source CFML engine, but it is not 100% drop-in. Most tags/functions work, yet enterprise features and some PDF/document functions behave differently. Plan a code Audit, update libraries, and run comprehensive tests if considering a runtime switch.

About the author

Aaron Longnion

Aaron Longnion

Hey there! I'm Aaron Longnion — an Internet technologist, web software engineer, and ColdFusion expert with more than 24 years of experience. Over the years, I've had the privilege of working with some of the most exciting and fast-growing companies out there, including lynda.com, HomeAway, landsofamerica.com (CoStar Group), and Adobe.com.

I'm a full-stack developer at heart, but what really drives me is designing and building internet architectures that are highly scalable, cost-effective, and fault-tolerant — solutions built to handle rapid growth and stay ahead of the curve.

View all posts

You may also like