Conversions API Gateway: Configuration

To deploy Conversions API Gateway, businesses are required to configure it in a self-serve flow within Meta Events Manager. In a few clicks, a server instance is deployed on the business’ behalf within their third-party cloud provider account (for example, AWS).

Conversions API Gateway is served from a subdomain of the website that reports web events, also called the first-party domain (it must be in the same eTLD+1 as the reporting Meta Pixel). Configuring Conversions API Gateway with a first-party domain can help ensure that the data flow goes only through the business’s trusted infrastructure.

Prerequisites

Before you can deploy Conversions API Gateway, ensure that you have:

  • Meta Pixel ID
  • Events Manager Admin access (partial access won’t work)
  • All website domains
  • DNS Provider access (required to configure your sub-domain)
  • Cloud provider admin access (for example, AWS)

Recommended: Enable Advanced Matching on your Meta Pixel to help maximize the performance of your Conversions API Gateway integration. With Advanced Matching, you can send hashed customer contact information along with your Pixel events, which can help you attribute more conversions and reach more people. See more details here.

The current version of Conversions API Gateway only supports Amazon Web Services (AWS) as a third-party cloud provider:

  • If you do not have an AWS account, you can create one by following this guide.

Network and Security

Cloud account isolation

Businesses can deploy Conversions API Gateway on their existing third-party AWS account or, alternatively, on a new AWS account separated from their main assets. Both options provide infrastructure isolation, as Conversions API Gateway is designed to have no interaction with the business’ server-side assets. Conversions API Gateway is provisioned within the default Virtual Private Cloud network (VPC).

Allowed network traffic

Conversions API Gateway requires the following inbound and outbound network traffic to be open to work correctly. The default configuration only allows the required traffic.

| Source | Destination | Protocol/Port | Description |
|---|---|---|---|
| Conversions API Gateway instance | 0.0.0.0/0 | All | Allow outbound connection to the internet from Conversions API Gateway to pass events to Meta and download packages from external repositories such as: download software in Docker Containers from ECR; send logs to AWS Cloudformation Logs; if opted-in to System Health Information data transmission, periodically send system status data about your business’ use/operation of its Conversions API Gateway installation to Meta for monitoring and troubleshooting problems; communicate with AWS EKS service |
| 0.0.0.0/0 | Conversions API Gateway instance | TCP/80 | Allow inbound HTTP connection to Conversions API Gateway. This port is automatically redirected to TCP/443 |
| 0.0.0.0/0 | Conversions API Gateway instance | TCP/443 | Allow inbound HTTPS connection to Conversions API Gateway. Used by browsers to send events through websockets secure (WSS) or HTTPS |

Endpoints and In-Transit Data

Endpoints are secured via TLS and SSL, and in-transit data is encrypted, as detailed below. Conversions API Gateway exposes two internet-facing endpoints:

  • HTTPS and Websocket secure (WSS) endpoint for receiving events from browsers
  • HTTPS admin front end for administering the server

These endpoints are secured through TLS (TLS 1.2 and 1.3 are supported), using an SSL certificate (default cipher list) generated automatically during server provisioning. The default certificate has a one-year lifetime and renews itself regularly as long as the two DNS records set up during installation are unchanged.

The default domain uses an AWS CloudFront endpoint. If a user sets up a custom domain, it uses AWS managed certificates. TLS is terminated at the load balancer level before traffic is forwarded to the private VPC.

Additional Security Protections

To help reinforce the protections of Conversions API Gateway endpoints, businesses can use their preferred cloud-based security solutions (Web Application Firewall, anti-DDOS) from AWS or other third-party providers. Such protections are configured by proxying the Conversions API Gateway traffic through the corresponding service provider and allowing inbound traffic only from this service provider.
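As an added example (not part of Meta's documentation or tooling), the following audit checks a security group's inbound rules against the allowed network traffic table above and, when traffic is proxied through a WAF or anti-DDoS provider, against that provider's source ranges. It assumes the group is supplied in the JSON shape returned by `aws ec2 describe-security-groups`; the sample group, its ID and the 198.51.100.0/24 provider range are constructed for illustration.

```python
import ipaddress
import json

# Inbound rules from the "Allowed network traffic" table: (protocol, port).
ALLOWED_INBOUND = {("tcp", 80), ("tcp", 443)}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_GROUP = json.loads("""
{"GroupId": "sg-EXAMPLE", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 80,  "ToPort": 80,  "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
  {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
  {"IpProtocol": "tcp", "FromPort": 22,  "ToPort": 22,  "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
]}
""")

def audit_inbound(group, allowed_sources=("0.0.0.0/0",)):
    """Return findings for inbound IPv4 rules outside the documented set.

    allowed_sources defaults to the documented 0.0.0.0/0. Pass the proxy
    provider's CIDR ranges when inbound traffic should only arrive through
    a WAF or anti-DDoS service (an assumption about your deployment).
    Only IpRanges (IPv4 CIDR sources) are examined.
    """
    nets = [ipaddress.ip_network(c) for c in allowed_sources]
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        # IpProtocol "-1" (all protocols) carries no port fields.
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        port_ok = lo is not None and lo == hi and (proto, lo) in ALLOWED_INBOUND
        for rng in perm.get("IpRanges", []):
            cidr = rng["CidrIp"]
            src = ipaddress.ip_network(cidr)
            if not port_ok:
                findings.append(("unexpected-port", proto, lo, hi, cidr))
            elif not any(src.version == n.version and src.subnet_of(n) for n in nets):
                findings.append(("unexpected-source", proto, lo, hi, cidr))
    return findings

if __name__ == "__main__":
    # Default posture: only TCP/80 and TCP/443 from anywhere are expected.
    for finding in audit_inbound(SAMPLE_GROUP):
        print("default:", finding)
    # Proxied posture: inbound allowed only from the provider's range.
    for finding in audit_inbound(SAMPLE_GROUP, ["198.51.100.0/24"]):
        print("proxied:", finding)
```
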

Data Storage and Retention Policy

Conversions API Gateway stores configuration data and operational logs such as event statistics, and uses the instance disk storage for storing logs.

If your third-party cloud provider is AWS, logs are stored in CloudWatch, and access to these logs is determined by AWS data access policies and any additional policies implemented within your organization. You may choose to share operational logs with your support contact. Please refer to this guide on how to extract logs.

Scalability

Conversions API Gateway server capacity is determined by the maximum number of instances configured. This maximum can be set during installation or in the Conversions API Gateway Admin UI after installation.

  • Each instance can support 100 queries per second.
  • We require at least two instances running.