這份文件已更新。
中文(香港) 的翻譯尚未完成。
英文更新時間:11月11日
中文(香港) 更新時間:7月21日

Conversions API Gateway: AWS App Runner Architecture

Below is a diagram and a list of the main AWS resources and services used by the Conversions API Gateway on App Runner, the number of instances created per resource or service type and, when applicable, their purpose.

The diagram and the list contain only the most important AWS resources and services used by the Conversions API Gateway. Other AWS resources and services not listed here will be used by your instance.

The diagram below shows the main resources instantiated and how they interact between them.


Component Details

App Runner

App Runner is a fully managed service that allows containerized web applications to run in a private AWS VPC. It abstracts away container management, load balancing, NAT Gateway and Internet Gateway. App Runner also provides custom domain provisioning, certificate management, auto scaling, free default HTTPS service url and blue green deployment.

The Conversions API Gateway uses App Runner as its primary compute resource for running data plane and control plane containers. By default, a single container is created for data plane and control plane and the limits can be changed based on auto scaling configuration.

DynamoDB

DynamoDB is a serverless, NoSQL, fully managed database service from AWS. The Conversions API Gateway uses DynamoDB for storing configuration data for the instance. More details about the data is included in the Configuration section.

Timestream (to be removed in a future version)

Timestream is an AWS service for easy-to-manage time-series databases. The Conversions API Gateway uses Timestream to store time-series metrics that power the control plane UI as well as telemetry about event count. Retention for time-series metrics is set to 30 days.

EventBridge Scheduler

Eventbridge Scheduler is an AWS service that allows the creation of schedules for cron triggers. The Conversions API Gateway uses Eventbridge Scheduler for cron triggers for periodic jobs like telemetry, backup, infrastructure updates, etc.

Amazon Managed Prometheus

Amazon managed prometheus is an AWS service for container monitoring. The Conversions API Gateway uses Amazon managed prometheus to store time-series metrics that power the control plane UI as well as telemetry about event count.

Key Management Service

Key Management Service is an AWS service for encrypting data. The Conversions API Gateway uses KMS to encrypt sensitive data before storing it in the database.

Lambda

Lambda is an AWS service for serverless code execution. The Conversions API Gateway uses Lambda for multiple use cases:

  • A custom resource during installation and uninstallation to execute custom provisioning and deprovisioning logic.
  • When Eventbridge scheduler triggers Lambda, which further triggers the App Runner service for telemetry and backup jobs.
  • Infrastructure update management is also triggered using Lambda which subscribes to a SNS topic in a Meta-owned AWS account.

Elastic Container Service (ECS) and Related Services

  • ECS is a fully managed container orchestration service. The Conversions API Gateway uses ECS for long running jobs like telemetry, backup, offline processing, etc.
  • Virtual Private Cloud (VPC) is a virtual network, logically isolated from other virtual networks in the AWS Cloud, where AWS resources can be launched. The Conversions API Gateway creates one VPC and one availability zone in it.
  • Public subnet is a subnet that can reach the internet through an internet gateway or an egress-only gateway. In the Conversions API Gateway, one public subnet is created per each availability zone. The ECS tasks are created in the public subnet.
  • Internet gateway is a VPC component that allows communication between a VPC and the Internet. It supports IPv4 and IPv6 traffic. The Conversions API Gateway for instantiates one Internet gateway and uses it for outbound communication with AWS services and Meta.
  • Security group controls the traffic that is allowed to reach and leave the resources that it is associated with. The Conversions API Gateway creates one Security group which allows only outbound access and no inbound access.

Cognito

Cognito is a customer identity and access management service provided by AWS. The Conversions API Gateway uses Cognito for user authentication.

Codebuild

Codebuild is a fully managed continuous integration service provided by AWS. The Conversions API Gateway uses Codebuild for executing updates and maintenance on the instance.

Cloudfront

Cloudfront is a CDN service provided by AWS. The Conversions API Gateway uses Cloudfront as CDN and also as a reverse proxy for accessing the control plane and data plane container UI.

Cloudwatch Logs

Cloudwatch is a logging service provided by AWS. The Conversions API Gateway will store installation and application logs in the Cloudwatch service.

IAM

AWS Identity and Access Management (IAM) is an AWS service that helps securely control access to AWS resources. IAM is used to control who is authenticated (signed in) and authorized (has permissions) to use resources.

S3

Amazon Simple Storage Service (Amazon S3) is an object storage service offering industry-leading scalability, data availability, security, and performance. The Conversions API Gateway uses AWS S3 mainly for the automatic backup feature.

Budgets

Budgets is an AWS service for tracking costs and usage. The Conversions API Gateway uses Budgets for cost monitoring for the instance and providing alerts based on budget (for example, if a budget limit is exceeded). The default budget is set to $50 per month.

AWS Certificate Manager (ACM)

ACM is an AWS Service for provisioning and managing SSL/TLS certificates. The Conversions API Gateway uses ACM to provision and attach a first-party domain certificate to Cloudfront.

Data Flow and Storage

The Conversions API Gateway treats four types of data:

  • Action (event) data sent by the Meta Pixel and only transiting the Conversions API Gateway.
  • Customer information sent by the pixel and only transiting the Conversions API Gateway.
  • Conversions API Gateway configuration data stored in the instance.
  • Conversions API Gateway logs stored in the instance.

Data Received by the Conversions API Gateway from the Meta Pixel

The data received by the Conversions API Gateway from the Meta Pixel consists of events and customer information. These are not stored on the instance, they just transit the Conversions API Gateway to be then sent to Meta's Conversions API.

Conversions API Gateway Configuration Data

The Conversions API Gateway configuration data, detailed below, is stored in AWS DynamoDB, AWS Timestream and AWS Cognito. This data includes:

  • Host users (email, password, permissions)
  • SMTP configuration
  • Accounts and respective access rights
  • Users (email, password, permissions)
  • Connected Pixel IDs and respective configuration details (activation status, publishing status)
  • Pixel events names, volumes, and publishing status
  • Website domains where the pixels fire, domain allow list, and domain block list
  • Data routing configuration

The Conversions API Gateway is effectively a gateway to transition this data to Meta, and once sent, the data cannot be retrieved back or changed by the engaged Conversions API Gateway owner. The users will be able to see those events (as per our current browser Pixel sending events directly to Meta) from the Events Manager.

Gateway Logs

The Conversions API Gateway uses the AWS Cloudwatch service to log installation and application running information. All logs have a retention period of 5 days to keep the costs of logging low.

Application logs are written for as long as the Conversions API Gateway software and resources are running. Application running logs include:

  • User actions on the Conversions API Gateway UI.
  • Software and resource usage logs.

The AWS Cloudwatch service does not log any event or contact information.

Telemetry

To learn more about telemetry, see Conversions API System Health Information.

Cost

The cost of the Conversions API Gateway depends on the cost of the service and resource instances used. AWS provides a tool to estimate the cost of an implementation. For reference, see the pricing calculator for processing 10 million events per month.

The cost information provided in this section are estimates obtained using the AWS pricing calculator in the us-west-2 (Oregon) region, and should serve as a reference. The actual cost of your instance may vary based on usage. AWS Free Tier pricing could also change the costs upwards or downwards. The default setup can only support up to 250 million events per month and auto scaling needs to be enabled to support higher load. Note that enabling auto scaling will not automatically bump up the prices, as compute capacity scales based on the number of events flowing through the system.

The estimated monthly base cost might look like the breakdown below based on different event volumes:

Note: the table shows estimated monthly cost @ us-west-2 (Oregon). Figures are in US$.

Resource Type10M events250M events2500M events

App Runner data plane container fixed cost

16.50

16.50

165

App Runner data plane container data transfer cost

0.90


22.50


225


App Runner control plane container

6.60


6.60


6.60

Amazon Managed Prometheus

0.24


2.4


23.65

S3

0.02


0.02


0.02

DynamoDB

0.80


1.20


1.93

ECS

0.85


0.85


0.85

Lambda

0.38


0.38


0.38

Eventbridge Scheduler

0


0


0

Cognito

0


0


0

Codebuild

0.15


0.15


0.15

Cloudwatch logs

1.52


1.52


1.52

Key Management Service

1


1


1

IAM

0


0


0

Cloudfront

0.10


0.10


0.10

ACM

0


0


0

Budgets

0


0


0

Total cost

29.06


52.22


425.20

Network and Security

Allowed Network Traffic

The Conversions API Gateway requires the following inbound and outbound network traffic to work as documented. The default configuration only allows the required traffic. App Runner provides inbuilt load balancer and access control which can’t be changed. The only inbound access to App Runner service is on port 443. We have a security group attached to the ECS cluster which doesn’t allow any inbound traffic but allows outbound traffic so that telemetry can be sent to Meta in case of failures if telemetry consent is provided.

Endpoints and In-Transit Data

The Conversions API Gateway requires the following inbound and outbound network traffic to work as documented. The default configuration only allows the required traffic.

Endpoints are secured via TLS and SSL, and in-transit data is encrypted. Conversions API Gateway exposes two internet-facing endpoints:

  • HTTPS endpoint for receiving events from browsers
  • HTTPS admin front end for administering the server

These endpoints are secured through TLS and by using an SSL certificate generated automatically during the server provisioning.