Getting Started

To deploy Conversions API Gateway, businesses can use a self-serve flow within Meta Events Manager. In a few clicks, a server instance is configured and deployed on the business’ behalf within their third-party cloud provider account, such as Amazon Web Services (AWS) or Google Cloud Platform (GCP).

Conversions API Gateway is then served from a subdomain of the website that reports web events, also called the first-party domain (this domain must be in the same eTLD+1 as the reporting Meta Pixel). When configured with a first-party domain, Conversions API Gateway can help direct the flow of data through the business’s trusted infrastructure only.

Prerequisites

Before you can deploy Conversions API Gateway, you’ll need the following properties and access:

  • Meta Pixel ID
  • Admin access for the Events Manager associated with the Meta Pixel (partial access won’t work)
  • Access to update all website domains associated with this Meta Pixel
  • Access to make updates using the DNS provider for these domains (you will need to be able to configure your subdomain)
  • Admin access for a cloud provider service (for example, AWS or GCP)

Recommended: Enable Advanced Matching on your Meta Pixel to help maximize the performance of your Conversions API Gateway integration. With Advanced Matching, you can send hashed customer contact information along with your Pixel events, which can help you attribute more conversions and reach more people. See more details here.

Network and Security

Cloud account isolation

Businesses can choose to deploy Conversions API Gateway on their existing third-party cloud account, or on a new cloud account separated from their main assets. Both options provide infrastructure isolation, as Conversions API Gateway is designed to have no interaction with the business’ server-side assets. Conversions API Gateway is provisioned within the default Virtual Private Cloud (VPC) network.

Allowed network traffic

To function correctly, Conversions API Gateway requires the following inbound and outbound network traffic to be open. The default configuration only allows the required traffic.

Source: Conversions API Gateway instance
Destination: 0.0.0.0/0
Protocol/Port: All
Description: Allow outbound connection to the internet from Conversions API Gateway to pass events to Meta and download packages from external repositories such as:

  • Download software in Docker Containers from ECR
  • Send logs to AWS CloudFormation Logs
  • If opted-in to System Health Information data transmission, periodically send system status data about your business’ use/operation of its Conversions API Gateway installation to Meta for monitoring and troubleshooting problems.
  • Communicate with AWS EKS service

Source: 0.0.0.0/0
Destination: Conversions API Gateway instance
Protocol/Port: TCP/80
Description: Allow inbound HTTP connection to Conversions API Gateway. This port is automatically redirected to TCP/443.

Source: 0.0.0.0/0
Destination: Conversions API Gateway instance
Protocol/Port: TCP/443
Description: Allow inbound HTTPS connection to Conversions API Gateway. Used by browsers to send events through WebSocket Secure (WSS) or HTTPS.

Endpoints and In-Transit Data

Endpoints are secured via TLS and SSL, and in-transit data is encrypted. Conversions API Gateway exposes two internet-facing endpoints:

  • HTTPS and Websocket secure (WSS) endpoint for receiving events from browsers
  • HTTPS admin front end for administering the server

These endpoints are secured through TLS (TLS 1.2 and 1.3 are supported) and by an SSL certificate (default cipher list) generated automatically during server provisioning. The default certificate has a one-year lifetime and renews regularly as long as the two DNS records set up during installation are unchanged.

The default domain uses an AWS CloudFront endpoint. If a user sets up a custom domain, it uses AWS managed certificates. TLS is terminated at the load balancer level before traffic is forwarded to the private VPC.

Additional Security Protections

To help reinforce the protections of Conversions API Gateway endpoints, businesses can use their preferred cloud-based security solutions (Web Application Firewall, anti-DDoS) from AWS or other third-party providers. Such protections are configured by proxying the Conversions API Gateway traffic through the corresponding service provider and allowing inbound traffic only from this service provider.
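An added example (not Meta's code): a Python check that compares inbound rules, in the shape of the `IpPermissions` list returned by EC2 `DescribeSecurityGroups`, against the allowed-traffic baseline above and against the proxied setup described in this section. The sample rules and the 198.51.100.0/24 provider range are constructed, and the function name `audit_inbound` is hypothetical.

```python
import ipaddress

REQUIRED_PORTS = {80, 443}  # inbound TCP ports listed under "Allowed network traffic"

def audit_inbound(ip_permissions, allowed_sources=("0.0.0.0/0",)):
    """Return a list of findings; an empty list means the rules match.

    ip_permissions: list shaped like EC2 DescribeSecurityGroups "IpPermissions"
    (IPv4 "IpRanges" only; IPv6 ranges are not examined here).
    allowed_sources: CIDRs that may reach the gateway. The default is the open
    baseline; pass the WAF/anti-DDoS provider's ranges when traffic is proxied.
    """
    allowed = [ipaddress.ip_network(c) for c in allowed_sources]
    findings, covered = [], set()
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        # Only single-port TCP rules for 80 or 443 belong to the baseline.
        ports_ok = proto == "tcp" and lo == hi and lo in REQUIRED_PORTS
        if not ports_ok:
            findings.append(f"unexpected rule: proto={proto} ports={lo}-{hi}")
        for rng in perm.get("IpRanges", []):
            src = ipaddress.ip_network(rng["CidrIp"])
            if not any(src.subnet_of(net) for net in allowed):
                findings.append(f"source {src} on ports {lo}-{hi} is outside allowed sources")
            elif ports_ok:
                covered.add(lo)
    for port in sorted(REQUIRED_PORTS - covered):
        findings.append(f"no rule from an allowed source for required TCP/{port}")
    return findings

def rule(port, cidr):
    """Build one constructed sample rule in the IpPermissions shape."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}]}

# Constructed sample data, not taken from a real deployment.
BASELINE = [rule(80, "0.0.0.0/0"), rule(443, "0.0.0.0/0")]
DRIFTED = BASELINE + [rule(22, "0.0.0.0/0")]          # an extra port was opened
PROVIDER = ("198.51.100.0/24",)                        # placeholder WAF egress range
PROXIED = [rule(80, PROVIDER[0]), rule(443, PROVIDER[0])]

if __name__ == "__main__":
    for name, rules, sources in [("baseline", BASELINE, ("0.0.0.0/0",)),
                                 ("drifted", DRIFTED, ("0.0.0.0/0",)),
                                 ("open but should be proxied", BASELINE, PROVIDER),
                                 ("proxied", PROXIED, PROVIDER)]:
        print(name, "->", audit_inbound(rules, sources) or "OK")
```

In a live account the same list would come from the security group that fronts the gateway; only the rule shape is assumed here.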

Data Storage and Retention Policy

Conversions API Gateway stores configuration data and operational logs such as event statistics, and uses the instance disk storage for storing logs.

Instances using AWS as their third-party cloud provider will have logs stored in CloudWatch, and access to these logs is determined by AWS data access policies and any additional policies implemented within their organization. You may choose to share operational logs with your support contact. Learn more about extracting logs.

Scalability

Conversions API Gateway server capacity is determined by the maximum number of instances configured. This maximum can be set during installation or in the Conversions API Gateway Admin UI after installation.

Note that:

  • Each instance can support 100 queries per second.
  • At least two instances must be running.