Getting Started
In just a few clicks, businesses can deploy the Conversions API Gateway from a self-serve flow within Meta Events Manager. The setup flow deploys a server instance on the business’ behalf, using their third-party cloud provider,such as Amazon Web Service (AWS) or Google Cloud Platform (GCP).
To deploy Conversions API Gateway, businesses can use a self-serve flow within Meta Events Manager. In a few clicks, a server instance is configured and deployed on the business’ behalf within their third-party cloud provider account.
Conversions API Gateway is then served from a subdomain of the website that reports web events, also called the first-party domain (this domain must be in the same eTLD+1 as the reporting Meta Pixel). When configured with a first-party domain, Conversions API Gateway can help direct the flow of data through the business’s trusted infrastructure only.
Prerequisites
Before you can deploy Conversions API Gateway, you’ll need the following properties and access:
- Meta Pixel ID
- Admin access for the Events Manager associated with the Meta Pixel (partial access won’t work)
- Access to update all website domains associated with this Meta Pixel
- Access to make updates using the DNS provider for these domains (you will need to be able to configure your subdomain)
- Admin access for a cloud provider service (for example, AWS or GCP)
Recommended: Enable Advanced Matching on your Meta Pixel to help maximize the performance of your Conversions API Gateway integration. With Advanced Matching, you can send hashed customer contact information along with your Pixel events, which can help you attribute more conversions and reach more people. See more details here.
Network and Security
Cloud account isolation
Businesses can choose to deploy Conversions API Gateway on their existing third-party cloud account, or on a new cloud account separated from their main assets. Both options provide infrastructure isolation, as Conversions API Gateway is designed to have no interaction with business’ server-side assets. Conversions API Gateway is provisioned within the default Virtual Private Cloud network (VPC).
Allowed network traffic
To function correctly, Conversions API Gateway requires the following inbound and outbound network traffic to be open. The default configuration only allows the required traffic.
| Source | Destination | Protocol/Port | Description |
|---|---|---|---|
Conversions API Gateway instance | 0.0.0.0/0 | All | Allow outbound connection to the internet from Conversions API Gateway to pass events to Meta and download packages from external repositories such as:
|
0.0.0.0/0 | Conversions API Gateway instance | TCP/80 | Allow inbound HTTP connection to Conversions API Gateway This port is automatically redirected to TCP/443 |
0.0.0.0/0 | Conversions API Gateway instance | TCP/443 | Allow inbound HTTPS connection to Conversions API Gateway Used by browsers to send events through websockets secure (WSS) or HTTPS |
Endpoints and In-Transit Data
Endpoints are secured via TLS and SSL, and in-transit data is encrypted. Conversions API Gateway exposes two internet-facing endpoints:
- HTTPS and Websocket secure (WSS) endpoint for receiving events from browsers
- HTTPS admin front end for administering the server
These endpoints are secured through TLS (TLS 1.2 and 1.3 are supported) and by using an SSL (default cipher list) certificate generated automatically during the server provisioning. The default certificate has a one year life time and renews regularly as long as two DNS records set up during installation are unchanged.
The default domain uses AWS Cloudfront endpoint. If a user sets up a custom domain, it uses AWS managed certificates. TLS is terminated at load balancer level before forwarding to private VPC.
Additional Security Protections
To help reinforce the protections of Conversions API Gateway endpoints, businesses can use their preferred cloud-based security solutions (Web Application Firewall, anti-DDOS) from AWS or other third-party providers. Such protections are configured by proxying the Conversions API Gateway traffic through the corresponding service provider and allowing inbound traffic only from this service provider.
Data Storage and Retention Policy
Conversions API Gateway stores configuration data and operational logs such as event statistics, and uses the instance disk storage for storing logs.
Instances using AWS as their third-party cloud provider will have logs stored in CloudWatch, and access to these logs is determined by AWS data access policies and any additional policies implemented within their organization. You may choose to share operational logs with your support contact.Learn more about extracting logs.
Scalability
Conversions API Gateway server capacity is determined by the maximum number of instances configured. It can be decided during the installation or on the Conversions API Gateway Admin UI after installation.
Note that:
- Each instance can support 100 queries per second.
- At least two instances must be running.
