Architecture details - Prebid Server Deployment on AWS

Architecture details

This section describes the components and AWS services that make up this solution and how these components work together.

AWS services in this solution

AWS service                               Type        Description
Amazon CloudFront                         Core        Serve client requests to the Prebid Server application.
AWS DataSync                              Core        Automate transfer of Prebid Server application logs and metrics from Amazon EFS to Amazon S3.
Amazon ECS                                Core        Host and manage the containerized Prebid Server application.
Amazon EFS                                Core        Centralize storage of Prebid Server application logs and metrics across containers.
Elastic Load Balancing                    Core        Provide a single entry point and high availability for the Prebid Server containers hosted on Amazon ECS; its request-count-per-target metric is one of the signals used to scale the container count.
Amazon EventBridge                        Core        Send and receive messages between solution resources that handle Prebid Server application metrics and logs.
AWS Glue                                  Core        Transform, catalog, and partition metrics data into Amazon S3 and the AWS Glue Data Catalog.
AWS Identity and Access Management (IAM)  Core        Restrict solution resource permissions to least-privilege access.
AWS KMS                                   Core        Encrypt and decrypt the data in Amazon S3.
AWS Lambda                                Core        Deploy and delete the solution through Lambda-backed custom resources, remove archived log and metrics files from Amazon EFS after they have been moved to Amazon S3 for long-term storage, and trigger AWS Glue.
Amazon S3                                 Core        Provide long-term storage of Prebid Server application logs and metrics from Amazon EFS.
AWS Systems Manager                       Core        Provide application-level resource monitoring and visualization of resource operations and cost data.
Amazon VPC                                Core        Control network permissions between solution resources.
AWS WAF                                   Core        Provide a layer of security in front of Amazon CloudFront.
AWS CloudTrail                            Supporting  Track activity across solution S3 buckets and Lambda functions.
Amazon CloudWatch                         Supporting  View logs and subscribe to alarms for AWS Lambda and AWS Glue.
Amazon Athena                             Optional    Access the AWS Glue Data Catalog and query the Prebid Server application metrics in Amazon S3.

CloudFront distribution

The solution uses Amazon CloudFront as the single network entry point: it receives the incoming auction requests and returns the responses. CloudFront routes each request over the AWS backbone network to the edge location that can best serve it, and it terminates TLS so that requests and responses are encrypted in transit across the public internet. The Application Load Balancer (ALB) is the configured origin for CloudFront. Direct access to the ALB is restricted with a custom header that CloudFront adds to every origin request; the ALB forwards only requests that carry the expected value. This check is only as strong as the secrecy of the header value, so treat the value as a credential (generate it randomly, rotate it, and keep it out of logs), and consider also restricting the ALB security group to the CloudFront origin-facing managed prefix list so that traffic which bypasses CloudFront is dropped before it reaches the listener.
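The origin-verification pattern described above, written out as an added CloudFormation example. This is not the solution's own template: it assumes that resources named PrebidAlb, AlbSecurityGroup and PrebidTargetGroup exist elsewhere in the same stack, that parameters named AlbCertificateArn, OriginVerifySecret and CloudFrontPrefixListId are supplied, and that the header is called X-Origin-Verify; all of those names are assumptions.

```yaml
# Added example, not the solution's own template. Assumed to exist elsewhere in
# the stack: PrebidAlb, AlbSecurityGroup, PrebidTargetGroup. The header name
# X-Origin-Verify and all parameter names are assumptions.
Parameters:
  OriginVerifySecret:
    Type: String
    NoEcho: true      # random, high-entropy value; treat it as a credential and rotate it
  AlbCertificateArn:
    Type: String
  CloudFrontPrefixListId:
    Type: String      # ID of com.amazonaws.global.cloudfront.origin-facing in the ALB's Region

Resources:
  # Layer 1 (network): the ALB accepts HTTPS only from CloudFront's origin-facing
  # ranges, so traffic that bypasses CloudFront is dropped before the listener sees it.
  AlbIngressFromCloudFront:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref AlbSecurityGroup
      IpProtocol: tcp
      FromPort: 443
      ToPort: 443
      SourcePrefixListId: !Ref CloudFrontPrefixListId

  # Layer 2 (listener): the default action is a fixed 403, so a request is only
  # forwarded when a rule below matches it.
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref PrebidAlb
      Port: 443
      Protocol: HTTPS
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
      Certificates:
        - CertificateArn: !Ref AlbCertificateArn
      DefaultActions:
        - Type: fixed-response
          FixedResponseConfig:
            StatusCode: "403"
            ContentType: text/plain
            MessageBody: Forbidden

  # Only requests that carry the expected header value reach the Prebid Server targets.
  VerifiedOriginRule:
    Type: AWS::ElasticLoadBalancingV2::ListenerRule
    Properties:
      ListenerArn: !Ref HttpsListener
      Priority: 1
      Conditions:
        - Field: http-header
          HttpHeaderConfig:
            HttpHeaderName: X-Origin-Verify
            Values:
              - !Ref OriginVerifySecret
      Actions:
        - Type: forward
          TargetGroupArn: !Ref PrebidTargetGroup

  # CloudFront adds the header to every origin request. Auction responses are not
  # cacheable, so the managed CachingDisabled policy is used, and all viewer headers,
  # query strings and cookies are passed through with the managed AllViewer policy.
  PrebidDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        HttpVersion: http2and3
        Origins:
          - Id: prebid-alb
            DomainName: !GetAtt PrebidAlb.DNSName
            CustomOriginConfig:
              OriginProtocolPolicy: https-only
              OriginSSLProtocols: [TLSv1.2]
            OriginCustomHeaders:
              - HeaderName: X-Origin-Verify
                HeaderValue: !Ref OriginVerifySecret
        DefaultCacheBehavior:
          TargetOriginId: prebid-alb
          ViewerProtocolPolicy: https-only
          AllowedMethods: [GET, HEAD, OPTIONS, PUT, PATCH, POST, DELETE]
          CachePolicyId: 4135ea2d-6df8-44a3-9df3-4b5a84be39ad         # AWS managed "CachingDisabled"
          OriginRequestPolicyId: 216adef6-5c7f-47e4-b989-5492eafa07d3  # AWS managed "AllViewer"
```

Two practical points. ALB header-condition matching is case-insensitive and treats `*` and `?` as wildcards, so generate the secret from a plain alphanumeric alphabet. The value is readable by anyone allowed to call elasticloadbalancing:DescribeRules or cloudfront:GetDistributionConfig, so it is IAM least privilege, not the header alone, that keeps it secret; rotate it by adding the new value to the rule's Values list, updating the distribution, and then removing the old value.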

AWS WAF

AWS WAF and AWS Shield Standard protect the Prebid Server cluster against Distributed Denial of Service (DDoS) attacks. Shield Standard applies automatically to CloudFront; AWS WAF is attached to the distribution as a web ACL. The solution enables managed rule groups by default that were selected after extended testing, including rules from the Baseline rule groups and the IP reputation rule groups. You can activate, purchase, or reuse additional rule group subscriptions, or add regular-expression or CIDR-matching rules as needed. Evaluate any new rule group in count mode against real auction traffic before switching it to block, because generic request-body inspection rules can match legitimate OpenRTB payloads.
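A web ACL of the kind described above (IP reputation list, Baseline rule set, a CIDR deny list, and a rate limit as a backstop), as an added CloudFormation example. It is not the solution's own template; the rule names, priorities, the placeholder deny-list range and the rate limit are assumptions to adapt to your traffic, and it has to be deployed in us-east-1 because the scope is CLOUDFRONT.

```yaml
# Added example, not the solution's own template. Must be deployed in us-east-1
# because Scope is CLOUDFRONT. Names, priorities, the deny-list range and the rate
# limit are assumptions.
Resources:
  DenyListedCidrs:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: prebid-deny-list
      Scope: CLOUDFRONT
      IPAddressVersion: IPV4
      Addresses:
        - 203.0.113.0/24            # RFC 5737 documentation range, used as a placeholder

  PrebidWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: prebid-server-web-acl
      Scope: CLOUDFRONT
      DefaultAction:
        Allow: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: prebid-server-web-acl
      Rules:
        # Explicit CIDR deny list, evaluated first.
        - Name: block-deny-list
          Priority: 0
          Action:
            Block: {}
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt DenyListedCidrs.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: block-deny-list

        # IP reputation rule group: blocks sources associated with bots and DDoS.
        - Name: aws-ip-reputation
          Priority: 1
          OverrideAction:
            None: {}                 # the rule group's own actions take effect
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesAmazonIpReputationList
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-ip-reputation

        # Baseline (core) rule set. Count first; switch OverrideAction to None: {}
        # once sampled requests show no false positives on real auction payloads.
        - Name: aws-common-rule-set
          Priority: 2
          OverrideAction:
            Count: {}
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesCommonRuleSet
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-common-rule-set

        # Per-source-IP rate limit as a backstop against request floods.
        - Name: rate-limit-per-ip
          Priority: 3
          Action:
            Block: {}
          Statement:
            RateBasedStatement:
              Limit: 2000            # requests per 5-minute window from one source IP
              AggregateKeyType: IP
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: rate-limit-per-ip

Outputs:
  # Set this ARN as WebACLId in the CloudFront DistributionConfig (WAFv2 expects the ARN).
  WebAclArn:
    Value: !GetAtt PrebidWebAcl.Arn
```

With SampledRequestsEnabled on each rule, the sampled requests view in the WAF console shows exactly which rule inside the Baseline group matched while it is still in count mode, which is the evidence you need before promoting it to block.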

Note

If you want to opt out of using CloudFront and AWS WAF and directly send requests to the ALB, see How to opt out.

Application Load Balancer (ALB)

The ALB distributes incoming request traffic for Prebid Server across the cluster of containers. It provides a single entry point into the cluster and is the primary origin for the CloudFront distribution.

Amazon VPC

The Amazon Virtual Private Cloud (Amazon VPC) is configured with redundant subnets, routes, and NAT gateways. Security groups control which traffic is permitted to and from the resources in those subnets. The VPC contains the network interfaces of the Prebid Server container tasks. The tasks are assigned private IP addresses only; their outbound connections (for example, to bidder endpoints) leave through the NAT gateway, which is the default route to the internet for the container subnets.

Amazon ECS

Amazon Elastic Container Service (Amazon ECS) is a fully managed container orchestration service that deploys, manages, and scales the containerized Prebid Server application. The ECS cluster, task definition, and service resources define the operating environment for the containers, the desired container count, and the thresholds at which the service scales out and scales in. Scaling changes are driven by CPU utilization, process load, and network traffic (ALB requests per target). For cost optimization, the service runs on a weighted combination of the Fargate and Fargate Spot capacity providers. A higher share of Fargate Spot lowers cost but raises the risk of capacity being reclaimed: Spot tasks can be interrupted with a two-minute warning, so keep a base of on-demand Fargate tasks that can carry the load on their own. After running the solution for a while, you might find that a different ratio suits your traffic better.
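An ECS service with the weighted Fargate/Fargate Spot mix and the two scaling signals named above (CPU utilization and ALB requests per target), as an added CloudFormation example. It is not the solution's own template: the resource names PrebidCluster, PrebidTaskDefinition, PrebidAlb, PrebidTargetGroup, TaskSecurityGroup, PrivateSubnetA and PrivateSubnetB are assumed to exist in the same stack, and the container name, port, Spot ratio and target values are illustrative assumptions rather than the solution's defaults.

```yaml
# Added example, not the solution's own template. Assumed to exist elsewhere in
# the stack: PrebidCluster, PrebidTaskDefinition, PrebidAlb, PrebidTargetGroup,
# TaskSecurityGroup, PrivateSubnetA, PrivateSubnetB. Container name/port, the
# Spot ratio and the target values are assumptions, not the solution's defaults.
Resources:
  PrebidService:
    Type: AWS::ECS::Service
    Properties:
      Cluster: !Ref PrebidCluster
      TaskDefinition: !Ref PrebidTaskDefinition
      DesiredCount: 2
      # Weighted mix: after the Base on-demand task, tasks are placed 1:3 between
      # FARGATE and FARGATE_SPOT. Base guarantees on-demand capacity survives a
      # Spot reclaim (Spot tasks get a two-minute warning before they are stopped).
      CapacityProviderStrategy:
        - CapacityProvider: FARGATE
          Base: 1
          Weight: 1
        - CapacityProvider: FARGATE_SPOT
          Weight: 3
      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: DISABLED        # private IPs only; egress goes through the NAT gateway
          SecurityGroups: [!Ref TaskSecurityGroup]
          Subnets: [!Ref PrivateSubnetA, !Ref PrivateSubnetB]
      LoadBalancers:
        - ContainerName: prebid-server    # assumed container name in the task definition
          ContainerPort: 8080             # assumed listening port
          TargetGroupArn: !Ref PrebidTargetGroup
      HealthCheckGracePeriodSeconds: 60

  ServiceScalableTarget:
    Type: AWS::ApplicationAutoScaling::ScalableTarget
    Properties:
      ServiceNamespace: ecs
      ScalableDimension: ecs:service:DesiredCount
      ResourceId: !Sub service/${PrebidCluster}/${PrebidService.Name}
      MinCapacity: 2
      MaxCapacity: 20
      RoleARN: !Sub arn:aws:iam::${AWS::AccountId}:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService

  # Signal 1: average CPU across the service's tasks.
  ScaleOnCpu:
    Type: AWS::ApplicationAutoScaling::ScalingPolicy
    Properties:
      PolicyName: prebid-cpu-target
      PolicyType: TargetTrackingScaling
      ScalingTargetId: !Ref ServiceScalableTarget
      TargetTrackingScalingPolicyConfiguration:
        TargetValue: 60.0
        PredefinedMetricSpecification:
          PredefinedMetricType: ECSServiceAverageCPUUtilization
        ScaleInCooldown: 300
        ScaleOutCooldown: 60

  # Signal 2: ALB requests per target per minute; ResourceLabel ties the metric
  # to this load balancer and target group.
  ScaleOnRequestsPerTarget:
    Type: AWS::ApplicationAutoScaling::ScalingPolicy
    Properties:
      PolicyName: prebid-requests-per-target
      PolicyType: TargetTrackingScaling
      ScalingTargetId: !Ref ServiceScalableTarget
      TargetTrackingScalingPolicyConfiguration:
        TargetValue: 1000.0
        PredefinedMetricSpecification:
          PredefinedMetricType: ALBRequestCountPerTarget
          ResourceLabel: !Sub ${PrebidAlb.LoadBalancerFullName}/${PrebidTargetGroup.TargetGroupFullName}
        ScaleInCooldown: 300
        ScaleOutCooldown: 60
```

With two target-tracking policies on one scalable target, Application Auto Scaling scales out when either policy asks for it and scales in only when both agree, so a CPU-light but request-heavy auction load still triggers scale-out. Changing the Spot ratio is a matter of adjusting the Weight values; the Base count is what protects availability while you experiment.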

Prebid Server container

This is a Docker container that runs the open source Prebid Server; its image is hosted in Amazon Elastic Container Registry (Amazon ECR). The container differs from the open source project's default container in configuration settings, including log output to the console and bidding adapter configuration.

Amazon EFS

The EFS file system is mounted and shared among all container instances in the ECS cluster. This file system is used for log capture (operational and metrics), and has the potential to be expanded to include shared configuration and storage related to more advertisement types (for example, video and mobile).

DataSync (EFS to S3)

DataSync is configured to periodically move rotated log files from each Prebid Server container's EFS location to an equivalent location in the DataSyncLogsBucket S3 bucket. After each file has been copied to S3 and verified, a clean-up Lambda function removes it from the EFS file system. Only the log file currently being written is therefore retained on EFS, until the Prebid Server process closes it, rotates it, and starts a new file; the rotated files are then migrated by DataSync. Runtime logs are rotated every 24 hours or when they reach 100 MB. Metrics logs are rotated every hour or when they reach 100 MB.
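The EFS-to-S3 transfer described above, as an added CloudFormation example that is not the solution's own template. It assumes resources named EfsFileSystem, EfsMountTargetSecurityGroup, PrivateSubnetA, DataSyncLogsBucket, DataSyncS3Role and DataSyncLogGroup exist in the same stack, and it assumes a file-naming convention (an active file ends in .log, a rotated file carries a further suffix); both the names and the convention are assumptions. The point it shows is the ordering the page relies on: DataSync skips files still being written and verifies every copy, and its options are set so that the later clean-up on EFS can never delete the S3 copy.

```yaml
# Added example, not the solution's own template. Assumed to exist elsewhere in the
# stack: EfsFileSystem, EfsMountTargetSecurityGroup, PrivateSubnetA,
# DataSyncLogsBucket, DataSyncS3Role, DataSyncLogGroup. The "*.log = still being
# written" naming convention is an assumption.
Resources:
  EfsSourceLocation:
    Type: AWS::DataSync::LocationEFS
    Properties:
      EfsFilesystemArn: !GetAtt EfsFileSystem.Arn
      Subdirectory: /prebid/logs
      InTransitEncryption: TLS1_2
      Ec2Config:
        # Security group must allow NFS (TCP 2049) to the EFS mount targets.
        SecurityGroupArns:
          - !Sub arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:security-group/${EfsMountTargetSecurityGroup}
        SubnetArn: !Sub arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:subnet/${PrivateSubnetA}

  S3DestinationLocation:
    Type: AWS::DataSync::LocationS3
    Properties:
      S3BucketArn: !GetAtt DataSyncLogsBucket.Arn
      Subdirectory: /prebid/logs
      S3StorageClass: STANDARD
      S3Config:
        BucketAccessRoleArn: !GetAtt DataSyncS3Role.Arn   # role scoped to this bucket only

  RotatedLogsTask:
    Type: AWS::DataSync::Task
    Properties:
      Name: prebid-rotated-logs-to-s3
      SourceLocationArn: !Ref EfsSourceLocation
      DestinationLocationArn: !Ref S3DestinationLocation
      CloudWatchLogGroupArn: !GetAtt DataSyncLogGroup.Arn
      # Skip files that are still being written (no rotation suffix yet).
      Excludes:
        - FilterType: SIMPLE_PATTERN
          Value: "*.log"
      Options:
        TransferMode: CHANGED                 # only new or changed files each run
        VerifyMode: ONLY_FILES_TRANSFERRED    # checksum every transferred file after the copy
        OverwriteMode: NEVER                  # an archived file in S3 is never clobbered
        PreserveDeletedFiles: PRESERVE        # deleting on EFS afterwards must not delete the S3 copy
        LogLevel: TRANSFER                    # per-file log lines for the clean-up step to check
      Schedule:
        ScheduleExpression: rate(1 hour)      # one hour is DataSync's minimum interval
```

PreserveDeletedFiles is the setting to get right: with REMOVE, the clean-up Lambda deleting a file from EFS would cause the next run to delete it from S3 as well, defeating the archive. Because the schedule cannot run more often than hourly and metrics logs rotate hourly, expect a metrics file to sit on EFS for up to roughly two hours after rotation before it is archived and removed.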

Glue ETL (Metrics processing)

AWS Glue is a serverless data integration service for discovering, preparing, moving, and integrating data from multiple sources for analytics, machine learning, and application development; it also provides tooling for authoring and running jobs and implementing data workflows. In this solution, the Glue job periodically processes new metrics log files in the DataSyncLogsBucket S3 bucket. The CSV-formatted metrics are transformed into several tables and partitioned. After ETL processing completes, the new data is available to clients through the AWS Glue Data Catalog.

AWS Glue Data Catalog

The AWS Glue Data Catalog gives clients access to the Prebid Server metrics data through Athena or other compatible clients, such as Amazon SageMaker AI, Amazon QuickSight, and JDBC clients. Clients can query and view the Prebid Server metrics data and generate graphs, summaries, or inferences using AI/ML.

Amazon CloudWatch

CloudWatch alarms monitor specific metrics in near real time and notify you when predefined conditions are met. This solution includes several CloudWatch alarms that help you monitor its health and performance. They are enabled automatically when the CloudFormation stack is deployed. For details, see the CloudWatch Alarms section.

Note

All resources are created in the single Region specified by the user, except CloudFront and AWS WAF. CloudFront is a global resource, and the AWS WAF web ACL is always created in the us-east-1 (N. Virginia) Region because a web ACL associated with a CloudFront distribution must have CloudFront scope, which is available only there.