AWS for Industries

How Storygize and Sharethrough are using AWS PrivateLink to reduce costs and increase revenue

In this blog, we will walk you through how Amazon Web Services (AWS) ad tech customers Storygize and Sharethrough used AWS PrivateLink, which establishes connectivity between virtual private clouds (VPCs) and AWS services without exposing data to the internet, to improve security, reduce networking costs, and increase revenue.

Storygize is a demand-side platform (DSP), which provides technology to automate the purchase of digital advertising for media buyers, and Sharethrough is a supply-side platform (SSP), which content owners use to manage and sell ad inventory. The Storygize platform connects with many ad inventory partners, like Sharethrough, processing and responding to ad opportunities in less than 100 ms, hundreds of thousands of times per second. Similarly, Sharethrough connects with content owners and platforms, like Storygize, to conduct auctions over two million times per second. Going forward, we will refer to DSP as a service owner-provider and SSP as a service consumer.

Many ad tech platforms communicate with partners over the internet through public IPs, potentially exposing key transactional infrastructure to online threats. Traditional approaches to private connectivity between partner networks are themselves fraught with challenges, including overlapping address spaces, service discovery, and network security hardening. Advertising platforms must also define their own end points and connect to their partners’ target end points in each region of operation, which often results in unbalanced or inefficient routing.

AWS identified AWS PrivateLink as an opportunity to address some of these challenges while reducing the cost of data transfer by 95 percent.

Increased security

AWS PrivateLink traffic doesn’t traverse the public internet and stays on the AWS network. Customers don’t require an internet gateway to connect over AWS PrivateLink, so customers can improve their security posture by creating private networks, reducing network exposure to outside threat vectors.

AWS PrivateLink service owners (DSPs) control the type of consumers (SSPs) who can access their service. Connectivity is only consumer-initiated, and consumers can solely access the service in the service owner’s VPC and not any other resource.
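The service-owner controls described above can be checked from the DSP side. The following is an added example, not code from the original post: it audits one endpoint service for auto-accepted connections, wildcard or unapproved principals, and an unverified private DNS name. The input dictionaries follow the shape of the EC2 DescribeVpcEndpointServiceConfigurations and DescribeVpcEndpointServicePermissions responses; the service ID, account IDs, and host name are constructed placeholders.

```python
def audit_endpoint_service(config, permissions, approved_accounts):
    """Return a list of findings for one PrivateLink endpoint service."""
    findings = []
    # Without acceptance, any allowed principal connects with no owner review.
    if not config.get("AcceptanceRequired", False):
        findings.append("connection requests are auto-accepted")
    for entry in permissions.get("AllowedPrincipals", []):
        principal = entry.get("Principal", "")
        if principal == "*":
            findings.append("any AWS principal may request a connection")
            continue
        # ARN layout: arn:partition:service:region:account-id:resource
        parts = principal.split(":")
        account = parts[4] if len(parts) > 5 else ""
        if account not in approved_accounts:
            findings.append(f"unapproved principal: {principal}")
    # A private DNS name only works for consumers once the TXT record is verified.
    dns_name = config.get("PrivateDnsName")
    if dns_name:
        state = config.get("PrivateDnsNameConfiguration", {}).get("State")
        if state != "verified":
            findings.append(f"private DNS name {dns_name} is {state}, not verified")
    return findings

# Constructed sample data (placeholder IDs, not real resources).
SAMPLE_CONFIG = {
    "ServiceId": "vpce-svc-0example0000000000",
    "AcceptanceRequired": False,
    "PrivateDnsName": "bid.dsp.example.com",
    "PrivateDnsNameConfiguration": {"State": "pendingVerification", "Type": "TXT"},
}
SAMPLE_PERMISSIONS = {"AllowedPrincipals": [
    {"PrincipalType": "Account", "Principal": "arn:aws:iam::111122223333:root"},
    {"PrincipalType": "All", "Principal": "*"},
    {"PrincipalType": "Account", "Principal": "arn:aws:iam::444455556666:root"},
]}
APPROVED_ACCOUNTS = {"111122223333"}  # hypothetical partner (SSP) account

if __name__ == "__main__":
    for finding in audit_endpoint_service(
            SAMPLE_CONFIG, SAMPLE_PERMISSIONS, APPROVED_ACCOUNTS):
        print("FINDING:", finding)
```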

Ease of use

AWS PrivateLink lets service owners expose their services to end consumers, who can privately and securely connect at scale. It also simplifies network management because service providers and consumers don’t have to manage classless interdomain routing (CIDR) ranges or configure complicated firewall rules, path definitions, and route tables. Service providers can expose their services using a private Domain Name System (DNS) of their choice. AWS PrivateLink facilitates connectivity across different accounts and Amazon Virtual Private Cloud (Amazon VPC), which gives you full control over your virtual networking environment, in the same region.

Reduced cost

As of April 2022, AWS PrivateLink service providers no longer pay for intraregion data transfers routed through the service. Upstream partners that use AWS PrivateLink pay only data processing fees, which are equivalent to intraregion data transfer rates and discounted at higher volumes. For more information, see the AWS PrivateLink pricing page.

Private network architecture

As mentioned above, the SSP of Sharethrough acts as a consumer, and the DSP of Storygize is a service provider. Below, see the reference architecture, which illustrates how ad traffic flows from the SSP to the DSP. You can download it here.

  1. When a reader accesses a webpage, an ad request is sent to the publisher ad server.
  2. The publisher ad server processes the request and sends it to the end point URL that is provided by the SSP to fill the ad impression. The elastic load balancer (ELB) on the SSP’s VPC forwards the request to the auction server, which sends out a bid request to the end point web address (URL) of participating DSPs.
  3. The SSP VPC does a DNS lookup with the VPC DNS or the private hosted zone and routes the request either through the interface end point or out to the internet.
  4. If the DSP is set up with AWS PrivateLink, the bid request is then routed to the end point elastic network interface (ENI) in the SSP’s private subnet. The request is then forwarded to the end point service on the DSP side.
  5. The end point service then routes the bid request to the associated network load balancer (NLB), which load balances the bid request to the bidder fleet. The bidder instance will process the request and return a bid response back to the SSP auction server. All the requests and responses are routed through the AWS backbone network.
  6. For DSPs to use a private host name for their end point URL, the DSP should verify the domain by creating a text record on their DNS. This architecture assumes that the DSP uses Amazon Route 53, a highly available and scalable DNS web service, for DNS.
  7. Both the SSP and the DSP can set up dashboards in Amazon CloudWatch—which collects and visualizes near-real-time logs, metrics, and event data—to gain visibility into active connections and bytes processed per end point.
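Step 3 is where a bid request ends up on either the private path or the public internet, so an SSP can verify that each DSP host name expected on AWS PrivateLink resolves to addresses inside the subnets that hold its interface end point. The following is an added example, not code from the original post; the host names, subnet CIDRs, and resolved addresses are constructed, and the resolver is injectable so the check runs offline.

```python
import ipaddress
import socket

def classify_bid_path(resolved_ips, endpoint_subnet_cidrs):
    """Classify where requests to a host name go, given its resolved IPs."""
    if not resolved_ips:
        return "unresolved"
    subnets = [ipaddress.ip_network(cidr) for cidr in endpoint_subnet_cidrs]
    private, other = [], []
    for ip in map(ipaddress.ip_address, resolved_ips):
        (private if any(ip in net for net in subnets) else other).append(ip)
    if private and not other:
        return "privatelink"
    if other and not private:
        return "internet"
    return "mixed"  # some answers bypass the interface end point

def resolve(hostname):
    """Resolve with the system resolver (the VPC resolver when run in the VPC)."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def path_drift(partners, endpoint_subnet_cidrs, resolver=resolve):
    """Return {hostname: path} for partners expected on PrivateLink that are not."""
    drift = {}
    for hostname, expect_private in partners.items():
        path = classify_bid_path(resolver(hostname), endpoint_subnet_cidrs)
        if expect_private and path != "privatelink":
            drift[hostname] = path
    return drift

# Constructed sample data: subnets holding the end point ENIs, partner table,
# and canned DNS answers standing in for the VPC resolver.
ENDPOINT_SUBNETS = ["10.0.8.0/24", "10.0.9.0/24"]
PARTNERS = {  # hostname -> is this partner expected to use PrivateLink?
    "bid.dsp-a.example.com": True,
    "bid.dsp-b.example.com": True,
    "bid.dsp-c.example.com": False,
}
FAKE_DNS = {
    "bid.dsp-a.example.com": ["10.0.8.17", "10.0.9.44"],
    "bid.dsp-b.example.com": ["203.0.113.10"],
    "bid.dsp-c.example.com": ["198.51.100.7"],
}

if __name__ == "__main__":
    print(path_drift(PARTNERS, ENDPOINT_SUBNETS, resolver=FAKE_DNS.__getitem__))
```

Run inside the SSP's VPC with the default resolver, a non-empty result means bid traffic for that partner is leaving over the internet instead of the interface end point.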

Results

Storygize and Sharethrough facilitated network connectivity using AWS PrivateLink. Below are the three key benefits:

  1. All traffic was routed securely between private subnets and over the AWS network backbone.
  2. Storygize reduced the cost of working with Sharethrough by 95 percent, only incurring the costs of operating an NLB.

“AWS PrivateLink was straightforward to set up and resulted in great cost savings. The cost savings resulted in Sharethrough being more competitive within our system.” —Eugene Yusim, vice president of engineering, Storygize

  3. From the SSP standpoint, Sharethrough observed a 15 percent growth in business revenue from Storygize. This was attributed to faster bid-request and response times due to the AWS PrivateLink network.

“AWS PrivateLink is a definite win for us, and we would like to use AWS PrivateLink for additional DSP partners in the future. We were able to reduce our data transfer cost along with a reduction in latency.” —Christopher Nguyen, ops and infra lead, Sharethrough

Conclusion

To facilitate monitoring the end points, Amazon CloudWatch metrics are available by default for all end points and services. If you encounter any issues during the configuration, please refer to the AWS PrivateLink documentation for DSPs and SSPs or reach out to AWS Support. See also the AWS PrivateLink for AdTech Solutions Guidance page.

Eugene Yusim

Eugene Yusim is the vice president of software engineering at Storygize, where he has over 15 years of experience in the AdTech industry. He is known for his ability to lead high-performing teams and has played a key role in driving innovation and growth at Storygize.

Christopher Nguyen

Christopher Nguyen is an engineering manager, DevOps, at Sharethrough. His core interests include data analytics, serverless, and container technologies. Chris is based in the Los Angeles, California, area and enjoys Brazilian jiujitsu and riding bikes with his family.

Akhil Aendapally

Akhil Aendapally is a senior solutions architect, specializing in advertising and marketing technologies with a primary focus on performance and cost optimization of high-throughput, low-latency ad platforms.

Sharik Pahwa

Sharik Pahwa is an AWS technical account manager, focused on helping customers in their AWS journey. He is a containers enthusiast with over 15 years of experience working with Linux and cloud platforms. Sharik is based in the San Francisco, California, area and enjoys short drives with his family.

Dan Smith

Dan Smith is a senior solutions specialist, focused on helping advertising platforms scale and operate more efficiently. Dan is based in the New York City area and enjoys great food, spending time with his family, and playing tennis.

Gene Ting

Gene Ting is a principal solutions architect at Amazon Web Services. He is focused on helping enterprise customers build and operate workloads securely on AWS. In his free time, Gene enjoys teaching kids technology and sports, as well as following the latest on cybersecurity.