Remote Configuration is in beta.
Overview
Remote Configuration is a Datadog capability that allows you to remotely configure the behavior of Datadog resources (for example, Agents, tracing libraries, and Observability Pipelines Worker) deployed in your infrastructure, for select product features. Use Remote Configuration to apply configurations to Datadog resources in your environment on demand, decreasing management costs, reducing friction between teams, and accelerating issue resolution times.
For Datadog security products, Application Security Management and Cloud Workload Security, Remote Configuration-enabled Agents and compatible tracing libraries provide real-time security updates and responses, enhancing security posture for your applications and cloud infrastructure.
How it works
Once you enable Remote Configuration on the Datadog Agent, it periodically polls the configured Datadog site to determine whether there are configuration changes to apply to your Remote Configuration-enabled Agents or tracing libraries.
After you submit configuration changes in the respective Datadog product UI for a Remote Configuration-enabled product feature, the changes are stored in Datadog.
The following diagram illustrates how Remote Configuration works:
- You configure select product features in the Datadog UI.
- The product feature configurations are securely stored within Datadog.
- Agents in your environments securely poll, receive, and automatically apply configuration updates from Datadog.
Note: Configuration changes applied through Remote Configuration are not shown in your Agent configuration file.
Product and feature capabilities
The following products and features are supported with Remote Config:
Application Security Management (ASM)
This feature is in beta.
- 1-click ASM activation: Enable ASM in 1-click from the Datadog UI.
- In-App attack patterns updates: Receive the newest Web Application Firewall (WAF) attack patterns automatically as Datadog releases them, following newly disclosed vulnerabilities or attack vectors.
- Protect: Block attackers’ IPs, authenticated users, and suspicious requests that are flagged in ASM Security Signals and Traces temporarily or permanently through the Datadog UI.
Application Performance Monitoring (APM)
This feature is in private beta.
- Remotely instrument your Kubernetes services with APM: Remotely instrument your services in Kubernetes with Datadog APM via Datadog Library Injection, and manage your deployments all within the Datadog UI. Available for Java, Node and Python applications.
- Remotely set Agent sampling rate: Remotely configure the Datadog Agent to change its trace sampling rates and set rules to scale your organization’s trace ingestion according to your needs, without needing to restart your Datadog Agent.
Dynamic Instrumentation
This feature is in private beta.
- Send critical metrics, traces, and logs from your live applications with no code changes.
Cloud Workload Security (CWS)
This feature is in private beta.
- Automatic default agent rule updates: Automatically receive and update the default Agent rules maintained by Datadog as new Agent detections and enhancements are released.
Observability Pipelines
This feature is in private beta.
- Remotely deploy and update Observability Pipelines Workers (OPW): Build and edit pipelines in the Datadog UI, rolling out your configuration changes to OPW instances running in your environment.
Security Considerations
Datadog implements the following safeguards, designed to protect the confidentiality, integrity, and availability of configurations received and applied to your Agents and tracing libraries:
- Agents deployed in your infrastructure request configurations from Datadog.
- Datadog never sends configurations unless requested by Agents, and only sends configurations relevant to the requesting Agent.
- Because the configuration requests are initiated from your Agents to Datadog over HTTPS (port 443), there is no need to open additional ports in your network firewall.
- The communication between your Agents and Datadog is encrypted using HTTPS, and is authenticated and authorized using your Datadog API key.
- Only users with the right RBAC permissions are authorized to enable Remote Configuration capability on the API key and use the supported product features.
- Your configuration changes submitted through the Datadog UI are signed and validated on the Agent and tracing libraries, verifying integrity of the configuration.
Enabling Remote Configuration
Prerequisites
- Datadog Agent version 7.41.1 (7.42.0 for APM sampling rate) or higher installed on your hosts or containers.
- For features that use tracing libraries, the following minimum versions of Datadog tracing libraries:

Product feature | Go | Java | .Net | NodeJS |
---|---|---|---|---|
Dynamic Instrumentation | | 1.5.0 | 2.22.0 | |
ASM Protect | 1.45.1 | 1.4.0 | 2.16.0 | 3.11.0 |
ASM 1-click activation | | 1.4.0 | 2.17.0 | 3.9.0 |
Setup
To activate Remote Configuration:
- Ensure your RBAC permissions include org_management, so you can enable Remote Configuration for your organization.
- Ensure your RBAC permissions include api_keys_write, so you can create a new API key with the Remote Configuration capability, or add the capability to an existing API key. Contact your organization’s Datadog administrator to update your permissions if you don’t have it. A key with this capability allows you to authenticate and authorize your Agent to use Remote Configuration.
- On the Remote Configuration page, enable Remote Configuration. This enables Datadog resources across your organization to receive configurations from Datadog.
- Select an existing API key or create a new API key, and enable the Remote Config capability on the key.
- Update your Agent configuration file:
Add the following to your configuration YAML file, specifying the API key that has Remote Config capability enabled:
api_key: xxx
remote_configuration:
  enabled: true
- Restart your Agent for the changes to take effect.
Alternatively, add the following environment variables to your Datadog Agent manifest, specifying the API key that has Remote Config capability enabled:
DD_API_KEY=xxx
DD_REMOTE_CONFIGURATION_ENABLED=true
After you perform these steps, your Agent requests its configuration from Datadog, and the features that use remote configuration are enabled.
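Because remotely applied changes are not shown in the Agent configuration file, it is useful to inventory which Agents are set up to accept them. The following is an added example, not Datadog code: it audits the two settings and the version prerequisites described above. The function names are hypothetical, and it assumes that the environment variable overrides the file and that an unset value means off.

```python
import re

MIN_AGENT = (7, 41, 1)            # minimum Agent version given in the prerequisites
MIN_AGENT_SAMPLING = (7, 42, 0)   # minimum for the APM sampling rate feature

def parse_version(text):
    """Turn '7.42.0' into (7, 42, 0); a suffix such as '-rc.1' is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Agent version: {text!r}")
    return tuple(int(part) for part in m.groups())

def yaml_remote_config_enabled(yaml_text):
    """Return remote_configuration.enabled from datadog.yaml text, or None if absent.
    Minimal block-style reader: 'enabled' only counts when indented under its parent."""
    in_block = False
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # a top-level key starts or ends the block
            in_block = line == "remote_configuration:"
            continue
        m = re.match(r"\s+enabled:\s*(\S+)", line)
        if in_block and m:
            return m.group(1).strip("\"'").lower() == "true"
    return None

def audit_agent(yaml_text, env, agent_version):
    """Report whether this Agent is set up to accept remotely delivered configuration."""
    from_env = env.get("DD_REMOTE_CONFIGURATION_ENABLED")
    if from_env is not None:                      # assumption: env var overrides the file
        enabled, source = from_env.strip().lower() == "true", "env"
    else:
        in_file = yaml_remote_config_enabled(yaml_text)
        # assumption: unset is treated as off, since the setup above turns it on explicitly
        enabled, source = bool(in_file), ("file" if in_file is not None else "unset")
    version = parse_version(agent_version)
    return {"enabled": enabled, "source": source,
            "meets_minimum": version >= MIN_AGENT,
            "sampling_capable": version >= MIN_AGENT_SAMPLING}

# Constructed sample inputs; "xxx" is the placeholder key used on this page.
GOOD_YAML = "api_key: xxx\nremote_configuration:\n  enabled: true\n"
FLAT_YAML = "api_key: xxx\nremote_configuration:\nenabled: true\n"   # indentation lost

if __name__ == "__main__":
    print(audit_agent(GOOD_YAML, {}, "7.41.1"))
    print(audit_agent(FLAT_YAML, {}, "7.42.0"))
    print(audit_agent(GOOD_YAML, {"DD_REMOTE_CONFIGURATION_ENABLED": "false"}, "7.42.0"))
```

The second sample shows a common copy-paste failure: with the indentation lost, `enabled` becomes an unrelated top-level key and the audit reports Remote Configuration as unset.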