Enabling AAP for Azure App Services

Docs > Plateforme de sécurité Datadog > Application Security Management > Enabling App and API Protection > Enabling AAP for Azure App Services

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Compatibility

Only web applications are supported. Azure Functions are not supported.

Note: Threat Protection through Remote Configuration is not supported. Use Workflows to block IPs in your WAF.

Type	OS	Threat Detection
Java	Windows, Linux
.NET	Windows, Linux
Node	Linux
Python	Linux
Ruby	Linux
PHP	Linux

Setup

Set application settings

To enable AAP on your application, begin by adding the following key-value pairs under Application Settings in your Azure configuration settings.

Azure App Service Configuration: the Application Settings, under the Configuration section of Settings in the Azure UI. Three settings are listed: DD_API_KEY, DD_SERVICE, and DD_START_APP.

DD_API_KEY is your Datadog API key.
DD_CUSTOM_METRICS_ENABLED (optional) enables custom metrics.
DD_SITE is the Datadog site parameter. Your site is . This value defaults to datadoghq.com.
DD_SERVICE is the service name used for this program. Defaults to the name field value in package.json.
DD_START_APP is the command used to start your application. For example, node ./bin/www (unnecessary for applications running in Tomcat).
DD_APPSEC_ENABLED value should be 1 in order to enable App and API Protection

Identifying your startup command

Linux Azure App Service Web Apps built using the code deployment option on built-in runtimes depend on a startup command that varies by language. The default values are outlined in Azure’s documentation. Examples are included below.

Set these values in the DD_START_APP environment variable. Examples below are for an application named datadog-demo, where relevant.

Runtime	`DD_START_APP` Example Value	Description
Node.js	`node ./bin/www`	Runs the Node PM2 configuration file, or your script file.
.NET Core	`dotnet datadog-demo.dll`	Runs a `.dll` file that uses your Web App name by default. Note: The `.dll` file name in the command should match the file name of your `.dll` file. In certain cases, this might not match your Web App.
PHP	`cp /home/site/wwwroot/default /etc/nginx/sites-available/default && service nginx reload`	Copies script to correct location and starts application.
Python	`gunicorn --bind=0.0.0.0 --timeout 600 quickstartproject.wsgi`	Custom startup script. This example shows a Gunicorn command for starting a Django app.
Java	`java -jar /home/site/wwwroot/datadog-demo.jar`	The command to start your app. This is not required for applications running in Tomcat.

Note: The application restarts when new settings are saved.

Set General Settings

Go to General settings and add the following to the Startup Command field:

curl -s https://raw.githubusercontent.com/DataDog/datadog-aas-linux/v1.4.0/datadog_wrapper | bash

Azure App Service Configuration: the Stack settings, under the Configuration section of Settings in the Azure UI. Underneath the stack, major version, and minor version fields is a 'Startup Command' field that is populated by the above curl command.

Download the datadog_wrapper file from the releases and upload it to your application with the Azure CLI command:

  az webapp deploy --resource-group <group-name> --name <app-name> --src-path <path-to-datadog-wrapper> --type=startup

Testing threat detection

To see App and API Protection threat detection in action, send known attack patterns to your application. For example, send a request with the user agent header set to dd-test-scanner-log to trigger a security scanner attack attempt:

curl -A 'dd-test-scanner-log' https://your-function-url/existing-route

A few minutes after you enable your application and exercise it, threat information appears in the Application Signals Explorer.