Enabling App and API Protection for Envoy

This product is not supported for your selected Datadog site. ().
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.
App and API Protection for Envoy is in Preview

To try the preview of App and API Protection for Envoy, use the following setup instructions.

You can enable App and API Protection for the Envoy proxy. The Datadog Envoy integration has support for threat detection and blocking.

Prerequisites

Enabling threat detection

Get started

The App and API Protection Envoy integration uses the Envoy external processing filter.

  1. Deploy a new container with the Datadog External Processor Docker image. The image is available on the Datadog GitHub Registry.

    This service is a gRPC server that Envoy communicates with to have requests and responses analyzed by App and API Protection.

    The Datadog External Processor exposes some settings:

    Environment variableDefault valueDescription
    DD_SERVICE_EXTENSION_HOST0.0.0.0gRPC server listening address.
    DD_SERVICE_EXTENSION_PORT443gRPC server port.
    DD_SERVICE_EXTENSION_HEALTHCHECK_PORT80HTTP server port for health checks.
    DD_APPSEC_BODY_PARSING_SIZE_LIMIT0Maximum size of the bodies to be processed in bytes. If set to 0, the bodies are not processed. The recommended value is 10000000 (10MB). (To fully enable body processing, the allow_mode_override option should also be set in the External Processing filter configuration)
    DD_SERVICE_EXTENSION_OBSERVABILITY_MODEfalseEnable asynchronous analysis. This also disables blocking capabilities. (To fully enable observability mode, this option should also be set in the External Processing filter configuration)
    DD_SERVICEserviceextensionsService name shown in the Datadog UI.

    Configure the Datadog Agent to receive traces from the external processor using the following environment variables:

    Environment variableDefault valueDescription
    DD_AGENT_HOSTlocalhostHostname or IP of your Datadog Agent.
    DD_TRACE_AGENT_PORT8126Port of the Datadog Agent for trace collection.

  2. Update your Envoy configuration to add the external processing filter to your http_filters list, and define the corresponding gRPC cluster in your clusters section. For example:

    Http filters section

    http_filters:
  # This filter should be the first filter in the filter chain
  - name: envoy.filters.http.ext_proc
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.http.ext_proc.v3.ExternalProcessor
      grpc_service:
        envoy_grpc:
          cluster_name: datadog_aap_ext_proc_cluster

        ## Mandatory: Correctly show the service as an Envoy proxy in the UI.
        initial_metadata:
          - key: x-datadog-envoy-integration
            value: '1'

        ## A timeout configuration for the grpc connection exist but is not useful in our case.
        ## This timeout is for all the request lifetime. A timeout on the route is preferred.
        #timeout: 0s

      ## Optional: Enable fail open mode. Default is false.
      ## Normally, if the external processor fails or times out, the filter fails and Envoy
      ## returns a 5xx error to the downstream client. Setting this to true allows requests
      ## to continue without error if a failure occurs.
      failure_mode_allow: true # It won't cause 5xx error if an error occurs.

      ## Mandatory: Only enable the request and response header modes.
      ## If you want to enable body processing, please see the section below.
      processing_mode:
        request_header_mode: SEND
        response_header_mode: SEND

      ## Optional for headers analysis only but **mandatory** for body processing.
      ## The external processor can dynamically override the processing mode as needed instructing
      ## Envoy to forward request and response bodies to the external processor. Body processing is
      ## enabled when DD_APPSEC_BODY_PARSING_SIZE_LIMIT is set on the external processor container.
      allow_mode_override: true

      ## Optional: Set a timeout by processing message. Default is 200ms.
      ## There is a maxium of 2 messages per requests with headers only and 4 messages maximum
      ## with body processing enabled.
      ## Note: This timeout also includes the data communication between Envoy and the external processor.
      ## Optional: When the body processing is enabled, the timeout should be adjusted to accommodate
      ## the additional possible processing time. Larger payloads will require a longer timeout. 
      #message_timeout: 200ms

      ## Optional: Enable asynchronous mode analysis. Default is false.
      ## This mode will disable all blocking capabilities. The external processor should also be
      ## configured with the DD_SERVICE_EXTENSION_OBSERVABILITY_MODE environment variable.
      ## Beware, there is no flow control implemented in Envoy
      ## (cf https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto#envoy-v3-api-field-extensions-filters-http-ext-proc-v3-externalprocessor-observability-mode)
      #observability_mode: true
      ## Optional: When in asynchronous mode, the message_timeout is not used. This deferred
      ## timeout starts when the http request is finished, to let the External Processor
      ## process all processing messages. Default is 5s.
      #deferred_close_timeout: 5s

  # ... other filters

    Clusters section

    clusters:
    # ... other clusters
    - name: datadog_aap_ext_proc_cluster
      type: STRICT_DNS
      lb_policy: ROUND_ROBIN
      http2_protocol_options: {}
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
          sni: "localhost"
      load_assignment:
        cluster_name: datadog_aap_ext_proc_cluster
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: 12.0.0.1 # Replace with the host address of the Datadog External Processor docker image (configured in the next step)
                      port_value: 443

    Note: Please read the provided example configuration carefully and adapt it to match your infrastructure and environment. You can find more configuration options available in the Envoy external processor documentation.

  3. Validation.

    Une fois cette configuration terminée, la bibliothèque recueille des données de sécurité à partir de votre application et les envoie à l’Agent, qui les transmet à son tour à Datadog. Les règles de détection prêtes à l’emploi signalent alors les attaques et les problèmes potentiels de configuration, afin que vous puissiez agir en conséquence.

  4. Pour tester la détection des menaces Application Security Management, envoyez des patterns d’attaque connus à votre application. Par exemple, exécutez un fichier contenant le script curl suivant afin de déclencher la règle de détection de scanner de sécurité :

    for ((i=1;i<=250;i++)); 
    do
    # Target existing service’s routes
    curl https://your-application-url/existing-route -A dd-test-scanner-log;
    # Target non existing service’s routes
    curl https://your-application-url/non-existing-route -A dd-test-scanner-log;
    done

    Remarque : la plupart des versions récentes prennent en charge la valeur dd-test-scanner-log.

    Quelques minutes après avoir activé votre application et envoyé les patterns d’attaque, des informations sur les menaces s’affichent dans l’Application Signals Explorer. Des informations sur les vulnérabilités apparaissent également dans le Vulnerability Explorer.

Datadog Go Tracer and Envoy integration

The External Processor is built on top of the Datadog Go Tracer and inherits all of its environment variables. See Configuring the Go Tracing Library and App and API Protection Library Configuration.

Note: As the Datadog External Processor is built on top of the Datadog Go Tracer, it generally follows the same release process as the tracer, and its Docker images are tagged with the corresponding tracer version (for example, v2.2.2). In some cases, early release versions might be published between official tracer releases, and these images are tagged with a suffix such as -docker.1.

Limitations

The Envoy integration has the following limitations:

  • Inspection of request and response bodies is supported when using the Datadog External Processor image version v2.2.2 or later.

For additional details on the Envoy integration compatibilities, refer to the Envoy integration compatibility page.

Further Reading

Documentation, liens et articles supplémentaires utiles:

Envoy integration's source codeSOURCE CODE more more OOTB App and API Protection RulesDOCUMENTATION more more Troubleshooting App and API ProtectionDOCUMENTATION more more