このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
ASM for Envoy is in Preview
To try the preview of ASM for Envoy, follow the setup instructions below.
You can enable application security for the Envoy proxy. The Datadog Envoy integration has support for threat detection and blocking.
Prerequisites
Enabling threat detection
Get started
The ASM Envoy integration uses the Envoy external processing filter.
Configure Envoy to use the external processing filter.
For example:
http_filters:
# ... other filters
- name: envoy.filters.http.ext_proc
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.ext_proc.v3.ExternalProcessor
config:
grpc_service:
envoy_grpc:
cluster_name: datadog_ext_proc_cluster
timeout: 1s
clusters:
# ... other clusters
- name: datadog_ext_proc_cluster
type: STRICT_DNS
lb_policy: ROUND_ROBIN
http2_protocol_options: {}
transport_socket:
name: envoy.transport_sockets.tls
typed_config:
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
load_assignment:
cluster_name: datadog_ext_proc_cluster
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: Your Datadog image host from step 2
port_value: 443
Note: you need to replace Your Datadog image host from step 2 in the above example with the host where the Datadog Envoy docker image is running. You will configure this host next.
You can find more configuration options available in the Envoy external processor documentation.
Run a new container with the Datadog Envoy Docker image. The image is available on the Datadog GitHub Registry.
The Docker image exposes some settings specifically for the Envoy integration:
| Environment variable | Default value | Description |
|---|
DD_SERVICE_EXTENSION_HOST | 0.0.0.0 | gRPC server listening address. |
DD_SERVICE_EXTENSION_PORT | 443 | gRPC server port. |
DD_SERVICE_EXTENSION_HEALTHCHECK_PORT | 80 | HTTP server port for health checks. |
Configure the Datadog Agent to receive traces from the integration using the following environment variables:
| Environment variable | Default value | Description |
|---|
DD_AGENT_HOST | localhost | Hostname where your Datadog Agent is running. |
DD_TRACE_AGENT_PORT | 8126 | Port of the Datadog Agent for trace collection. |
この構成が完了すると、ライブラリは、アプリケーションからセキュリティデータを収集し、Agent に送信します。Agent は、そのデータを Datadog に送信し、すぐに使える検出ルールによって、攻撃者のテクニックや潜在的な誤構成にフラグが立てられるため、是正措置を講じることができます。
Application Security Management の脅威検出の動作を見るには、既知の攻撃パターンをアプリケーションに送信してください。例えば、次の curl スクリプトを含むファイルを実行して、Security Scanner Detected ルールをトリガーします。
for ((i=1;i<=250;i++));
do
# Target existing service’s routes
curl https://your-application-url/existing-route -A dd-test-scanner-log;
# Target non existing service’s routes
curl https://your-application-url/non-existing-route -A dd-test-scanner-log;
done
注: dd-test-scanner-log の値は、最新のリリースでサポートされています。
アプリケーションを有効にして実行すると、数分後に Application Signals Explorer に脅威情報が表示され、Vulnerability Explorer に脆弱性情報が表示されます**。
Datadog Go Tracer and Envoy integration
Note: The ASM Envoy integration is built on top of the Datadog Go Tracer. It follows the same release process as the tracer, and its Docker images are tagged with the corresponding tracer version.
The Envoy integration uses the Datadog Go Tracer and inherits all environment variables from the tracer. You can find more information in Configuring the Go Tracing Library and ASM Library Configuration.
Limitations
The available functionality for Envoy version 1.71.0 has the following important limitations:
- The request body is not inspected, regardless of its content type.
Further Reading
