Enabling AAP for Serverless

AWS Lambda
Google Cloud Run
Azure App Service

See compatibility requirements for information about what AAP features are available for serverless functions.

AWS Lambda

Configuring AAP for AWS Lambda involves:

  1. Identifying functions that are vulnerable or are under attack, which would most benefit from AAP. Find them on the Security tab of your Software Catalog.
  2. Setting up AAP instrumentation by using the Datadog CLI, AWS CDK, Datadog Serverless Framework plugin, or manually by using the Datadog tracing layers.
  3. Triggering security signals in your application and seeing how Datadog displays the resulting information.

Prerequisites

  • Serverless APM Tracing is setup on the Lambda function to send traces directly to Datadog. X-Ray tracing, by itself, is not sufficient for AAP and requires APM Tracing to be enabled.

Get started

    The Datadog Serverless Framework plugin can be used to automatically configure and deploy your lambda with AAP.

    To install and configure the Datadog Serverless Framework plugin:

    1. Install the Datadog Serverless Framework plugin:

      serverless plugin install --name serverless-plugin-datadog

    2. Enable AAP by updating your serverless.yml with the enableASM configuration parameter:

      custom:
  datadog:
    enableASM: true

      Overall, your new serverless.yml file should contain at least:

      custom:
  datadog:
    apiKeySecretArn: "{Datadog_API_Key_Secret_ARN}" # or apiKey
    enableDDTracing: true
    enableASM: true

      See also the complete list of plugin parameters to further configure your lambda settings.

    3. Redeploy the function and invoke it. After a few minutes, it appears in AAP views.

    The Datadog CLI modifies existing Lambda function configurations to enable instrumentation without requiring a new deployment. It is the quickest way to get started with Datadog’s serverless monitoring.

    If you are configuring initial tracing for your functions, perform the following steps:

    1. Install the Datadog CLI client:

      npm install -g @datadog/datadog-ci

    2. If you are new to Datadog serverless monitoring, launch the Datadog CLI in interactive mode to guide your first installation for a quick start, and you can ignore the remaining steps. To permanently install Datadog for your production applications, skip this step and follow the remaining ones to run the Datadog CLI command in your CI/CD pipelines after your normal deployment.

      datadog-ci lambda instrument -i --appsec

    3. Configure the AWS credentials:

      Datadog CLI requires access to the AWS Lambda service, and depends on the AWS JavaScript SDK to resolve the credentials. Ensure your AWS credentials are configured using the same method you would use when invoking the AWS CLI.

    4. Configure the Datadog site:

      export DATADOG_SITE="<DATADOG_SITE>"

      Replace <DATADOG_SITE> with (ensure the correct Datadog site is selected on the right-hand side of this page).

    5. Configure the Datadog API key:

      Datadog recommends saving the Datadog API key in AWS Secrets Manager for security. The key needs to be stored as a plaintext string (not a JSON blob). Ensure your Lambda functions have the required secretsmanager:GetSecretValue IAM permission.

      export DATADOG_API_KEY_SECRET_ARN="<DATADOG_API_KEY_SECRET_ARN>"

      For testing purposes, you can also set the Datadog API key in plaintext:

      export DATADOG_API_KEY="<DATADOG_API_KEY>"

    6. Instrument your Lambda functions:

      To instrument your Lambda functions, run the following command.

      datadog-ci lambda instrument --appsec -f <functionname> -f <another_functionname> -r <aws_region> -v 108 -e 78

      To fill in the placeholders:

      • Replace <functionname> and <another_functionname> with your Lambda function names.
      • Alternatively, you can use --functions-regex to automatically instrument multiple functions whose names match the given regular expression.
      • Replace <aws_region> with the AWS region name.

      Note: Instrument your Lambda functions in a development or staging environment first. If the instrumentation result is unsatisfactory, run uninstrument with the same arguments to revert the changes.

      Additional parameters can be found in the CLI documentation.

    The Datadog CDK Construct automatically installs Datadog on your functions using Lambda Layers, and configures your functions to send metrics, traces, and logs to Datadog through the Datadog Lambda Extension.

    1. Install the Datadog CDK constructs library:

      # For AWS CDK v1
pip install datadog-cdk-constructs

# For AWS CDK v2
pip install datadog-cdk-constructs-v2

    2. Instrument your Lambda functions

      # For AWS CDK v1
from datadog_cdk_constructs import Datadog
# NOT SUPPORTED IN V1

# For AWS CDK v2
from datadog_cdk_constructs_v2 import Datadog

datadog = Datadog(self, "Datadog",
    python_layer_version=108,
    extension_layer_version=78,
    site="<DATADOG_SITE>",
    api_key_secret_arn="<DATADOG_API_KEY_SECRET_ARN>", // or api_key
    enable_asm=True,
  )
datadog.add_lambda_functions([<LAMBDA_FUNCTIONS>])

      To fill in the placeholders:

      • Replace <DATADOG_SITE> with (ensure the correct SITE is selected on the right).
      • Replace <DATADOG_API_KEY_SECRET_ARN> with the ARN of the AWS secret where your Datadog API key is securely stored. The key needs to be stored as a plaintext string (not a JSON blob). The secretsmanager:GetSecretValue permission is required. For quick testing, you can use apiKey instead and set the Datadog API key in plaintext.

      More information and additional parameters can be found on the Datadog CDK documentation.

    1. Install the Datadog tracer:

      • Python

        # Use this format for x86-based Lambda deployed in AWS commercial regions
   arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-<RUNTIME>:108

   # Use this format for arm64-based Lambda deployed in AWS commercial regions
   arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-<RUNTIME>-ARM:108

   # Use this format for x86-based Lambda deployed in AWS GovCloud regions
   arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-<RUNTIME>:108

   # Use this format for arm64-based Lambda deployed in AWS GovCloud regions
   arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-<RUNTIME>-ARM:72
   ```
   Replace `<AWS_REGION>` with a valid AWS region, such as `us-east-1`. The available `RUNTIME` options are `Python37`, `Python38` and `Python39`.

      • Node

        # Use this format for AWS commercial regions
  arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-<RUNTIME>:121

  # Use this format for AWS GovCloud regions
  arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-<RUNTIME>:121
  ```
  Replace `<AWS_REGION>` with a valid AWS region such as `us-east-1`. The available RUNTIME options are `Node18-x`, `Node20-x`, `Node22-x`.

      • Java: Configure the layers for your Lambda function using the ARN in one of the following formats, depending on where your Lambda is deployed. Replace <AWS_REGION> with a valid AWS region such as us-east-1:

        # In AWS commercial regions
arn:aws:lambda:<AWS_REGION>:464622532012:layer:dd-trace-java:21
# In AWS GovCloud regions
arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:dd-trace-java:21

      • Go: The Go tracer doesn’t rely on a layer and is a regular Go module. You can upgrade to its latest version with:

        go get -u github.com/DataDog/datadog-lambda-go

      • .NET: Configure the layers for your Lambda function using the ARN in one of the following formats, depending on where your Lambda is deployed. Replace <AWS_REGION> with a valid AWS region such as us-east-1:

        # x86-based Lambda in AWS commercial regions
arn:aws:lambda:<AWS_REGION>:464622532012:layer:dd-trace-dotnet:20
# arm64-based Lambda in AWS commercial regions
arn:aws:lambda:<AWS_REGION>:464622532012:layer:dd-trace-dotnet-ARM:20
# x86-based Lambda in AWS GovCloud regions
arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:dd-trace-dotnet:20
# arm64-based Lambda  in AWS GovCloud regions
arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:dd-trace-dotnet-ARM:20
    2. Install the Datadog Lambda Extension by configuring the layers for your Lambda function using the ARN in one of the following formats. Replace <AWS_REGION> with a valid AWS region such as us-east-1:
      # x86-based Lambda in AWS commercial regions
arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-Extension:78
# arm64-based Lambda in AWS commercial regions
arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-Extension-ARM:78
# x86-based Lambda in AWS GovCloud regions
arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-Extension:78
# arm64-based Lambda in AWS GovCloud regions
arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-Extension-ARM:78

    1. Install the Datadog tracer:
      • Python
        # Use this format for x86-based Lambda deployed in AWS commercial regions
   arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-<RUNTIME>:108

   # Use this format for arm64-based Lambda deployed in AWS commercial regions
   arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-<RUNTIME>-ARM:108

   # Use this format for x86-based Lambda deployed in AWS GovCloud regions
   arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-<RUNTIME>:108

   # Use this format for arm64-based Lambda deployed in AWS GovCloud regions
   arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-<RUNTIME>-ARM:108
   ```
   Replace `<AWS_REGION>` with a valid AWS region, such as `us-east-1`. The available `RUNTIME` options are `Python38`, `Python39`, `Python310`, `Python311`, `Python312`, `Python313`

    .

    • Node

      # Use this format for AWS commercial regions
  arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-<RUNTIME>:121

  # Use this format for AWS GovCloud regions
  arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-<RUNTIME>:121
  ```
  Replace `<AWS_REGION>` with a valid AWS region such as `us-east-1`. The available RUNTIME options are `Node18-x`, `Node20-x`, `Node22-x`.

    • Java: Configure the layers for your Lambda function using the ARN in one of the following formats, depending on where your Lambda is deployed. Replace <AWS_REGION> with a valid AWS region such as us-east-1:

      # In AWS commercial regions
arn:aws:lambda:<AWS_REGION>:417141415827:layer:dd-trace-java:21
# In AWS GovCloud regions
arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:dd-trace-java:21

    • Go: The Go tracer doesn’t rely on a layer and is a regular Go module. You can upgrade to its latest version with:

      go get -u github.com/DataDog/datadog-lambda-go

    • .NET: Configure the layers for your Lambda function using the ARN in one of the following formats, depending on where your Lambda is deployed. Replace <AWS_REGION> with a valid AWS region such as us-east-1:

      # x86-based Lambda in AWS commercial regions
arn:aws:lambda:<AWS_REGION>:417141415827:layer:dd-trace-dotnet:20
# arm64-based Lambda in AWS commercial regions
arn:aws:lambda:<AWS_REGION>:417141415827:layer:dd-trace-dotnet-ARM:20
# x86-based Lambda in AWS GovCloud regions
arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:dd-trace-dotnet:20
# arm64-based Lambda  in AWS GovCloud regions
arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:dd-trace-dotnet-ARM:20

    1. Install the Datadog Lambda Extension by configuring the layers for your Lambda function using the ARN in one of the following formats. Replace <AWS_REGION> with a valid AWS region such as us-east-1:

      # x86-based Lambda in AWS commercial regions
arn:aws:lambda:<AWS_REGION>:417141415827:layer:Datadog-Extension:78
# arm64-based Lambda in AWS commercial regions
arn:aws:lambda:<AWS_REGION>:417141415827:layer:Datadog-Extension-ARM:78
# x86-based Lambda in AWS GovCloud regions
arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-Extension:78
# arm64-based Lambda in AWS GovCloud regions
arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-Extension-ARM:78

    1. Enable AAP by adding the following environment variables on your function deployment:

      environment:
  AWS_LAMBDA_EXEC_WRAPPER: /opt/datadog_wrapper
  DD_SERVERLESS_APPSEC_ENABLED: true

    2. For Node and Python functions only, double-check that the function’s handler is set correctly:

      • Node: Set your function’s handler to /opt/nodejs/node_modules/datadog-lambda-js/handler.handler.
        • Also, set the environment variable DD_LAMBDA_HANDLER to your original handler, for example, myfunc.handler.
      • Python: Set your function’s handler to datadog_lambda.handler.handler.
        • Also, set the environment variable DD_LAMBDA_HANDLER to your original handler, for example, myfunc.handler.

    3. Redeploy the function and invoke it. After a few minutes, it appears in AAP views.

    Google Cloud Run

    AAP support for Google Cloud Run is in Preview.

    How serverless-init works

    The serverless-init application wraps your process and executes it as a subprocess. It starts a DogStatsD listener for metrics and a Trace Agent listener for traces. It collects logs by wrapping the stdout/stderr streams of your application. After bootstrapping, serverless-init then launches your command as a subprocess.

    To get full instrumentation, ensure you are calling datadog-init as the first command that runs inside your Docker container. You can do this by setting it as the entrypoint, or by setting it as the first argument in CMD.

    Get started

      Add the following instructions and arguments to your Dockerfile.

      COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init
RUN npm install --prefix /dd_tracer/node dd-trace --save
ENV DD_SERVICE=datadog-demo-run-nodejs
ENV DD_ENV=datadog-demo
ENV DD_VERSION=1
ENV DD_APPSEC_ENABLED=1
ENTRYPOINT ["/app/datadog-init"]
CMD ["/nodejs/bin/node", "/path/to/your/app.js"]

      Explanation

      1. Copy the Datadog serverless-init into your Docker image.

        COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init

      2. Copy the Datadog Node.JS tracer into your Docker image.

        RUN npm install --prefix /dd_tracer/node dd-trace --save

        If you install the Datadog tracer library directly in your application, as outlined in the manual tracer instrumentation instructions, omit this step.

      3. (Optional) Add Datadog tags.

        ENV DD_SERVICE=datadog-demo-run-nodejs
ENV DD_ENV=datadog-demo
ENV DD_VERSION=1
ENV DD_APPSEC_ENABLED=1

      4. Change the entrypoint to wrap your application in the Datadog serverless-init process. Note: If you already have an entrypoint defined inside your Dockerfile, see the alternative configuration.

        ENTRYPOINT ["/app/datadog-init"]

      5. Execute your binary application wrapped in the entrypoint. Adapt this line to your needs.

        CMD ["/nodejs/bin/node", "/path/to/your/app.js"]

      Alternative configuration

      If you already have an entrypoint defined inside your Dockerfile, you can instead modify the CMD argument.

      COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init
RUN npm install --prefix /dd_tracer/node dd-trace --save
ENV DD_SERVICE=datadog-demo-run-nodejs
ENV DD_ENV=datadog-demo
ENV DD_VERSION=1
ENV DD_APPSEC_ENABLED=1
CMD ["/app/datadog-init", "/nodejs/bin/node", "/path/to/your/app.js"]

      If you require your entrypoint to be instrumented as well, you can swap your entrypoint and CMD arguments instead. For more information, see How serverless-init works.

      COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init
RUN npm install --prefix /dd_tracer/node dd-trace --save
ENV DD_SERVICE=datadog-demo-run-nodejs
ENV DD_ENV=datadog-demo
ENV DD_VERSION=1
ENV DD_APPSEC_ENABLED=1
ENTRYPOINT ["/app/datadog-init"]
CMD ["/your_entrypoint.sh", "/nodejs/bin/node", "/path/to/your/app.js"]

      As long as your command to run is passed as an argument to datadog-init, you will receive full instrumentation.

      Add the following instructions and arguments to your Dockerfile.

      COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init
RUN pip install --target /dd_tracer/python/ ddtrace
ENV DD_SERVICE=datadog-demo-run-python
ENV DD_ENV=datadog-demo
ENV DD_VERSION=1
ENV DD_APPSEC_ENABLED=1
ENTRYPOINT ["/app/datadog-init"]
CMD ["/dd_tracer/python/bin/ddtrace-run", "python", "app.py"]

      Explanation

      1. Copy the Datadog serverless-init into your Docker image.

        COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init

      2. Install the Datadog Python tracer.

        RUN pip install --target /dd_tracer/python/ ddtrace

        If you install the Datadog tracer library directly in your application, as outlined in the manual tracer instrumentation instructions, omit this step.

      3. (Optional) Add Datadog tags.

        ENV DD_SERVICE=datadog-demo-run-python
ENV DD_ENV=datadog-demo
ENV DD_VERSION=1
ENV DD_APPSEC_ENABLED=1

      4. Change the entrypoint to wrap your application in the Datadog serverless-init process. Note: If you already have an entrypoint defined inside your Dockerfile, see the alternative configuration.

        ENTRYPOINT ["/app/datadog-init"]

      5. Execute your binary application wrapped in the entrypoint, launched by the Datadog trace library. Adapt this line to your needs.

        CMD ["/dd_tracer/python/bin/ddtrace-run", "python", "app.py"]

      Alternative configuration

      If you already have an entrypoint defined inside your Dockerfile, you can instead modify the CMD argument.

      COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init
RUN pip install --target /dd_tracer/python/ ddtrace
ENV DD_SERVICE=datadog-demo-run-python
ENV DD_ENV=datadog-demo
ENV DD_VERSION=1
ENV DD_APPSEC_ENABLED=1
CMD ["/app/datadog-init", "/dd_tracer/python/bin/ddtrace-run", "python", "app.py"]

      If you require your entrypoint to be instrumented as well, you can swap your entrypoint and CMD arguments instead. For more information, see How serverless-init works.

      COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init
RUN pip install --target /dd_tracer/python/ ddtrace
ENV DD_SERVICE=datadog-demo-run-python
ENV DD_ENV=datadog-demo
ENV DD_VERSION=1
ENV DD_APPSEC_ENABLED=1
ENTRYPOINT ["/app/datadog-init"]
CMD ["your_entrypoint.sh", "/dd_tracer/python/bin/ddtrace-run", "python", "app.py"]

      As long as your command to run is passed as an argument to datadog-init, you will receive full instrumentation.

      Add the following instructions and arguments to your Dockerfile.

      COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init
ADD 'https://dtdg.co/latest-java-tracer' /dd_tracer/java/dd-java-agent.jar
ENV DD_SERVICE=datadog-demo-run-java
ENV DD_ENV=datadog-demo
ENV DD_VERSION=1
ENV DD_APPSEC_ENABLED=1
ENTRYPOINT ["/app/datadog-init"]
CMD ["./mvnw", "spring-boot:run"]

      Explanation

      1. Copy the Datadog serverless-init into your Docker image.

        COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init

      2. Add the Datadog Java tracer to your Docker image.

        ADD 'https://dtdg.co/latest-java-tracer' /dd_tracer/java/dd-java-agent.jar

        If you install the Datadog tracer library directly in your application, as outlined in the manual tracer instrumentation instructions, omit this step.

      3. (Optional) Add Datadog tags.

        ENV DD_SERVICE=datadog-demo-run-java
ENV DD_ENV=datadog-demo
ENV DD_VERSION=1
ENV DD_APPSEC_ENABLED=1

      4. Change the entrypoint to wrap your application in the Datadog serverless-init process. Note: If you already have an entrypoint defined inside your Dockerfile, see the alternative configuration.

        ENTRYPOINT ["/app/datadog-init"]

      5. Execute your binary application wrapped in the entrypoint. Adapt this line to your needs.

        CMD ["./mvnw", "spring-boot:run"]

      Alternative configuration

      If you already have an entrypoint defined inside your Dockerfile, you can instead modify the CMD argument.

      COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init
ADD 'https://dtdg.co/latest-java-tracer' /dd_tracer/java/dd-java-agent.jar
ENV DD_SERVICE=datadog-demo-run-java
ENV DD_ENV=datadog-demo
ENV DD_VERSION=1
ENV DD_APPSEC_ENABLED=1
CMD ["/app/datadog-init", "./mvnw", "spring-boot:run"]

      If you require your entrypoint to be instrumented as well, you can swap your entrypoint and CMD arguments instead. For more information, see How serverless-init works.

      COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init
ADD 'https://dtdg.co/latest-java-tracer' /dd_tracer/java/dd-java-agent.jar
ENV DD_SERVICE=datadog-demo-run-java
ENV DD_ENV=datadog-demo
ENV DD_VERSION=1
ENV DD_APPSEC_ENABLED=1
ENTRYPOINT ["/app/datadog-init"]
CMD ["your_entrypoint.sh", "./mvnw", "spring-boot:run"]

      As long as your command to run is passed as an argument to datadog-init, you will receive full instrumentation.

      Manually install the Go tracer before you deploy your application. Compile your go binary with the “appsec” tag enabled (go build --tags "appsec" ...). Add the following instructions and arguments to your Dockerfile:

      COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init
ENTRYPOINT ["/app/datadog-init"]
ENV DD_SERVICE=datadog-demo-run-go
ENV DD_ENV=datadog-demo
ENV DD_VERSION=1
ENV DD_APPSEC_ENABLED=1

      Explanation

      1. Copy the Datadog serverless-init into your Docker image.

        COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init

      2. Change the entrypoint to wrap your application in the Datadog serverless-init process. Note: If you already have an entrypoint defined inside your Dockerfile, see the alternative configuration.

        ENTRYPOINT ["/app/datadog-init"]

      3. (Optional) Add Datadog tags.

        ENV DD_SERVICE=datadog-demo-run-go
ENV DD_ENV=datadog-demo
ENV DD_VERSION=1
ENV DD_APPSEC_ENABLED=1

      4. Execute your binary application wrapped in the entrypoint. Adapt this line to your needs.

        CMD ["/path/to/your-go-binary"]

      Alternative configuration

      If you already have an entrypoint defined inside your Dockerfile, you can instead modify the CMD argument.

      COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init
ENV DD_SERVICE=datadog-demo-run-go
ENV DD_ENV=datadog-demo
ENV DD_VERSION=1
ENV DD_APPSEC_ENABLED=1
CMD ["/app/datadog-init", "/path/to/your-go-binary"]

      If you require your entrypoint to be instrumented as well, you can swap your entrypoint and CMD arguments instead. For more information, see How serverless-init works.

      COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init
ENV DD_SERVICE=datadog-demo-run-go
ENV DD_ENV=datadog-demo
ENV DD_VERSION=1
ENV DD_APPSEC_ENABLED=1
ENTRYPOINT ["/app/datadog-init"]
CMD ["your_entrypoint.sh", "/path/to/your-go-binary"]

      As long as your command to run is passed as an argument to datadog-init, you will receive full instrumentation.

      Add the following instructions and arguments to your Dockerfile.

      COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init
# For arm64 use datadog-dotnet-apm-2.57.0.arm64.tar.gz
# For alpine use datadog-dotnet-apm-2.57.0-musl.tar.gz
ARG TRACER_VERSION
ADD https://github.com/DataDog/dd-trace-dotnet/releases/download/v${TRACER_VERSION}/datadog-dotnet-apm-${TRACER_VERSION}.tar.gz /tmp/datadog-dotnet-apm.tar.gz
RUN mkdir -p /dd_tracer/dotnet/ && tar -xzvf /tmp/datadog-dotnet-apm.tar.gz -C /dd_tracer/dotnet/ && rm /tmp/datadog-dotnet-apm.tar.gz
ENV DD_SERVICE=datadog-demo-run-dotnet
ENV DD_ENV=datadog-demo
ENV DD_VERSION=1
ENV DD_APPSEC_ENABLED=1
ENTRYPOINT ["/app/datadog-init"]
CMD ["dotnet", "helloworld.dll"]

      Explanation

      1. Copy the Datadog serverless-init into your Docker image.

        COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init

      2. Copy the Datadog .NET tracer into your Docker image.

        # For arm64 use datadog-dotnet-apm-2.57.0.arm64.tar.gz
# For alpine use datadog-dotnet-apm-2.57.0-musl.tar.gz
ARG TRACER_VERSION
ADD https://github.com/DataDog/dd-trace-dotnet/releases/download/v${TRACER_VERSION}/datadog-dotnet-apm-${TRACER_VERSION}.tar.gz /tmp/datadog-dotnet-apm.tar.gz

RUN mkdir -p /dd_tracer/dotnet/ && tar -xzvf /tmp/datadog-dotnet-apm.tar.gz -C /dd_tracer/dotnet/ && rm /tmp/datadog-dotnet-apm.tar.gz

        If you install the Datadog tracer library directly in your application, as outlined in the manual tracer instrumentation instructions, omit this step.

      3. (Optional) Add Datadog tags.

        ENV DD_SERVICE=datadog-demo-run-dotnet
ENV DD_ENV=datadog-demo
ENV DD_VERSION=1
ENV DD_APPSEC_ENABLED=1

      4. Change the entrypoint to wrap your application in the Datadog serverless-init process. Note: If you already have an entrypoint defined inside your Dockerfile, see the alternative configuration.

        ENTRYPOINT ["/app/datadog-init"]

      5. Execute your binary application wrapped in the entrypoint. Adapt this line to your needs.

        CMD ["dotnet", "helloworld.dll"]

      Alternative configuration

      If you already have an entrypoint defined inside your Dockerfile, you can instead modify the CMD argument.

      COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init
# For arm64 use datadog-dotnet-apm-2.57.0.arm64.tar.gz
# For alpine use datadog-dotnet-apm-2.57.0-musl.tar.gz
ARG TRACER_VERSION
ADD https://github.com/DataDog/dd-trace-dotnet/releases/download/v${TRACER_VERSION}/datadog-dotnet-apm-${TRACER_VERSION}.tar.gz /tmp/datadog-dotnet-apm.tar.gz
RUN mkdir -p /dd_tracer/dotnet/ && tar -xzvf /tmp/datadog-dotnet-apm.tar.gz -C /dd_tracer/dotnet/ && rm /tmp/datadog-dotnet-apm.tar.gz
ENV DD_SERVICE=datadog-demo-run-dotnet
ENV DD_ENV=datadog-demo
ENV DD_VERSION=1
ENV DD_APPSEC_ENABLED=1
CMD ["/app/datadog-init", "dotnet", "helloworld.dll"]

      If you require your entrypoint to be instrumented as well, you can swap your entrypoint and CMD arguments instead. For more information, see How serverless-init works.

      COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init
# For arm64 use datadog-dotnet-apm-2.57.0.arm64.tar.gz
# For alpine use datadog-dotnet-apm-2.57.0-musl.tar.gz
ARG TRACER_VERSION
ADD https://github.com/DataDog/dd-trace-dotnet/releases/download/v${TRACER_VERSION}/datadog-dotnet-apm-${TRACER_VERSION}.tar.gz /tmp/datadog-dotnet-apm.tar.gz
RUN mkdir -p /dd_tracer/dotnet/ && tar -xzvf /tmp/datadog-dotnet-apm.tar.gz -C /dd_tracer/dotnet/ && rm /tmp/datadog-dotnet-apm.tar.gz
ENV DD_SERVICE=datadog-demo-run-dotnet
ENV DD_ENV=datadog-demo
ENV DD_VERSION=1
ENV DD_APPSEC_ENABLED=1
ENTRYPOINT ["/app/datadog-init"]
CMD ["your_entrypoint.sh", "dotnet", "helloworld.dll"]

      As long as your command to run is passed as an argument to datadog-init, you will receive full instrumentation.

      Manually install the Ruby tracer before you deploy your application. See the example application.

      Add the following instructions and arguments to your Dockerfile.

      COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init
ENV DD_SERVICE=datadog-demo-run-ruby
ENV DD_ENV=datadog-demo
ENV DD_VERSION=1
ENV DD_APPSEC_ENABLED=1
ENV DD_TRACE_PROPAGATION_STYLE=datadog
ENTRYPOINT ["/app/datadog-init"]
CMD ["rails", "server", "-b", "0.0.0.0"]

      Explanation

      1. Copy the Datadog serverless-init into your Docker image.

        COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init

      2. (Optional) add Datadog tags

        ENV DD_SERVICE=datadog-demo-run-ruby
ENV DD_ENV=datadog-demo
ENV DD_APPSEC_ENABLED=1
ENV DD_VERSION=1

      3. This environment variable is needed for trace propagation to work properly in Cloud Run. Ensure that you set this variable for all Datadog-instrumented downstream services.

        ENV DD_TRACE_PROPAGATION_STYLE=datadog

      4. Change the entrypoint to wrap your application in the Datadog serverless-init process. Note: If you already have an entrypoint defined inside your Dockerfile, see the alternative configuration.

        ENTRYPOINT ["/app/datadog-init"]

      5. Execute your binary application wrapped in the entrypoint. Adapt this line to your needs.

        CMD ["rails", "server", "-b", "0.0.0.0"]

      Alternative configuration

      If you already have an entrypoint defined inside your Dockerfile, you can instead modify the CMD argument.

      COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init
ENV DD_SERVICE=datadog-demo-run-ruby
ENV DD_ENV=datadog-demo
ENV DD_VERSION=1
ENV DD_APPSEC_ENABLED=1
ENV DD_TRACE_PROPAGATION_STYLE=datadog
CMD ["/app/datadog-init", "rails", "server", "-b", "0.0.0.0"]

      If you require your entrypoint to be instrumented as well, you can swap your entrypoint and CMD arguments instead. For more information, see How serverless-init works.

      COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init
ENV DD_SERVICE=datadog-demo-run-ruby
ENV DD_ENV=datadog-demo
ENV DD_VERSION=1
ENV DD_APPSEC_ENABLED=1
ENV DD_TRACE_PROPAGATION_STYLE=datadog
ENTRYPOINT ["/app/datadog-init"]
CMD ["your_entrypoint.sh", "rails", "server", "-b", "0.0.0.0"]

      As long as your command to run is passed as an argument to datadog-init, you will receive full instrumentation.

      Add the following instructions and arguments to your Dockerfile.

      COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init
ADD https://github.com/DataDog/dd-trace-php/releases/latest/download/datadog-setup.php /datadog-setup.php
RUN php /datadog-setup.php --php-bin=all
ENV DD_SERVICE=datadog-demo-run-php
ENV DD_ENV=datadog-demo
ENV DD_VERSION=1
ENTRYPOINT ["/app/datadog-init"]

# use the following for an Apache and mod_php based image
RUN sed -i "s/Listen 80/Listen 8080/" /etc/apache2/ports.conf
EXPOSE 8080
CMD ["apache2-foreground"]

# use the following for an Nginx and php-fpm based image
RUN ln -sf /dev/stdout /var/log/nginx/access.log && ln -sf /dev/stderr /var/log/nginx/error.log
EXPOSE 8080
CMD php-fpm; nginx -g daemon off;

      Note: The datadog-init entrypoint wraps your process and collects logs from it. To get logs working properly, ensure that your Apache, Nginx, or PHP processes are writing output to stdout.

      Explanation

      1. Copy the Datadog serverless-init into your Docker image.

        COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init

      2. Copy and install the Datadog PHP tracer.

        ADD https://github.com/DataDog/dd-trace-php/releases/latest/download/datadog-setup.php /datadog-setup.php
RUN php /datadog-setup.php --php-bin=all

        If you install the Datadog tracer library directly in your application, as outlined in the manual tracer instrumentation instructions, omit this step.

      3. (Optional) Add Datadog tags.

        ENV DD_SERVICE=datadog-demo-run-php
ENV DD_ENV=datadog-demo
ENV DD_VERSION=1

      4. Change the entrypoint to wrap your application in the Datadog serverless-init process. Note: If you already have an entrypoint defined inside your Dockerfile, see the alternative configuration.

        ENTRYPOINT ["/app/datadog-init"]

      5. Execute your application.

        Use the following for an Apache and mod_php based image:

        RUN sed -i "s/Listen 80/Listen 8080/" /etc/apache2/ports.conf
EXPOSE 8080
CMD ["apache2-foreground"]

        Use the following for an Nginx and php-fpm based image:

        RUN ln -sf /dev/stdout /var/log/nginx/access.log && ln -sf /dev/stderr /var/log/nginx/error.log
EXPOSE 8080
CMD php-fpm; nginx -g daemon off;

      Alternative configuration

      If you already have an entrypoint defined inside your Dockerfile, and you are using an Apache and mod_php based image, you can instead modify the CMD argument.

      COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init
ADD https://github.com/DataDog/dd-trace-php/releases/latest/download/datadog-setup.php /datadog-setup.php
RUN php /datadog-setup.php --php-bin=all
ENV DD_SERVICE=datadog-demo-run-php
ENV DD_ENV=datadog-demo
ENV DD_VERSION=1
RUN sed -i "s/Listen 80/Listen 8080/" /etc/apache2/ports.conf
EXPOSE 8080
CMD ["/app/datadog-init", "apache2-foreground"]

      If you require your entrypoint to be instrumented as well, you can swap your entrypoint and CMD arguments instead. For more information, see How serverless-init works.

      COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init
ADD https://github.com/DataDog/dd-trace-php/releases/latest/download/datadog-setup.php /datadog-setup.php
RUN php /datadog-setup.php --php-bin=all
ENV DD_SERVICE=datadog-demo-run-php
ENV DD_ENV=datadog-demo
ENV DD_VERSION=1
ENTRYPOINT ["/app/datadog-init"]

# use the following for an Apache and mod_php based image
RUN sed -i "s/Listen 80/Listen 8080/" /etc/apache2/ports.conf
EXPOSE 8080
CMD ["your_entrypoint.sh", "apache2-foreground"]

# use the following for an Nginx and php-fpm based image
RUN ln -sf /dev/stdout /var/log/nginx/access.log && ln -sf /dev/stderr /var/log/nginx/error.log
EXPOSE 8080
CMD your_entrypoint.sh php-fpm; your_entrypoint.sh nginx -g daemon off;

      As long as your command to run is passed as an argument to datadog-init, you will receive full instrumentation.

      Azure App Service

      Setup

      Set application settings

      To enable AAP on your application, begin by adding the following key-value pairs under Application Settings in your Azure configuration settings.

      Azure App Service Configuration: the Application Settings, under the Configuration section of Settings in the Azure UI. Three settings are listed: DD_API_KEY, DD_SERVICE, and DD_START_APP.
      • DD_API_KEY is your Datadog API key.
      • DD_CUSTOM_METRICS_ENABLED (optional) enables custom metrics.
      • DD_SITE is the Datadog site parameter. Your site is . This value defaults to datadoghq.com.
      • DD_SERVICE is the service name used for this program. Defaults to the name field value in package.json.
      • DD_START_APP is the command used to start your application. For example, node ./bin/www (unnecessary for applications running in Tomcat).
      • DD_APPSEC_ENABLED value should be 1 in order to enable Application Security

      Identifying your startup command

      Linux Azure App Service Web Apps built using the code deployment option on built-in runtimes depend on a startup command that varies by language. The default values are outlined in Azure’s documentation. Examples are included below.

      Set these values in the DD_START_APP environment variable. Examples below are for an application named datadog-demo, where relevant.

      RuntimeDD_START_APP Example ValueDescription
      Node.jsnode ./bin/wwwRuns the Node PM2 configuration file, or your script file.
      .NET Coredotnet datadog-demo.dllRuns a .dll file that uses your Web App name by default.

      Note: The .dll file name in the command should match the file name of your .dll file. In certain cases, this might not match your Web App.
      PHPcp /home/site/wwwroot/default /etc/nginx/sites-available/default && service nginx reloadCopies script to correct location and starts application.
      Pythongunicorn --bind=0.0.0.0 --timeout 600 quickstartproject.wsgiCustom startup script. This example shows a Gunicorn command for starting a Django app.
      Javajava -jar /home/site/wwwroot/datadog-demo.jarThe command to start your app. This is not required for applications running in Tomcat.

      Note: The application restarts when new settings are saved.

      Set General Settings

        Go to General settings and add the following to the Startup Command field:

        curl -s https://raw.githubusercontent.com/DataDog/datadog-aas-linux/v1.4.0/datadog_wrapper | bash
        Azure App Service Configuration: the Stack settings, under the Configuration section of Settings in the Azure UI. Underneath the stack, major version, and minor version fields is a 'Startup Command' field that is populated by the above curl command.

        Download the datadog_wrapper file from the releases and upload it to your application with the Azure CLI command:

          az webapp deploy --resource-group <group-name> --name <app-name> --src-path <path-to-datadog-wrapper> --type=startup

        Testing threat detection

        To see App and API Protection threat detection in action, send known attack patterns to your application. For example, send a request with the user agent header set to dd-test-scanner-log to trigger a security scanner attack attempt:

        curl -A 'dd-test-scanner-log' https://your-function-url/existing-route

        A few minutes after you enable your application and exercise it, threat information appears in the Application Signals Explorer.

        Further reading

        Additional helpful documentation, links, and articles:

        How Application Security WorksDOCUMENTATION more more OOTB App and API Protection RulesDOCUMENTATION more more Troubleshooting App and API ProtectionDOCUMENTATION more more Application Threat ManagementDOCUMENTATION more more Datadog Security extends compliance and threat protection capabilities for Google CloudBLOG more more