--- title: Enabling App and API Protection for Google Cloud Run functions in Ruby description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > App and API Protection > Enabling App and API Protection > Setup App and API Protection on Google Cloud Run functions > Enabling App and API Protection for Google Cloud Run functions in Ruby --- # Enabling App and API Protection for Google Cloud Run functions in Ruby {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). (). {% /alert %} {% /callout %} {% alert level="info" %} AAP support for Google Cloud Run is in Preview. {% /alert %} ## How it works{% #how-it-works %} The `serverless-init` application wraps your process and executes it as a subprocess. It starts a DogStatsD listener for metrics and a Trace Agent listener for traces. It collects logs by wrapping the stdout/stderr streams of your application. After bootstrapping, `serverless-init` then launches your command as a subprocess. To get full instrumentation, ensure you are calling `datadog-init` as the first command that runs inside your Docker container. You can do this by setting it as the entrypoint, or by setting it as the first argument in CMD. ## Compatibility{% #compatibility %} {% alert level="info" %} Google Cloud Run support for App and API Protection serverless is in Preview. {% /alert %} **Note**: Threat Protection through Remote Configuration is not supported. Use [Workflows](https://docs.datadoghq.com/actions/workflows.md) to block IPs in your [WAF](https://docs.datadoghq.com/security/application_security/waf-integration.md). ## Get started{% #get-started %} [Manually install](https://docs.datadoghq.com/tracing/trace_collection/dd_libraries/ruby.md?tab=containers#instrument-your-application) the Ruby tracer before you deploy your application. See the [example application](https://github.com/DataDog/crpb/tree/main/ruby-on-rails). Add the following instructions and arguments to your Dockerfile. ```dockerfile COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init ENV DD_SERVICE=datadog-demo-run-ruby ENV DD_ENV=datadog-demo ENV DD_VERSION=1 ENV DD_APPSEC_ENABLED=1 ENV DD_TRACE_PROPAGATION_STYLE=datadog ENTRYPOINT ["/app/datadog-init"] CMD ["rails", "server", "-b", "0.0.0.0"] ``` ### Explanation{% #explanation %} 1. Copy the Datadog `serverless-init` into your Docker image. ```dockerfile COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init ``` 1. (Optional) add Datadog tags ```dockerfile ENV DD_SERVICE=datadog-demo-run-ruby ENV DD_ENV=datadog-demo ENV DD_APPSEC_ENABLED=1 ENV DD_VERSION=1 ``` 1. This environment variable is needed for trace propagation to work properly in Cloud Run. Ensure that you set this variable for all Datadog-instrumented downstream services. ```dockerfile ENV DD_TRACE_PROPAGATION_STYLE=datadog ``` 1. Change the entrypoint to wrap your application in the Datadog `serverless-init` process. **Note**: If you already have an entrypoint defined inside your Dockerfile, see the alternative configuration. ```dockerfile ENTRYPOINT ["/app/datadog-init"] ``` 1. Execute your binary application wrapped in the entrypoint. Adapt this line to your needs. ```dockerfile CMD ["rails", "server", "-b", "0.0.0.0"] ``` ### Alternative configuration{% #alt-ruby %} If you already have an entrypoint defined inside your Dockerfile, you can instead modify the CMD argument. ```dockerfile COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init ENV DD_SERVICE=datadog-demo-run-ruby ENV DD_ENV=datadog-demo ENV DD_VERSION=1 ENV DD_APPSEC_ENABLED=1 ENV DD_TRACE_PROPAGATION_STYLE=datadog CMD ["/app/datadog-init", "rails", "server", "-b", "0.0.0.0"] ``` If you require your entrypoint to be instrumented as well, you can swap your entrypoint and CMD arguments instead. For more information, see How `serverless-init` works. ```dockerfile COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init ENV DD_SERVICE=datadog-demo-run-ruby ENV DD_ENV=datadog-demo ENV DD_VERSION=1 ENV DD_APPSEC_ENABLED=1 ENV DD_TRACE_PROPAGATION_STYLE=datadog ENTRYPOINT ["/app/datadog-init"] CMD ["your_entrypoint.sh", "rails", "server", "-b", "0.0.0.0"] ``` As long as your command to run is passed as an argument to `datadog-init`, you will receive full instrumentation. ## Further reading{% #further-reading %} - [How App and API Protection Works](https://docs.datadoghq.com/security/application_security/how-it-works.md) - [OOTB App and API Protection Rules](https://docs.datadoghq.com/security/default_rules.md?category=cat-application-security) - [Troubleshooting App and API Protection](https://docs.datadoghq.com/security/application_security/troubleshooting.md) - [App and API Protection](https://docs.datadoghq.com/security/application_security/threats.md) - [Datadog Security extends compliance and threat protection capabilities for Google Cloud](https://www.datadoghq.com/blog/datadog-security-google-cloud/)