--- title: Enabling App and API Protection for Envoy Gateway description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > App and API Protection > Enabling App and API Protection > Set up App and API Protection on Kubernetes > Enabling App and API Protection for Envoy Gateway --- # Enabling App and API Protection for Envoy Gateway {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). (). {% /alert %} {% /callout %} {% callout %} ##### App and API Protection for Envoy Gateway is in Preview App and API Protection for Envoy Gateway is in Preview. Use the following instructions to try the preview. {% /callout %} You can enable Datadog [App and API Protection](https://docs.datadoghq.com/security/application_security.md) for traffic managed by [Envoy Gateway](https://gateway.envoyproxy.io/docs/) to inspect and protect traffic at the edge of your infrastructure. ## Prerequisites{% #prerequisites %} - A running Kubernetes cluster with [Envoy Gateway](https://gateway.envoyproxy.io/docs/) installed. - The [Datadog Agent is installed and configured](https://docs.datadoghq.com/containers/kubernetes/installation.md?tab=datadogoperator) in your Kubernetes cluster. - Enable and configure [Remote Configuration](https://docs.datadoghq.com/agent/remote_config.md?tab=helm#enabling-remote-configuration) to enable blocking attackers through the Datadog UI. - Enable [APM](https://docs.datadoghq.com/tracing/guide/setting_up_apm_with_kubernetes_service.md?tab=datadogoperator) in the Agent to allow the security processor service to send its own traces to the Agent. - Optionally, enable the [Cluster Agent Admission Controller](https://docs.datadoghq.com/tracing/guide/setting_up_apm_with_kubernetes_service.md?tab=datadogoperator#cluster-agent-admission-controller) to automatically inject the Datadog Agent host information to the App and API Protection security processor service. ## Automated configuration with App and API Protection for Kubernetes{% #automated-configuration-with-app-and-api-protection-for-kubernetes %} {% alert level="info" %} Automated configuration handles security processor deployment and `EnvoyExtensionPolicy` creation. This is the recommended approach for most users. {% /alert %} ### Setup{% #setup %} 1. **Deploy the security processor** using the deployment manifest shown in Deploy the Datadog security processor service below. 1. **Enable automatic configuration** using the Datadog Operator or Helm. {% tab title="Datadog Operator" %} Add annotations to your `DatadogAgent` resource. The service name annotation is required and must match your security processor service: ```yaml apiVersion: datadoghq.com/v2alpha1 kind: DatadogAgent metadata: name: datadog annotations: agent.datadoghq.com/appsec.injector.enabled: "true" agent.datadoghq.com/appsec.injector.processor.service.name: "datadog-aap-extproc-service" # Required agent.datadoghq.com/appsec.injector.processor.service.namespace: "datadog" spec: override: clusterAgent: env: - name: DD_CLUSTER_AGENT_APPSEC_INJECTOR_MODE value: "external" ``` Apply the configuration: ```bash kubectl apply -f datadog-agent.yaml ``` {% /tab %} {% tab title="Helm" %} Add the following to your `values.yaml`: ```yaml datadog: appsec: injector: enabled: true mode: "external" processor: service: name: datadog-aap-extproc-service # Required: must match your security processor service name namespace: datadog # Must match the namespace where the service is deployed ``` Install or upgrade the Datadog Helm chart: ```bash helm upgrade -i datadog-agent datadog/datadog -f values.yaml ``` {% /tab %} After you enable this, the Datadog Cluster Agent: - Detects your Envoy Gateway installations - Creates `EnvoyExtensionPolicy` resources for each Gateway - Configures the policies to route traffic to the security processor 1. **Verify** the configuration by checking for created policies: ```bash kubectl get envoyextensionpolicy -A ``` For configuration options and troubleshooting, see [App and API Protection for Kubernetes](https://docs.datadoghq.com/containers/kubernetes/appsec.md). ## Manual configuration (alternative){% #manual-configuration-alternative %} For fine-grained control over specific gateways, use the manual setup: 1. Deploy the Datadog Security Processor service in your cluster. 1. Configure an `EnvoyExtensionPolicy` that points to it. ### Step 1: Deploy the Datadog security processor service{% #step-1-deploy-the-datadog-security-processor-service %} This gRPC server receives requests and responses from Envoy for App and API Protection analysis. Deploy it in a namespace accessible by your Envoy Gateway. The Docker image is on the [Datadog Go tracer GitHub Registry](https://github.com/DataDog/dd-trace-go/pkgs/container/dd-trace-go%2Fservice-extensions-callout). Example manifest (`datadog-aap-extproc-service.yaml`): ```yaml apiVersion: apps/v1 kind: Deployment metadata: name: datadog-aap-extproc-deployment namespace: # Change to your preferred namespace, ensure it's resolvable by the Envoy Gateway labels: app: datadog-aap-extproc spec: replicas: 1 # Adjust replica count based on your load selector: matchLabels: app: datadog-aap-extproc template: metadata: labels: app: datadog-aap-extproc spec: containers: - name: datadog-aap-extproc-container image: ghcr.io/datadog/dd-trace-go/service-extensions-callout:v2.4.0 # Replace with the latest released version ports: - name: grpc containerPort: 443 # Default gRPC port for the security processor - name: health containerPort: 80 # Default health check port env: # Optional: Agent Configuration # If you enabled the Cluster Agent Admission Controller, you can skip this section as the Agent host information is automatically injected. # Otherwise, configure the address of your Datadog Agent for the security processor - name: DD_AGENT_HOST value: "..svc.cluster.local" - name: DD_TRACE_AGENT_PORT # Optional if your Agent's trace port is the default 8126 value: "8126" # Disable TLS for communication between Envoy Gateway and the security processor. Default is true. # Cannot be enabled for now - name: DD_SERVICE_EXTENSION_TLS value: "false" readinessProbe: httpGet: path: / port: health initialDelaySeconds: 5 periodSeconds: 10 livenessProbe: httpGet: path: / port: health initialDelaySeconds: 15 periodSeconds: 20 --- apiVersion: v1 kind: Service metadata: name: datadog-aap-extproc-service # This name will be used in the EnvoyExtensionPolicy configuration namespace: # Change to your preferred namespace, ensure it's resolvable by the Envoy Gateway labels: app: datadog-aap-extproc spec: ports: - name: grpc port: 443 targetPort: grpc protocol: TCP selector: app: datadog-aap-extproc type: ClusterIP ``` #### Configuration options for the security processor{% #configuration-options-for-the-security-processor %} The Datadog Security Processor exposes some settings: | Environment variable | Default value | Description | | --------------------------------------- | ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `DD_SERVICE_EXTENSION_HOST` | `0.0.0.0` | gRPC server listening address. | | `DD_SERVICE_EXTENSION_PORT` | `443` | gRPC server port. | | `DD_SERVICE_EXTENSION_HEALTHCHECK_PORT` | `80` | HTTP server port for health checks. | | `DD_SERVICE_EXTENSION_TLS` | `true` | Enable the gRPC TLS layer. | | `DD_SERVICE_EXTENSION_TLS_KEY_FILE` | `localhost.key` | Change the default gRPC TLS layer key. | | `DD_SERVICE_EXTENSION_TLS_CERT_FILE` | `localhost.crt` | Change the default gRPC TLS layer certificate. | | `DD_APPSEC_BODY_PARSING_SIZE_LIMIT` | `10485760` | Maximum size of the bodies to be processed in bytes. If set to `0`, the bodies are not processed. The recommended value is `10485760` (10MB). (To fully enable body processing, the `allowModeOverride` option should also be set in the External Processing filter configuration.) | | `DD_SERVICE` | `serviceextensions` | Service name shown in the Datadog UI. | Configure the connection from the security processor to the Datadog Agent using these environment variables: | Environment variable | Default value | Description | | --------------------- | ------------- | ----------------------------------------------- | | `DD_AGENT_HOST` | `localhost` | Hostname or IP of your Datadog Agent. | | `DD_TRACE_AGENT_PORT` | `8126` | Port of the Datadog Agent for trace collection. | The security processor is built on top of the [Datadog Go Tracer](https://github.com/DataDog/dd-trace-go) and inherits all of its environment variables. See [Configuring the Go Tracing Library](https://docs.datadoghq.com/tracing/trace_collection/library_config/go.md) and [App and API Protection Library Configuration](https://docs.datadoghq.com/security/application_security/policies/library_configuration.md). {% alert level="info" %} Because the Datadog security processor is built on top of the Datadog Go tracer, it generally follows the same release process as the tracer, and its Docker images are tagged with the corresponding tracer version (for example, `v2.2.2`). In some cases, early release versions might be published between official tracer releases, and these images are tagged with a suffix such as `-docker.1`. {% /alert %} ### Step 2: Configure an EnvoyExtensionPolicy{% #step-2-configure-an-envoyextensionpolicy %} Use an `EnvoyExtensionPolicy` to instruct Envoy Gateway to call the Datadog security processor. You can attach the policy to a Gateway or to specific HTTPRoute/GRPCRoute resources. This sends all traffic on the selected Gateway to the security processor. Example manifest (`datadog-aap-extproc-eep.yaml`): ```yaml apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyExtensionPolicy metadata: name: datadog-aap-extproc-eep namespace: # same namespace as the Gateway spec: targetRefs: # Target the entire Gateway - group: gateway.networking.k8s.io kind: Gateway name: # update to your specific gateway name # Target specific HTTPRoutes/GRPCRoutes #- group: gateway.networking.k8s.io # kind: HTTPRoute # name: extProc: - backendRefs: - group: "" kind: Service name: datadog-aap-extproc-service namespace: # namespace of the security processor Service port: 443 # Optional: Enable fail open mode. Default is false. # Normally, if the security processor fails or times out, the filter fails and Envoy # returns a 5xx error to the downstream client. Setting this to true allows requests # to continue without error if a failure occurs. failOpen: true # Optional: Set a timeout by processing message. Default is 200ms. # There is a maxium of 2 messages per requests with headers only and 4 messages maximum # with body processing enabled. # Note: This timeout also includes the data communication between Envoy and the security processor. # The timeout should be adjusted to accommodate the additional possible processing time. # Larger payloads will require a longer timeout. messageTimeout: 200ms processingMode: # The security processor can dynamically override the processing mode as needed, instructing # Envoy to forward request and response bodies to the security processor. allowModeOverride: true # Only enable the request and response header modes by default. request: {} response: {} ``` #### Cross‑namespace reference{% #crossnamespace-reference %} If your security processor `Service` is in a **different namespace** than the policy, add a [ReferenceGrant](https://gateway-api.sigs.k8s.io/api-types/referencegrant/) in the processor's namespace. For example, you can do this with a manifest such as `datadog-aap-eep-rg.yaml`. ```yaml apiVersion: gateway.networking.k8s.io/v1beta1 kind: ReferenceGrant metadata: name: datadog-aap-eep-rg namespace: # namespace of the security processor Service spec: from: - group: gateway.envoyproxy.io kind: EnvoyExtensionPolicy namespace: # namespace of the EnvoyExtensionPolicy (and the Gateway) to: - group: "" kind: Service name: datadog-aap-extproc-service ``` ### Step 3: Validate{% #step-3-validate %} After applying the policy, traffic through the targeted Gateway/Routes is inspected by App and API Protection. After this configuration is complete, the library collects security data from your application and sends it to the Agent. The Agent sends the data to Datadog, where [out-of-the-box detection rules](https://docs.datadoghq.com/security/default_rules.md#cat-application-security) flag attacker techniques and potential misconfigurations so you can take steps to remediate. 1. To see App and API Protection threat detection in action, send known attack patterns to your application. For example, trigger the [Security Scanner Detected](https://docs.datadoghq.com/security/default_rules/security-scan-detected.md) rule by running a file that contains the following curl script: ``` for ((i=1;i<=250;i++)); do# Target existing service's routescurl https://your-application-url/existing-route -A dd-test-scanner-log;# Target non existing service's routescurl https://your-application-url/non-existing-route -A dd-test-scanner-log;done ``` **Note**: The `dd-test-scanner-log` value is supported in the most recent releases. A few minutes after you enable your application and send known attack patterns to it, threat information appears in the [Application Signals Explorer](https://app.datadoghq.com/security/appsec) and vulnerability information appears in the [Vulnerabilities explorer](https://app.datadoghq.com/security/appsec/vm/). {% video url="https://docs.dd-static.net/images//security/application_security/appsec-getstarted-threat-and-vuln_2.mp4" /%} ## Limitations{% #limitations %} Observability mode (asynchronous analysis) is not available for Envoy Gateway. For additional details on the Envoy Gateway integration compatibilities, see the [Envoy Gateway integration compatibility page](https://docs.datadoghq.com/security/application_security/setup/compatibility/envoy-gateway.md). ## Further Reading{% #further-reading %} - [Envoy integration source code](https://github.com/DataDog/dd-trace-go/tree/main/contrib/envoyproxy/go-control-plane/cmd/serviceextensions) - [OOTB App and API Protection Rules](https://docs.datadoghq.com/security/default_rules.md?category=cat-application-security) - [Troubleshooting App and API Protection](https://docs.datadoghq.com/security/application_security/troubleshooting.md)