Set up App and API Protection for Ruby on AWS Fargate

This product is not supported for your selected Datadog site. ().

Overview

App and API Protection works by leveraging the Datadog Ruby library to monitor and secure your Ruby service. The library integrates seamlessly with your existing application without requiring code changes.

For detailed compatibility information, including supported Ruby versions, frameworks, and deployment environments, see Ruby Compatibility Requirements.

This guide explains how to set up App and API Protection (AAP) for Ruby applications. The setup involves:

  1. Installing the Datadog Agent
  2. Enabling App and API Protection monitoring
  3. Run Your Application
  4. Verifying the setup

Prerequisites

  • AWS Fargate environment
  • Ruby application containerized with Docker
  • AWS CLI configured with appropriate permissions
  • Your Datadog API key
  • Datadog Ruby tracing library (see version requirements)

1. Installing the Datadog Agent

Install the Datadog Agent in your Fargate task definition:

{
  "containerDefinitions": [
    {
      "name": "datadog-agent",
      "image": "public.ecr.aws/datadog/agent:latest",
      "environment": [
        {
          "name": "DD_API_KEY",
          "value": "<YOUR_API_KEY>"
        },
        {
          "name": "DD_APM_ENABLED",
          "value": "true"
        },
        {
          "name": "DD_APM_NON_LOCAL_TRAFFIC",
          "value": "true"
        }
      ]
    }
  ]
}

2. Enabling App and API Protection monitoring

Install and configure the datadog gem in your Ruby application.

    Add the datadog gem to your Gemfile:

    gem 'datadog', '~> 2.0'

    Configure Datadog library by adding an initializer:

    Datadog.configure do |c|
  c.service = 'your_service_name'
  c.env = Rails.env

  c.agent.host = 'your_agent_host'

  c.tracing.enabled = true

  # Tracing instrumentation for Rails has to be explicitly enabled
  c.tracing.instrument :rails

  c.appsec.enabled = true
  c.appsec.api_security.enabled = true

  # Rails instrumentation is required for App and API Protection
  c.appsec.instrument :rails
end

    Add the datadog gem to your Gemfile and require auto-instrumentation:

    gem 'datadog', '~> 2.0', require: 'datadog/auto_instrument'

    Update your task definition to include App and API Protection configuration:

    {
  "containerDefinitions": [
    {
      "name": "your-app",
      "image": "your-app-image",
      "environment": [
        {
          "name": "DD_APPSEC_ENABLED",
          "value": "true"
        },
        {
          "name": "DD_API_SECURITY_ENABLED",
          "value": "true"
        },
        {
          "name": "DD_SERVICE",
          "value": "<YOUR_SERVICE_NAME>"
        },
        {
          "name": "DD_ENV",
          "value": "<YOUR_ENVIRONMENT>"
        }
      ],
      "command": [
        "bin/rails",
        "server"
      ]
    }
  ]
}

    To disable APM tracing while keeping App and API Protection enabled, you must set the APM tracing configuration to false.

      Add the datadog gem to your Gemfile:

      gem 'datadog', '~> 2.0'

      Configure Datadog library by adding an initializer:

      Datadog.configure do |c|
  c.service = 'your_service_name'
  c.env = Rails.env

  c.agent.host = 'your_agent_host'

  # Disable APM Tracing
  c.tracing.enabled = false

  # Tracing instrumentation for Rails has to be explicitly enabled
  c.tracing.instrument :rails

  c.appsec.enabled = true
  c.appsec.api_security.enabled = true

  # Rails instrumentation is required for App and API Protection
  c.appsec.instrument :rails
end

      Add the datadog gem to your Gemfile and require auto-instrumentation:

      gem 'datadog', '~> 2.0', require: 'datadog/auto_instrument'

      Update your task definition to include App and API Protection configuration with APM tracing disabled:

      {
  "containerDefinitions": [
    {
      "name": "your-app",
      "image": "your-app-image",
      "environment": [
        {
          "name": "DD_APPSEC_ENABLED",
          "value": "true"
        },
        {
          "name": "DD_API_SECURITY_ENABLED",
          "value": "true"
        },
        {
          "name": "DD_APM_TRACING_ENABLED",
          "value": "false"
        },
        {
          "name": "DD_SERVICE",
          "value": "<YOUR_SERVICE_NAME>"
        },
        {
          "name": "DD_ENV",
          "value": "<YOUR_ENVIRONMENT>"
        }
      ],
      "command": [
        "bin/rails",
        "server"
      ]
    }
  ]
}

      3. Run your application

      Deploy your Fargate task with the updated configuration:

      aws ecs register-task-definition --cli-input-json file://task-definition.json
aws ecs run-task --cluster your-cluster --task-definition your-task-definition

      4. Verify setup

      To verify that App and API Protection is working correctly:

      1. Send some traffic to your application.
      2. Check the App and API Protection Service Inventory in Datadog.
      3. Find your service and check that App and API protection is enabled in the Coverage column.

      Troubleshooting

      If you encounter issues while setting up App and API Protection for your Ruby application, see the Ruby App and API Protection troubleshooting guide.

      Further Reading

      Additional helpful documentation, links, and articles:

      How App and API Protection WorksDOCUMENTATION more more OOTB App and API Protection RulesDOCUMENTATION more more Troubleshooting App and API ProtectionDOCUMENTATION more more