From b2aa7e7ca04cc8582c754cd414e35ba8df2fe31b Mon Sep 17 00:00:00 2001 From: Flavien Darche Date: Mon, 10 Nov 2025 14:03:49 +0100 Subject: [PATCH 1/8] envoy gateway page --- .../setup/envoy-gateway.md | 250 ++++++++++++++++++ 1 file changed, 250 insertions(+) create mode 100644 content/en/security/application_security/setup/envoy-gateway.md diff --git a/content/en/security/application_security/setup/envoy-gateway.md b/content/en/security/application_security/setup/envoy-gateway.md new file mode 100644 index 0000000000000..4c518e8352c8e --- /dev/null +++ b/content/en/security/application_security/setup/envoy-gateway.md 
@@ -0,0 +1,250 @@ +--- +title: Enabling App and API Protection for Envoy Gateway +code_lang: envoy-gateway +code_lang_weight: 50 +further_reading: + - link: 'https://github.com/DataDog/dd-trace-go/tree/main/contrib/envoyproxy/go-control-plane/cmd/serviceextensions' + tag: "Source Code" + text: "Envoy integration's source code" + - link: "/security/default_rules/?category=cat-application-security" + tag: "Documentation" + text: "OOTB App and API Protection Rules" + - link: "/security/application_security/troubleshooting" + tag: "Documentation" + text: "Troubleshooting App and API Protection" +--- + +{{< callout url="#" btn_hidden="true" header="App and API Protection for Envoy Gateway is in Preview" >}} +To try the preview of App and API Protection for Envoy Gateway, use the following setup instructions. +{{< /callout >}} + +You can enable Datadog App and API Protection for traffic managed by [Envoy Gateway]. The Datadog Envoy Gateway integration allows Datadog to inspect and protect your traffic for threat detection and blocking directly at the edge of your infrastructure. + +## Prerequisites + +1. A running Kubernetes cluster with [Envoy Gateway][1] installed. +2. The [Datadog Agent is installed and configured][2] in your Kubernetes cluster. + - Ensure [Remote Configuration][3] is enabled and configured to enable blocking attackers through the Datadog UI. + - Ensure [APM is enabled][4] in the Agent. *This allows the external processor service to send its own traces to the Agent.* + - Optionally, enable the [Cluster Agent Admission Controller][5] to automatically inject the Datadog Agent host information to the App and API Protection External Processor service. + +## Enabling threat detection + +Enabling App and API Protection with Envoy Gateway involves two steps: + +1. Deploying the Datadog External Processor service in your cluster. +2. 
Configuring an `EnvoyExtensionPolicy` that points to the processor service to direct traffic from your Envoy Gateway to this service. + +### 1. Deploy the Datadog External Processor service + +This service is a gRPC server that Envoy communicates with to have requests and responses analyzed by App and API Protection. + +Create a Kubernetes Deployment and Service for the Datadog External Processor. It's recommended to deploy this service in a namespace accessible by your Envoy Gateway. + +The Datadog External Processor Docker image is available on the [Datadog Go tracer GitHub Registry][6]. + +Here is an example manifest (`datadog-aap-extproc-service.yaml`): + +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: datadog-aap-extproc-deployment + namespace: # Change to your preferred namespace, ensure it's resolvable by the Envoy Gateway + labels: + app: datadog-aap-extproc +spec: + replicas: 1 # Adjust replica count based on your load + selector: + matchLabels: + app: datadog-aap-extproc + template: + metadata: + labels: + app: datadog-aap-extproc + spec: + containers: + - name: datadog-aap-extproc-container + image: ghcr.io/datadog/dd-trace-go/service-extensions-callout:v2.2.2 # Replace with the latest released version + ports: + - name: grpc + containerPort: 443 # Default gRPC port for the external processor + - name: health + containerPort: 80 # Default health check port + env: + # Optional: Agent Configuration + # If you enabled the Cluster Agent Admission Controller, you can skip this section as the Agent host information is automatically injected. + # Otherwise, configure the address of your Datadog Agent for the external processor + - name: DD_AGENT_HOST + value: "..svc.cluster.local" + - name: DD_TRACE_AGENT_PORT # Optional if your Agent's trace port is the default 8126 + value: "8126" + + # Disable TLS for communication between Envoy Gateway and the external processor. Default is true. 
+ # By default, the external processor configuration used by Envoy Gateway is configured to not use TLS. + # You can enable TLS and configure it with DD_SERVICE_EXTENSION_TLS_KEY_FILE and DD_SERVICE_EXTENSION_TLS_CERT_FILE + # and apply a BackendTLSPolicy on the Datadog External Processor Service. + - name: DD_SERVICE_EXTENSION_TLS + value: "false" + + readinessProbe: + httpGet: + path: / + port: health + initialDelaySeconds: 5 + periodSeconds: 10 + livenessProbe: + httpGet: + path: / + port: health + initialDelaySeconds: 15 + periodSeconds: 20 +--- +apiVersion: v1 +kind: Service +metadata: + name: datadog-aap-extproc-service # This name will be used in the EnvoyExtensionPolicy configuration + namespace: # Change to your preferred namespace, ensure it's resolvable by the Envoy Gateway + labels: + app: datadog-aap-extproc +spec: + ports: + - name: grpc + port: 443 + targetPort: grpc + protocol: TCP + selector: + app: datadog-aap-extproc + type: ClusterIP +``` + +#### Configuration options for the External Processor + +The Datadog External Processor exposes some settings: + +| Environment variable | Default value | Description | +|-------------------------------------------|---------------------|------------------------------------------------------------------------------------------------------------------------------------------| +| `DD_SERVICE_EXTENSION_HOST` | `0.0.0.0` | gRPC server listening address. | +| `DD_SERVICE_EXTENSION_PORT` | `443` | gRPC server port. | +| `DD_SERVICE_EXTENSION_HEALTHCHECK_PORT` | `80` | HTTP server port for health checks. | +| `DD_SERVICE_EXTENSION_TLS` | `true` | Enable the gRPC TLS layer. | +| `DD_SERVICE_EXTENSION_TLS_KEY_FILE` | `localhost.key` | Change the default gRPC TLS layer key. | +| `DD_SERVICE_EXTENSION_TLS_CERT_FILE` | `localhost.crt` | Change the default gRPC TLS layer cert. | +| `DD_APPSEC_BODY_PARSING_SIZE_LIMIT` | `10485760` | Maximum size of the bodies to be processed in bytes. 
If set to `0`, the bodies are not processed. The recommended value is `10485760` (10MB). (To fully enable body processing, the `allowModeOverride` option should also be set in the External Processing filter configuration) | +| `DD_SERVICE` | `serviceextensions` | Service name shown in the Datadog UI. | + + +Configure the connection from the external processor to the Datadog Agent using these environment variables: + +| Environment variable | Default value | Description | +|----------------------------------------|---------------|----------------------------------------------------------------------------------| +| `DD_AGENT_HOST` | `localhost` | Hostname or IP of your Datadog Agent. | +| `DD_TRACE_AGENT_PORT` | `8126` | Port of the Datadog Agent for trace collection. | + +The External Processor is built on top of the [Datadog Go Tracer][7] and inherits all of its environment variables. See [Configuring the Go Tracing Library][8] and [App and API Protection Library Configuration][9]. + +
+ Note: As the Datadog External Processor is built on top of the Datadog Go Tracer, it generally follows the same release process as the tracer, and its Docker images are tagged with the corresponding tracer version (for example, v2.2.2). In some cases, early release versions might be published between official tracer releases, and these images are tagged with a suffix such as -docker.1. +
+ +### 2. Configure an EnvoyExtensionPolicy + +Use an `EnvoyExtensionPolicy` to instruct Envoy Gateway to call the Datadog external processor. You can attach the policy to a **Gateway** (global) or to specific **HTTPRoute/GRPCRoute** resources (granular). + +This sends **all traffic** on the selected Gateway to the external processor. + +```yaml +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: EnvoyExtensionPolicy +metadata: + name: datadog-aap-extproc-eg + namespace: # same namespace as the Gateway +spec: + targetRefs: + # Target the entire Gateway + - group: gateway.networking.k8s.io + kind: Gateway + name: # update to your specific gateway name + # Target specific HTTPRoutes/GRPCRoutes + #- group: gateway.networking.k8s.io + # kind: HTTPRoute + # name: + extProc: + - backendRefs: + - group: "" + kind: Service + name: datadog-aap-extproc-service + namespace: # namespace of the external processor Service + port: 443 + + # Optional: Enable fail open mode. Default is false. + # Normally, if the external processor fails or times out, the filter fails and Envoy + # returns a 5xx error to the downstream client. Setting this to true allows requests + # to continue without error if a failure occurs. + failOpen: true + + # Optional: Set a timeout by processing message. Default is 200ms. + # There is a maxium of 2 messages per requests with headers only and 4 messages maximum + # with body processing enabled. + # Note: This timeout also includes the data communication between Envoy and the external processor. + # The timeout should be adjusted to accommodate the additional possible processing time. + # Larger payloads will require a longer timeout. + messageTimeout: 200ms + + processingMode: + # The external processor can dynamically override the processing mode as needed, instructing + # Envoy to forward request and response bodies to the external processor. + allowModeOverride: true + # Only enable the request and response header modes by default. 
+ request: {} + response: {} +``` + +#### Cross‑namespace reference + +If your external processor `Service` is in a **different namespace** than the policy, add a `ReferenceGrant` in the processor’s namespace. For example, you can do this with a manifest such as `datadog-allow-eep-extproc.yaml`. + +```yaml +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: ReferenceGrant +metadata: + name: datadog-allow-eep-extproc + namespace: # namespace of the external processor Service +spec: + from: + - group: gateway.envoyproxy.io + kind: EnvoyExtensionPolicy + namespace: # namespace of the EnvoyExtensionPolicy (and the Gateway) + to: + - group: "" + kind: Service + name: datadog-aap-extproc-service +``` + +### Validation + +After applying the policy, traffic through the targeted Gateway/Routes is inspected by App and API Protection. + +{{% appsec-getstarted-2-plusrisk %}} + +{{< img src="/security/application_security/appsec-getstarted-threat-and-vuln_2.mp4" alt="Video showing Signals explorer and details, and Vulnerabilities explorer and details." video="true" >}} + +## Limitations + +The Envoy Gateway integration has the following limitations: + +* Inspection of request and response bodies is supported when using the Datadog External Processor image version `v2.2.2` or later. +* Configuring TLS (custom certificate and key) on the Datadog External Processor Docker image is supported starting from version `v2.4.0`. + +For additional details on the Envoy Gateway integration compatibilities, refer to the [Envoy Gateway integration compatibility page][9]. 
+ +## Further Reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: https://app.datadoghq.com/account/settings#agent +[2]: /agent/remote_config/?tab=helm#enabling-remote-configuration +[7]: /tracing/trace_collection/library_config/go/ +[8]: /security/application_security/policies/library_configuration/ +[Envoy Gateway]: https://gateway.envoyproxy.io/ +[9]: /security/application_security/setup/compatibility/envoy-gateway \ No newline at end of file From 0e605143cfdbd484360869fe4b22f78041041436 Mon Sep 17 00:00:00 2001 From: Flavien Darche Date: Mon, 10 Nov 2025 14:23:02 +0100 Subject: [PATCH 2/8] fix links --- .../setup/envoy-gateway.md | 28 +++++++++++-------- 1 file changed, 16 insertions(+), 12 deletions(-) diff --git a/content/en/security/application_security/setup/envoy-gateway.md b/content/en/security/application_security/setup/envoy-gateway.md index 4c518e8352c8e..7f58f53157447 100644 --- a/content/en/security/application_security/setup/envoy-gateway.md +++ b/content/en/security/application_security/setup/envoy-gateway.md @@ -18,7 +18,7 @@ further_reading: To try the preview of App and API Protection for Envoy Gateway, use the following setup instructions. {{< /callout >}} -You can enable Datadog App and API Protection for traffic managed by [Envoy Gateway]. The Datadog Envoy Gateway integration allows Datadog to inspect and protect your traffic for threat detection and blocking directly at the edge of your infrastructure. +You can enable Datadog App and API Protection for traffic managed by [Envoy Gateway][1]. The Datadog Envoy Gateway integration allows Datadog to inspect and protect your traffic for threat detection and blocking directly at the edge of your infrastructure. ## Prerequisites 
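Review bot: The example `EnvoyExtensionPolicy` in this hunk ships with `failOpen: true` while the Deployment above it runs `replicas: 1` and the default 200ms `messageTimeout`, so in the copy-paste configuration any processor outage, restart or slow body scan lets requests bypass inspection and blocking silently. The comment calls the setting optional, but the example enables it, so readers who paste the manifest get fail-open behaviour without making an explicit decision. Consider shipping the example with `failOpen: false`, or adding a comment such as `# failOpen: true favours availability over protection; keep it false unless you monitor the processor's health and accept uninspected traffic during outages`. Likewise `DD_SERVICE_EXTENSION_TLS: "false"` means full request and response headers and bodies travel over plaintext gRPC between the Gateway and the processor pods; the text already explains how to enable TLS, but one sentence stating when that matters (no mesh or network-level encryption between those pods) would help readers decide. Several placeholders in the hunk also appear to have lost their bracketed text (for example `value: "..svc.cluster.local"` and the empty `namespace:` values, which parse as a literal string and `null`); this may be a rendering artifact, but it is worth verifying in the source file.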
@@ -149,7 +149,7 @@ The External Processor is built on top of the [Datadog Go Tracer][7] and inherit ### 2. Configure an EnvoyExtensionPolicy -Use an `EnvoyExtensionPolicy` to instruct Envoy Gateway to call the Datadog external processor. You can attach the policy to a **Gateway** (global) or to specific **HTTPRoute/GRPCRoute** resources (granular). +Use an `EnvoyExtensionPolicy` to instruct Envoy Gateway to call the Datadog external processor. You can attach the policy to a **Gateway** or to specific **HTTPRoute/GRPCRoute** resources. This sends **all traffic** on the selected Gateway to the external processor. @@ -202,7 +202,7 @@ spec: #### Cross‑namespace reference -If your external processor `Service` is in a **different namespace** than the policy, add a `ReferenceGrant` in the processor’s namespace. For example, you can do this with a manifest such as `datadog-allow-eep-extproc.yaml`. +If your external processor `Service` is in a **different namespace** than the policy, add a [ReferenceGrant][10] in the processor’s namespace. For example, you can do this with a manifest such as `datadog-allow-eep-extproc.yaml`. ```yaml apiVersion: gateway.networking.k8s.io/v1beta1 
@@ -233,18 +233,22 @@ After applying the policy, traffic through the targeted Gateway/Routes is inspec The Envoy Gateway integration has the following limitations: -* Inspection of request and response bodies is supported when using the Datadog External Processor image version `v2.2.2` or later. -* Configuring TLS (custom certificate and key) on the Datadog External Processor Docker image is supported starting from version `v2.4.0`. +* Observability mode (asynchronous analysis) is not available for Envoy Gateway. -For additional details on the Envoy Gateway integration compatibilities, refer to the [Envoy Gateway integration compatibility page][9]. +For additional details on the Envoy Gateway integration compatibilities, refer to the [Envoy Gateway integration compatibility page][11]. ## Further Reading {{< partial name="whats-next/whats-next.html" >}} -[1]: https://app.datadoghq.com/account/settings#agent -[2]: /agent/remote_config/?tab=helm#enabling-remote-configuration -[7]: /tracing/trace_collection/library_config/go/ -[8]: /security/application_security/policies/library_configuration/ -[Envoy Gateway]: https://gateway.envoyproxy.io/ -[9]: /security/application_security/setup/compatibility/envoy-gateway \ No newline at end of file +[1]: https://gateway.envoyproxy.io/docs/ +[2]: /containers/kubernetes/installation/?tab=datadogoperator +[3]: /agent/remote_config/?tab=helm#enabling-remote-configuration +[4]: /tracing/guide/setting_up_apm_with_kubernetes_service/?tab=datadogoperator +[5]: /tracing/guide/setting_up_apm_with_kubernetes_service/?tab=datadogoperator#cluster-agent-admission-controller +[6]: https://github.com/DataDog/dd-trace-go/pkgs/container/dd-trace-go%2Fservice-extensions-callout +[7]: https://github.com/DataDog/dd-trace-go +[8]: /tracing/trace_collection/library_config/go/ +[9]: /security/application_security/policies/library_configuration/ +[10]: https://gateway-api.sigs.k8s.io/api-types/referencegrant/ +[11]: 
/security/application_security/setup/compatibility/envoy-gateway \ No newline at end of file From be44df3e0c0b2b5bc80bbd4f41ac4073e3405332 Mon Sep 17 00:00:00 2001 From: Flavien Darche Date: Mon, 10 Nov 2025 14:42:37 +0100 Subject: [PATCH 3/8] add compat --- .../setup/compatibility/envoy-gateway.md | 55 +++++++++++++++++++ .../setup/compatibility/istio.md | 2 +- 2 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 content/en/security/application_security/setup/compatibility/envoy-gateway.md diff --git a/content/en/security/application_security/setup/compatibility/envoy-gateway.md b/content/en/security/application_security/setup/compatibility/envoy-gateway.md new file mode 100644 index 0000000000000..47ba83c063cdd --- /dev/null +++ b/content/en/security/application_security/setup/compatibility/envoy-gateway.md 
@@ -0,0 +1,55 @@ +--- +title: Envoy Gateway Compatibility Requirements +code_lang: envoy-gateway +type: multi-code-lang +code_lang_weight: 40 +--- + +The following table lists App and API Protection capabilities for the Envoy Gateway integration according to the specified Datadog External Processor image version: + +| App and API Protection capability | Minimum Datadog External Processor image version | +|------------------------------------------------|---------------------------------------------------| +| Threat Detection | v2.4.0 | +| Threat Protection | v2.4.0 | +| Customize response to blocked requests | v2.4.0 | +| Non blocking asynchronous mode (observability) | not supported | +| API Security | v2.4.0 | +| App and API Protection Standalone | v2.4.0 | +| Automatic user activity event tracking | not supported | + +### Body processing support + +The Datadog External Processor service supports the processing of request and response bodies for the following payload types: + +| Payload type | Minimum Datadog External Processor image version | +|--------------|---------------------------------------------------| +| JSON | v2.4.0 | + +## Envoy Gateway version support + +### Supported Envoy Gateway versions + +Envoy Gateway relies on Envoy Proxy and the Gateway API, and runs within a Kubernetes cluster. Datadog supports only non‑EOL Envoy Gateway versions; see the official [Envoy Gateway Compatibility Matrix][1] for the current list of supported versions and upstream dependencies (Envoy Proxy, Gateway API, Kubernetes). + + +### Envoy version support + +The Datadog Envoy integration for App and API Protection relies on features that might not be present in every Envoy version. The following table shows which Envoy versions support each feature. + +| Feature | Minimum Envoy version | +|---------|-----------------------| +| External Processing Filter | v1.27.0 | +| Observability mode | v1.30.0 | + +## Datadog Envoy Gateway integration support + +
The Datadog Envoy Gateway integration for App and API Protection is in Preview.
+ +Only the Linux version and both the amd64 and arm64 architectures are supported. + +
If you would like to see support added for any of +the unsupported capabilities, let us know! Fill out this short form to send +details.
+ +[1]: https://gateway.envoyproxy.io/news/releases/matrix/ diff --git a/content/en/security/application_security/setup/compatibility/istio.md b/content/en/security/application_security/setup/compatibility/istio.md index 01d15997a81eb..ccd8dade41993 100644 --- a/content/en/security/application_security/setup/compatibility/istio.md +++ b/content/en/security/application_security/setup/compatibility/istio.md @@ -29,7 +29,7 @@ The Datadog External Processor service supports the processing of request and re ### Supported Envoy Versions -Istio’s data plane is based on Envoy. The following table shows the relationship between Istio versions and their corresponding Envoy release branches: +Istio's data plane is based on Envoy. The following table shows the relationship between Istio versions and their corresponding Envoy release branches: | Istio version | Envoy release branch | |---------------|----------------------| From 50c953ab81eb39908ddce78a5d3161a7b8d648e5 Mon Sep 17 00:00:00 2001 From: Flavien Darche Date: Mon, 10 Nov 2025 14:46:37 +0100 Subject: [PATCH 4/8] update setup integrations --- content/en/security/application_security/setup/_index.md | 2 ++ .../en/security/application_security/setup/kubernetes/_index.md | 1 + 2 files changed, 3 insertions(+) diff --git a/content/en/security/application_security/setup/_index.md b/content/en/security/application_security/setup/_index.md index 2c8c4238d383a..15c5e527b07c5 100644 --- a/content/en/security/application_security/setup/_index.md +++ b/content/en/security/application_security/setup/_index.md 
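Review bot: The Envoy version table in this hunk lists `Observability mode | v1.30.0` as a supported feature, while the capability table above it marks `Non blocking asynchronous mode (observability)` as `not supported` and the setup page's Limitations section states the mode is not available for Envoy Gateway. Readers will take the row as a statement that observability mode works on Envoy 1.30+ through Envoy Gateway. Either drop that row or add a sentence under the table, for example `Observability mode requires Envoy v1.30.0 but is not currently exposed through the Envoy Gateway integration.` The closing paragraph's `Fill out this short form` also appears to have lost its link target in this hunk, which may be a rendering artifact but is worth checking.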
@@ -36,6 +36,7 @@ Learn how to enable App and API Protection on all the following supported platfo {{< appsec-integration name="NGINX" avatar="nginx" link="./nginx" >}} {{< appsec-integration name="Envoy" avatar="envoy" link="./envoy" >}} {{< appsec-integration name="Istio" avatar="istio" link="./istio" >}} + {{< appsec-integration name="Envoy Gateway" avatar="envoy" link="./envoy-gateway" >}} {{< /appsec-integrations >}} ## Hosts @@ -52,6 +53,7 @@ Learn how to enable App and API Protection on all the following supported platfo {{< appsec-integrations >}} {{< appsec-integration name="Kubernetes" avatar="kubernetes" link="./kubernetes" >}} {{< appsec-integration name="Istio" avatar="istio" link="./istio" >}} + {{< appsec-integration name="Envoy Gateway" avatar="envoy" link="./envoy-gateway" >}} {{< appsec-integration name="Gateway API" src="integrations_logos/gateway-api_avatar.svg" link="./gateway-api" >}} {{< /appsec-integrations >}} diff --git a/content/en/security/application_security/setup/kubernetes/_index.md b/content/en/security/application_security/setup/kubernetes/_index.md index b9e0919e316b1..38e509becf5c7 100644 --- a/content/en/security/application_security/setup/kubernetes/_index.md +++ b/content/en/security/application_security/setup/kubernetes/_index.md @@ -42,6 +42,7 @@ Learn how to set up App and API Protection (AAP) on your Kubernetes services by {{< appsec-integration name="NGINX" avatar="nginx" link="/security/application_security/setup/nginx/kubernetes" >}} {{< appsec-integration name="Envoy" avatar="envoy" link="/security/application_security/setup/envoy" >}} {{< appsec-integration name="Istio" avatar="istio" link="/security/application_security/setup/istio" >}} + {{< appsec-integration name="Envoy Gateway" avatar="envoy" link="/security/application_security/setup/envoy-gateway" >}} {{< /appsec-integrations >}} From b39e3bb5cb0decaffd4473d0f0d32ac53e9c37a6 Mon Sep 17 00:00:00 2001 
From: Flavien Darche Date: Mon, 10 Nov 2025 16:21:24 +0100 Subject: [PATCH 5/8] update doc version --- content/en/security/application_security/setup/envoy-gateway.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/security/application_security/setup/envoy-gateway.md b/content/en/security/application_security/setup/envoy-gateway.md index 7f58f53157447..562404dcfd44a 100644 --- a/content/en/security/application_security/setup/envoy-gateway.md +++ b/content/en/security/application_security/setup/envoy-gateway.md @@ -65,7 +65,7 @@ spec: spec: containers: - name: datadog-aap-extproc-container - image: ghcr.io/datadog/dd-trace-go/service-extensions-callout:v2.2.2 # Replace with the latest released version + image: ghcr.io/datadog/dd-trace-go/service-extensions-callout:v2.4.0 # Replace with the latest released version ports: - name: grpc containerPort: 443 # Default gRPC port for the external processor From 6700ea8138614e8b64e2792f854881638ce5286e Mon Sep 17 00:00:00 2001 From: Flavien Darche Date: Mon, 10 Nov 2025 16:29:07 +0100 Subject: [PATCH 6/8] update aap sections --- .../en/security/application_security/setup/_index.md | 2 -- .../application_security/setup/kubernetes/_index.md | 10 ++++++++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/content/en/security/application_security/setup/_index.md b/content/en/security/application_security/setup/_index.md index 15c5e527b07c5..898167d19f307 100644 --- a/content/en/security/application_security/setup/_index.md +++ b/content/en/security/application_security/setup/_index.md 
@@ -35,8 +35,6 @@ Learn how to enable App and API Protection on all the following supported platfo {{< appsec-integrations >}} {{< appsec-integration name="NGINX" avatar="nginx" link="./nginx" >}} {{< appsec-integration name="Envoy" avatar="envoy" link="./envoy" >}} - {{< appsec-integration name="Istio" avatar="istio" link="./istio" >}} - {{< appsec-integration name="Envoy Gateway" avatar="envoy" link="./envoy-gateway" >}} {{< /appsec-integrations >}} ## Hosts diff --git a/content/en/security/application_security/setup/kubernetes/_index.md b/content/en/security/application_security/setup/kubernetes/_index.md index 38e509becf5c7..df1249f9f0c4a 100644 --- a/content/en/security/application_security/setup/kubernetes/_index.md +++ b/content/en/security/application_security/setup/kubernetes/_index.md @@ -26,6 +26,14 @@ Learn how to set up App and API Protection (AAP) on your Kubernetes services by Send us a request for your missing environment here. +{{< appsec-integrations >}} + {{< appsec-integration name="Istio" avatar="istio" link="/security/application_security/setup/istio" >}} + {{< appsec-integration name="Envoy Gateway" avatar="envoy" link="/security/application_security/setup/envoy-gateway" >}} + {{< appsec-integration name="Gateway API" src="integrations_logos/gateway-api_avatar.svg" link="/security/application_security/setup/gateway-api" >}} +{{< /appsec-integrations >}} + +## Languages + {{< appsec-integrations >}} {{< appsec-integration name="Python" avatar="python" link="/security/application_security/setup/python/kubernetes" >}} {{< appsec-integration name="Node.js" avatar="node" link="/security/application_security/setup/nodejs/kubernetes" >}} 
@@ -41,8 +49,6 @@ Learn how to set up App and API Protection (AAP) on your Kubernetes services by {{< appsec-integrations >}} {{< appsec-integration name="NGINX" avatar="nginx" link="/security/application_security/setup/nginx/kubernetes" >}} {{< appsec-integration name="Envoy" avatar="envoy" link="/security/application_security/setup/envoy" >}} - {{< appsec-integration name="Istio" avatar="istio" link="/security/application_security/setup/istio" >}} - {{< appsec-integration name="Envoy Gateway" avatar="envoy" link="/security/application_security/setup/envoy-gateway" >}} {{< /appsec-integrations >}} From 71b64037440ccff674840e107e8b314b0384ed79 Mon Sep 17 00:00:00 2001 From: Flavien Darche Date: Mon, 10 Nov 2025 17:05:31 +0100 Subject: [PATCH 7/8] fix some file naming --- .../application_security/setup/envoy-gateway.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/content/en/security/application_security/setup/envoy-gateway.md b/content/en/security/application_security/setup/envoy-gateway.md index 562404dcfd44a..0c2a7ca477c7f 100644 --- a/content/en/security/application_security/setup/envoy-gateway.md +++ b/content/en/security/application_security/setup/envoy-gateway.md 
@@ -149,15 +149,15 @@ The External Processor is built on top of the [Datadog Go Tracer][7] and inherit ### 2. Configure an EnvoyExtensionPolicy -Use an `EnvoyExtensionPolicy` to instruct Envoy Gateway to call the Datadog external processor. You can attach the policy to a **Gateway** or to specific **HTTPRoute/GRPCRoute** resources. +Use an `EnvoyExtensionPolicy` to instruct Envoy Gateway to call the Datadog external processor. You can attach the policy to a Gateway or to specific HTTPRoute/GRPCRoute resources. -This sends **all traffic** on the selected Gateway to the external processor. +This sends all traffic on the selected Gateway to the external processor. Here is an example manifest (`datadog-aap-extproc-eep.yaml`): ```yaml apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyExtensionPolicy metadata: - name: datadog-aap-extproc-eg + name: datadog-aap-extproc-eep namespace: # same namespace as the Gateway spec: targetRefs: @@ -202,13 +202,13 @@ spec: #### Cross‑namespace reference -If your external processor `Service` is in a **different namespace** than the policy, add a [ReferenceGrant][10] in the processor’s namespace. For example, you can do this with a manifest such as `datadog-allow-eep-extproc.yaml`. +If your external processor `Service` is in a **different namespace** than the policy, add a [ReferenceGrant][10] in the processor’s namespace. For example, you can do this with a manifest such as `datadog-aap-eep-rg.yaml`. ```yaml apiVersion: gateway.networking.k8s.io/v1beta1 kind: ReferenceGrant metadata: - name: datadog-allow-eep-extproc + name: datadog-aap-eep-rg namespace: # namespace of the external processor Service spec: from: From bc36f388812fdb83bd0fc9ca5a8108d2f827cf54 Mon Sep 17 00:00:00 2001 
From: Michael Cretzman <58786311+michaelcretzman@users.noreply.github.com> Date: Mon, 10 Nov 2025 14:26:58 -0800 Subject: [PATCH 8/8] Apply suggestions from code review incorp minor edits --- .../application_security/setup/envoy-gateway.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/content/en/security/application_security/setup/envoy-gateway.md b/content/en/security/application_security/setup/envoy-gateway.md index 0c2a7ca477c7f..b79d9e180e0ca 100644 --- a/content/en/security/application_security/setup/envoy-gateway.md +++ b/content/en/security/application_security/setup/envoy-gateway.md @@ -5,7 +5,7 @@ code_lang_weight: 50 further_reading: - link: 'https://github.com/DataDog/dd-trace-go/tree/main/contrib/envoyproxy/go-control-plane/cmd/serviceextensions' tag: "Source Code" - text: "Envoy integration's source code" + text: "Envoy integration source code" - link: "/security/default_rules/?category=cat-application-security" tag: "Documentation" text: "OOTB App and API Protection Rules" @@ -15,7 +15,7 @@ further_reading: --- {{< callout url="#" btn_hidden="true" header="App and API Protection for Envoy Gateway is in Preview" >}} -To try the preview of App and API Protection for Envoy Gateway, use the following setup instructions. +App and API Protection for Envoy Gateway is in Preview. Use the following instructions to try the preview. {{< /callout >}} You can enable Datadog App and API Protection for traffic managed by [Envoy Gateway][1]. The Datadog Envoy Gateway integration allows Datadog to inspect and protect your traffic for threat detection and blocking directly at the edge of your infrastructure. 
@@ -25,15 +25,15 @@ You can enable Datadog App and API Protection for traffic managed by [Envoy Gate 1. A running Kubernetes cluster with [Envoy Gateway][1] installed. 2. The [Datadog Agent is installed and configured][2] in your Kubernetes cluster. - Ensure [Remote Configuration][3] is enabled and configured to enable blocking attackers through the Datadog UI. - - Ensure [APM is enabled][4] in the Agent. *This allows the external processor service to send its own traces to the Agent.* + - Ensure [APM is enabled][4] in the Agent to allow the external processor service to send its own traces to the Agent. - Optionally, enable the [Cluster Agent Admission Controller][5] to automatically inject the Datadog Agent host information to the App and API Protection External Processor service. ## Enabling threat detection -Enabling App and API Protection with Envoy Gateway involves two steps: +To enable App and API Protection with Envoy Gateway, do the following: 1. Deploying the Datadog External Processor service in your cluster. -2. Configuring an `EnvoyExtensionPolicy` that points to the processor service to direct traffic from your Envoy Gateway to this service. +2. Configure an `EnvoyExtensionPolicy` that points to the processor service. This will direct traffic from your Envoy Gateway to this service. ### 1. Deploy the Datadog External Processor service 
@@ -129,8 +129,8 @@ The Datadog External Processor exposes some settings: | `DD_SERVICE_EXTENSION_HEALTHCHECK_PORT` | `80` | HTTP server port for health checks. | | `DD_SERVICE_EXTENSION_TLS` | `true` | Enable the gRPC TLS layer. | | `DD_SERVICE_EXTENSION_TLS_KEY_FILE` | `localhost.key` | Change the default gRPC TLS layer key. | -| `DD_SERVICE_EXTENSION_TLS_CERT_FILE` | `localhost.crt` | Change the default gRPC TLS layer cert. | -| `DD_APPSEC_BODY_PARSING_SIZE_LIMIT` | `10485760` | Maximum size of the bodies to be processed in bytes. If set to `0`, the bodies are not processed. The recommended value is `10485760` (10MB). (To fully enable body processing, the `allowModeOverride` option should also be set in the External Processing filter configuration) | +| `DD_SERVICE_EXTENSION_TLS_CERT_FILE` | `localhost.crt` | Change the default gRPC TLS layer certificate. | +| `DD_APPSEC_BODY_PARSING_SIZE_LIMIT` | `10485760` | Maximum size of the bodies to be processed in bytes. If set to `0`, the bodies are not processed. The recommended value is `10485760` (10MB). (To fully enable body processing, the `allowModeOverride` option should also be set in the External Processing filter configuration.) | | `DD_SERVICE` | `serviceextensions` | Service name shown in the Datadog UI. |