Commit 17f5509

Add AAP to the Envoy integration
1 parent df33680 commit 17f5509

2 files changed

+46
-0
lines changed

envoy/README.md

Lines changed: 45 additions & 0 deletions
@@ -170,6 +170,48 @@ Collecting logs is disabled by default in the Datadog Agent. To enable it, see [
170170

171171
[Run the Agent's status subcommand][13] and look for `envoy` under the Checks section.
172172

173+
## Security
174+
175+
### Overview
176+
177+
[Datadog App & API Protection][30] extends visibility and inline threat mitigation to your Envoy proxy instance.
178+
179+
With this integration, you can detect and block attacks such as API abuse, business logic exploitation, and code layer threats directly at the edge of your cloud infrastructure.
180+
181+
Key Benefits:
182+
- **Inline threat detection and blocking** at the load balancer using Datadog Security Signals
183+
- **Real-time insights** into application-layer attacks with traces and logs in one unified view
184+
- **Edge enforcement** against OWASP API threats, credential stuffing, injection attacks, and more
185+
186+
### Installation
187+
188+
The installation process requires a different approach than enabling this integration.
189+
190+
#### Envoy
191+
192+
The installation instructions are available in the [Enabling App & API Protection for Envoy][31] documentation.
193+
194+
#### Istio
195+
196+
The installation instructions are available in the [Enabling App and API Protection for Istio][32] documentation.
197+
198+
### Validation
199+
200+
To validate App & API Protection threat detection, send known attack patterns to your Envoy instance. For example, you can trigger the Security Scanner Detected rule by running the following curl script:
201+
202+
```sh
203+
for ((i=1;i<=250;i++));
204+
do
205+
# Target existing service's routes
206+
curl https://your-envoy-url/existing-route -A dd-test-scanner-log;
207+
208+
# Target non existing service's routes
209+
curl https://your-envoy-url/non-existing-route -A dd-test-scanner-log;
210+
done
211+
```
212+
213+
A few minutes after enabling the App & API Protection for Envoy and sending known attack patterns, threat information will appear in the Application Signals Explorer.
214+
173215
## Data Collected
174216

175217
### Metrics
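Review bot: The validation snippet is fenced as `sh`, but `for ((i=1;i<=250;i++));` is a bash arithmetic loop and fails under a strictly POSIX `/bin/sh` such as dash. Tag the fence `bash` so readers run it in the right shell. Consider adding `-s -o /dev/null` to both curl calls, since the loop issues 500 requests and prints every response body. Two wording points in the same section: the Istio link text says "App and API Protection" while the rest of the section uses "App & API Protection", and "The installation process requires a different approach than enabling this integration" does not say what differs, so a short clause pointing at the linked setup guides would help.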
@@ -215,3 +257,6 @@ Need help? Contact [Datadog support][16].
215257
[16]: https://docs.datadoghq.com/help/
216258
[17]: https://docs.datadoghq.com/integrations/openmetrics/
217259
[18]: https://github.com/DataDog/integrations-core/blob/7.33.x/envoy/datadog_checks/envoy/data/conf.yaml.example
260+
[30]: https://docs.datadoghq.com/security/application_security/
261+
[31]: https://docs.datadoghq.com/security/application_security/setup/standalone/envoy/
262+
[32]: https://docs.datadoghq.com/security/application_security/setup/standalone/istio/
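Review bot: The new link references jump from `[18]` to `[30]`, leaving `[19]` through `[29]` unused at the end of the reference list. If that gap is not reserved for something else, number them `[19]`, `[20]` and `[21]` and update the three uses in the Security section, so the list stays sequential and a later contributor does not collide with these numbers.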

envoy/manifest.json

Lines changed: 1 addition & 0 deletions
@@ -18,6 +18,7 @@
1818
"Supported OS::Windows",
1919
"Supported OS::macOS",
2020
"Category::Network",
21+
"Category::Security",
2122
"Submitted Data Type::Metrics",
2223
"Submitted Data Type::Logs",
2324
"Offering::Integration"
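Review bot: `"Category::Security"` is added to the tile's classifier tags, but the README section added in this commit says App & API Protection is set up separately ("The installation process requires a different approach than enabling this integration"), and the submitted data types listed here remain Metrics and Logs. Worth confirming that the category is meant to apply to the integration tile itself, and mentioning the manifest change in the commit message, which currently does not cover it.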
