DataDog · michaelcretzman · Feb 21, 2025 · Dec 27, 2024 · Feb 7, 2025 · Feb 7, 2025
@@ -125,10 +125,7 @@ code_language_ids:
     notebooks_legacy: "Notebooks (Legacy)"
     notebooks_new: "Notebooks (New)"
     envoy: "Envoy"
-    httpd: "Apache HTTP Server"
-    istio: "Istio"
-    kong: "Kong"
-    nginx: "NGINX"
+    gcp-service-extensions: "GCP Service Extensions"
 branch: ""
 
 signupclass: sign-up-trigger

@@ -0,0 +1,33 @@
+---
+title: Envoy Compatibility Requirements
+code_lang: envoy
+type: multi-code-lang
+code_lang_weight: 40
+---
+
+The following table lists the support for application security capabilities in the Envoy integration according to the specified tracer version:
+
+| Application Security capability        | Minimum Envoy image version  |
+|----------------------------------------|------------------------------|
+| Threat Detection                       | 1.71.0                       |
+| Threat Protection                      | 1.71.0                       |
+| Customize response to blocked requests | 1.71.0                       |
+| Software Composition Analysis (SCA)    | not applicable               |
+| Code Security                          | not applicable               |
+| Automatic user activity event tracking | not supported                |
+| API Security                           | not supported                |
+
+Please review Envoy integration version 1.71.0 [limitations][1].
+
+## Envoy support
+
+Envoy integration is in Preview.
+
+Only the Linux version and both the arm64 and arm64 architectures are supported.
+
+<div class="alert alert-info">If you would like to see support added for any of
+the unsupported capabilities, let us know! Fill out <a
+href="https://forms.gle/gHrxGQMEnAobukfn7">this short form to send
+details</a>.</div>
+
+[1]: /security/application_security/threats/setup/threat_detection/envoy
@@ -0,0 +1,31 @@
+---
+title: ASM GCP Service Extensions Compatibility Requirements
+code_lang: gcp-service-extensions
+type: multi-code-lang
+code_lang_weight: 40
+---
+
+The following table lists the support for application security capabilities in the ASM GCP Service Extensions according to the specified version:
+
+| Application Security capability        | Minimum ASM Service Extensions image version  |
+|----------------------------------------|----------------------------------------------|
+| Threat Detection                       | 1.71.0                                       |
+| Threat Protection                      | 1.71.0                                       |
+| Customize response to blocked requests | 1.71.0                                       |
+| Software Composition Analysis (SCA)    | not applicable                               |
+| Code Security                          | not applicable                               |
+| Automatic user activity event tracking | not supported                                |
+| API Security                           | not supported                                |
+
+Please review ASM GCP Service Extensions integration version 1.71.0 [limitations][1].
+
+## ASM GCP Service Extensions support
+
+ASM GCP Service Extensions is in Preview.
+
+<div class="alert alert-info">If you would like to see support added for any of
+the unsupported capabilities, let us know! Fill out <a
+href="https://forms.gle/gHrxGQMEnAobukfn7">this short form to send
+details</a>.</div>
+
+[1]: /security/application_security/threats/setup/threat_detection/gcp-service-extensions
@@ -0,0 +1,118 @@
+---
+title: Enabling ASM for Envoy
+code_lang: envoy
+type: multi-code-lang
+code_lang_weight: 50
+further_reading:
+    - link: 'https://github.com/DataDog/dd-trace-go/tree/main/contrib/envoyproxy/go-control-plane/cmd/serviceextensions'
+      tag: "Source Code"
+      text: "Envoy integration's source code"
+    - link: "/security/default_rules/?category=cat-application-security"
+      tag: "Documentation"
+      text: "OOTB Application Security Management Rules"
+    - link: "/security/application_security/troubleshooting"
+      tag: "Documentation"
+      text: "Troubleshooting Application Security Management"
+---
+
+{{< callout url="#" btn_hidden="true" header="ASM for Envoy is in Preview" >}}
+To try the preview of ASM for Envoy, follow the setup instructions below.
+{{< /callout >}}
+
+You can enable application security for the Envoy proxy. The Datadog Envoy integration has support for threat detection and blocking.
+
+## Prerequisites
+
+- The [Datadog Agent][1] is installed and configured for your application's operating system or container, cloud, or virtual environment.
+- [Configure the Agent with Remote Configuration][2] to block attackers using the Datadog UI.
+
+## Enabling threat detection
+### Get started
+
+The ASM Envoy integration uses the Envoy external processing filter.
+
+1. **Configure Envoy** to use the [external processing filter][3].
+For example:
+
+   ```yaml
+   http_filters:
+     # ... other filters
+     - name: envoy.filters.http.ext_proc
+       typed_config:
+         "@type": type.googleapis.com/envoy.extensions.filters.http.ext_proc.v3.ExternalProcessor
+         config:
+           grpc_service:
+             envoy_grpc:
+               cluster_name: datadog_ext_proc_cluster
+               timeout: 1s
+
+   clusters:
+       # ... other clusters
+       - name: datadog_ext_proc_cluster
+         type: STRICT_DNS
+         lb_policy: ROUND_ROBIN
+         http2_protocol_options: {}
+         transport_socket:
+           name: envoy.transport_sockets.tls
+           typed_config:
+             "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+         load_assignment:
+           cluster_name: datadog_ext_proc_cluster
+           endpoints:
+             - lb_endpoints:
+                 - endpoint:
+                     address:
+                       socket_address:
+                         address: Your Datadog image host from step 2
+                         port_value: 443
+   ```
+
+    **Note**: you need to replace `Your Datadog image host from step 2` in the above example with the host where the Datadog Envoy docker image is running. You will configure this host next.
+
+    You can find more configuration options available in the [Envoy external processor documentation][4].
+
+2. **Run a new container with the Datadog Envoy Docker image.** The image is available on the [Datadog GitHub Registry][5].
+
+   The Docker image exposes some settings specifically for the Envoy integration:
+   | Environment variable                   | Default value   | Description                                                       |
+   |----------------------------------------|-----------------|-------------------------------------------------------------------|
+   | `DD_SERVICE_EXTENSION_HOST`            | `0.0.0.0`       | gRPC server listening address.                                    |
+   | `DD_SERVICE_EXTENSION_PORT`            | `443`           | gRPC server port.                                                 |
+   | `DD_SERVICE_EXTENSION_HEALTHCHECK_PORT`| `80`            | HTTP server port for health checks.                               |
+
+   Configure the Datadog Agent to receive traces from the integration using the following environment variables:
+   | Environment variable                   | Default value | Description                                                           |
+   |----------------------------------------|---------------|-----------------------------------------------------------------------|
+   | `DD_AGENT_HOST`                        | `localhost`   | Hostname where your Datadog Agent is running.                         |
+   | `DD_TRACE_AGENT_PORT`                  | `8126`        | Port of the Datadog Agent for trace collection.                       |
+
+{{% appsec-getstarted-2-plusrisk %}}
+
+{{< img src="/security/application_security/appsec-getstarted-threat-and-vuln_2.mp4" alt="Video showing Signals explorer and details, and Vulnerabilities explorer and details." video="true" >}}
+
+## Datadog Go Tracer and Envoy integration
+
+  <div class="alert alert-warning">
+    <strong>Note:</strong> The ASM Envoy integration is built on top of the Datadog Go Tracer. It follows the same release process as the tracer, and its Docker images are tagged with the corresponding tracer version.
+  </div>
+
+  The Envoy integration uses the [Datadog Go Tracer][6] and inherits all environment variables from the tracer. You can find more information in [Configuring the Go Tracing Library][7] and [ASM Library Configuration][8].
+
+## Limitations
+
+The available functionality for Envoy version `1.71.0` has the following important limitations:
+
+* The request body is not inspected, regardless of its content type.
+
+## Further Reading
+
+{{< partial name="whats-next/whats-next.html" >}}
+
+[1]: https://app.datadoghq.com/account/settings#agent
+[2]: https://docs.datadoghq.com/agent/remote_config/?tab=configurationyamlfile#enabling-remote-configuration
+[3]: https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/ext_proc_filter
+[4]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto#extensions-filters-http-ext-proc-v3-externalprocessor
+[5]: https://github.com/DataDog/dd-trace-go/pkgs/container/dd-trace-go%2Fservice-extensions-callout
+[6]: https://github.com/DataDog/dd-trace-go
+[7]: https://docs.datadoghq.com/tracing/trace_collection/library_config/go/
+[8]: https://docs.datadoghq.com/security/application_security/threats/library_configuration/
@@ -0,0 +1,119 @@
+---
+title: Enabling ASM for GCP Service Extensions
+code_lang: gcp-service-extensions
+type: multi-code-lang
+code_lang_weight: 50
+further_reading:
+    - link: 'https://github.com/DataDog/dd-trace-go/tree/main/contrib/envoyproxy/go-control-plane/cmd/serviceextensions'
+      tag: "Source Code"
+      text: "ASM Service Extension's source code"
+    - link: 'https://cloud.google.com/service-extensions/docs/overview'
+      tag: "Documentation"
+      text: "Google Cloud Service Extensions overview"
+    - link: "/security/default_rules/?category=cat-application-security"
+      tag: "Documentation"
+      text: "OOTB Application Security Management Rules"
+    - link: "/security/application_security/troubleshooting"
+      tag: "Documentation"
+      text: "Troubleshooting Application Security Management"
+---
+
+{{< callout url="#" btn_hidden="true" header="ASM Service Extensions is in Preview" >}}
+To try the preview of ASM Service Extensions for GCP, follow the setup instructions below.
+{{< /callout >}}
+
+You can enable application security with GCP Service Extensions within GCP Cloud Load Balancing. The Datadog Application Security Management (ASM) Service Extensions integration has support for threat detection and blocking.
+
+## Prerequisites
+
+- The [Datadog Agent][1] is installed and configured for your application's operating system or container, cloud, or virtual environment.
+- [Configure the Agent with Remote Configuration][2] to block attackers using the Datadog UI.
+- In your GCP project, verify that you have either the project `owner` or `editor` role, or the relevant Compute Engine IAM roles: `compute.instanceAdmin.v1` (to spin up instances) and `compute.networkAdmin` (to set up load balancing).
+- A GCP project with a Cloud Load Balancer configured with your services. Your Cloud Load Balancer must be one of the [Application Load Balancers that supports Traffic Callouts][3].
+- Ensure that the Compute Engine API and Network Services API are enabled:
+
+  ```bash
+  gcloud services enable compute.googleapis.com networkservices.googleapis.com
+  ```
+
+## Enabling threat detection
+### Get started
+
+On your GCP project, multiple steps are needed to fully create a Service Extension. Google Cloud provides guides to create [a callout backend service][4] and [create a Service Extension as a traffic extension][5].
+
+To integrate a Service Extension with ASM, do the following:
+
+1. **Create a new VM Compute instance** using the Datadog Service Extensions Docker image. The image is available on the [Datadog Go tracer GitHub Registry][6].
+
+   The Docker image exposes some settings:
+   | Environment variable                   | Default value   | Description                                                       |
+   |----------------------------------------|-----------------|-------------------------------------------------------------------|
+   | `DD_SERVICE_EXTENSION_HOST`            | `0.0.0.0`       | gRPC server listening address.                                    |
+   | `DD_SERVICE_EXTENSION_PORT`            | `443`           | gRPC server port.                                                 |
+   | `DD_SERVICE_EXTENSION_HEALTHCHECK_PORT`| `80`            | HTTP server port for health checks.                               |
+
+   Configure the Datadog Agent to receive traces from the integration using the following environment variables:
+   | Environment variable                   | Default value | Description                                                           |
+   |----------------------------------------|---------------|-----------------------------------------------------------------------|
+   | `DD_AGENT_HOST`                        | `localhost`   | Hostname where your Datadog Agent is running.                         |
+   | `DD_TRACE_AGENT_PORT`                  | `8126`        | Port of the Datadog Agent for trace collection.                       |
+
+2. **Add the VM to an unmanaged instance group.**
+
+   Specify `http:80` and `grpc:443` (or any other previously configured values) for the port mappings of the instance group.
+
+3. **Update the load balancer by creating a backend service and adding a backend.**
+
+   Create a callout backend service that uses the HTTP/2 protocol and has an HTTP health check:
+   - Protocol: `HTTP2`
+   - Port name: `grpc`
+   - Region: `us-west1`
+   - Health check port number: `80` (or any other previously configured value)
+
+   1. Add the instance group with the extension server as a backend to the backend service.
+
+   2. Create a Traffic Service Extension callout.
+
+      1. In the Google Cloud console, go to **Service Extensions** and create a new Service Extension.
+      2. Select your load balancer type.
+      3. Select `Traffic extensions` as the type.
+      4. Select your forwarding rules.  
+    </br>
+   3. When creating a new Extension Chain, do the following:
+
+      1. To send all traffic to the extension, insert `true` in the **Match condition**.
+      2. For **Programability type**, select `Callouts`.
+      3. Select the backend service you created in the previous step.
+      4. Select all **Events** from the list where you want ASM to run detection.</br>
+</br>
+{{% appsec-getstarted-2-plusrisk %}}
+
+{{< img src="/security/application_security/appsec-getstarted-threat-and-vuln_2.mp4" alt="Video showing Signals explorer and details, and Vulnerabilities explorer and details." video="true" >}}
+
+## Datadog Go tracer and GCP Service Extensions
+
+  <div class="alert alert-warning">
+    <strong>Note:</strong> The GCP Service Extensions integration is built on top of the Datadog Go Tracer. It follows the same release process as the tracer, and its Docker images are tagged with the corresponding tracer version.
+  </div>
+
+  The GCP Service Extensions integration uses the [Datadog Go Tracer][7] and inherits all environment variables from the tracer. You can find more information in [Configuring the Go Tracing Library][8] and [ASM Library Configuration][9].
+
+## Limitations
+
+The available functionality for GCP Service Extensions version `1.71.0` has the following important limitations:
+
+* The request body is not inspected, regardless of its content type.
+
+## Further Reading
+
+{{< partial name="whats-next/whats-next.html" >}}
+
+[1]: https://app.datadoghq.com/account/settings#agent
+[2]: https://docs.datadoghq.com/agent/remote_config/?tab=configurationyamlfile#enabling-remote-configuration
+[3]: https://cloud.google.com/service-extensions/docs/lb-extensions-overview#supported-lbs
+[4]: https://cloud.google.com/service-extensions/docs/configure-callout-backend-service
+[5]: https://cloud.google.com/service-extensions/docs/configure-traffic-extensions
+[6]: https://github.com/DataDog/dd-trace-go/pkgs/container/dd-trace-go%2Fservice-extensions-callout
+[7]: https://github.com/DataDog/dd-trace-go
+[8]: https://docs.datadoghq.com/tracing/trace_collection/library_config/go/
+[9]: https://docs.datadoghq.com/security/application_security/threats/library_configuration/
@@ -58,6 +58,20 @@
           </div>
         </a>
       </div>
+      <div class="col">
+        <a class="card h-100" href="envoy">
+          <div class="card-body text-center py-2 px-1">
+            {{ partial "img.html" (dict "root" . "src" "integrations_logos/envoy.png" "class" "img-fluid" "alt" "envoy" "width" "400") }}
+          </div>
+        </a>
+      </div>
+      <div class="col">
+        <a class="card h-100" href="gcp-service-extensions">
+          <div class="card-body text-center py-2 px-1">
+            {{ partial "img.html" (dict "root" . "src" "integrations_logos/google_cloud_platform.png" "class" "img-fluid" "alt" "GCP Service Extensions" "width" "400") }}
+          </div>
+        </a>
+      </div>
       </div>
     </div>
   </div>

@@ -1,12 +1,12 @@
-   After this configuration is complete, the library collects security data from your application and sends it to the Agent, which sends it to Datadog, where [out-of-the-box detection rules][202] flag attacker techniques and potential misconfigurations so you can take steps to remediate. 
+   After this configuration is complete, the library collects security data from your application and sends it to the Agent. The Agent sends the data to Datadog, where [out-of-the-box detection rules][202] flag attacker techniques and potential misconfigurations so you can take steps to remediate. 
 
-3.  **To see Application Security Management threat detection in action, send known attack patterns to your application**. For example, trigger the [Security Scanner Detected][203] rule by running a file that contains the following curl script:
+1.  To see Application Security Management threat detection in action, send known attack patterns to your application. For example, trigger the [Security Scanner Detected][203] rule by running a file that contains the following curl script:
     <div>
     <pre><code>for ((i=1;i<=250;i++)); <br>do<br># Target existing service’s routes<br>curl https://your-application-url/existing-route -A dd-test-scanner-log;<br># Target non existing service’s routes<br>curl https://your-application-url/non-existing-route -A dd-test-scanner-log;<br>done</code></pre></div>
 
     **Note**: The `dd-test-scanner-log` value is supported in the most recent releases.
 
-    A few minutes after you enable your application and exercise it, **threat information appears in the [Application Signals Explorer][201]** and **vulnerability information appears in the [Vulnerability Explorer][204]**.
+    A few minutes after you enable your application and send known attack patterns to it, threat information appears in the [Application Signals Explorer][201] and vulnerability information appears in the [Vulnerability Explorer][204].
 
 [201]: https://app.datadoghq.com/security/appsec
 [202]: /security/default_rules/#cat-application-security