Enabling App and API Protection for Google Cloud Run

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!
AAP support for Google Cloud Run is in Preview.

How it works

The serverless-init application wraps your process and executes it as a subprocess. It starts a DogStatsD listener for metrics and a Trace Agent listener for traces. It collects logs by wrapping the stdout/stderr streams of your application. After bootstrapping, serverless-init then launches your command as a subprocess.

To get full instrumentation, ensure you are calling datadog-init as the first command that runs inside your Docker container. You can do this by setting it as the entrypoint, or by setting it as the first argument in CMD.

Compatibility

Google Cloud Run support for App and API Protection serverless is in Preview.
**Note**: Threat Protection through Remote Configuration is not supported. Use [Workflows][5] to block IPs in your [WAF][6].

Get started

Manually install the Ruby tracer before you deploy your application. See the example application.

Add the following instructions and arguments to your Dockerfile.

COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init
ENV DD_SERVICE=datadog-demo-run-ruby
ENV DD_ENV=datadog-demo
ENV DD_VERSION=1
ENV DD_APPSEC_ENABLED=1
ENV DD_TRACE_PROPAGATION_STYLE=datadog
ENTRYPOINT ["/app/datadog-init"]
CMD ["rails", "server", "-b", "0.0.0.0"]

Explanation

  1. Copy the Datadog serverless-init into your Docker image.

    COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init

  2. (Optional) add Datadog tags

    ENV DD_SERVICE=datadog-demo-run-ruby
ENV DD_ENV=datadog-demo
ENV DD_APPSEC_ENABLED=1
ENV DD_VERSION=1

  3. This environment variable is needed for trace propagation to work properly in Cloud Run. Ensure that you set this variable for all Datadog-instrumented downstream services.

    ENV DD_TRACE_PROPAGATION_STYLE=datadog

  4. Change the entrypoint to wrap your application in the Datadog serverless-init process. Note: If you already have an entrypoint defined inside your Dockerfile, see the alternative configuration.

    ENTRYPOINT ["/app/datadog-init"]

  5. Execute your binary application wrapped in the entrypoint. Adapt this line to your needs.

    CMD ["rails", "server", "-b", "0.0.0.0"]

Alternative configuration

If you already have an entrypoint defined inside your Dockerfile, you can instead modify the CMD argument.

COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init
ENV DD_SERVICE=datadog-demo-run-ruby
ENV DD_ENV=datadog-demo
ENV DD_VERSION=1
ENV DD_APPSEC_ENABLED=1
ENV DD_TRACE_PROPAGATION_STYLE=datadog
CMD ["/app/datadog-init", "rails", "server", "-b", "0.0.0.0"]

If you require your entrypoint to be instrumented as well, you can swap your entrypoint and CMD arguments instead. For more information, see How serverless-init works.

COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init
ENV DD_SERVICE=datadog-demo-run-ruby
ENV DD_ENV=datadog-demo
ENV DD_VERSION=1
ENV DD_APPSEC_ENABLED=1
ENV DD_TRACE_PROPAGATION_STYLE=datadog
ENTRYPOINT ["/app/datadog-init"]
CMD ["your_entrypoint.sh", "rails", "server", "-b", "0.0.0.0"]

As long as your command to run is passed as an argument to datadog-init, you will receive full instrumentation.

Further reading

Más enlaces, artículos y documentación útiles:

How App and API Protection WorksDOCUMENTATION more more OOTB App and API Protection RulesDOCUMENTATION more more Troubleshooting App and API ProtectionDOCUMENTATION more more App and API ProtectionDOCUMENTATION more more Datadog Security extends compliance and threat protection capabilities for Google CloudBLOG more more
PREVIEWING: julio.guerra/aap-setup-page-grid