This check collects distributed system observability metrics from Envoy.
Datadog App and API Protection extends visibility and inline threat mitigation to your Envoy proxy instance.
With this integration, you can detect and block attacks such as API abuse, business logic exploitation, and code layer threats directly at the edge of your cloud infrastructure.
Key Benefits:
- Inline threat detection and blocking at the load balancer using Datadog Security Signals
- Real-time insights into application-layer attacks with traces and logs in one unified view
- Edge enforcement against OWASP API threats, credential stuffing, injection attacks, and more
To learn more about securing your APIs via Envoy, see the Datadog blog post.
Minimum Agent version: 6.1.0
The Envoy check is included in the Datadog Agent package, so you don't need to install anything else on your server.
If you are using Envoy as part of Istio, configure the Envoy integration to collect metrics from the Istio proxy metrics endpoint.
```yaml
instances:
  - openmetrics_endpoint: localhost:15090/stats/prometheus
```

There are two ways to set up the /stats endpoint:
Here's an example Envoy admin configuration:
```yaml
admin:
  access_log_path: "/dev/null"
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 8001
```

Binding the admin interface to 0.0.0.0 as above exposes the whole admin API, not only /stats, to anything that can reach port 8001. The second option limits what is reachable: create a listener/vhost that routes to the admin endpoint (Envoy connecting to itself), but only has a route for /stats; all other routes get a static/error response. Additionally, this allows nice integration with L3 filters for auth, for example.
Here's an example config from envoy_secured_stats_config.json:
```yaml
admin:
  access_log_path: /dev/null
  address:
    socket_address:
      protocol: TCP
      address: 127.0.0.1
      port_value: 8081
static_resources:
  listeners:
    - address:
        socket_address:
          protocol: TCP
          address: 0.0.0.0
          port_value: 80
      filter_chains:
        - filters:
            - name: envoy.http_connection_manager
              config:
                codec_type: AUTO
                stat_prefix: ingress_http
                route_config:
                  virtual_hosts:
                    - name: backend
                      domains:
                        - "*"
                      routes:
                        - match:
                            prefix: /stats
                          route:
                            cluster: service_stats
                http_filters:
                  - name: envoy.router
                    config:
  clusters:
    - name: service_stats
      connect_timeout: 0.250s
      type: LOGICAL_DNS
      lb_policy: ROUND_ROBIN
      hosts:
        - socket_address:
            protocol: TCP
            address: 127.0.0.1
            # Must match the admin port_value above, otherwise /stats routes nowhere
            port_value: 8081
```

To configure this check for an Agent running on a host:
- Edit the envoy.d/conf.yaml file, in the conf.d/ folder at the root of your Agent's configuration directory, to start collecting your Envoy performance data. See the sample envoy.d/conf.yaml for all available configuration options.

  ```yaml
  init_config:

  instances:
      ## @param openmetrics_endpoint - string - required
      ## The URL exposing metrics in the OpenMetrics format.
      #
    - openmetrics_endpoint: http://localhost:8001/stats/prometheus
  ```
- Check if the Datadog Agent can access Envoy's admin endpoint.
Available for Agent versions >6.0
- Collecting logs is disabled by default in the Datadog Agent; enable it in your datadog.yaml file:

  ```yaml
  logs_enabled: true
  ```
- Next, edit envoy.d/conf.yaml by uncommenting the logs lines at the bottom. Update the logs path with the correct path to your Envoy log files.

  ```yaml
  logs:
    - type: file
      path: /var/log/envoy.log
      source: envoy
      service: envoy
  ```
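Before pointing the Agent at a secured /stats layout like the one in the stats-endpoint section, it helps to lint the bootstrap for the two mistakes that silently break or over-expose it: an admin interface bound off loopback, and a /stats route whose cluster does not actually reach the admin port (or an admin-backed cluster reachable on more than /stats). The following audit is an added example, not code from the Datadog integration or from Envoy; it takes the bootstrap already parsed into a dict (for instance with yaml.safe_load), and the finding strings are my own wording.

```python
# Added example (not Datadog's or Envoy's code): audit a parsed Envoy bootstrap
# (dict, e.g. from yaml.safe_load) for the secured /stats layout described above.
LOOPBACK = {"127.0.0.1", "::1"}

def _sock(obj):
    """Return (address, port) from an object carrying a socket_address."""
    sa = obj.get("socket_address", {})
    return sa.get("address"), sa.get("port_value")

def _routes(static):
    """Yield every route of every HTTP connection manager in the listeners."""
    for listener in static.get("listeners", []):
        for chain in listener.get("filter_chains", []):
            for flt in chain.get("filters", []):
                rc = flt.get("config", {}).get("route_config", {})
                for vh in rc.get("virtual_hosts", []):
                    yield from vh.get("routes", [])

def audit_stats_exposure(cfg):
    """Return a list of findings (my own wording); empty means the layout is sound."""
    findings = []
    admin_addr, admin_port = _sock(cfg.get("admin", {}).get("address", {}))
    if admin_addr not in LOOPBACK:
        findings.append(f"admin interface listens on {admin_addr}, not loopback")
    static = cfg.get("static_resources", {})
    clusters = {c["name"]: c for c in static.get("clusters", [])}
    for route in _routes(static):
        prefix = route.get("match", {}).get("prefix")
        name = route.get("route", {}).get("cluster")
        targets = [_sock(h) for h in clusters.get(name, {}).get("hosts", [])]
        to_admin = any(a in LOOPBACK and p == admin_port for a, p in targets)
        if prefix == "/stats" and not to_admin:
            findings.append(f"/stats route targets {targets}, not the admin port {admin_port}")
        elif to_admin and prefix != "/stats":
            findings.append(f"route with prefix {prefix!r} reaches the admin interface; "
                            "only /stats should be exposed")
    return findings

# Constructed sample: admin on 127.0.0.1:8081 while the service_stats cluster
# points at 8001, so the /stats route never reaches the admin interface.
SAMPLE = {
    "admin": {"address": {"socket_address": {"address": "127.0.0.1", "port_value": 8081}}},
    "static_resources": {
        "listeners": [{"filter_chains": [{"filters": [{"config": {"route_config": {
            "virtual_hosts": [{"routes": [
                {"match": {"prefix": "/stats"}, "route": {"cluster": "service_stats"}}]}]}}}]}]}],
        "clusters": [{"name": "service_stats",
                      "hosts": [{"socket_address": {"address": "127.0.0.1", "port_value": 8001}}]}],
    },
}
```

Running audit_stats_exposure(SAMPLE) reports the port mismatch; an unsecured bootstrap with the admin interface on 0.0.0.0 is reported as a loopback finding instead.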
For containerized environments, see the Autodiscovery Integration Templates for guidance on applying the parameters below.
| Parameter | Value |
|---|---|
| `<INTEGRATION_NAME>` | `envoy` |
| `<INIT_CONFIG>` | blank or `{}` |
| `<INSTANCE_CONFIG>` | `{"openmetrics_endpoint": "http://%%host%%:80/stats/prometheus"}` |

Note: The current version of the check (1.26.0+) uses OpenMetrics for metric collection, which requires Python 3. For hosts that are unable to use Python 3, or if you would like to use a legacy version of this check, refer to the following config.
Available for Agent versions >6.0
Collecting logs is disabled by default in the Datadog Agent. To enable it, see Kubernetes Log Collection.
| Parameter | Value |
|---|---|
| `<LOG_CONFIG>` | `{"source": "envoy", "service": "<SERVICE_NAME>"}` |
Run the Agent's status subcommand and look for envoy under the Checks section.
The installation process requires a different approach than enabling this integration.
The installation instructions are available in the Enabling App and API Protection for Envoy documentation.
The installation instructions are available in the Enabling App and API Protection for Istio documentation.
To validate App and API Protection threat detection, send known attack patterns to your Envoy instance. For example, you can trigger the Security Scanner Detected rule by running the following curl script:
```bash
for ((i=1;i<=250;i++));
do
  # Target existing service's routes
  curl https://your-envoy-url/existing-route -A dd-test-scanner-log;
  # Target non existing service's routes
  curl https://your-envoy-url/non-existing-route -A dd-test-scanner-log;
done
```

A few minutes after enabling App and API Protection for Envoy and sending known attack patterns, threat information appears in the Application Signals Explorer.
See metadata.csv for a list of metrics provided by this integration.
See metrics.py for a list of tags sent by each metric.
The Envoy check does not include any events.
See service_checks.json for a list of service checks provided by this integration.
- Disable the collect_server_info option in the check's configuration (envoy.d/conf.yaml) if the endpoint is not available in your Envoy environment, to minimize error logs.
Note: Envoy version data is not collected.
Need help? Contact Datadog support.