Skip to content

Add more info about safety in GCP Service Extensions #29942

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
+41 −5
Open

Add more info about safety in GCP Service Extensions #29942

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
9a3866b
Add more info about safety
e-n-0 Jun 13, 2025
40a678f
sync both pages
e-n-0 Jun 16, 2025
0901e36
fix formatting
e-n-0 Jun 16, 2025
3140b11
Merge branch 'master' into flavien/gcp-se-moreinfo
michaelcretzman Jun 17, 2025
1efa283
Apply suggestions from code review
michaelcretzman Jun 17, 2025
adde87e
Apply suggestions from code review
michaelcretzman Jun 17, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 17 additions & 4 deletions content/en/security/application_security/setup/gcp/service-extensions.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ You can enable App and API Protection (AAP) with GCP Service Extensions within G
- In your GCP project, you have either the project `owner` or `editor` role, or the relevant Compute Engine IAM roles: `compute.instanceAdmin.v1` (to create instances) and `compute.networkAdmin` (to set up load balancing).
- A GCP project with a Cloud Load Balancer is configured for your services. The Cloud Load Balancer must be one of the [Application Load Balancers that supports Traffic Callouts][3].
- Compute Engine API and Network Services API are enabled:

```bash
gcloud services enable compute.googleapis.com networkservices.googleapis.com
```
Expand All @@ -58,7 +58,7 @@ To set up the App and API Protection Service Extension in your GCP environment,
</div>

2. Add the VM to an unmanaged instance group.

Specify `http:80` and `grpc:443` (or your configured values) for the port mappings of the instance group.

3. Create a backend service with the following settings:
Expand All @@ -81,8 +81,21 @@ To set up the App and API Protection Service Extension in your GCP environment,
1. To send all traffic to the extension, insert `true` in the **Match condition**.
2. For **Programability type**, select `Callouts`.
3. Select the backend service you created in the previous step.
4. Select all **Events** from the list where you want App and API Protection to run detection (Request Headers and Response Headers are **required**).
4. Select only **Events** from the list where you want App and API Protection to run detection (Request Headers and Response Headers are **required**).
5. Optionally, enable the `fail_open` to still allow the traffic to pass through if the service extension fails or times out.

<br>
<div class="alert alert-warning">
<strong>Note:</strong> By default, if the service extension fails or times out, the proxy will return a 500 error. To prevent this, enable the <code>fail_open</code> setting. When enabled, request or response processing continues without error even if the extension fails, ensuring your application remains available.
</div>

<div class="alert alert-info">
<p><strong>Notes:</strong></p>
<ul>
<li>Currently, the service extension doesn't process request bodies. If you select request and response body events in the extension chain events, the service extension does not inspect the request body. For more information, see <a href="#limitations">Limitations</a>.</li>
<li>If you select the <code>Request Body</code> and <code>Response Body</code> events, processing time will increase as the service extension needs to transfer and analyze these bodies. <strong>Adjust your timeout</strong> settings to accommodate the additional processing time.</li>
</ul>
</div>
</br>

{{% appsec-getstarted-2-plusrisk %}}
Expand Down Expand Up @@ -481,7 +494,7 @@ The GCP Service Extensions have the following limitations:

## Using AAP without APM tracing

If you want to use Application & API Protection without APM tracing functionality, you can deploy with tracing disabled:
If you want to use App and API Protection without APM tracing functionality, you can deploy with tracing disabled:

1. Configure your tracing library with the `DD_APM_TRACING_ENABLED=false` environment variable in addition to the `DD_APPSEC_ENABLED=true` environment variable.
2. This configuration will reduce the amount of APM data sent to Datadog to the minimum required by App and API Protection products.
Expand Down
25 changes: 24 additions & 1 deletion ...ent/en/security/application_security/setup/standalone/gcp-service-extensions.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,8 +79,21 @@ To set up the App and API Protection Service Extension in your GCP environment,
1. To send all traffic to the extension, insert `true` in the **Match condition**.
2. For **Programability type**, select `Callouts`.
3. Select the backend service you created in the previous step.
4. Select all **Events** from the list where you want App and API Protection to run detection (Request Headers and Response Headers are **required**).
4. Select only **Events** from the list where you want App and API Protection to run detection (Request Headers and Response Headers are **required**).
5. Optionally, enable the `fail_open` to still allow the traffic to pass through if the service extension fails or times out.

<br>
<div class="alert alert-warning">
<strong>Note:</strong> By default, if the service extension fails or times out, the proxy will return a 500 error. To prevent this, enable the <code>fail_open</code> setting. When enabled, request or response processing continues without error even if the extension fails, ensuring your application remains available.
</div>

<div class="alert alert-info">
<p><strong>Notes:</strong></p>
<ul>
<li>Currently, the service extension doesn't process request bodies. If you select request and response body events in the extension chain events, the service extension does not inspect the request body. For more information, see <a href="#limitations">Limitations</a>.</li>
<li>If you select the <code>Request Body</code> and <code>Response Body</code> events, processing time will increase as the service extension needs to transfer and analyze these bodies. <strong>Adjust your timeout</strong> settings to accommodate the additional processing time.</li>
</ul>
</div>
</br>

{{% appsec-getstarted-2-plusrisk %}}
Expand Down Expand Up @@ -477,6 +490,16 @@ The GCP Service Extensions have the following limitations:

* The request body is not inspected, regardless of its content type.

## Using AAP without APM tracing

If you want to use App and API Protection without APM tracing functionality, you can deploy with tracing disabled:

1. Configure your tracing library with the `DD_APM_TRACING_ENABLED=false` environment variable in addition to the `DD_APPSEC_ENABLED=true` environment variable.
2. This configuration will reduce the amount of APM data sent to Datadog to the minimum required by App and API Protection products.

For more details, see [Standalone App and API Protection][standalone_billing_guide].
[standalone_billing_guide]: /security/application_security/guide/standalone_application_security/

## Further Reading

{{< partial name="whats-next/whats-next.html" >}}
Expand Down
Loading