The Monitor

Secure your APIs at the edge with Datadog App and API Protection


Flavien Darche


Modern applications are constantly exposed to various malicious activities, including credential stuffing, API abuse, and advanced injection attacks. Many of these threats can be stopped at the network edge, before they ever reach your application.

That’s why Datadog App and API Protection offers real-time threat detection and blocking for popular edge proxies and load balancers, with integrations for Envoy, Istio, NGINX, and Google Cloud Load Balancers (using Google Service Extensions). HAProxy support is also now available in Preview. These new integrations let you deploy Datadog’s threat detection engine directly at the proxy level, so you can detect and block malicious requests at the edge of your infrastructure.

In this post, we’ll cover how to use the new edge integrations to discover endpoints, detect and block threats, and work in tandem with in-app instrumentation to provide layered defense.

Detect and block threats at the edge

With Datadog App and API Protection running on your proxies or load balancers (with Envoy, Istio, NGINX, or Google Cloud Application Load Balancers via Service Extensions), you can turn protection on where your traffic lands. All traffic at the edge is inspected, and malicious requests can be stopped before they reach your services, with each edge integration supporting real-time threat detection and inline blocking.

In addition to inline blocking, edge integrations for popular tools such as Envoy and Istio can also be configured to inspect traffic asynchronously. In this mode, the proxy forwards requests to your services without waiting for a security verdict, enabling passive monitoring of API activity and threat detection without introducing any latency. While this approach sacrifices the ability to block malicious requests in real time, it provides valuable visibility into traffic patterns and potential threats.

A screenshot of a detected credential stuffing attack, showing the malicious IP and cluster that it is targeting for login attempts.

When your APIs are under attack, full visibility into each request enables you to create attacker fingerprints using edge-level data such as IP, headers, or other identifying characteristics. You can then block these attackers instantly, stopping threats before they reach your applications. You can block abusive IPs, fingerprinted requests, or other attributes once they cross a threshold and have those blocks propagate to your edge proxies through Remote Configuration. Actions like these can be executed manually based on a signal or automatically via WAF rules. Datadog offers a default set of rules, but teams can also create their own.

By blocking malicious requests at the edge, you prevent them from consuming resources in your infrastructure, saving your upstream services from unnecessary CPU usage and reducing load.

Discover endpoints for up-to-date visibility

App and API Protection automatically maintains an up-to-date inventory of all endpoints observed in production traffic. It records details such as HTTP method, path, request bodies, and important security context, including public exposure, runtime schema, and the presence of sensitive data. Each endpoint is evaluated frequently to ensure the inventory remains current.

A screenshot of the inventory of all endpoints observed in production traffic.

In addition, routes from production traffic are inferred to ensure that endpoints are surfaced even when detailed request information from the application is incomplete or unavailable. These inferred routes are displayed in the API inventory, enhancing visibility for edge integrations by filling in gaps where request-level data may be missing. For example, /v2/user/12345676543/info is converted to /v2/user/{param:int}/info.
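The following is an added example, not code from the original post or from Datadog, showing how the route inference described above can be reproduced: high-cardinality path segments are replaced with typed placeholders so that requests to the same endpoint collapse into one inventory entry. Only the `{param:int}` placeholder appears in the post; the `{param:uuid}` and `{param:hex}` placeholders, the segment-matching rules, and the sample request list are assumptions made for this example.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Segment classifiers. Only {param:int} is shown in the post; the uuid and hex
# placeholders are assumptions added for this example.
INT_RE = re.compile(r"^\d+$")
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)
HEX_RE = re.compile(r"^[0-9a-f]{16,}$", re.I)  # long hex tokens, e.g. session ids


def infer_route(path: str) -> str:
    """Collapse a concrete request path into an endpoint template.

    The query string is dropped and each path segment that looks like an
    identifier is replaced by a typed placeholder; static segments are kept.
    """
    path = path.split("?", 1)[0]
    out: List[str] = []
    for seg in path.split("/"):
        if INT_RE.match(seg):
            out.append("{param:int}")
        elif UUID_RE.match(seg):
            out.append("{param:uuid}")
        elif HEX_RE.match(seg):
            out.append("{param:hex}")
        else:
            out.append(seg)
    return "/".join(out)


def build_inventory(requests: List[Tuple[str, str]]) -> Dict[Tuple[str, str], int]:
    """Group (method, raw path) observations by inferred route with hit counts."""
    counts: Counter = Counter()
    for method, raw_path in requests:
        counts[(method.upper(), infer_route(raw_path))] += 1
    return dict(counts)


# Constructed sample traffic: three users hit the same endpoint, one hits another.
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ("GET", "/v2/user/12345676543/info"),
    ("GET", "/v2/user/98765/info?verbose=1"),
    ("GET", "/v2/user/42/info"),
    ("POST", "/v2/orders/6f1a2b3c-4d5e-4f60-8a71-9b2c3d4e5f60/cancel"),
    ("GET", "/v2/session/0123456789abcdef0123/refresh"),
]

if __name__ == "__main__":
    for (method, route), n in sorted(build_inventory(SAMPLE_REQUESTS).items()):
        print(f"{n:3d}  {method:5s} {route}")
```

Run as a script, the inventory shows three hits on `GET /v2/user/{param:int}/info` rather than three distinct paths, which is what lets the endpoint view aggregate exposure and attack activity per route instead of per user id.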

Endpoint-level posture becomes actionable, covering public exposure, authentication methods (e.g., JWT), sensitive data handling, recent attack activity, and dependencies. Organizations can maintain ownership by grouping endpoints by team, attaching documentation and monitors, and standardizing the introduction of new endpoints.

By configuring WAF rules and creating business events on specific endpoints, App and API Protection can detect issues such as account takeover (ATO) attempts. For example, when Datadog detects an ATO attack via the application, such as multiple failed logins or unusual access patterns, that attack is flagged in a security signal. Each endpoint view offers insights into its attack exposure, including the volume of hostile traffic encountered and relevant security findings. This enables fast identification of high-risk areas for further investigation and provides a complete inventory.
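As an added example (not code from the post or from Datadog), the block below shows the detection logic behind the threshold-based blocking and ATO detection described in the two passages above: login events carrying edge-level data are reduced to an attacker fingerprint, failed logins are counted per fingerprint in a sliding window, and once the count crosses a threshold a block decision is recorded that later requests from that fingerprint are checked against. The login path, the fingerprint recipe (IP plus User-Agent), the threshold and window values, and the sample events are all assumptions made for this example; the real product derives fingerprints and thresholds from its own rules.

```python
import hashlib
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple

LOGIN_PATH = "/api/v1/login"  # assumed login endpoint for this example


@dataclass(frozen=True)
class LoginEvent:
    ts: float          # seconds since epoch
    ip: str            # client IP as seen at the edge
    user_agent: str    # User-Agent header as seen at the edge
    path: str
    status: int        # HTTP status returned by the auth service


@dataclass(frozen=True)
class BlockDecision:
    fingerprint: str
    ip: str
    ts: float
    reason: str


def fingerprint(ev: LoginEvent) -> str:
    """Hypothetical attacker fingerprint: hash of client IP plus User-Agent."""
    return hashlib.sha256(f"{ev.ip}|{ev.user_agent}".encode()).hexdigest()[:16]


class FailedLoginDetector:
    """Flags a fingerprint after `threshold` failed logins within `window_s` seconds."""

    def __init__(self, threshold: int = 5, window_s: float = 60.0) -> None:
        self.threshold = threshold
        self.window_s = window_s
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self.blocked: Dict[str, BlockDecision] = {}

    def is_blocked(self, ev: LoginEvent) -> bool:
        """What the edge would check before forwarding a request."""
        return fingerprint(ev) in self.blocked

    def observe(self, ev: LoginEvent) -> Optional[BlockDecision]:
        # Only failed attempts against the login endpoint count toward the threshold.
        if ev.path != LOGIN_PATH or ev.status not in (401, 403):
            return None
        fp = fingerprint(ev)
        if fp in self.blocked:
            return None  # already blocked; no duplicate decision
        window = self._failures[fp]
        window.append(ev.ts)
        # Drop failures that fell out of the sliding window.
        while window and ev.ts - window[0] > self.window_s:
            window.popleft()
        if len(window) >= self.threshold:
            decision = BlockDecision(
                fp, ev.ip, ev.ts,
                f"{len(window)} failed logins within {self.window_s:.0f}s",
            )
            self.blocked[fp] = decision
            return decision
        return None


def run(events: List[LoginEvent], threshold: int = 5,
        window_s: float = 60.0) -> Tuple[List[BlockDecision], FailedLoginDetector]:
    """Replay events in time order and collect every block decision."""
    det = FailedLoginDetector(threshold, window_s)
    decisions = [d for ev in sorted(events, key=lambda e: e.ts)
                 if (d := det.observe(ev)) is not None]
    return decisions, det


# Constructed sample events: one client bursts failed logins, one client has a
# single typo then succeeds, one client fails slowly enough to stay under the window.
SAMPLE_EVENTS: List[LoginEvent] = (
    [LoginEvent(t, "10.0.0.5", "curl/8.0", LOGIN_PATH, 401) for t in (0, 5, 10, 15, 20, 25)]
    + [LoginEvent(3, "198.51.100.7", "Mozilla/5.0", LOGIN_PATH, 401),
       LoginEvent(8, "198.51.100.7", "Mozilla/5.0", LOGIN_PATH, 200)]
    + [LoginEvent(t, "203.0.113.9", "python-requests/2.31", LOGIN_PATH, 401)
       for t in (0, 30, 61, 95, 130)]
)

if __name__ == "__main__":
    decisions, det = run(SAMPLE_EVENTS)
    for d in decisions:
        print(f"block fp={d.fingerprint} ip={d.ip} at t={d.ts:.0f}: {d.reason}")
```

The decision is keyed on the fingerprint rather than the raw IP, so rotating User-Agents from one address, or one User-Agent across several addresses, produce separate counters; the slow client illustrates why the window matters, since its five failures never sit inside any single sixty-second span.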

Pair edge and in‑app protection for defense in depth

Deploying App and API Protection at the edge is strengthened through Datadog’s in-app instrumentation. In-app protection uses language-specific tracers inside your services to detect attacks within application code execution, such as an ATO attempt. By pairing this with edge protection, you can achieve defense in depth: the edge blocks the bulk of malicious traffic, while your applications still analyze activity for any threats that make it through, providing deep visibility.

A diagram of two attacks on an authentication server, where the first attack prompts a Datadog detection rule that blocks a set of IPs at the edge. Then, the second attack is terminated at the edge rather than the authentication server.
When an authentication service detects malicious traffic, it generates a security event and sends it to the Datadog backend. Automatic detection rules or manual action can then block the attacker’s IP address. In the above example, Datadog forwards this instruction to Envoy, which applies the block at the edge. Subsequent requests from that actor are rejected before they reach your services.

With the new edge integrations, both edge and in-app protections are unified within Datadog Security, providing protection across both layers. Security events detected at the proxy level or within your applications are all surfaced together via security signals.

With Datadog, you can take real-time action based on security insights from both your edge proxies and in-app instrumentation. When a threat is detected, you can instantly block an attacker’s IP organization-wide right from the Datadog UI, and this block is automatically pushed out to your edge proxies within seconds. Datadog helps you quickly identify and neutralize persistent attackers, ensuring comprehensive protection across every layer of your infrastructure.

Easier deployment for total traffic protection

By placing App and API Protection at the edge, you cover all ingress traffic in a single control point rather than rolling out instrumentation service by service. Policies, detections, and blocks apply uniformly as requests first land on your proxies or load balancers, giving you immediate, consistent protection across VMs, containers, and microservices without per-application changes.

You can deploy edge protection in a variety of environments, including host-based proxies, load balancers, and Kubernetes clusters. Whether you’re running NGINX on Linux, integrating with a Kubernetes ingress stack, or using Envoy or Istio gateways, App and API Protection adapts to your platform for holistic security coverage.

For Envoy, Istio, HAProxy, and Google Cloud Load Balancers using Service Extensions, the integrations use an external security processor. The proxy forwards requests to this dedicated processor, which performs threat analysis out of band. Offloading the inspection work keeps the data path in your proxy lean while still enabling real-time blocking or asynchronous monitoring modes, depending on your configuration and performance needs.

Start protecting your infrastructure with App and API Protection

You can enable edge enforcement today using App and API Protection on your existing proxies or load balancers within your infrastructure for Envoy, Istio, NGINX, and Google Cloud Load Balancers (using Google Service Extensions). For detailed instructions, check out our documentation on how to enable App and API Protection. If you’re not yet a Datadog customer, .
