This article describes methods to programmatically deploy Microsoft Defender for Containers on your Azure Kubernetes Service (AKS) clusters.
Tip
For a guided portal experience, see Enable Defender for Containers via portal.
Prerequisites
Network requirements
The Defender sensor must connect to Microsoft Defender for Cloud to send security data and events. Make sure that the required endpoints are configured for outbound access.
Connection requirements
The Defender sensor needs connectivity to:
- Microsoft Defender for Cloud (for sending security data and events)
By default, AKS clusters have unrestricted outbound (egress) internet access.
For clusters with restricted egress, you must allow specific FQDNs for Microsoft Defender for Containers to function properly. See Microsoft Defender for Containers - Required FQDN/application rules in the AKS outbound network documentation for the required endpoints.
Private link configuration
If event egress from the cluster requires the use of an Azure Monitor Private Link Scope (AMPLS), you must:
1. Define the cluster with Container insights and a Log Analytics workspace.
2. Define the cluster's Log Analytics workspace as a resource in the AMPLS.
3. Create a virtual network private endpoint in the AMPLS between:
   - The virtual network of the cluster
   - The Log Analytics resource
The virtual network private endpoint integrates with a private DNS zone.
For instructions, see Create an Azure Monitor Private Link Scope.
Additionally, ensure you have:
- Azure CLI version 2.40.0 or later
- Appropriate RBAC permissions (Contributor or Security Admin)
Enable Defender for Containers plan
To enable the Defender for Containers plan on your subscription, see Enable Microsoft Defender for Cloud. You can enable the plan through the Azure portal, REST API, or Azure Policy.
Deploy the Defender sensor
When you enable the Defender for Containers plan, the Defender sensor automatically deploys on your AKS clusters by default.
If automatic provisioning is disabled, or if you need to manually deploy the sensor, use one of the following methods.
To deploy the Defender sensor to a specific AKS cluster:
```bash
az aks update \
    --resource-group myResourceGroup \
    --name myAKSCluster \
    --enable-defender
```
To deploy with a custom Log Analytics workspace:
```bash
az aks update \
    --resource-group myResourceGroup \
    --name myAKSCluster \
    --enable-defender \
    --defender-config logAnalyticsWorkspaceResourceId=/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}
```
Deploy Azure Policy add-on
The Azure Policy add-on for AKS enables you to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.
To enable the Azure Policy add-on:
```bash
az aks enable-addons \
    --addons azure-policy \
    --name myAKSCluster \
    --resource-group myResourceGroup
```
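After running either of the commands above, a practitioner typically wants to confirm the cluster's posture rather than trust that the update applied. The following added example (not part of this article or the Azure CLI) reads a cluster document in the shape `az aks show -o json` returns, checks whether the Defender sensor and the Azure Policy add-on are enabled, and emits the exact remediation commands from the two sections above for whatever is missing. The sample cluster JSON is constructed, and the `securityProfile.defender.securityMonitoring.enabled` and `addonProfiles.azurepolicy.enabled` field layout is an assumption to verify against your own cluster's output.

```python
import json
from typing import Dict, List

# Constructed sample in the shape returned by `az aks show -o json`.
# The field layout is assumed; compare it with your own cluster's output.
SAMPLE_CLUSTER = json.loads("""
{
  "name": "myAKSCluster",
  "resourceGroup": "myResourceGroup",
  "securityProfile": {
    "defender": {
      "logAnalyticsWorkspaceResourceId": null,
      "securityMonitoring": {"enabled": false}
    }
  },
  "addonProfiles": {
    "azurepolicy": {"enabled": false}
  }
}
""")


def defender_enabled(cluster: Dict) -> bool:
    """True when the Defender sensor (securityMonitoring) is enabled."""
    defender = (cluster.get("securityProfile") or {}).get("defender") or {}
    monitoring = defender.get("securityMonitoring") or {}
    return bool(monitoring.get("enabled"))


def policy_addon_enabled(cluster: Dict) -> bool:
    """True when the Azure Policy add-on profile is enabled."""
    addons = cluster.get("addonProfiles") or {}
    return bool((addons.get("azurepolicy") or {}).get("enabled"))


def remediation_commands(cluster: Dict) -> List[str]:
    """Return the az commands from this article needed to close each gap."""
    rg, name = cluster["resourceGroup"], cluster["name"]
    cmds = []
    if not defender_enabled(cluster):
        cmds.append(f"az aks update --resource-group {rg} --name {name} --enable-defender")
    if not policy_addon_enabled(cluster):
        cmds.append(f"az aks enable-addons --addons azure-policy --name {name} --resource-group {rg}")
    return cmds


if __name__ == "__main__":
    for cmd in remediation_commands(SAMPLE_CLUSTER):
        print(cmd)
```

On a live cluster, feed it `az aks show --resource-group <rg> --name <name> -o json` instead of the constructed sample.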
Deploy components by using recommendations
You can also deploy capabilities manually by using Defender for Cloud recommendations:
| Sensor | Recommendation |
|---|---|
| Defender sensor for Kubernetes | Azure Kubernetes Service clusters should have Defender profile enabled |
| Defender sensor for Azure Arc-enabled Kubernetes | Azure Arc-enabled Kubernetes clusters should have the Defender extension installed |
| Azure Policy agent for Kubernetes | Azure Kubernetes Service clusters should have the Azure Policy Add-on for Kubernetes installed |
| Azure Policy agent for Azure Arc-enabled Kubernetes | Azure Arc-enabled Kubernetes clusters should have the Azure Policy extension installed |