Microsoft Defender for Containers provides enterprise-grade security for Azure Kubernetes Service (AKS) clusters. It offers comprehensive protection through vulnerability scanning, runtime threat detection, software supply chain capabilities, and security posture management—all natively integrated with Azure services.
What is Defender for Containers?
Defender for Containers is a cloud-native security solution that protects containerized applications throughout their lifecycle. For Azure environments, it provides seamless integration with ACR and AKS to deliver real-time protection, continuous security assessments, and actionable recommendations without requiring complex configurations or third-party tools.
Tip
For a comprehensive overview of Defender for Containers capabilities across all environments, see Overview of Microsoft Defender for Containers.
The solution helps security and platform teams prevent vulnerabilities from reaching production, detect and respond to runtime threats, and maintain compliance with security standards—all through a unified experience in Microsoft Defender for Cloud.
How it works with Azure
Defender for Containers leverages native Azure integrations to provide security without complexity. When you enable it on your subscription, the solution:
- Automatically discovers all AKS clusters and container registries in your Azure subscriptions
- Deploys a lightweight security sensor, natively integrated in AKS Resource Provider (RP), used for runtime threat protection and AKS deployment gating
- Scans container images in Azure Container Registry (ACR) for vulnerabilities, both automatically when an image is pushed to the registry and on a continuing basis afterwards
- Monitors runtime behavior by using Azure-native telemetry, in addition to data collected by the sensor
- Provides security recommendations aligned with Azure security and industry best practices
- Generates alerts that integrate with Microsoft XDR and Microsoft Sentinel
This deep integration means you get comprehensive security without managing extra infrastructure, complex network configurations, or separate security tools.
Key capabilities
Defender for Containers provides security across four critical areas:
| Capability | Description | Key Features |
|---|---|---|
| Vulnerability assessment | Scans container images throughout their lifecycle - in registries, runtime environments, and CI/CD pipelines | • Registry scanning (ACR push and periodic) • Runtime agentless scanning • CLI tool for pipeline integration • Support for Linux and Windows images • CVSS scoring and detailed remediation |
| Runtime threat protection | Monitors AKS clusters in real time for malicious activities and anomalies; provides investigation and response capabilities | • Kubernetes audit log analysis • Container behavior monitoring and process analysis • Network anomaly detection • Drift protection • Custom alerts • Integration with Microsoft Sentinel and Microsoft XDR, including investigation and response features |
| Security posture management | Evaluates cluster configurations against security benchmarks | • CIS Kubernetes Benchmark • Azure Security Benchmark and industry best practices • Custom compliance policies • Automated remediation options |
| Gated deployment | Prevents vulnerable or misconfigured workloads from reaching production | • Block deployments based on vulnerability severity • Enforce security baselines for configurations • Integration with Azure Policy and admission controllers • DevOps pipeline gates |
Architecture overview
For detailed architecture information, see Container security architecture.
Defender for Containers on AKS uses lightweight, Azure-managed components:
- Defender sensor (DaemonSet): Runs on AKS nodes, collects runtime telemetry (Kubernetes events, process, network) and sends it securely to Defender for Cloud.
- Azure Policy: A webhook for Kubernetes admission control that runs as a pod in the cluster and provides the option to enforce configuration rules on incoming deployments.
- ACR integration: Push-triggered and periodic image scanning for Azure Container Registry.
- Agentless discovery: Provides visibility into your Kubernetes clusters without requiring any agents, using Azure native capabilities to discover and assess cluster configurations.
- Agentless scanning for machines: Periodic disk snapshots of Kubernetes nodes for an out-of-band, deep analysis of the operating system configuration and file system stored in the snapshot. Doesn't need any installed agents or network connectivity, and doesn't affect machine performance.
- Microsoft XDR integration: Seamlessly integrates with Microsoft's extended detection and response platform for unified security operations and incident response.
These components work together seamlessly, requiring no inbound connections to your clusters and leveraging Azure's native security infrastructure. Defender for Cloud supports Continuous Export to Microsoft Sentinel, Event Hubs, or Log Analytics for extended monitoring and analysis.
Deployment options
Defender for Containers supports flexible deployment approaches to match your operational preferences:
- Azure portal deployment - Guided, visual experience ideal for initial setup and management
- Azure programmatic deployment - Script-based deployment for automation scenarios
Choose the approach that best aligns with your organization's DevOps practices and governance requirements.
Prerequisites
Before deploying Defender for Containers on AKS, ensure you meet these requirements:
- AKS clusters running Kubernetes 1.19 or later
- Network connectivity for outbound HTTPS to Azure endpoints
- By default, AKS clusters have unrestricted outbound (egress) internet access. Clusters with restricted egress must allow specific endpoints. See: Microsoft Defender for Containers - Required FQDN/application rules
Note
For detailed prerequisites and setup instructions, see:
Pricing
For current pricing and cost estimation, see Microsoft Defender for Cloud pricing.
Next steps
Ready to secure your AKS clusters? Choose your deployment path:
- Enable all components via portal - Recommended for comprehensive protection
- Deploy programmatically - For automation and DevOps scenarios
- Verify deployment - Ensure all components are functioning correctly
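The sensor is a DaemonSet, so a deployment is only fully verified when a sensor pod is running on every node; a node without one is a runtime telemetry gap. The following check is an added example, not part of this article or of Defender for Cloud, and it parses constructed JSON in the shape of `kubectl get ds ... -o json` and `kubectl get pods ... -o json` (the DaemonSet and pod names used here are assumptions, not the product's actual resource names):

```python
import json

# Constructed sample in the shape of `kubectl get ds -n kube-system <name> -o json`.
# The DaemonSet name is an assumption for illustration, not the real resource name.
SAMPLE_DS = json.dumps({
    "metadata": {"name": "example-defender-sensor-ds", "namespace": "kube-system"},
    "status": {"desiredNumberScheduled": 3, "currentNumberScheduled": 3,
               "numberReady": 2, "numberAvailable": 2},
})

# Constructed sample in the shape of `kubectl get pods -n kube-system -o json`,
# one sensor pod per node; the third pod never reached Running.
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"name": "sensor-a"}, "spec": {"nodeName": "aks-np-0"}, "status": {"phase": "Running"}},
    {"metadata": {"name": "sensor-b"}, "spec": {"nodeName": "aks-np-1"}, "status": {"phase": "Running"}},
    {"metadata": {"name": "sensor-c"}, "spec": {"nodeName": "aks-np-2"}, "status": {"phase": "Pending"}},
]})

# Constructed node list (what `kubectl get nodes` would report).
SAMPLE_NODES = ["aks-np-0", "aks-np-1", "aks-np-2"]


def check_sensor_coverage(ds_json, pods_json, node_names):
    """Return a coverage report for the sensor DaemonSet across the given nodes."""
    status = json.loads(ds_json)["status"]
    pods = json.loads(pods_json)["items"]
    # Nodes that have a sensor pod in the Running phase.
    running_nodes = {p["spec"]["nodeName"] for p in pods if p["status"]["phase"] == "Running"}
    missing = sorted(set(node_names) - running_nodes)
    findings = []
    desired, ready = status["desiredNumberScheduled"], status["numberReady"]
    if desired != len(node_names):
        # Typical causes: node taints or a nodeSelector excluding part of the pool.
        findings.append(f"daemonset scheduled on {desired} of {len(node_names)} nodes")
    if ready < desired:
        findings.append(f"{desired - ready} sensor pod(s) scheduled but not ready")
    for node in missing:
        findings.append(f"no running sensor pod on {node}: runtime telemetry gap")
    return {"healthy": not findings, "missing_nodes": missing, "findings": findings}


if __name__ == "__main__":
    report = check_sensor_coverage(SAMPLE_DS, SAMPLE_PODS, SAMPLE_NODES)
    print(json.dumps(report, indent=2))
```

Replace the constructed samples with the live `kubectl` output for the cluster to run the same check against a real deployment.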