Enable Defender for Containers on Arc-enabled Kubernetes via portal

This article shows you how to enable Microsoft Defender for Containers on your Arc-enabled Kubernetes clusters through the Azure portal. You can choose to enable all security features at once for comprehensive protection, or selectively deploy specific components based on your requirements.

When to use this guide

Use this guide if you want to:

  • Set up Defender for Containers on Arc-enabled clusters for the first time
  • Enable all security features for comprehensive protection
  • Selectively deploy specific components
  • Fix or add missing components to an existing deployment
  • Deploy using a controlled, selective approach
  • Exclude certain clusters from protection

Prerequisites

Network requirements

Validate that the following endpoints for public cloud deployments are configured for outbound access. Configuring them for outbound access helps ensure that the Defender sensor can connect to Microsoft Defender for Cloud to send security data and events.

Note

The Azure domains *.ods.opinsights.azure.com and *.oms.opinsights.azure.com are no longer required for outbound access. For more information, see the deprecation announcement.

Azure domain                     Azure Government domain   Azure operated by 21Vianet domain   Port
*.cloud.defender.microsoft.com   N/A                       N/A                                 443

You also need to validate the Azure Arc-enabled Kubernetes network requirements.

Additional Arc-specific requirements:

  • CNCF-certified Kubernetes cluster (on-premises or IaaS)
  • Cluster version 1.19 or later
  • Outbound HTTPS connectivity to Azure endpoints
  • Azure CLI installed locally or Azure Cloud Shell
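The endpoint table and the Arc requirements above both come down to one thing an operator has to prove before onboarding: nodes can open TCP 443 to hosts under *.cloud.defender.microsoft.com. The following script is an added pre-flight check, not part of the Microsoft article; run it on a cluster node (or in a pod on that node, since the egress path is what matters). The article gives only the wildcard domain, so the concrete hostnames to probe are an assumption you supply in CHECK_HOSTS from your own egress logs or firewall policy. The suffix check is deliberately dot-boundary strict so that a look-alike name such as evil-cloud.defender.microsoft.com is never accepted into an allow-list.

```shell
#!/bin/sh
# Added example (not from the Microsoft Learn article): pre-flight egress checks
# for the Defender for Containers sensor on Arc-enabled Kubernetes nodes.

# Domain suffix the article lists for public cloud; the sensor reaches a host
# under it on TCP 443. Azure Government / 21Vianet have no entry (N/A).
REQUIRED_SUFFIXES="cloud.defender.microsoft.com"
REQUIRED_PORT=443

# Succeed only if $1 is exactly a required domain or a subdomain of one.
# The match is on a dot boundary: "evil-cloud.defender.microsoft.com" and
# "cloud.defender.microsoft.com.attacker.example" are both rejected.
host_is_required() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  for suffix in $REQUIRED_SUFFIXES; do
    case "$host" in
      "$suffix"|*."$suffix") return 0 ;;
    esac
  done
  return 1
}

# Succeed if a TCP connection to $1:$2 completes within $3 seconds (default 5).
# Uses bash's /dev/tcp so it works on minimal nodes without curl or nc.
tcp_reachable() {
  host=$1; port=$2; secs=${3:-5}
  timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Probe every hostname in CHECK_HOSTS (assumed: space-separated, supplied by you).
# Returns the number of hosts that were either not a Defender domain or unreachable.
check_required_endpoints() {
  failures=0
  if [ -z "${CHECK_HOSTS:-}" ]; then
    echo "set CHECK_HOSTS to the *.cloud.defender.microsoft.com names seen in your egress logs" >&2
    return 2
  fi
  for h in $CHECK_HOSTS; do
    if ! host_is_required "$h"; then
      echo "SKIP $h: not under a required Defender domain (typo or look-alike?)" >&2
      failures=$((failures + 1))
      continue
    fi
    if tcp_reachable "$h" "$REQUIRED_PORT"; then
      echo "OK   $h:$REQUIRED_PORT"
    else
      echo "FAIL $h:$REQUIRED_PORT unreachable (proxy/firewall blocks outbound 443?)" >&2
      failures=$((failures + 1))
    fi
  done
  return $failures
}

# Usage: CHECK_HOSTS="<host>.cloud.defender.microsoft.com" RUN_CHECKS=1 sh egress-check.sh
if [ "${RUN_CHECKS:-0}" = "1" ]; then check_required_endpoints; fi
```

A non-zero exit from check_required_endpoints is the signal to fix the proxy or firewall before enabling the plan; a SKIP line means the name you were about to allow-list is not actually under the Defender domain.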

Connect your cluster to Azure Arc

If your Kubernetes cluster isn't already connected to Azure Arc, follow these steps:

  1. Sign in to the Azure portal.

  2. Go to Azure Arc in the Azure portal.

  3. Select Kubernetes clusters from the left menu.

  4. Select Add.

  5. Select Add a Kubernetes cluster with Azure Arc.

  6. Follow the connection instructions:

    1. Select or create a resource group
    2. Enter a cluster name
    3. Choose a region
    4. Add tags (optional)
  7. In the Cluster details tab, copy and run the registration script on your cluster:

    # The portal will generate a script similar to this
    az connectedk8s connect --name <cluster-name> \
        --resource-group <resource-group> \
        --location <region>
    
  8. Wait for the connection to complete and verify the cluster appears as Connected.

Enable Defender for Containers plan

  1. Go to Microsoft Defender for Cloud.

  2. Select Environment settings from the left menu.

  3. Select the subscription that contains your Arc-enabled cluster.

  4. Turn on the Containers plan.

    Screenshot of the Defender plans page showing where the toggle for the Containers plan is located.

Configure plan components

  1. Select Settings next to the Containers plan.

  2. Choose your deployment approach:

    • Enable all components (recommended): Enable all features for comprehensive protection
    • Enable specific components: Select only the components you need

    Screenshot that shows turning on components.

    Note

    To disable automatic installation of components during the onboarding process, select Edit configuration for the Containers plan. The advanced options appear, and you can disable automatic installation for each component.

    Available components:

    • Agentless discovery for Kubernetes - Discovers all Kubernetes clusters
    • Agentless container vulnerability assessment - Scans container images
    • Defender DaemonSet - Runtime threat detection
    • Azure Policy for Kubernetes - Security recommendations
  3. Select Continue and then Save.

Deploy all components

Follow these steps to enable comprehensive protection for all your Arc-enabled clusters.

Deploy extensions to Arc-enabled clusters

Option 1: Deploy through recommendations

  1. Go to Microsoft Defender for Cloud > Recommendations.

  2. Search for "Azure Arc-enabled Kubernetes clusters should have Defender extension installed".

    Screenshot of Microsoft Defender for Cloud's recommendation for deploying the Defender sensor for Azure Arc-enabled Kubernetes clusters.

  3. Select the recommendation.

  4. Select your Arc-enabled clusters.

    Important

    Select the check box next to the cluster name, not the hyperlinked name itself.

  5. Select Fix to automatically deploy the extensions.

    Animated screenshot that shows deploying a Defender sensor for Azure Arc by using remediation in Defender for Cloud.

Option 2: Deploy manually

  1. Go to your Arc-enabled Kubernetes cluster.

  2. Under Settings, select Extensions.

  3. Select + Add.

  4. Install the Microsoft Defender for Containers extension:

    1. Search for "Microsoft Defender"
    2. Select the extension
    3. Configure the Log Analytics workspace
    4. Complete installation
  5. Repeat to install Azure Policy for Kubernetes extension if needed.

Deploy the Defender sensor

After installing the extension, deploy the Defender sensor to your Arc-enabled clusters:

Option 1: Deploy through recommendations

  1. Go to Microsoft Defender for Cloud > Recommendations.

  2. Search for "Azure Arc-enabled Kubernetes clusters should have Defender extension installed".

  3. Select the recommendation.

  4. Select your Arc-enabled clusters where you want to deploy the sensor.

  5. Select Fix.

  6. Review the deployment configuration:

    • Log Analytics workspace assignment
    • Resource allocation settings
    • Namespace configuration
  7. Select Fix X resources to deploy.

Option 2: Deploy via Arc cluster

  1. Go to your Arc-enabled Kubernetes cluster.

  2. Under Settings, select Extensions.

  3. Verify the Microsoft Defender extension shows as Succeeded.

  4. If the sensor pods aren't running, select the extension and choose Manage.

  5. Configure deployment settings:

    • Enable runtime protection
    • Set resource limits if needed
    • Configure namespace exclusions
  6. Select Apply.

Verify sensor deployment

After deployment, verify the sensor is running:

# Check sensor pods
kubectl get pods -n kube-system -l app=microsoft-defender

# Check DaemonSet status
kubectl get ds microsoft-defender-collector-ds -n kube-system

All nodes should have a running sensor pod within 5-10 minutes.
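The two kubectl commands above are enough for a one-off look, but a deployment is only verified when every node has a ready sensor pod. The script below is an added example, not from the article, that turns those checks into a pass/fail gate you can run after the 5-10 minute window. It reads the DaemonSet's desiredNumberScheduled and numberReady fields and the pod phases via jsonpath; the DaemonSet name and pod label are the ones the article uses. One edge case it handles explicitly: a DaemonSet with desired=0 and ready=0 satisfies a naive equality check but actually means no node was scheduled (for example a node selector or taint mismatch), so it is treated as a failure.

```shell
#!/bin/sh
# Added example (not from the Microsoft Learn article): post-deployment gate
# for the Defender sensor on an Arc-enabled cluster.
NS=kube-system
DS_NAME=microsoft-defender-collector-ds
POD_SELECTOR=app=microsoft-defender

# Decide health from desired/ready counts. desired=0 is a failure: it means
# no node matched the sensor's scheduling constraints, not "nothing to do".
ds_healthy() {
  desired=$1; ready=$2
  [ "$desired" -gt 0 ] && [ "$ready" -eq "$desired" ]
}

# Given whitespace-separated pod phases, succeed only if at least one pod
# exists and every pod is Running (Pending/CrashLoopBackOff both fail).
pods_all_running() {
  phases=$1
  [ -n "$phases" ] || return 1
  for p in $phases; do
    [ "$p" = "Running" ] || return 1
  done
  return 0
}

# Live reads; these need a kubectl context pointing at the Arc-enabled cluster.
ds_counts() {
  kubectl get ds "$DS_NAME" -n "$NS" \
    -o jsonpath='{.status.desiredNumberScheduled} {.status.numberReady}'
}
pod_phases() {
  kubectl get pods -n "$NS" -l "$POD_SELECTOR" -o jsonpath='{.items[*].status.phase}'
}

verify_sensor() {
  counts=$(ds_counts) || return 1
  desired=${counts%% *}; ready=${counts##* }
  # numberReady is absent until at least one pod is ready, hence the defaults.
  if ! ds_healthy "${desired:-0}" "${ready:-0}"; then
    echo "FAIL: DaemonSet $DS_NAME desired=${desired:-0} ready=${ready:-0}" >&2
    return 1
  fi
  phases=$(pod_phases) || return 1
  if ! pods_all_running "$phases"; then
    echo "FAIL: sensor pods not all Running: $phases" >&2
    return 1
  fi
  echo "OK: $ready/$desired sensor pods ready on $DS_NAME"
}

# Usage: RUN_VERIFY=1 sh verify-sensor.sh
if [ "${RUN_VERIFY:-0}" = "1" ]; then verify_sensor; fi
```

If the gate fails with desired greater than ready, describe the pending pods before re-running the Fix: a node-level image pull or resource problem is the usual cause, and the article's Option 2 "Manage" path is where resource limits are adjusted.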

Configure Log Analytics workspace

During extension deployment, you can:

  1. Select an existing Log Analytics workspace or create a new one.

  2. Use the default workspace: DefaultWorkspace-[subscription-id]-[region].

  3. Or select a custom workspace in a supported region.

Enable vulnerability scanning

For Arc-enabled clusters, configure registry scanning:

  1. If you're using Azure Container Registry:

    • Vulnerability scanning is automatically enabled
    • Ensure the Azure Container Registry is in the same subscription or connected
  2. For private registries:

    # Create registry credentials
    kubectl create secret docker-registry regcred \
        --namespace mdc \
        --docker-server=<registry-url> \
        --docker-username=<username> \
        --docker-password=<password>
    
  3. Update the extension configuration to use credentials.
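The kubectl create secret docker-registry form shown above works, but it places the registry password in shell history and in the process list while the command runs. As an added example (not the article's own procedure), the script below creates the same regcred secret in the mdc namespace from a .dockerconfigjson file built locally, with the password read from an environment variable rather than argv. The secret name, namespace and registry placeholders are the article's; the helper names and the REGISTRY_PASSWORD variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Microsoft Learn article): create the 'regcred'
# pull secret for a private registry without exposing the password on argv.

# Escape backslashes and double quotes so a value is safe inside a JSON string.
json_escape() {
  printf '%s\n' "$1" | sed 's/[\\"]/\\&/g' | tr -d '\n'
}

# Build the .dockerconfigjson document kubelet expects for image pulls.
# "auth" is base64("username:password"), the same value `docker login` writes.
build_dockerconfigjson() {
  server=$1; user=$2; pass=$3
  auth=$(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$(json_escape "$server")" "$(json_escape "$user")" \
    "$(json_escape "$pass")" "$auth"
}

# Create the secret from a 0600 temp file (mktemp's default mode); the password
# comes from REGISTRY_PASSWORD so it never appears in history or `ps` output.
create_regcred() {
  server=$1; user=$2
  pass=${REGISTRY_PASSWORD:?set REGISTRY_PASSWORD in the environment}
  tmp=$(mktemp) || return 1
  build_dockerconfigjson "$server" "$user" "$pass" > "$tmp"
  kubectl create secret generic regcred --namespace mdc \
    --type=kubernetes.io/dockerconfigjson \
    --from-file=.dockerconfigjson="$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Usage: REGISTRY_PASSWORD='...' RUN_CREATE=1 sh regcred.sh <registry-url> <username>
if [ "${RUN_CREATE:-0}" = "1" ]; then create_regcred "$1" "$2"; fi
```

Reading the password from the environment reduces, rather than removes, local exposure: it is still visible to processes of the same user. Sourcing REGISTRY_PASSWORD from a secret store at run time and rotating the registry credential on a schedule keeps the secret in the mdc namespace short-lived.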

Next steps