This article explains how to deploy the Microsoft Defender for Containers sensor and Azure Policy for Kubernetes to clusters by using Azure CLI after enabling the Defender for Containers plan in Microsoft Defender for Cloud.
For clusters that aren’t running in Azure Kubernetes Service (AKS), Defender for Cloud uses Azure Arc-enabled Kubernetes to deploy the required extensions.
Prerequisites
Azure CLI version 2.40.0 or later.
Appropriate RBAC permissions (Contributor or Security Admin).
AKS cluster supported by Defender for Containers. See the support matrix.
An OpenID Connect (OIDC) issuer enabled on your cluster.
Network requirements
The Defender sensor must connect to Microsoft Defender for Cloud to send security data and events. Make sure that the required endpoints are configured for outbound access.
Connection requirements
The Defender sensor needs connectivity to:
- Microsoft Defender for Cloud (for sending security data and events)
By default, AKS clusters have unrestricted outbound (egress) internet access.
For clusters with restricted egress, you must allow specific FQDNs for Microsoft Defender for Containers to function properly. See Microsoft Defender for Containers - Required FQDN/application rules in the AKS outbound network documentation for the required endpoints.
Deploy the Defender sensor
If automatic provisioning was enabled when you turned on the Defender for Containers plan, the Defender sensor might already be installed. Check whether the sensor is already deployed on the cluster before running this command.
To deploy the Defender sensor to a specific AKS cluster:
az aks update \
  --resource-group <resource-group> \
  --name <aks-cluster-name> \
  --enable-defender
Deploy the Azure Policy add-on
Enable Azure Policy for Kubernetes to assess and enforce configuration best practices:
az aks enable-addons \
  --addons azure-policy \
  --name <aks-cluster-name> \
  --resource-group <resource-group>
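The two steps above are shown as one script below. This is an added example, not code from the Microsoft Learn page or from the Azure CLI project: it checks the cluster's current state with `az aks show` before enabling anything, so re-running it after automatic provisioning is harmless, and it re-reads both fields at the end as the verification the page asks for. It assumes a logged-in Azure CLI (2.40.0 or later) with Contributor or Security Admin rights, that the caller exports `RG` and `CLUSTER`, and that the managed-cluster JSON exposes the `securityProfile.defender.securityMonitoring.enabled` and `addonProfiles.azurepolicy.enabled` fields, which is how current AKS API versions report them; confirm against your CLI version if the query returns nothing.

```shell
#!/bin/sh
# Added example (not from the Microsoft Learn page): idempotent deployment of the
# Defender for Containers sensor and the Azure Policy add-on to one AKS cluster.
# Assumptions: az CLI >= 2.40.0, logged in with Contributor/Security Admin rights;
# RG and CLUSTER are exported by the caller; field paths match `az aks show` output.
set -eu

# Decide from the TSV value of
#   az aks show --query securityProfile.defender.securityMonitoring.enabled -o tsv
# whether the sensor still has to be enabled. "true" means it is already on
# (for example via automatic provisioning); "false" or an empty string (field
# absent or null) means it is not. Returns 0 when an enable call is needed.
needs_defender_enable() {
  case "${1:-}" in
    true|True) return 1 ;;   # already enabled, nothing to do
    *)         return 0 ;;   # false, empty or unexpected: enable it
  esac
}

# Same decision for the Azure Policy add-on, from
#   az aks show --query addonProfiles.azurepolicy.enabled -o tsv
needs_policy_enable() {
  case "${1:-}" in
    true|True) return 1 ;;
    *)         return 0 ;;
  esac
}

# Read one field of the managed cluster as TSV; empty string when null or on error.
aks_field() {
  az aks show --resource-group "$RG" --name "$CLUSTER" --query "$1" -o tsv 2>/dev/null || true
}

deploy_defender_for_containers() {
  defender_state="$(aks_field 'securityProfile.defender.securityMonitoring.enabled')"
  if needs_defender_enable "$defender_state"; then
    echo "Defender sensor not enabled on $CLUSTER; enabling..."
    az aks update --resource-group "$RG" --name "$CLUSTER" --enable-defender
  else
    echo "Defender sensor already enabled on $CLUSTER; skipping."
  fi

  policy_state="$(aks_field 'addonProfiles.azurepolicy.enabled')"
  if needs_policy_enable "$policy_state"; then
    echo "Azure Policy add-on not enabled on $CLUSTER; enabling..."
    az aks enable-addons --addons azure-policy --resource-group "$RG" --name "$CLUSTER"
  else
    echo "Azure Policy add-on already enabled on $CLUSTER; skipping."
  fi

  # Re-read both fields so the run ends with an explicit verification.
  echo "securityProfile.defender.securityMonitoring.enabled=$(aks_field 'securityProfile.defender.securityMonitoring.enabled')"
  echo "addonProfiles.azurepolicy.enabled=$(aks_field 'addonProfiles.azurepolicy.enabled')"
}

# Only call Azure when explicitly asked, so the decision helpers can be sourced
# or exercised without credentials. Usage:
#   RG=<resource-group> CLUSTER=<aks-cluster-name> sh deploy-defender.sh --apply
if [ "${1:-}" = "--apply" ]; then
  : "${RG:?set RG to the resource group}" "${CLUSTER:?set CLUSTER to the AKS cluster name}"
  deploy_defender_for_containers
fi
```

The enable calls are guarded rather than run unconditionally because `az aks update --enable-defender` on a cluster that already has the sensor is a no-op at best and a needless control-plane update at worst; separating the state decision from the CLI call also lets you unit-test the decision with the values `az aks show` actually returns.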