Protect your Azure containers with Defender for Containers
Microsoft Defender for Containers is a cloud-native solution to improve, monitor, and maintain the security of your containerized assets (Kubernetes clusters, Kubernetes nodes, Kubernetes workloads, container registries, container images and more), and their applications, and on-premises environments.
Learn more about Overview of Microsoft Defender for Containers.
You can learn more about Defender for Container's pricing on the pricing page.
Prerequisites
You need a Azure subscription. If you don't have an Azure subscription, you can sign up for a trial subscription.
You must enable Microsoft Defender for Cloud on your Azure subscription.
Ensure the required Fully Qualified Domain Names (FQDN)/application endpoints are configured for outbound access so the Defender sensor can connect to Microsoft Defender for Cloud to send security data and events.
Note
By default, AKS clusters have unrestricted outbound (egress) internet access.
Enable the Defender for Containers plan
By default, when enabling the plan through the Azure portal, Microsoft Defender for Containers is configured to automatically enable all capabilities and install required components to provide the protections offered by plan, including the assignment of a default workspace.
If you would prefer to assign a custom workspace, one can be assigned through the Azure Policy.
To enable Defender for Containers plan on your subscription:
Sign in to the Azure portal.
Search for and select Microsoft Defender for Cloud.
In the Defender for Cloud menu, select Environment settings.
Select the relevant Azure subscription.
On the Defender plans page, toggle the Containers plan to On.
Select Save.
Deploy the Defender sensor in Azure
Note
To enable or disable individual Defender for Containers capabilities, either globally or for specific resources, see How to enable Microsoft Defender for Containers components.
You can enable the Defender for Containers plan and deploy all of the relevant components in different ways. We walk you through the steps to accomplish this using the Azure portal. Learn how to deploy the Defender sensor with REST API, Azure CLI or with a Resource Manager template.
To deploy the Defender sensor in Azure:
Sign in to the Azure portal.
Search for and select Microsoft Defender for Cloud.
Navigate to the Recommendations page.
Search for and select the
Azure Kubernetes Service clusters should have Defender profile enabled
recommendation.Select all of the relevant affected resources.
Select Fix.
Next steps
For advanced enablement features for Defender for Containers, see the Enable Microsoft Defender for Containers page.