Defender for Containers in Microsoft Defender for Cloud is the cloud-native solution that is used to secure your containers so you can improve, monitor, and maintain the security of your clusters, containers, and their applications.
For more information, see Overview of Microsoft Defender for Containers.
You can learn more about Defender for Containers pricing on the pricing page. You can also estimate costs with the Defender for Cloud cost calculator.
Prerequisites
- You need a Microsoft Azure subscription. If you don't have an Azure subscription, you can sign up for a free subscription. 
- You must enable Microsoft Defender for Cloud on your Azure subscription. 
- Verify your Kubernetes nodes can access source repositories of your package manager. For information about the requirements, see Network requirements. 
- Ensure the following Azure Arc-enabled Kubernetes network requirements are validated. 
Enable the Defender for Containers plan on your AWS account
To protect your EKS clusters, you need to enable the Containers plan on the relevant AWS account connector.
To enable the Defender for Containers plan on your AWS account:
- Sign in to the Azure portal. 
- Search for and select Microsoft Defender for Cloud. 
- In the Defender for Cloud menu, select Environment settings. 
- Select the relevant AWS account. 
- Set the toggle for the Containers plan to On. 
- To change optional configurations for the plan, select Settings.
  - The Agentless threat protection feature provides runtime protection for your cluster containers. The feature sends Kubernetes audit logs to Microsoft Defender. Set the Agentless threat protection toggle to On and set the retention period of your audit logs.
    Note
    If you disable this configuration, the Threat detection (control plane) feature is disabled. Learn more about features availability.
  - K8S API access sets permissions to allow API-based discovery of your Kubernetes clusters. To enable it, set the K8S API access toggle to On.
    Note
    If your EKS cluster's public endpoint is restricted, the cluster's settings are automatically updated to include Microsoft Defender for Cloud's CIDR block. Defender for Cloud requires access to the Kubernetes API server from the following IP ranges: 172.212.245.192/28 and 48.209.1.192/28.
  - Registry access sets permissions to allow vulnerability assessment of images stored in ECR. To enable it, set the Registry access toggle to On.
 
- Select Next: Review and generate. 
- Select Update. 
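As an added example (not from this page or from Microsoft's tooling), the following Python checks an EKS cluster's `publicAccessCidrs`, as returned by `aws eks describe-cluster`, against the two Defender for Cloud ranges named above, treating a range as allowed when any listed CIDR is a supernet of it and flagging a 0.0.0.0/0 allow-list as overly broad. The cluster name and the describe-cluster output are constructed sample data.

```python
"""Check an EKS cluster's API-server allow-list for the Defender for Cloud ranges.

Input is the JSON printed by `aws eks describe-cluster`; the sample below is
constructed for illustration and does not describe a real cluster.
"""
import ipaddress
import json

# The two ranges the page says Defender for Cloud needs for Kubernetes API access.
DEFENDER_CIDRS = ("172.212.245.192/28", "48.209.1.192/28")

# Constructed sample output, trimmed to the relevant field.
SAMPLE_DESCRIBE_CLUSTER = json.dumps({
    "cluster": {
        "name": "example-eks-cluster",
        "resourcesVpcConfig": {
            "endpointPublicAccess": True,
            "publicAccessCidrs": ["203.0.113.0/24", "172.212.245.192/28"],
        },
    }
})


def check_defender_api_access(describe_cluster_json: str) -> dict:
    """Report which Defender ranges are covered and whether the list is wide open.

    A range counts as covered if any allow-listed CIDR is a supernet of it, so
    0.0.0.0/0 covers everything (and is flagged separately as overly broad).
    """
    cfg = json.loads(describe_cluster_json)["cluster"]["resourcesVpcConfig"]
    allowed = [ipaddress.ip_network(c) for c in cfg.get("publicAccessCidrs", [])]
    result = {
        "public_endpoint": cfg.get("endpointPublicAccess", False),
        "wide_open": any(n.prefixlen == 0 for n in allowed),
        "covered": [],
        "missing": [],
    }
    for cidr in DEFENDER_CIDRS:
        needed = ipaddress.ip_network(cidr)
        # subnet_of() only compares same-version networks, so filter IPv6 out.
        if any(needed.subnet_of(a) for a in allowed if a.version == needed.version):
            result["covered"].append(cidr)
        else:
            result["missing"].append(cidr)
    return result


if __name__ == "__main__":
    for key, value in check_defender_api_access(SAMPLE_DESCRIBE_CLUSTER).items():
        print(f"{key}: {value}")
```

Any range reported under `missing` means Defender for Cloud cannot reach the API server until the allow-list is updated; a `wide_open` result means the endpoint is exposed to far more than Defender's ranges.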
Note
To enable or disable individual Defender for Containers capabilities, either globally or for specific resources, see How to enable Microsoft Defender for Containers components.
Deploy the Defender sensor in EKS clusters
Important
Deploying the Defender sensor using Helm: Unlike other options that are autoprovisioned and updated automatically, Helm lets you flexibly deploy the Defender sensor. This approach is especially useful in DevOps and infrastructure-as-code scenarios. With Helm, you can integrate deployment into CI/CD pipelines and control all sensor updates. You can also choose to receive preview and GA versions. For instructions on installing the Defender sensor using Helm, see Install Defender for Containers sensor using Helm.
Azure Arc-enabled Kubernetes, the Defender sensor, and Azure Policy for Kubernetes should be installed and running on your EKS clusters. There's a dedicated Defender for Cloud recommendation that can be used to install these extensions (and Azure Arc if necessary):
- EKS clusters should have Microsoft Defender's extension for Azure Arc installed
To deploy the required extensions:
- From Defender for Cloud's Recommendations page, search for the recommendation by name. 
- Select an unhealthy cluster. 
Important
You must select the clusters one at a time.
Don't select the clusters by their hyperlinked names: select anywhere else in the relevant row.
- Select Fix. 
- Defender for Cloud generates a script in the language of your choice:
  - For Linux, select Bash.
  - For Windows, select PowerShell.
 
- Select Download remediation logic. 
- Run the generated script on your cluster. 
Next steps
- For advanced enablement features for Defender for Containers, see the Enable Microsoft Defender for Containers page. 