Deploy Azure Arc

Implementation Effort: Medium
Customer IT and Security Operations teams must onboard on-premises or multicloud SQL Servers to Azure Arc and configure Defender for SQL Servers on Machines.

User Impact: Low
Deployment is handled by administrators; no user-facing changes or notifications are required.

Overview

Deploying Azure Arc in Microsoft Defender for Databases enables security teams to extend Defender for Cloud’s threat protection to SQL Server instances running outside Azure—such as on-premises or in other cloud environments. This is achieved by onboarding these servers to Azure Arc and enabling the Defender for SQL Servers on Machines plan, which is part of the broader Defender for Databases offering.

Key Steps

1. Connect SQL Server to Azure Arc

   • Ensure the SQL Server instance is running on a supported Windows OS and version (SQL Server 2012 R2 or later).
   • Follow the onboarding process to register the server as an Azure Arc-enabled SQL Server 1.

2. Enable Defender for SQL Servers on Machines

   • Navigate to Microsoft Defender for Cloud > Environment settings in the Azure portal.
   • Select the relevant subscription and enable the Databases plan.
   • Within the plan, toggle SQL Servers on Machines to On 2.

3. Ensure Prerequisites Are Met

   • SQL Server service accounts must be members of the sysadmin role.
   • Outbound HTTPS traffic on TCP port 443 must be allowed to *.region.arcdataservices.com.
   • Required extensions must not be blocked (e.g., SqlIaaSAgent, WindowsAgent.SqlServer).

This deployment supports the Zero Trust principle of "Assume Breach" by extending visibility and threat detection to hybrid and multicloud environments. Without Azure Arc, these SQL Server instances would remain outside the Defender for Cloud security perimeter, increasing the risk of undetected threats.

Reference

• Enable Microsoft Defender for SQL Servers on Machines
• Configure SQL Server enabled by Azure Arc
• Protect your databases with Defender for Databases