跳到主要内容

Deploy Azure Arc

Implementation Effort: Medium – Requires onboarding Kubernetes clusters to Azure Arc and enabling Defender for Containers with appropriate network and policy configurations.

User Impact: Low – Deployment is handled by platform and security teams; end users are not directly affected.

Overview

Deploying Azure Arc in Microsoft Defender for Containers enables security monitoring and protection for on-premises and multicloud Kubernetes clusters. Azure Arc acts as a bridge, allowing Defender for Containers to extend its capabilities—such as runtime threat detection, vulnerability scanning, and policy enforcement—to clusters outside of Azure.

Key Steps

  1. Prerequisites:

    • An active Azure subscription.
    • Microsoft Defender for Cloud must be enabled on the subscription.
    • Outbound network access to required Microsoft endpoints (e.g., *.ods.opinsights.azure.com, login.microsoftonline.com) must be allowed 1.
  2. Connect Kubernetes Cluster to Azure Arc:

    • Use the Azure portal or CLI to onboard your Kubernetes cluster to Azure Arc.
    • This registers the cluster as a resource in Azure and enables policy and extension management.
  3. Enable Defender for Containers Plan:

    • In Microsoft Defender for Cloud > Environment settings, select your subscription.
    • Toggle the Containers plan to On and click Save 1.
  4. Deploy Defender Sensor:

    • Navigate to Defender for Cloud > Recommendations.
    • Search for "Azure Arc-enabled Kubernetes clusters should have the Defender extension installed".
    • Select affected clusters and click Fix to deploy the Defender sensor 1.
  5. Optional: Assign a custom Log Analytics workspace using Azure Policy if you prefer not to use the default.

This capability supports the "Assume Breach" and "Verify Explicitly" principles of Zero Trust by extending consistent security monitoring and policy enforcement to Kubernetes clusters across hybrid and multicloud environments.

Reference