For clusters that aren’t running in Azure Kubernetes Service (AKS), Defender for Cloud uses Azure Arc-enabled Kubernetes to deploy the required extensions.
Prerequisites
Network requirements
The Defender sensor must connect to Microsoft Defender for Cloud to send security data and events. Make sure that the required endpoints are configured for outbound access.
Connection requirements
The Defender sensor needs connectivity to:
- Microsoft Defender for Cloud (for sending security data and events)
By default, AKS clusters have unrestricted outbound (egress) internet access.
For clusters with restricted egress, you must allow specific FQDNs for Microsoft Defender for Containers to function properly. See Microsoft Defender for Containers - Required FQDN/application rules in the AKS outbound network documentation for the required endpoints.
Private link configuration
For instructions, see Microsoft Security Private Link for Microsoft Defender for Cloud.
Deploy the Defender sensor
If automatic provisioning was enabled when you turned on the Defender for Containers plan, the Defender sensor might already be installed. Verify the deployment before running this command.
To deploy the Defender sensor to a specific AKS cluster:
az aks update \
--resource-group <resource-group> \
--name <aks-cluster-name> \
--enable-defender
Deploy the Azure Policy add-on
Enable Azure Policy for Kubernetes to assess and enforce configuration best practices:
az aks enable-addons \
--addons azure-policy \
--name <aks-cluster-name> \
--resource-group <resource-group>
Prerequisites
Network requirements
Validate that the following endpoints for public cloud deployments are configured for outbound access. Configuring them for outbound access helps ensure that the Defender sensor can connect to Microsoft Defender for Cloud to send security data and events.
Note
The Azure domains *.ods.opinsights.azure.com and *.oms.opinsights.azure.com are no longer required for outbound access. For more information, see the deprecation announcement.
| Azure domain | Azure Government domain | Azure operated by 21Vianet domain | Port |
|---|---|---|---|
| *.cloud.defender.microsoft.com | N/A | N/A | 443 |
You also need to validate the Azure Arc-enabled Kubernetes network requirements.
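As an added example (not part of the Microsoft documentation), a small Python audit that checks a restricted-egress allowlist, such as the FQDN list behind an Azure Firewall application rule or a proxy allowlist, against the required endpoint in the table above and flags entries for the two deprecated opinsights domains from the note as removable. The same required endpoint applies to the EKS, GKE and Arc sections of this page. The sample allowlist is constructed, and the pattern semantics (a leading-label wildcard `*.suffix`) are an assumption.

```python
# Required outbound endpoint from the table above, and the two domains the
# note says are no longer needed. Patterns are an exact FQDN or '*.suffix'.
REQUIRED = [("*.cloud.defender.microsoft.com", 443)]
DEPRECATED = ["*.ods.opinsights.azure.com", "*.oms.opinsights.azure.com"]

# Constructed sample allowlist: (fqdn pattern, port) pairs such as the FQDNs
# behind an Azure Firewall application rule or a NAT/proxy allowlist.
SAMPLE_ALLOWLIST = [
    ("*.cloud.defender.microsoft.com", 443),
    ("*.ods.opinsights.azure.com", 443),   # stale after the deprecation
    ("mcr.microsoft.com", 443),
]


def hosts_covered(allow, required):
    """True if every host matched by `required` is also matched by `allow`.
    Assumed semantics: '*.suffix' matches any host ending in '.suffix' (not
    the apex itself); anything else is an exact host."""
    allow, required = allow.lower().rstrip("."), required.lower().rstrip(".")
    if allow.startswith("*."):
        suffix = allow[2:]
        if required.startswith("*."):
            rsuffix = required[2:]
            return rsuffix == suffix or rsuffix.endswith("." + suffix)
        return required.endswith("." + suffix)
    # an exact entry can never cover a wildcard requirement
    return not required.startswith("*.") and allow == required


def audit_egress(allowlist):
    """Return {'missing': required entries no allowlist entry covers on the
    right port, 'stale': allowlist entries that fall under a deprecated domain}."""
    missing = [(fqdn, port) for fqdn, port in REQUIRED
               if not any(p == port and hosts_covered(a, fqdn) for a, p in allowlist)]
    stale = [(a, p) for a, p in allowlist
             if any(hosts_covered(d, a) for d in DEPRECATED)]
    return {"missing": missing, "stale": stale}


if __name__ == "__main__":
    report = audit_egress(SAMPLE_ALLOWLIST)
    for fqdn, port in report["missing"]:
        print(f"MISSING: allow outbound to {fqdn} on TCP {port}")
    for fqdn, port in report["stale"]:
        print(f"STALE: {fqdn}:{port} is deprecated and can be removed")
```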
Deploy the Defender sensor
For EKS clusters, Defender components are deployed as Azure Arc Kubernetes extensions when you deploy them manually using Azure CLI.
If automatic provisioning was enabled when you turned on the Defender for Containers plan, the Defender sensor might already be installed. Verify the deployment before running this command.
az k8s-extension create \
--name microsoft.azuredefender.kubernetes \
--extension-type microsoft.azuredefender.kubernetes \
--cluster-type connectedClusters \
--cluster-name <cluster-name> \
--resource-group <resource-group>
Deploy the Azure Policy extension
az k8s-extension create \
--name azurepolicy \
--extension-type Microsoft.PolicyInsights \
--cluster-type connectedClusters \
--cluster-name <cluster-name> \
--resource-group <resource-group>
Prerequisites
Network requirements
Validate that the following endpoints for public cloud deployments are configured for outbound access. Configuring them for outbound access helps ensure that the Defender sensor can connect to Microsoft Defender for Cloud to send security data and events.
Note
The Azure domains *.ods.opinsights.azure.com and *.oms.opinsights.azure.com are no longer required for outbound access. For more information, see the deprecation announcement.
| Azure domain | Azure Government domain | Azure operated by 21Vianet domain | Port |
|---|---|---|---|
| *.cloud.defender.microsoft.com | N/A | N/A | 443 |
You also need to validate the Azure Arc-enabled Kubernetes network requirements.
Private GKE clusters
Private GKE clusters must allow outbound HTTPS (TCP 443) access to Microsoft Defender for Cloud endpoints.
If required, configure firewall rules to allow egress from cluster nodes:
# Egress rules are matched on destination, so the rule uses --direction EGRESS with
# --destination-ranges; the --source-ranges flag only applies to ingress rules.
# 0.0.0.0/0 allows any destination on TCP 443; narrow it if you maintain the endpoint ranges.
gcloud compute firewall-rules create allow-azure-defender \
--direction EGRESS \
--allow tcp:443 \
--destination-ranges 0.0.0.0/0 \
--target-tags <node-tags>
Cluster-specific considerations
Standard GKE clusters
No special configuration is required. Follow the default deployment steps.
GKE Autopilot clusters
For Autopilot clusters:
- The Defender sensor automatically adjusts resource requests.
- No manual configuration is needed for resource limits.
Important
In GKE Autopilot clusters, resource requests and limits for the Defender sensor can't be manually configured. Resource management is controlled by GKE Autopilot and can't be overridden.
Deploy the Defender sensor
For GKE clusters, Defender components are deployed as Azure Arc Kubernetes extensions when you deploy them manually using Azure CLI.
If automatic provisioning was enabled when you turned on the Defender for Containers plan, the Defender sensor might already be installed. Verify the deployment before running this command.
az k8s-extension create \
--name microsoft.azuredefender.kubernetes \
--extension-type microsoft.azuredefender.kubernetes \
--cluster-type connectedClusters \
--cluster-name <cluster-name> \
--resource-group <resource-group>
Deploy the Azure Policy extension
az k8s-extension create \
--name azurepolicy \
--extension-type Microsoft.PolicyInsights \
--cluster-type connectedClusters \
--cluster-name <cluster-name> \
--resource-group <resource-group>
Prerequisites
Network requirements
Validate that the following endpoints for public cloud deployments are configured for outbound access. Configuring them for outbound access helps ensure that the Defender sensor can connect to Microsoft Defender for Cloud to send security data and events.
Note
The Azure domains *.ods.opinsights.azure.com and *.oms.opinsights.azure.com are no longer required for outbound access. For more information, see the deprecation announcement.
| Azure domain | Azure Government domain | Azure operated by 21Vianet domain | Port |
|---|---|---|---|
| *.cloud.defender.microsoft.com | N/A | N/A | 443 |
You also need to validate the Azure Arc-enabled Kubernetes network requirements.
Deploy the Defender sensor
For Arc-enabled Kubernetes clusters, Defender components are deployed as Azure Arc Kubernetes extensions.
If automatic provisioning was enabled when you turned on the Defender for Containers plan, the Defender sensor might already be installed. Verify the deployment before running this command.
az k8s-extension create \
--name microsoft.azuredefender.kubernetes \
--extension-type microsoft.azuredefender.kubernetes \
--cluster-type connectedClusters \
--cluster-name <cluster-name> \
--resource-group <resource-group>
Deploy the Azure Policy extension
az k8s-extension create \
--name azurepolicy \
--extension-type Microsoft.PolicyInsights \
--cluster-type connectedClusters \
--cluster-name <cluster-name> \
--resource-group <resource-group>
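Added example, not part of the Microsoft documentation: a Python helper that performs the "verify the deployment before running this command" step for both the AKS path (az aks update / az aks enable-addons) and the Arc-extension path (az k8s-extension create) used by the EKS, GKE and Arc sections, and returns only the commands still needed. The JSON field paths (securityProfile.defender.securityMonitoring.enabled, addonProfiles.azurepolicy.enabled, and the name field in `az k8s-extension list` output) are assumptions about the CLI output shape; the sample JSON is constructed.

```python
import json
import subprocess

# Constructed sample of `az aks show -o json` output (trimmed): Defender not yet
# enabled, Azure Policy add-on already on. Field paths are assumptions.
SAMPLE_AKS_JSON = '{"addonProfiles": {"azurepolicy": {"enabled": true}}, "securityProfile": {"defender": null}}'
# Constructed sample of `az k8s-extension list -o json`: only Azure Policy present.
SAMPLE_ARC_JSON = '[{"name": "azurepolicy", "extensionType": "Microsoft.PolicyInsights"}]'

ARC_EXTENSIONS = [  # (--name, --extension-type) pairs exactly as on this page
    ("microsoft.azuredefender.kubernetes", "microsoft.azuredefender.kubernetes"),
    ("azurepolicy", "Microsoft.PolicyInsights"),
]


def plan_aks(cluster_json, resource_group, name):
    """Return the az commands still needed for an AKS cluster, given its
    `az aks show` JSON. Already-enabled components produce no command."""
    c = json.loads(cluster_json)
    monitoring = (((c.get("securityProfile") or {}).get("defender") or {})
                  .get("securityMonitoring") or {})
    policy = (c.get("addonProfiles") or {}).get("azurepolicy") or {}
    cmds = []
    if not monitoring.get("enabled"):
        cmds.append(["az", "aks", "update", "--resource-group", resource_group,
                     "--name", name, "--enable-defender"])
    if not policy.get("enabled"):
        cmds.append(["az", "aks", "enable-addons", "--addons", "azure-policy",
                     "--name", name, "--resource-group", resource_group])
    return cmds


def plan_arc(extensions_json, resource_group, cluster_name):
    """Return the `az k8s-extension create` commands for extensions not yet
    present on an Arc-connected cluster (EKS, GKE or other Arc clusters)."""
    present = {(e.get("name") or "").lower() for e in json.loads(extensions_json)}
    return [["az", "k8s-extension", "create", "--name", ext_name,
             "--extension-type", ext_type, "--cluster-type", "connectedClusters",
             "--cluster-name", cluster_name, "--resource-group", resource_group]
            for ext_name, ext_type in ARC_EXTENSIONS if ext_name not in present]


def apply(cmds):
    """Run the planned commands; requires a logged-in az CLI."""
    for cmd in cmds:
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    for cmd in plan_aks(SAMPLE_AKS_JSON, "<resource-group>", "<aks-cluster-name>"):
        print(" ".join(cmd))
    for cmd in plan_arc(SAMPLE_ARC_JSON, "<resource-group>", "<cluster-name>"):
        print(" ".join(cmd))
```

Feed it the real output of `az aks show -o json` or `az k8s-extension list -o json` and pass the result to `apply` once you have reviewed the planned commands.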