Microsoft Defender for Containers provides threat protection, vulnerability assessment, and security posture management for Kubernetes clusters across cloud environments through Microsoft Defender for Cloud.
Defender for Containers is enabled and deployed differently depending on the Kubernetes environment. Azure Kubernetes Service (AKS) uses Azure-native integrations, while Amazon Elastic Kubernetes Service (EKS) and Google Kubernetes Engine (GKE) rely on multicloud connectors, Azure Arc-enabled Kubernetes, and environment-specific components.
Microsoft Defender for Containers extends security monitoring and protection to Azure Kubernetes Service (AKS) clusters through Microsoft Defender for Cloud. It helps security and DevOps teams gain visibility into container image vulnerabilities, runtime activity, and Kubernetes configuration risks in Azure environments.
Integration with Azure
Defender for Containers integrates natively with Azure services to protect AKS clusters. When enabled on an Azure subscription, the solution:
- Discovers AKS clusters in the subscription
- Deploys Defender for Containers components by using Azure-managed integrations
- Assesses container images stored in Azure Container Registry (ACR) for vulnerabilities
- Collects runtime security signals from AKS clusters
- Generates security recommendations based on observed configuration and posture
- Surfaces alerts that integrate with Microsoft security tooling
The integration is designed to operate using Azure-native capabilities and doesn't require inbound connectivity to AKS clusters.
Note
AKS control plane audit logs are collected through Azure-managed control plane integration. Defender for Containers doesn’t rely on Kubernetes-native audit log pipelines or require you to enable audit logging in the cluster.
Key capabilities
Defender for Containers provides the following capabilities for AKS environments:
- Container image vulnerability assessment for images stored in Azure Container Registry (ACR)
- Threat detection and alerting based on runtime signals collected from AKS nodes, workloads, and Kubernetes audit logs
- Security posture insights for Kubernetes clusters and workloads, aligned with Kubernetes and Azure security best practices
Note
Available signals and detections depend on cluster configuration and enabled components.
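The enable-and-verify sequence for the AKS integration described above, as an added example that is not part of the Defender for Cloud documentation. It assumes placeholder resource names (a subscription ID, resource group and cluster name set through the environment), the Azure CLI and kubectl already authenticated, and Defender DaemonSet names as currently observed in the kube-system namespace on AKS, which you should confirm on your own cluster. Running the script with no arguments only defines the functions; `apply` makes the changes.

```shell
#!/usr/bin/env sh
# Added example (not from the Defender for Cloud docs): enable the Containers plan on a
# subscription, enable the Defender profile on one AKS cluster, then verify from both sides.
# Resource names are placeholders (assumptions); override them through the environment.
set -eu

SUBSCRIPTION="${SUBSCRIPTION:-00000000-0000-0000-0000-000000000000}"
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-aks-prod}"
CLUSTER="${CLUSTER:-aks-prod}"

# 1. Subscription-level plan. Only the Standard tier turns the Containers features on.
enable_containers_plan() {
  az security pricing create --name Containers --tier Standard --subscription "$SUBSCRIPTION"
}

# 2. Cluster-level Defender profile. This is the Azure-managed integration: AKS deploys the
#    sensor itself, so there is no manual kubectl apply and no inbound connectivity to open.
enable_aks_defender() {
  az aks update --resource-group "$RESOURCE_GROUP" --name "$CLUSTER" --enable-defender
}

# 3a. Control-plane view: the cluster's securityProfile reports whether Defender is on.
aks_defender_enabled() {
  [ "$(az aks show -g "$RESOURCE_GROUP" -n "$CLUSTER" \
        --query 'securityProfile.defender.securityMonitoring.enabled' -o tsv)" = "true" ]
}

# 3b. Data-plane view: the sensor runs as DaemonSets in kube-system. Reads a
#     'kubectl get ds -n kube-system' listing on stdin (columns NAME DESIRED CURRENT READY ...)
#     and succeeds only if at least one microsoft-defender-* DaemonSet exists and every one
#     has READY == DESIRED. A DaemonSet that is not fully ready means nodes without runtime
#     signals, which is what the "available signals depend on enabled components" note warns of.
#     The microsoft-defender-* naming is an assumption from current AKS releases.
defender_daemonsets_ready() {
  found=0 notready=0
  while read -r name desired current ready _rest; do
    case "$name" in
      microsoft-defender-*)
        found=$((found + 1))
        [ "$desired" -gt 0 ] && [ "$ready" = "$desired" ] || notready=$((notready + 1)) ;;
    esac
  done
  [ "$found" -gt 0 ] && [ "$notready" -eq 0 ]
}

# Run with 'apply' to make changes; with no arguments the script only defines the functions.
if [ "${1:-}" = "apply" ]; then
  enable_containers_plan
  enable_aks_defender
  aks_defender_enabled && echo "AKS control plane: Defender enabled"
  kubectl get ds -n kube-system | defender_daemonsets_ready && echo "Defender sensor DaemonSets ready"
fi
```

The two verification functions deliberately check different layers: `az aks show` reflects what the Azure control plane believes, while the DaemonSet listing shows whether the sensor pods actually scheduled on every node. A node pool with taints or resource pressure can leave the control plane reporting "enabled" while some nodes send no runtime signals.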
Microsoft Defender for Containers extends security monitoring and protection to Amazon Elastic Kubernetes Service (EKS) clusters to provide visibility into container image vulnerabilities, runtime activity, and cluster configuration risks through Microsoft Defender for Cloud.
Integration with AWS
Defender for Containers integrates with AWS through a secure connector that connects your AWS account to Microsoft Defender for Cloud. Once connected, the solution:
- Discovers EKS clusters in your AWS account
- Deploys lightweight security sensors to collect runtime signals
- Integrates with Amazon ECR to assess container images for vulnerabilities
- Generates security recommendations based on observed configuration and posture
- Surfaces alerts for suspicious activity related to EKS workloads
The integration is designed to work alongside existing AWS security services, such as Amazon GuardDuty and AWS Security Hub, rather than replace them.
Key capabilities
Defender for Containers provides the following capabilities for Amazon EKS environments:
- Container image vulnerability assessment for images stored in Amazon ECR
- Threat detection, alerting, and response based on runtime signals
- Security posture insights aligned with security best practices
Note
Available signals and detections depend on cluster configuration and enabled data sources.
Microsoft Defender for Containers extends security monitoring and protection to Google Kubernetes Engine (GKE) clusters by integrating with Microsoft Defender for Cloud.
Integration with GCP
Defender for Containers integrates with Google Cloud through a secure GCP connector that connects your GCP projects to Microsoft Defender for Cloud. Once connected, the solution:
- Discovers GKE clusters in connected GCP projects
- Connects selected clusters to Azure Arc
- Deploys a Defender sensor
- Integrates with Google Container Registry and Artifact Registry
- Generates security recommendations
- Surfaces alerts for suspicious activity
The integration is designed to work alongside native GCP security features and doesn't require inbound connectivity.
Key capabilities
Defender for Containers provides the following capabilities for GKE environments:
- Container image vulnerability assessment for GCR and Artifact Registry
- Threat detection and alerting based on runtime signals
- Security posture insights aligned with Kubernetes and GKE best practices
Note
Available signals and detections depend on cluster configuration and enabled data sources.
Microsoft Defender for Containers provides security monitoring and protection for Kubernetes clusters that are connected to Azure through Azure Arc. This includes Kubernetes clusters running on-premises, at the edge, or in other non-Azure environments.
Defender for Containers on Arc-enabled Kubernetes is managed through Microsoft Defender for Cloud and relies on Azure Arc-enabled Kubernetes for cluster connectivity and component deployment.
Integration with Azure Arc
Defender for Containers integrates with Arc-enabled Kubernetes clusters by using Azure Arc as the control plane. After a cluster is connected to Azure Arc and the Containers plan is enabled, Defender for Containers:
- Discovers Arc-enabled Kubernetes clusters in the subscription
- Deploys Defender components by using Azure Arc extensions
- Collects runtime security signals from Kubernetes nodes and workloads
- Evaluates cluster and workload configurations
- Generates security recommendations and alerts in Defender for Cloud
The integration doesn't require inbound connectivity to the Kubernetes cluster. Communication is initiated from the cluster to Azure through the Azure Arc agents.
Note
Arc-enabled Kubernetes is required to deploy Defender for Containers components to Kubernetes clusters that aren’t running in Azure.
Key capabilities
Defender for Containers provides the following capabilities for Arc-enabled Kubernetes environments:
- Threat detection and alerting based on runtime signals collected from Kubernetes nodes, workloads, and audit logs
- Security posture insights for Kubernetes clusters and workloads
- Policy-based configuration assessment through Azure Policy for Kubernetes
Note
Available signals, detections, and posture assessments depend on enabled components and cluster configuration.
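The Arc onboarding sequence described above, as an added example that is not part of the Defender for Cloud documentation. It covers the manual path for on-premises and other non-Azure clusters; for EKS and GKE the cloud connector performs the Arc connection and sensor deployment for you, but the verification functions apply there too once the cluster appears as an Arc-enabled resource. Assumptions: placeholder resource group and cluster names, an authenticated Azure CLI with the `connectedk8s` and `k8s-extension` extensions, and the current kubeconfig context pointing at the cluster being onboarded.

```shell
#!/usr/bin/env sh
# Added example (not from the Defender for Cloud docs): onboard a non-Azure cluster through
# Azure Arc, install the Defender for Containers and Azure Policy extensions, then verify.
# Resource names are placeholders (assumptions); override them through the environment.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-rg-arc-clusters}"
CLUSTER="${CLUSTER:-onprem-k8s-01}"

# 1. Connect the cluster using the current kubeconfig context. The Arc agents run in the
#    azure-arc namespace and dial out to Azure; nothing has to reach the cluster inbound.
connect_cluster() {
  az connectedk8s connect --name "$CLUSTER" --resource-group "$RESOURCE_GROUP"
}

# 2. The Defender sensor is delivered as an Arc cluster extension of this type.
install_defender_extension() {
  az k8s-extension create \
    --cluster-type connectedClusters --cluster-name "$CLUSTER" --resource-group "$RESOURCE_GROUP" \
    --extension-type microsoft.azuredefender.kubernetes --name microsoft.azuredefender.kubernetes
}

# 3. Azure Policy for Kubernetes backs the policy-based configuration assessment.
install_policy_extension() {
  az k8s-extension create \
    --cluster-type connectedClusters --cluster-name "$CLUSTER" --resource-group "$RESOURCE_GROUP" \
    --extension-type Microsoft.PolicyInsights --name azurepolicy
}

# 4a. Arc connectivity: the cluster must heartbeat outbound and report Connected.
cluster_connected() {
  [ "$(az connectedk8s show -n "$CLUSTER" -g "$RESOURCE_GROUP" \
        --query connectivityStatus -o tsv)" = "Connected" ]
}

# 4b. Extension state. Emits one "<extensionType>\t<provisioningState>" row per extension.
list_extensions() {
  az k8s-extension list --cluster-type connectedClusters --cluster-name "$CLUSTER" \
    --resource-group "$RESOURCE_GROUP" --query '[].[extensionType, provisioningState]' -o tsv
}

# Reads those rows on stdin and succeeds only when both required extension types are present
# and Succeeded. Extension types are compared case-insensitively because the CLI echoes the
# casing used at creation time.
required_extensions_ready() {
  defender=missing policy=missing
  while read -r ext_type state; do
    case "$(printf '%s' "$ext_type" | tr '[:upper:]' '[:lower:]')" in
      microsoft.azuredefender.kubernetes) defender=$state ;;
      microsoft.policyinsights)           policy=$state ;;
    esac
  done
  [ "$defender" = "Succeeded" ] && [ "$policy" = "Succeeded" ]
}

# Run with 'apply' to make changes; with no arguments the script only defines the functions.
if [ "${1:-}" = "apply" ]; then
  connect_cluster
  install_defender_extension
  install_policy_extension
  cluster_connected && echo "Arc: Connected"
  list_extensions | required_extensions_ready && echo "Defender and Policy extensions: Succeeded"
fi
```

Extension installation is asynchronous: `az k8s-extension create` returns once the resource is accepted, and `provisioningState` moves to `Succeeded` only after the Helm release rolls out on the cluster, so treat the `required_extensions_ready` check as something to poll rather than run once immediately after creation.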
View your current coverage
Defender for Cloud publishes reports as Azure Workbooks, customizable reports that help you understand your security posture.
The coverage workbook shows which Defender for Cloud plans and components are enabled across your subscriptions and connected environments, so you can spot subscriptions still on the free tier or clusters without the sensor.
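A scriptable counterpart to the coverage workbook, as an added example that is not part of the Defender for Cloud documentation: three Azure Resource Graph queries run through the Azure CLI `resource-graph` extension, each listing one kind of coverage gap, wrapped so the exit code can gate a pipeline. The property paths follow the Microsoft.Security/pricings, Microsoft.ContainerService/managedClusters and Microsoft.KubernetesConfiguration/extensions resource schemas, and the `kubernetesconfigurationresources` table and the join on extension IDs are assumptions to confirm against your tenant before relying on them.

```shell
#!/usr/bin/env sh
# Added example (not from the Defender for Cloud docs): Resource Graph queries for the gaps
# the coverage workbook surfaces, plus a small gate on their row counts.
# Table names and property paths are assumptions from the published resource schemas.
set -eu

# Subscriptions where the Containers plan is not on the Standard tier.
PLAN_GAPS_KQL='
securityresources
| where type =~ "microsoft.security/pricings" and name =~ "Containers"
| extend tier = tostring(properties.pricingTier)
| where tier !~ "Standard"
| project subscriptionId, tier'

# AKS clusters whose Defender profile is off or unset, even where the plan is Standard.
AKS_GAPS_KQL='
resources
| where type =~ "microsoft.containerservice/managedclusters"
| extend defender = tobool(properties.securityProfile.defender.securityMonitoring.enabled)
| where isnull(defender) or defender == false
| project subscriptionId, resourceGroup, name'

# Arc-enabled clusters (on-premises, EKS, GKE) with no Defender extension resource beneath them.
# The extension ID is the cluster ID followed by /providers/Microsoft.KubernetesConfiguration/...,
# so cutting the ID at that segment yields the parent cluster to anti-join against.
ARC_GAPS_KQL='
kubernetesconfigurationresources
| where type =~ "microsoft.kubernetesconfiguration/extensions"
| where properties.extensionType =~ "microsoft.azuredefender.kubernetes"
| extend lid = tolower(id)
| extend clusterId = substring(lid, 0, indexof(lid, "/providers/microsoft.kubernetesconfiguration/"))
| project clusterId
| join kind=rightanti (
    resources
    | where type =~ "microsoft.kubernetes/connectedclusters"
    | extend clusterId = tolower(id)
    | project clusterId, subscriptionId, resourceGroup, name
  ) on clusterId
| project subscriptionId, resourceGroup, name'

# Runs one query across every subscription the caller can read; one tab-separated row per gap.
run_query() {
  az graph query -q "$1" --first 1000 --query 'data[]' -o tsv
}

# Reads gap rows on stdin, prints "<label>: N gap(s)" and returns 0 only when N is 0.
report_gaps() {
  label=$1 n=0
  while read -r row; do
    [ -n "$row" ] && n=$((n + 1))
  done
  printf '%s: %d gap(s)\n' "$label" "$n"
  [ "$n" -eq 0 ]
}

# Run with 'run' to query Azure; with no arguments the script only defines the functions.
if [ "${1:-}" = "run" ]; then
  status=0
  run_query "$PLAN_GAPS_KQL" | report_gaps "Containers plan not Standard"          || status=1
  run_query "$AKS_GAPS_KQL"  | report_gaps "AKS clusters without Defender profile"  || status=1
  run_query "$ARC_GAPS_KQL"  | report_gaps "Arc clusters without Defender extension" || status=1
  exit "$status"
fi
```

Note that `--first 1000` caps each result set; a tenant with more gaps than that needs paging with `--skip-token`, and the script reports only the subscriptions the signed-in identity can read, so run it with an identity that has Reader across the scopes the workbook covers.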
Pricing
Defender for Containers is billed as part of Microsoft Defender for Cloud. Pricing depends on the enabled components and the number of protected resources.
For pricing details, see Microsoft Defender for Cloud pricing.
Related content