Connect your GCP project to Microsoft Defender for Cloud

Workloads commonly span multiple cloud platforms. Cloud security services must do the same. Microsoft Defender for Cloud helps protect workloads in Google Cloud Platform (GCP), but you need to set up the connection between them and Defender for Cloud.

If you're connecting a GCP project that you previously connected by using the classic connector, you must remove it first. Using a GCP project that's connected by both the classic and native connectors can produce duplicate recommendations.

Screenshot that shows GCP projects listed on the overview dashboard in Defender for Cloud.

Prerequisites

To complete the procedures in this article, you need:

  • A Microsoft Azure subscription. If you don't have an Azure subscription, you can sign up for a free one.

  • Microsoft Defender for Cloud set up on your Azure subscription.

  • Access to a GCP project.

  • Contributor permission on the relevant Azure subscription, and Owner permission on the GCP organization or project.

You can learn more about Defender for Cloud pricing on the pricing page.

When you're connecting GCP projects to specific Azure subscriptions, consider the Google Cloud resource hierarchy and these guidelines:

  • You can connect your GCP projects to Microsoft Defender for Cloud at the project level.
  • You can connect multiple projects to one Azure subscription.
  • You can connect multiple projects to multiple Azure subscriptions.

Connect your GCP project

To connect your GCP project to Defender for Cloud by using a native connector:

  1. Sign in to the Azure portal.

  2. Go to Defender for Cloud > Environment settings.

  3. Select Add environment > Google Cloud Platform.

    Screenshot that shows selections for adding Google Cloud Platform as a connector.

  4. Enter all relevant information.

    Screenshot of the pane for creating a GCP connector.

    Optionally, if you select Organization, a management project and an organization custom role are created on your GCP project for the onboarding process. Autoprovisioning is enabled for the onboarding of new projects.

Select Defender plans

In this section of the wizard, you select the Defender for Cloud plans that you want to enable.

  1. Select Next: Select plans.

  2. For the plans that you want to connect, turn the toggle to On. By default, all necessary prerequisites and components are provisioned. Learn how to configure each plan.

    Screenshot that shows the tab for selecting plans for a GCP project.

    If you choose to turn on the Microsoft Defender for Containers plan, ensure that you meet the network requirements for it.

  3. Select Configure access and make the following selections:

    1. Select the deployment type:

      • Default access: Allows Defender for Cloud to scan your resources and automatically include future capabilities.
      • Least privilege access: Grants Defender for Cloud only the permissions currently needed for the selected plans. If you select least privilege access, you'll receive notifications about any new roles and permissions that are required for full functionality, as part of connector health.
    2. Select the deployment method: GCP Cloud Shell or Terraform.

    Screenshot that shows deployment options and instructions for configuring access.

  4. Follow the on-screen instructions for the selected deployment method to complete the required dependencies on GCP.

  5. Select Next: Review and generate.

  6. Select Create.

    Note

    The following APIs must be enabled in order to discover your GCP resources and allow the authentication process to occur:

    • iam.googleapis.com
    • sts.googleapis.com
    • cloudresourcemanager.googleapis.com
    • iamcredentials.googleapis.com
    • compute.googleapis.com

    If you don't enable these APIs at this time, you can enable them during the onboarding process by running the GCloud script.
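The following script is an added example, not part of this article or of the GCloud script that the onboarding wizard generates. It checks which of the five APIs listed above are not yet enabled on a project and enables only the missing ones, so it can be run safely before onboarding and re-run later to confirm nothing was disabled. It assumes gcloud is installed and authenticated (as it is in GCP Cloud Shell) and that the caller has permission to enable services on the project; the function and script names are the example's own.

```shell
#!/bin/sh
# Added example (not from the Microsoft Learn article): find and enable the
# Google APIs that Defender for Cloud onboarding depends on.
# Assumptions: gcloud is installed and authenticated (e.g. in GCP Cloud Shell)
# and the caller may enable services on the target project.
set -eu

# The five APIs named in the onboarding note.
REQUIRED_APIS="iam.googleapis.com sts.googleapis.com cloudresourcemanager.googleapis.com iamcredentials.googleapis.com compute.googleapis.com"

# missing_from REQUIRED PRESENT
# Prints, one per line, each item of REQUIRED (space separated) that does not
# occur in PRESENT (space separated). Pure shell, so it is testable offline.
missing_from() {
  required="$1"
  present=" $2 "
  for item in $required; do
    case "$present" in
      *" $item "*) ;;                 # already present
      *) printf '%s\n' "$item" ;;     # missing
    esac
  done
}

# missing_apis ENABLED_LIST: required APIs absent from ENABLED_LIST.
missing_apis() {
  missing_from "$REQUIRED_APIS" "$1"
}

# enabled_apis PROJECT_ID: names of the services currently enabled on the
# project; config.name holds the short name such as compute.googleapis.com.
enabled_apis() {
  gcloud services list --enabled --project "$1" --format='value(config.name)'
}

# ensure_apis PROJECT_ID: enable whatever is missing; re-running is harmless.
ensure_apis() {
  project="$1"
  enabled=$(enabled_apis "$project" | tr '\n' ' ')
  missing=$(missing_apis "$enabled")
  if [ -z "$missing" ]; then
    echo "All required APIs are already enabled on $project"
    return 0
  fi
  echo "Enabling on $project:"
  printf '  %s\n' $missing
  # Word splitting of $missing is intended: one argument per API.
  gcloud services enable --project "$project" $missing
}

# Usage: sh ensure-apis.sh PROJECT_ID   (with no argument, only the functions are defined)
if [ "${1:-}" != "" ]; then
  ensure_apis "$1"
fi
```

Because the set-difference logic is separated from the gcloud calls, you can check the output of `gcloud services list --enabled` from an audit export against the required list without granting the reviewing account permission to change anything.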

After you create the connector, a scan starts on your GCP environment. New recommendations appear in Defender for Cloud after up to 6 hours. If you enabled autoprovisioning, Azure Arc and any enabled extensions are installed automatically for each newly detected resource.

Optional: Configure selected plans

By default, all plans are On. You can turn off plans that you don't need.

Screenshot that shows toggles turned on for all plans.

Configure the Defender for Servers plan

Microsoft Defender for Servers brings threat detection and advanced defenses to your GCP virtual machine (VM) instances. To have full visibility into Microsoft Defender for Servers security content, connect your GCP VM instances to Azure Arc. If you choose the Microsoft Defender for Servers plan, you need:

  • Microsoft Defender for Servers enabled on your subscription. Learn how to enable plans in Enable enhanced security features.

  • Azure Arc for servers installed on your VM instances.

We recommend that you use the autoprovisioning process to install Azure Arc on your VM instances. Autoprovisioning is enabled by default in the onboarding process and requires Owner permissions on the subscription. The Azure Arc autoprovisioning process uses the OS Config agent on the GCP end. Learn more about the availability of the OS Config agent on GCP machines.

The Azure Arc autoprovisioning process uses the VM manager on GCP to enforce policies on your VMs through the OS Config agent. A VM that has an active OS Config agent incurs a cost according to GCP. To see how this cost might affect your account, refer to the GCP technical documentation.

Microsoft Defender for Servers doesn't install the OS Config agent on a VM that doesn't already have it. However, if the agent is installed but isn't communicating with the OS Config service, Microsoft Defender for Servers enables that communication. This can change the OS Config agent from inactive to active and lead to additional costs.

Alternatively, you can manually connect your VM instances to Azure Arc for servers. Instances in projects with the Defender for Servers plan enabled that aren't connected to Azure Arc are surfaced by the recommendation GCP VM instances should be connected to Azure Arc. Select the Fix option in the recommendation to install Azure Arc on the selected machines.

Azure Arc servers that correspond to EC2 instances or GCP virtual machines that no longer exist, and Azure Arc servers whose status is Disconnected or Expired, are removed after seven days. This cleanup removes irrelevant Azure Arc entities so that only Azure Arc servers related to existing instances are displayed.

Ensure that you fulfill the network requirements for Azure Arc.

Enable these other extensions on the Azure Arc-connected machines:

  • Microsoft Defender for Endpoint
  • A vulnerability assessment solution (Microsoft Defender Vulnerability Management or Qualys)
  • The Log Analytics agent on Azure Arc-connected machines or the Azure Monitor agent

Make sure the selected Log Analytics workspace has a security solution installed. The Log Analytics agent and the Azure Monitor agent are currently configured at the subscription level. All the multicloud accounts and projects (from both AWS and GCP) under the same subscription inherit the subscription settings for the Log Analytics agent and the Azure Monitor agent. Learn more about monitoring components for Defender for Servers.

Defender for Servers assigns tags to your GCP resources to manage the autoprovisioning process. These tags must remain correctly assigned so that Defender for Servers can manage the resources: Cloud, InstanceName, MDFCSecurityConnector, MachineId, ProjectId, and ProjectNumber.

To configure the Defender for Servers plan:

  1. Follow the steps to connect your GCP project.

  2. On the Select plans tab, select Configure.

    Screenshot that shows the link for configuring the Defender for Servers plan.

  3. On the Auto-provisioning configuration pane, turn the toggles to On or Off, depending on your need.

    Screenshot that shows the toggles for the Defender for Servers plan.

    If the Azure Arc agent toggle is Off, you need to follow the manual installation process described earlier.

  4. Select Save.

  5. Continue from step 8 of the Connect your GCP project instructions.

Configure the Defender for Databases plan

To have full visibility into Microsoft Defender for Databases security content, connect your GCP VM instances to Azure Arc.

To configure the Defender for Databases plan:

  1. Follow the steps to connect your GCP project.

  2. On the Select plans tab, select Configure.

    Screenshot that shows the link for configuring the Defender for Databases plan.

  3. On the Auto-provisioning configuration pane, turn the toggles to On or Off, depending on your need.

    Screenshot that shows the toggles for the Defender for Databases plan.

    If the toggle for Azure Arc is Off, you need to follow the manual installation process mentioned earlier.

  4. Select Save.

  5. Continue from step 8 of the Connect your GCP project instructions.

Configure the Defender for Containers plan

Microsoft Defender for Containers brings threat detection and advanced defenses to your GCP Google Kubernetes Engine (GKE) Standard clusters. To get the full security value out of Defender for Containers and to fully protect GCP clusters, ensure that you meet the following requirements.

Note

  • Kubernetes audit logs to Defender for Cloud: Enabled by default. This configuration is available at the GCP project level only. It provides agentless collection of the audit log data through GCP Cloud Logging to the Microsoft Defender for Cloud back end for further analysis.
  • Azure Arc-enabled Kubernetes, the Defender agent, and Azure Policy for Kubernetes: Enabled by default. You can install Azure Arc-enabled Kubernetes and its extensions on your GKE clusters in three ways:

To configure the Defender for Containers plan:

  1. Follow the steps to connect your GCP project.

  2. On the Select plans tab, select Configure.

    Screenshot that shows the link for configuring the Defender for Containers plan.

  3. On the Defender for Containers configuration pane, turn the toggles to On.

    Screenshot that shows toggles for the Defender for Containers plan.

  4. Select Save.

  5. Continue from step 8 of the Connect your GCP project instructions.

Monitor your GCP resources

The security recommendations page in Defender for Cloud displays your GCP resources together with your Azure and AWS resources for a true multicloud view.

To view all the active recommendations for your resources by resource type, use the asset inventory page in Defender for Cloud and filter to the GCP resource type that you're interested in.

Screenshot of GCP options in the asset inventory page's resource type filter.

Integrate with Microsoft 365 Defender (Preview)

When you enable Defender for Cloud, Defender for Cloud's alerts are automatically integrated into the Microsoft 365 Defender portal. No further steps are needed.

The integration between Microsoft Defender for Cloud and Microsoft 365 Defender brings your cloud environments into Microsoft 365 Defender. With Defender for Cloud's alerts and cloud correlations integrated into Microsoft 365 Defender, SOC teams can now access all security information from a single interface.

Learn more about Defender for Cloud's alerts in Microsoft 365 Defender.

Next steps

Connecting your GCP project is part of the multicloud experience available in Microsoft Defender for Cloud: