Connect your GCP project to Microsoft Defender for Cloud
Workloads commonly span multiple cloud platforms. Cloud security services must do the same. Microsoft Defender for Cloud helps protect workloads in Google Cloud Platform (GCP), but you need to set up the connection between them and Defender for Cloud.
If you're connecting a GCP project that you previously connected by using the classic connector, you must remove it first. Using a GCP project that's connected by both the classic and native connectors can produce duplicate recommendations.
This screenshot shows GCP accounts displayed in the Defender for Cloud overview dashboard.
Prerequisites
To complete the procedures in this article, you need:
A Microsoft Azure subscription. If you don't have an Azure subscription, you can sign up for a free one.
Microsoft Defender for Cloud set up on your Azure subscription.
Access to a GCP project.
Contributor permission on the relevant Azure subscription, and Owner permission on the GCP organization or project.
You can learn more about Defender for Cloud pricing on the pricing page.
When you're connecting GCP projects to specific Azure subscriptions, consider the Google Cloud resource hierarchy and these guidelines:
- You can connect your GCP projects to Microsoft Defender for Cloud at the project level.
- You can connect multiple projects to one Azure subscription.
- You can connect multiple projects to multiple Azure subscriptions.
Connect your GCP project
To connect your GCP project to Defender for Cloud by using a native connector:
Sign in to the Azure portal.
Go to Defender for Cloud > Environment settings.
Select Add environment > Google Cloud Platform.
Enter all relevant information.
Optionally, if you select Organization, a management project and an organization custom role are created on your GCP project for the onboarding process. Autoprovisioning is enabled for the onboarding of new projects.
Select Defender plans
In this section of the wizard, you select the Defender for Cloud plans that you want to enable.
Select Next: Select plans.
For the plans that you want to connect, turn the toggle to On. By default, all necessary prerequisites and components are provisioned. Learn how to configure each plan.
If you choose to turn on the Microsoft Defender for Containers plan, ensure that you meet the network requirements for it.
Select Configure access and make the following selections:
Select the deployment type:
- Default access: Allows Defender for Cloud to scan your resources and automatically include future capabilities.
- Least privilege access: Grants Defender for Cloud access to only the current permissions needed for the selected plans. If you select the least privileged permissions, you'll receive notifications on any new roles and permissions that are required to get full functionality for connector health.
Select the deployment method: GCP Cloud Shell or Terraform.
Follow the on-screen instructions for the selected deployment method to complete the required dependencies on GCP.
Select Next: Review and generate.
Select Create.
Note
The following APIs must be enabled in order to discover your GCP resources and allow the authentication process to occur:
- iam.googleapis.com
- sts.googleapis.com
- cloudresourcemanager.googleapis.com
- iamcredentials.googleapis.com
- compute.googleapis.com
If you don't enable these APIs at this time, you can enable them during the onboarding process by running the GCloud script.
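As an added example (not part of this article), a POSIX shell check that compares the APIs the connector needs against the services already enabled in a project and prints the gcloud command that enables only the missing ones. It assumes an authenticated gcloud CLI for the live check; the enabled-services sample at the bottom is constructed so the comparison logic can be exercised offline.

```shell
#!/usr/bin/env sh
# Added example, not from the Microsoft Learn page.
# APIs listed in the article's note as required for discovery and authentication.
REQUIRED_APIS="iam.googleapis.com sts.googleapis.com cloudresourcemanager.googleapis.com iamcredentials.googleapis.com compute.googleapis.com"

# Print the space-separated subset of REQUIRED_APIS that is absent from $1,
# a newline-separated list of enabled service names (the shape produced by
# `gcloud services list --enabled --format='value(config.name)'`).
missing_apis() {
  enabled="$1"
  out=""
  for api in $REQUIRED_APIS; do
    # -x: whole-line match, -F: literal (dots are not regex wildcards)
    if ! printf '%s\n' "$enabled" | grep -qxF "$api"; then
      out="$out $api"
    fi
  done
  printf '%s' "${out# }"
}

# Live check against a real project: needs gcloud authenticated with
# serviceusage permissions on the project (assumption, see lead-in).
check_project() {
  project="$1"
  enabled=$(gcloud services list --enabled --project "$project" --format='value(config.name)')
  missing=$(missing_apis "$enabled")
  if [ -z "$missing" ]; then
    echo "All connector APIs are enabled in $project"
  else
    echo "Missing in $project: $missing"
    echo "Run: gcloud services enable $missing --project $project"
  fi
}

# Constructed sample standing in for the gcloud output when run offline:
# only two of the five required APIs are enabled.
SAMPLE_ENABLED="compute.googleapis.com
logging.googleapis.com
iam.googleapis.com"
```

Run `check_project my-gcp-project` against a real project, or `missing_apis "$SAMPLE_ENABLED"` to see the three APIs the sample lacks.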
After you create the connector, a scan starts on your GCP environment. New recommendations appear in Defender for Cloud after up to 6 hours. If you enabled autoprovisioning, Azure Arc and any enabled extensions are installed automatically for each newly detected resource.
Optional: Configure selected plans
By default, all plans are On. You can turn off plans that you don't need.
Configure the Defender for Servers plan
Microsoft Defender for Servers brings threat detection and advanced defenses to your GCP virtual machine (VM) instances. To have full visibility into Microsoft Defender for Servers security content, connect your GCP VM instances to Azure Arc. If you choose the Microsoft Defender for Servers plan, you need:
Microsoft Defender for Servers enabled on your subscription. Learn how to enable plans in Enable enhanced security features.
Azure Arc for servers installed on your VM instances.
We recommend that you use the autoprovisioning process to install Azure Arc on your VM instances. Autoprovisioning is enabled by default in the onboarding process and requires Owner permissions on the subscription. The Azure Arc autoprovisioning process uses the OS Config agent on the GCP end. Learn more about the availability of the OS Config agent on GCP machines.
The Azure Arc autoprovisioning process uses the VM manager on GCP to enforce policies on your VMs through the OS Config agent. A VM that has an active OS Config agent incurs a cost according to GCP. To see how this cost might affect your account, refer to the GCP technical documentation.
Microsoft Defender for Servers doesn't install the OS Config agent to a VM that doesn't have it installed. However, Microsoft Defender for Servers enables communication between the OS Config agent and the OS Config service if the agent is already installed but not communicating with the service. This communication can change the OS Config agent from inactive to active and lead to more costs.
Alternatively, you can manually connect your VM instances to Azure Arc for servers. Instances in projects with the Defender for Servers plan enabled that aren't connected to Azure Arc are surfaced by the recommendation GCP VM instances should be connected to Azure Arc. Select the Fix option in the recommendation to install Azure Arc on the selected machines.
Azure Arc servers that correspond to EC2 instances or GCP virtual machines that no longer exist, and Azure Arc servers whose status is Disconnected or Expired, are removed after seven days. This cleanup removes stale Azure Arc entities so that only Azure Arc servers related to existing instances are displayed.
Ensure that you fulfill the network requirements for Azure Arc.
Enable these other extensions on the Azure Arc-connected machines:
- Microsoft Defender for Endpoint
- A vulnerability assessment solution (Microsoft Defender Vulnerability Management or Qualys)
- The Log Analytics agent on Azure Arc-connected machines or the Azure Monitor agent
Make sure the selected Log Analytics workspace has a security solution installed. The Log Analytics agent and the Azure Monitor agent are currently configured at the subscription level. All the multicloud accounts and projects (from both AWS and GCP) under the same subscription inherit the subscription settings for the Log Analytics agent and the Azure Monitor agent. Learn more about monitoring components for Defender for Servers.
Defender for Servers assigns tags to your GCP resources to manage the autoprovisioning process. You must have these tags properly assigned to your resources so that Defender for Servers can manage your resources: Cloud, InstanceName, MDFCSecurityConnector, MachineId, ProjectId, and ProjectNumber.
To configure the Defender for Servers plan:
Follow the steps to connect your GCP project.
On the Select plans tab, select Configure.
On the Auto-provisioning configuration pane, turn the toggles to On or Off, depending on your need.
If the Azure Arc agent toggle is Off, you need to follow the manual installation process mentioned earlier.
Select Save.
Continue from step 8 of the Connect your GCP project instructions.
Configure the Defender for Databases plan
To have full visibility into Microsoft Defender for Databases security content, connect your GCP VM instances to Azure Arc.
To configure the Defender for Databases plan:
Follow the steps to connect your GCP project.
On the Select plans tab, select Configure.
On the Auto-provisioning configuration pane, turn the toggles to On or Off, depending on your need.
If the toggle for Azure Arc is Off, you need to follow the manual installation process mentioned earlier.
Select Save.
Continue from step 8 of the Connect your GCP project instructions.
Configure the Defender for Containers plan
Microsoft Defender for Containers brings threat detection and advanced defenses to your GCP Google Kubernetes Engine (GKE) Standard clusters. To get the full security value out of Defender for Containers and to fully protect GCP clusters, ensure that you meet the following requirements.
Note
- If you choose to disable the available configuration options, no agents or components will be deployed to your clusters. Learn more about feature availability.
- Defender for Containers, when deployed on GCP, might incur external costs such as logging costs, Pub/Sub costs, and egress costs.
- Kubernetes audit logs to Defender for Cloud: Enabled by default. This configuration is available at the GCP project level only. It provides agentless collection of the audit log data through GCP Cloud Logging to the Microsoft Defender for Cloud back end for further analysis.
- Azure Arc-enabled Kubernetes, the Defender agent, and Azure Policy for Kubernetes: Enabled by default. You can install Azure Arc-enabled Kubernetes and its extensions on your GKE clusters in three ways:
- Enable Defender for Containers autoprovisioning at the project level, as explained in the instructions in this section. We recommend this method.
- Use Defender for Cloud recommendations for per-cluster installation. They appear on the Microsoft Defender for Cloud recommendations page. Learn how to deploy the solution to specific clusters.
- Manually install Arc-enabled Kubernetes and extensions.
To configure the Defender for Containers plan:
Follow the steps to connect your GCP project.
On the Select plans tab, select Configure.
On the Defender for Containers configuration pane, turn the toggles to On.
Select Save.
Continue from step 8 of the Connect your GCP project instructions.
Monitor your GCP resources
The security recommendations page in Defender for Cloud displays your GCP resources together with your Azure and AWS resources for a true multicloud view.
To view all the active recommendations for your resources by resource type, use the asset inventory page in Defender for Cloud and filter to the GCP resource type that you're interested in.
Integrate with Microsoft 365 Defender (Preview)
When you enable Defender for Cloud, Defender for Cloud's alerts are automatically integrated into the Microsoft 365 Defender portal. No further steps are needed.
The integration between Microsoft Defender for Cloud and Microsoft 365 Defender brings your cloud environments into Microsoft 365 Defender. With Defender for Cloud's alerts and cloud correlations integrated into Microsoft 365 Defender, SOC teams can now access all security information from a single interface.
Learn more about Defender for Cloud's alerts in Microsoft 365 Defender.
Next steps
Connecting your GCP project is part of the multicloud experience available in Microsoft Defender for Cloud:
- Protect all of your resources with Defender for Cloud.
- Set up your on-premises machines and AWS account.
- Troubleshoot your multicloud connectors.
- Get answers to common questions about connecting your GCP project.