Containers support matrix in Defender for Cloud

This article summarizes support information for Container capabilities in Microsoft Defender for Cloud.

Note

Specific features are in preview. The Azure Preview Supplemental Terms include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Azure (AKS)

Domain Feature Supported Resources Linux release state Windows release state Agentless/Agent-based Plans Azure clouds availability
Security posture management Agentless discovery for Kubernetes AKS GA GA Agentless Defender for Containers OR Defender CSPM Azure commercial clouds
Security posture management Comprehensive inventory capabilities ACR, AKS GA GA Agentless Defender for Containers OR Defender CSPM Azure commercial clouds
Security posture management Attack path analysis ACR, AKS GA - Agentless Defender CSPM Azure commercial clouds
Security posture management Enhanced risk-hunting ACR, AKS GA - Agentless Defender for Containers OR Defender CSPM Azure commercial clouds
Security posture management Control plane hardening ACR, AKS GA Preview Agentless Free Commercial clouds

National clouds: Azure Government, Azure operated by 21Vianet
Security posture management Kubernetes data plane hardening AKS GA - Azure Policy Free Commercial clouds

National clouds: Azure Government, Azure operated by 21Vianet
Security posture management Docker CIS VM, Virtual Machine Scale Set GA - Log Analytics agent Defender for Servers Plan 2 Commercial clouds

National clouds: Azure Government, Microsoft Azure operated by 21Vianet
Vulnerability assessment Agentless registry scan (powered by Qualys)
Supported OS packages
ACR, Private ACR GA Preview Agentless Defender for Containers Commercial clouds

National clouds: Azure Government, Azure operated by 21Vianet
Vulnerability assessment Agentless registry scan (powered by Qualys)
Supported language packages
ACR, Private ACR Preview - Agentless Defender for Containers Commercial clouds

National clouds: Azure Government, Azure operated by 21Vianet
Vulnerability assessment Agentless/agent-based runtime scan(powered by Qualys)] OS packages AKS GA Preview Defender agent Defender for Containers Commercial clouds
Vulnerability assessment Agentless registry scan (powered by MDVM) supported packages ACR, Private ACR GA - Agentless Defender for Containers or Defender CSPM Commercial clouds
Vulnerability assessment Agentless/agent-based runtime (powered by MDVM) supported packages AKS GA - Defender agent Defender for Containers or Defender CSPM Commercial clouds
Runtime threat protection Control plane AKS GA GA Agentless Defender for Containers Commercial clouds

National clouds: Azure Government, Azure operated by 21Vianet
Runtime threat protection Workload AKS GA - Defender agent Defender for Containers Commercial clouds
Deployment & monitoring Discovery of unprotected clusters AKS GA GA Agentless Free Commercial clouds

National clouds: Azure Government, Azure operated by 21Vianet
Deployment & monitoring Defender agent auto provisioning AKS GA - Agentless Defender for Containers Commercial clouds

National clouds: Azure Government, Azure operated by 21Vianet
Deployment & monitoring Azure Policy for Kubernetes auto provisioning AKS GA - Agentless Free Commercial clouds

National clouds: Azure Government, Azure operated by 21Vianet

Registries and images support for Azure - vulnerability assessment powered by Qualys

Aspect Details
Registries and images Supported
ACR registries protected with Azure Private Link (Private registries requires access to Trusted Services)
• Windows images using Windows OS version 1709 and above (Preview). This is free while it's in preview, and will incur charges (based on the Defender for Containers plan) when it becomes generally available.

Unsupported
• Super-minimalist images such as Docker scratch images
• "Distroless" images that only contain an application and its runtime dependencies without a package manager, shell, or OS
• Images with Open Container Initiative (OCI) Image Format Specification
• Providing image tag information for multi-architecture images is currently unsupported
OS Packages Supported
• Alpine Linux 3.12-3.16
• Red Hat Enterprise Linux 6, 7, 8
• CentOS 6, 7
• Oracle Linux 6, 7, 8
• Amazon Linux 1, 2
• openSUSE Leap 42, 15
• SUSE Enterprise Linux 11, 12, 15
• Debian GNU/Linux wheezy, jessie, stretch, buster, bullseye
• Ubuntu 10.10-22.04
• FreeBSD 11.1-13.1
• Fedora 32, 33, 34, 35
Language specific packages (Preview)

(Only supported for Linux images)
Supported
• Python
• Node.js
• .NET
• JAVA
• Go

Registries and images support for Azure - Vulnerability assessment powered by MDVM

Aspect Details
Registries and images Supported
• ACR registries
ACR registries protected with Azure Private Link (Private registries requires access to Trusted Services)
• Container images in Docker V2 format
Unsupported
• Super-minimalist images such as Docker scratch images
• "Distroless" images that only contain an application and its runtime dependencies without a package manager, shell, or OS
is currently unsupported
• Images with Open Container Initiative (OCI) image format specification
• Windows images
OS Packages Supported
• Alpine Linux 3.12-3.16
• Red Hat Enterprise Linux 6-9
• CentOS 6-9
• Oracle Linux 6-9
• Amazon Linux 1, 2
• openSUSE Leap, openSUSE Tumbleweed
• SUSE Enterprise Linux 11-15
• Debian GNU/Linux 7-12
• Ubuntu 12.04-22.04
• Fedora 31-37
• Mariner 1-2
Language specific packages

Supported
• Python
• Node.js
• .NET
• JAVA
• Go

Kubernetes distributions and configurations for Azure - Runtime threat protection

Aspect Details
Kubernetes distributions and configurations Supported
Azure Kubernetes Service (AKS) with Kubernetes RBAC

Supported via Arc enabled Kubernetes 1 2
Azure Kubernetes Service hybrid
Kubernetes
AKS Engine
Azure Red Hat OpenShift

1 Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters should be supported, but only the specified clusters have been tested on Azure.

2 To get Microsoft Defender for Containers protection for your environments, you need to onboard Azure Arc-enabled Kubernetes and enable Defender for Containers as an Arc extension.

Note

For additional requirements for Kubernetes workload protection, see existing limitations.

Defender for Containers relies on the Defender agent for several features. The Defender agent doesn't support the ability to ingest data through Private Link. You can disable public access for ingestion, so that only machines that are configured to send traffic through Azure Monitor Private Link can send data to that workstation. You can configure a private link by navigating to your workspace > Network Isolation and setting the Virtual networks access configurations to No.

Screenshot that shows where to go to turn off data ingestion.

Allowing data ingestion to occur only through Private Link Scope on your workspace Network Isolation settings, can result in communication failures and partial converge of the Defender for Containers feature set.

Learn how to use Azure Private Link to connect networks to Azure Monitor.

AWS (EKS)

Domain Feature Supported Resources Linux release state Windows release state Agentless/Agent-based Pricing tier
Security posture management Docker CIS EC2 Preview - Log Analytics agent Defender for Servers Plan 2
Security posture management Control plane hardening - - - - -
Security posture management Kubernetes data plane hardening EKS GA - Azure Policy for Kubernetes Defender for Containers
Vulnerability Assessment Registry scan ECR Preview - Agentless Defender for Containers
Vulnerability Assessment View vulnerabilities for running images - - - - -
Runtime protection Control plane EKS Preview Preview Agentless Defender for Containers
Runtime protection Workload EKS Preview - Defender agent Defender for Containers
Deployment & monitoring Discovery of unprotected clusters EKS Preview - Agentless Free
Deployment & monitoring Auto provisioning of Defender agent - - - - -
Deployment & monitoring Auto provisioning of Azure Policy for Kubernetes - - - - -

Images support - AWS

Aspect Details
Registries and images Unsupported
• Images that have at least one layer over 2 GB
• Public repositories and manifest lists
• Images in the AWS management account aren't scanned so that we don't create resources in the management account.

Kubernetes distributions/configurations support - AWS

Aspect Details
Kubernetes distributions and configurations Supported
Amazon Elastic Kubernetes Service (EKS)

Supported via Arc enabled Kubernetes 1 2
Kubernetes

1 Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters should be supported, but only the specified clusters have been tested.

2 To get Microsoft Defender for Containers protection for your environments, you need to onboard Azure Arc-enabled Kubernetes and enable Defender for Containers as an Arc extension.

Note

For additional requirements for Kubernetes workload protection, see existing limitations.

Outbound proxy support

Outbound proxy without authentication and outbound proxy with basic authentication are supported. Outbound proxy that expects trusted certificates is currently not supported.

GCP (GKE)

Domain Feature Supported Resources Linux release state Windows release state Agentless/Agent-based Pricing tier
Security posture management Docker CIS GCP VMs Preview - Log Analytics agent Defender for Servers Plan 2
Security posture management Control plane hardening GKE GA GA Agentless Free
Security posture management Kubernetes data plane hardening GKE GA - Azure Policy for Kubernetes Defender for Containers
Vulnerability Assessment Registry scan - - - - -
Vulnerability Assessment View vulnerabilities for running images - - - - -
Runtime protection Control plane GKE Preview Preview Agentless Defender for Containers
Runtime protection Workload GKE Preview - Defender agent Defender for Containers
Deployment & monitoring Discovery of unprotected clusters GKE Preview - Agentless Free
Deployment & monitoring Auto provisioning of Defender agent GKE Preview - Agentless Defender for Containers
Deployment & monitoring Auto provisioning of Azure Policy for Kubernetes GKE Preview - Agentless Defender for Containers

Kubernetes distributions/configurations support - GCP

Aspect Details
Kubernetes distributions and configurations Supported
Google Kubernetes Engine (GKE) Standard

Supported via Arc enabled Kubernetes 1 2
Kubernetes

Unsupported
• Private network clusters
• GKE autopilot
• GKE AuthorizedNetworksConfig

1 Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters should be supported, but only the specified clusters have been tested.

2 To get Microsoft Defender for Containers protection for your environments, you need to onboard Azure Arc-enabled Kubernetes and enable Defender for Containers as an Arc extension.

Note

For additional requirements for Kubernetes workload protection, see existing limitations.

Outbound proxy support

Outbound proxy without authentication and outbound proxy with basic authentication are supported. Outbound proxy that expects trusted certificates is currently not supported.

On-premises, Arc-enabled Kubernetes clusters

Domain Feature Supported Resources Linux release state Windows release state Agentless/Agent-based Pricing tier
Security posture management Docker CIS Arc enabled VMs Preview - Log Analytics agent Defender for Servers Plan 2
Security posture management Control plane hardening - - - - -
Security posture management Kubernetes data plane hardening Arc enabled K8s clusters GA - Azure Policy for Kubernetes Defender for Containers
Vulnerability Assessment Registry scan - OS packages ACR, Private ACR GA Preview Agentless Defender for Containers
Vulnerability Assessment Registry scan - language specific packages ACR, Private ACR Preview - Agentless Defender for Containers
Vulnerability Assessment View vulnerabilities for running images - - - - -
Runtime protection Threat protection (control plane) Arc enabled K8s clusters Preview Preview Defender agent Defender for Containers
Runtime protection Threat protection (workload) Arc enabled K8s clusters Preview - Defender agent Defender for Containers
Deployment & monitoring Discovery of unprotected clusters Arc enabled K8s clusters Preview - Agentless Free
Deployment & monitoring Auto provisioning of Defender agent Arc enabled K8s clusters Preview Preview Agentless Defender for Containers
Deployment & monitoring Auto provisioning of Azure Policy for Kubernetes Arc enabled K8s clusters Preview - Agentless Defender for Containers

Registries and images support - on-premises

Aspect Details
Registries and images Supported
ACR registries protected with Azure Private Link (Private registries requires access to Trusted Services)
• Windows images using Windows OS version 1709 and above (Preview). This is free while it's in preview, and will incur charges (based on the Defender for Containers plan) when it becomes generally available.

Unsupported
• Super-minimalist images such as Docker scratch images
• "Distroless" images that only contain an application and its runtime dependencies without a package manager, shell, or OS
• Images with Open Container Initiative (OCI) Image Format Specification
• Providing image tag information for multi-architecture images is currently unsupported
OS Packages Supported
• Alpine Linux 3.12-3.15
• Red Hat Enterprise Linux 6, 7, 8
• CentOS 6, 7
• Oracle Linux 6, 7, 8
• Amazon Linux 1, 2
• openSUSE Leap 42, 15
• SUSE Enterprise Linux 11, 12, 15
• Debian GNU/Linux wheezy, jessie, stretch, buster, bullseye
• Ubuntu 10.10-22.04
• FreeBSD 11.1-13.1
• Fedora 32, 33, 34, 35
Language specific packages (Preview)

(Only supported for Linux images)
Supported
• Python
• Node.js
• .NET
• JAVA
• Go

Kubernetes distributions and configurations

Aspect Details
Kubernetes distributions and configurations Supported via Arc enabled Kubernetes 1 2
Azure Kubernetes Service hybrid
Kubernetes
AKS Engine
Azure Red Hat OpenShift
Red Hat OpenShift (version 4.6 or newer)
VMware Tanzu Kubernetes Grid
Rancher Kubernetes Engine

1 Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters should be supported, but only the specified clusters have been tested.

2 To get Microsoft Defender for Containers protection for your environments, you need to onboard Azure Arc-enabled Kubernetes and enable Defender for Containers as an Arc extension.

Note

For additional requirements for Kubernetes workload protection, see existing limitations.

Supported host operating systems

Defender for Containers relies on the Defender agent for several features. The Defender agent is supported on the following host operating systems:

  • Amazon Linux 2
  • CentOS 8
  • Debian 10
  • Debian 11
  • Google Container-Optimized OS
  • Mariner 1.0
  • Mariner 2.0
  • Red Hat Enterprise Linux 8
  • Ubuntu 16.04
  • Ubuntu 18.04
  • Ubuntu 20.04
  • Ubuntu 22.04

Ensure your Kubernetes node is running on one of the verified supported operating systems. Clusters with different host operating systems, only get partial coverage.

Defender agent limitations

The Defender agent is currently not supported on ARM64 nodes.

Network restrictions

Defender for Containers relies on the Defender agent for several features. The Defender agent doesn't support the ability to ingest data through Private Link. You can disable public access for ingestion, so that only machines that are configured to send traffic through Azure Monitor Private Link can send data to that workstation. You can configure a private link by navigating to your workspace > Network Isolation and setting the Virtual networks access configurations to No.

Screenshot that shows where to go to turn off data ingestion.

Allowing data ingestion to occur only through Private Link Scope on your workspace Network Isolation settings, can result in communication failures and partial converge of the Defender for Containers feature set.

Learn how to use Azure Private Link to connect networks to Azure Monitor.

Outbound proxy support

Outbound proxy without authentication and outbound proxy with basic authentication are supported. Outbound proxy that expects trusted certificates is currently not supported.

Next steps