Defender for Containers feature availability

The tabs below show the features that are available, by environment, for Microsoft Defender for Containers.

Supported features by environment

| Domain | Feature | Supported Resources | Linux release state ¹ | Windows release state ¹ | Agentless/Agent-based | Pricing Tier | Azure clouds availability |
|---|---|---|---|---|---|---|---|
| Compliance | Docker CIS | VM, Virtual Machine Scale Set | GA | - | Log Analytics agent | Defender for Servers Plan 2 | Commercial clouds; National clouds: Azure Government, Azure China 21Vianet |
| Vulnerability Assessment ² | Registry scan - OS packages | ACR, Private ACR | GA | Preview | Agentless | Defender for Containers | Commercial clouds; National clouds: Azure Government, Azure China 21Vianet |
| Vulnerability Assessment ³ | Registry scan - language specific packages | ACR, Private ACR | Preview | - | Agentless | Defender for Containers | Commercial clouds |
| Vulnerability Assessment | View vulnerabilities for running images | AKS | Preview | Preview | Defender profile | Defender for Containers | Commercial clouds |
| Hardening | Control plane recommendations | ACR, AKS | GA | GA | Agentless | Free | Commercial clouds; National clouds: Azure Government, Azure China 21Vianet |
| Hardening | Kubernetes data plane recommendations | AKS | GA | - | Azure Policy | Free | Commercial clouds; National clouds: Azure Government, Azure China 21Vianet |
| Runtime protection | Threat detection (control plane) | AKS | GA | GA | Agentless | Defender for Containers | Commercial clouds; National clouds: Azure Government, Azure China 21Vianet |
| Runtime protection | Threat detection (workload) | AKS | GA | - | Defender profile | Defender for Containers | Commercial clouds |
| Discovery and provisioning | Discovery of unprotected clusters | AKS | GA | GA | Agentless | Free | Commercial clouds; National clouds: Azure Government, Azure China 21Vianet |
| Discovery and provisioning | Collection of control plane threat data | AKS | GA | GA | Agentless | Defender for Containers | Commercial clouds; National clouds: Azure Government, Azure China 21Vianet |
| Discovery and provisioning | Auto provisioning of Defender profile | AKS | GA | - | Agentless | Defender for Containers | Commercial clouds; National clouds: Azure Government, Azure China 21Vianet |
| Discovery and provisioning | Auto provisioning of Azure policy add-on | AKS | GA | - | Agentless | Free | Commercial clouds; National clouds: Azure Government, Azure China 21Vianet |

1 Specific features are in preview. The Azure Preview Supplemental Terms include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

2 VA can detect vulnerabilities for these OS packages.

3 VA can detect vulnerabilities for these language specific packages.

Additional environment information

Registries and images

Supported
• ACR registries protected with Azure Private Link (private registries require access to Trusted Services)
• Windows images using Windows OS version 1709 and above (Preview). This is free while it's in preview, and will incur charges (based on the Defender for Containers plan) when it becomes generally available.

Unsupported
• Super-minimalist images such as Docker scratch images
• "Distroless" images that only contain an application and its runtime dependencies without a package manager, shell, or OS
• Images with Open Container Initiative (OCI) Image Format Specification
• Providing image tag information for multi-architecture images is currently unsupported

OS Packages

Supported
• Alpine Linux 3.12-3.16
• Red Hat Enterprise Linux 6, 7, 8
• CentOS 6, 7
• Oracle Linux 6, 7, 8
• Amazon Linux 1, 2
• openSUSE Leap 42, 15
• SUSE Enterprise Linux 11, 12, 15
• Debian GNU/Linux wheezy, jessie, stretch, buster, bullseye
• Ubuntu 10.10-22.04
• FreeBSD 11.1-13.1
• Fedora 32, 33, 34, 35

Language specific packages (Preview) (only supported for Linux images)

Supported
• Python
• Node.js
• .NET
• Java
• Go
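
As an added example (not Microsoft's code), the following check compares the content of an image's /etc/os-release file against the OS Packages list above, to tell whether the image's base OS falls inside the versions the registry scan supports. The os-release ID strings and the Amazon Linux 1 year-to-major mapping are assumptions of this example; the page lists distribution names only.

```python
import re
# Matrix transcribed from the OS Packages list above. The os-release ID
# strings are assumptions of this example; the page names distros only.
RANGES = {  # inclusive (major, minor) ranges
    "alpine": ((3, 12), (3, 16)),
    "ubuntu": ((10, 10), (22, 4)),
    "freebsd": ((11, 1), (13, 1)),
}
MAJORS = {  # supported major versions
    "rhel": {6, 7, 8}, "centos": {6, 7}, "ol": {6, 7, 8}, "amzn": {1, 2},
    "opensuse": {42}, "opensuse-leap": {15}, "sles": {11, 12, 15},
    "debian": {7, 8, 9, 10, 11},  # wheezy through bullseye
    "fedora": {32, 33, 34, 35},
}

def parse_os_release(text):
    """Parse /etc/os-release content into a dict, stripping quotes."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            fields[key] = value.strip().strip("\"'")
    return fields

def scan_coverage(os_release_text):
    """Return (covered, reason); empty input models a scratch image.
    Distroless images that still ship os-release are not detected."""
    if not os_release_text or not os_release_text.strip():
        return False, "no OS metadata in image"
    fields = parse_os_release(os_release_text)
    distro, version = fields.get("ID", "").lower(), fields.get("VERSION_ID", "")
    nums = tuple(int(n) for n in re.findall(r"\d+", version)[:2])
    if distro not in RANGES and distro not in MAJORS:
        return False, f"{distro or 'unknown'}: not in supported list"
    if not nums:
        return False, f"{distro}: no VERSION_ID to compare"
    if distro in RANGES:
        ok = RANGES[distro][0] <= (nums + (0,))[:2] <= RANGES[distro][1]
    else:
        major = nums[0]
        if distro == "amzn" and 2011 <= major <= 2018:
            major = 1  # assumption: Amazon Linux 1 reports a year, e.g. 2018.03
        ok = major in MAJORS[distro]
    return ok, f"{distro} {version}: " + ("supported" if ok else "outside supported versions")

if __name__ == "__main__":
    # Constructed os-release samples, not taken from real images.
    for sample in ('ID=alpine\nVERSION_ID=3.16.2', 'ID=ubuntu\nVERSION_ID="22.10"', ""):
        print(scan_coverage(sample))
```
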

Kubernetes distributions and configurations

Supported
• Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters
• Azure Kubernetes Service (AKS) with Kubernetes RBAC
• Amazon Elastic Kubernetes Service (EKS)
• Google Kubernetes Engine (GKE) Standard

Supported via Arc enabled Kubernetes ¹ ²
• Azure Kubernetes Service on Azure Stack HCI
• Kubernetes
• AKS Engine
• Azure Red Hat OpenShift
• Red Hat OpenShift (version 4.6 or newer)
• VMware Tanzu Kubernetes Grid
• Rancher Kubernetes Engine

1 Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters should be supported, but only the specified clusters have been tested.

2 To get Microsoft Defender for Containers protection for your environments, you'll need to onboard Azure Arc-enabled Kubernetes and enable Defender for Containers as an Arc extension.

Note

For additional requirements for Kubernetes workload protection, see existing limitations.

Network restrictions

Defender for Containers relies on the Defender profile/extension for several features. The Defender profile/extension doesn't support the ability to ingest data through Private Link. You can disable public access for ingestion, so that only machines that are configured to send traffic through Azure Monitor Private Link can send data to that workspace. You can configure a private link by navigating to your workspace > Network Isolation and setting the Virtual networks access configurations to No.


Allowing data ingestion to occur only through Private Link Scope in your workspace Network Isolation settings can result in communication failures and partial convergence of the Defender for Containers feature set.

Learn how to use Azure Private Link to connect networks to Azure Monitor.
