Containers support matrix in Defender for Cloud
Important
All Microsoft Defender for Cloud features will be officially retired in the Azure in China region on October 1, 2026. Due to this upcoming retirement, Azure in China customers are no longer able to onboard new subscriptions to the service. A new subscription is any subscription that was not already onboarded to the Microsoft Defender for Cloud service prior to August 18, 2025, the date of the retirement announcement. For more information on the retirement, see Microsoft Defender for Cloud Deprecation in Microsoft Azure Operated by 21Vianet Announcement.
Customers should work with their account representatives for Microsoft Azure operated by 21Vianet to assess the impact of this retirement on their own operations.
This article summarizes support information for container capabilities in Microsoft Defender for Cloud.
Note
- Specific features are in preview. The Azure Preview Supplemental Terms include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
- Defender for Cloud officially supports only the versions of AKS, EKS, and GKE that the cloud vendor supports.
The following table lists the features provided by Defender for Containers for the supported cloud environments and container registries.
Microsoft Defender for Containers plan availability
| Aspect | Details |
|---|---|
| Release state: | General availability (GA). Certain features are in preview; for a full list, see the tables below. |
| Pricing: | Microsoft Defender for Containers is billed as shown on the pricing page. You can also estimate costs with the Defender for Cloud cost calculator. |
| Required roles and permissions: | To deploy the required components, see the permissions for each component. Security admin can dismiss alerts. Security reader can view vulnerability assessment findings. See also Roles for remediation and Azure Container Registry roles and permissions. |
Vulnerability assessment (VA) features
| Feature | Description | Supported resources | Linux release state | Windows release state | Enablement method | Plans | Clouds availability |
|---|---|---|---|---|---|---|---|
| Container registry VA | VA for images in container registries | ACR, ECR, GAR, GCR, Docker Hub, JFrog Artifactory | GA | GA | Requires Registry access 1 or Connector creation for Docker Hub/JFrog | Defender for Containers or Defender CSPM | Commercial clouds National clouds: Azure Government, Azure operated by 21Vianet |
| Runtime container VA - Registry scan based | VA of containers running images from supported registries | ACR, ECR, GAR, GCR, Docker Hub, JFrog Artifactory | GA | GA | Requires Registry access 1 or Connector creation for Docker Hub/JFrog and either K8S API access or Defender sensor 1 | Defender for Containers or Defender CSPM | Commercial clouds National clouds: Azure Government, Azure operated by 21Vianet |
| Runtime container VA | Registry agnostic VA of container running images | All | GA | - | Requires Agentless scanning for machines and either K8S API access or Defender sensor 1 | Defender for Containers or Defender CSPM | Commercial clouds National clouds: Azure Government, Azure operated by 21Vianet |
| Runtime Node VA | Kubernetes node vulnerability assessment | AKS nodes | GA | GA | Requires Agentless scanning for machines | Defender for Containers or Defender for servers Plan 2 or Defender CSPM | Commercial clouds National clouds: Azure Government, Azure operated by 21Vianet |
1 In national clouds, the marked components (Registry access, Defender sensor) are enabled automatically and can't be disabled.
Registries and images support for vulnerability assessment
| Aspect | Details |
|---|---|
| Registries and images | Supported: * Container images in Docker V2 format * Images in the Open Container Initiative (OCI) image format. Unsupported: * Super-minimalist images such as Docker scratch images * Public repositories * Manifest lists |
| Operating systems | Supported: * Alpine Linux 3.12-3.22 * Red Hat Enterprise Linux 6-9 * CentOS 6-9 (CentOS reached End Of Service on June 30, 2024. For more information, see the CentOS End Of Life guidance.) * Oracle Linux 6-9 * Amazon Linux 1, 2 * openSUSE Leap, openSUSE Tumbleweed * SUSE Enterprise Linux 11-15 * Debian GNU/Linux 7-12 * Google Distroless (based on Debian GNU/Linux 7-12) * Ubuntu 12.04-24.04 * Fedora 31-37 * Azure Linux 1-3 * Windows Server 2016, 2019, 2022 * Chainguard OS/Wolfi OS * AlmaLinux 8.4 or later * Rocky Linux 8.7 or later * Minimus * Photon OS 2.0-5.0 * Docker Hardened Images (DHI) |
| Language specific packages | Supported: * Python * Node.js * PHP * Ruby * Rust * .NET * Java * Go |
Runtime protection features
| Feature | Description | Supported resources | Linux release state | Windows release state | Enablement method | Plans | Clouds availability |
|---|---|---|---|---|---|---|---|
| Advanced hunting in XDR | View cluster incidents and alerts in Microsoft XDR | AKS | Preview - currently supports audit logs & process events | Preview - currently supports audit logs | Requires Defender sensor | Defender for Containers | Commercial clouds and National clouds: Azure Government, Azure operated by 21Vianet |
| Antimalware | Detection of malware | AKS | GA | - | Requires Defender sensor via Helm | Defender for Containers | Commercial clouds |
| Binary drift detection | Detects binaries executed in a running container that weren't part of the container image (binary drift) | AKS | GA | - | Requires Defender sensor | Defender for Containers | Commercial clouds National clouds: Azure Government, Azure operated by 21Vianet |
| Binary drift blocking | Blocks binary drift in runtime containers | AKS | Preview | - | Requires Defender sensor via Helm | Defender for Containers | Commercial clouds |
| Control plane detection | Detection of suspicious activity for Kubernetes based on Kubernetes audit trail | AKS | GA | GA | Enabled with plan | Defender for Containers | Commercial clouds National clouds: Azure Government, Azure operated by 21Vianet |
| DNS Detection | Detects suspicious DNS activity from container workloads | AKS | GA | - | Requires Defender sensor via Helm | Defender for Containers | Commercial clouds |
| Malware detection | Detection of malware | AKS nodes | GA | GA | Requires Agentless scanning for machines | Defender for Containers or Defender for Servers Plan 2 | - |
| Response actions in XDR | Provides automated and manual remediation in Microsoft XDR | AKS | Preview | - | Requires Defender sensor and K8S API access | Defender for Containers | Commercial clouds and National clouds: Azure Government, Azure operated by 21Vianet |
| Workload detection | Monitors containerized workloads for threats and gives alerts to suspicious activities | AKS | GA | - | Requires Defender sensor | Defender for Containers | Commercial clouds and National clouds: Azure Government, Azure operated by 21Vianet |
Kubernetes distributions and configurations for runtime threat protection in Azure
| Aspect | Details |
|---|---|
| Kubernetes distributions and configurations | Supported: * Azure Kubernetes Service (AKS) with Kubernetes RBAC. Supported via Azure Arc-enabled Kubernetes 1 2: * Azure Kubernetes Service hybrid * Kubernetes * AKS Engine |
1 Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters should be supported, but only the specified clusters are tested on Azure.
2 To get Microsoft Defender for Containers protection for your environments, you need to onboard Azure Arc-enabled Kubernetes and enable Defender for Containers as an Arc extension.
Note
For additional requirements for Kubernetes workload protection, see existing limitations.
Security posture management features
| Feature | Description | Supported resources | Linux release state | Windows release state | Enablement method | Plans | Clouds availability |
|---|---|---|---|---|---|---|---|
| Agentless discovery for Kubernetes 1 | Provides zero footprint, API-based discovery of Kubernetes clusters, their configurations, and deployments. | AKS | GA | GA | Requires K8S API access | Defender for Containers OR Defender CSPM | Commercial clouds National clouds: Azure Government, Azure operated by 21Vianet |
| Comprehensive inventory capabilities | Enables you to explore resources, pods, services, repositories, images, and configurations through security explorer to easily monitor and manage your assets. | ACR, AKS | GA | GA | Requires K8S API access | Defender for Containers OR Defender CSPM | Commercial clouds National clouds: Azure Government, Azure operated by 21Vianet |
| Attack path analysis | A graph-based algorithm that scans the cloud security graph. The scans expose exploitable paths that bad actors might use to breach your environment. | ACR, AKS | GA | GA | Requires K8S API access | Defender CSPM | Commercial clouds National clouds: Azure Government, Azure operated by 21Vianet |
| Enhanced risk-hunting | Enables security admins to actively hunt for posture issues in their containerized assets through queries (built-in and custom) and security insights in the security explorer. | ACR, AKS | GA | GA | Requires K8S API access | Defender for Containers OR Defender CSPM | Commercial clouds National clouds: Azure Government, Azure operated by 21Vianet |
| Control plane hardening 1 | Continuously assesses the configurations of your clusters and compares them with the initiatives applied to your subscriptions. When it finds misconfigurations, Defender for Cloud generates security recommendations that are available on Defender for Cloud's Recommendations page. The recommendations let you investigate and remediate issues. | ACR, AKS | GA | GA | Enabled with plan | Free | Commercial clouds National clouds: Azure Government, Azure operated by 21Vianet |
| Workload hardening 1 | Protect workloads of your Kubernetes containers with best practice recommendations. | AKS | GA | - | Requires Azure Policy | Free | Commercial clouds National clouds: Azure Government, Azure operated by 21Vianet |
| CIS Azure Kubernetes Service | CIS Azure Kubernetes Service Benchmark | AKS | GA | - | Requires K8S API access and the security standard assigned | Defender for Containers OR Defender CSPM | Commercial clouds National clouds: Azure Government, Azure operated by 21Vianet |
1 This feature can be enabled for an individual cluster when enabling Defender for Containers at the cluster resource level.
Containers software supply chain protection features
| Feature | Description | Supported resources | Linux release state | Windows release state | Enablement method | Cloud availability |
|---|---|---|---|---|---|---|
| Gated deployment | Gated deployment of container images to your Kubernetes environment | AKS 1.31 or higher (including AKS Automatic)1 | GA | - | Requires Defender sensor, Security gating, Security findings, and Registry access. | Commercial clouds |
1 On AKS Automatic clusters, the Defender sensor must be installed by using Helm in the kube-system namespace. Installation in the mdc namespace and add-on deployment aren’t supported for gated deployment.
Network restrictions
| Aspect | Details |
|---|---|
| Outbound proxy support | Outbound proxy without authentication and outbound proxy with basic authentication are supported. Outbound proxy that expects trusted certificates isn't currently supported. |
| Clusters with IP restrictions | If your Kubernetes cluster in AWS has control plane IP restrictions enabled (see Amazon EKS cluster endpoint access control), the control plane's IP restriction configuration is updated to include the CIDR block of Microsoft Defender for Cloud. Keep that entry in place: narrowing the allowlist later silently breaks the features that rely on control plane access. |
Supported host operating systems
Defender for Containers relies on the Defender sensor for several features. The Defender sensor is supported only on Linux kernel 5.4 or later, on the following host operating systems:
- Amazon Linux 2
- AWS Bottlerocket (provisioning via Helm only)
- CentOS 8 (CentOS reached end of service on June 30, 2024. For more information, see the CentOS End Of Life guidance.)
- Debian 10
- Debian 11
- Google Container-Optimized OS
- Azure Linux 1.0
- Azure Linux 2.0
- Red Hat Enterprise Linux 8
- Ubuntu 16.04
- Ubuntu 18.04
- Ubuntu 20.04
- Ubuntu 22.04
Ensure your Kubernetes node runs on one of these verified operating systems. Clusters with unsupported host operating systems don't get the benefits of features that rely on the Defender sensor.
Defender sensor limitations
The Defender sensor in AKS version 1.28 and earlier versions doesn't support Arm64 nodes.
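A practical way to apply the host OS list, the kernel 5.4 floor, and the Arm64 limitation above is to run them against the output of `kubectl get nodes -o json` before enabling the sensor. The script below is an added example, not tooling shipped by Microsoft or part of the original page. It assumes the `osImage` strings the kubelet reports for each supported distribution (the regexes in `SUPPORTED_OS_PATTERNS` are assumptions, not an official mapping), and it identifies AKS nodes by an `azure://` prefix in `spec.providerID`. The embedded node list is constructed sample data; in practice load the JSON from `kubectl`.

```python
"""Flag Kubernetes nodes that don't meet the Defender sensor host requirements.

Checks, per node, against the support statements on this page:
  * operatingSystem must be linux (the sensor has no Windows node support)
  * osImage must match one of the verified host operating systems
  * kernelVersion must be 5.4 or later
  * arm64 nodes on AKS need kubelet/AKS 1.29 or later
"""
import json
import re

# Assumed osImage prefixes reported by the kubelet for the verified host OS list.
# These are an assumption for illustration, not an official Microsoft mapping.
SUPPORTED_OS_PATTERNS = [
    r"^Amazon Linux 2\b",
    r"^Bottlerocket",
    r"^CentOS (Linux )?8\b",
    r"^Debian GNU/Linux 1[01]\b",
    r"^Container-Optimized OS",
    r"^(CBL-Mariner|Mariner|Microsoft Azure Linux) ?/?(Linux )?[12]?\b",  # Azure Linux 1.0 / 2.0
    r"^Red Hat Enterprise Linux 8\b",
    r"^Ubuntu (16|18|20|22)\.04\b",
]
MIN_KERNEL = (5, 4)          # sensor needs Linux kernel 5.4 or later
ARM64_MIN_AKS = (1, 29)      # AKS 1.28 and earlier: no Arm64 sensor support


def parse_version(text):
    """Return (major, minor) from '5.15.0-1073-azure' or 'v1.28.9'; None if absent."""
    match = re.search(r"(\d+)\.(\d+)", text or "")
    return (int(match.group(1)), int(match.group(2))) if match else None


def check_node(node):
    """Return (node name, list of problems); an empty list means the sensor is supported."""
    name = node["metadata"]["name"]
    info = node["status"]["nodeInfo"]
    problems = []

    if info.get("operatingSystem") != "linux":
        # Windows nodes get no sensor-based features at all; nothing else to check.
        return name, [f"operatingSystem={info.get('operatingSystem')!r}: sensor is Linux-only"]

    os_image = info.get("osImage", "")
    if not any(re.match(p, os_image, re.IGNORECASE) for p in SUPPORTED_OS_PATTERNS):
        problems.append(f"osImage {os_image!r} is not on the verified host OS list")

    kernel = parse_version(info.get("kernelVersion"))
    if kernel is None or kernel < MIN_KERNEL:
        problems.append(f"kernelVersion {info.get('kernelVersion')!r} is below 5.4")

    # Assumption: AKS nodes carry an 'azure://' providerID.
    is_aks = node.get("spec", {}).get("providerID", "").startswith("azure://")
    kubelet = parse_version(info.get("kubeletVersion"))
    if is_aks and info.get("architecture") == "arm64" and kubelet and kubelet < ARM64_MIN_AKS:
        problems.append(f"arm64 node on AKS {info['kubeletVersion']}: sensor needs AKS 1.29 or later")

    return name, problems


def check_nodes(node_list):
    """Map node name -> problems for a parsed `kubectl get nodes -o json` document."""
    return dict(check_node(n) for n in node_list["items"])


def _node(name, provider_id, os_name, os_image, kernel, arch, kubelet):
    return {"metadata": {"name": name}, "spec": {"providerID": provider_id},
            "status": {"nodeInfo": {"operatingSystem": os_name, "osImage": os_image,
                                    "kernelVersion": kernel, "architecture": arch,
                                    "kubeletVersion": kubelet}}}


# Constructed sample data shaped like `kubectl get nodes -o json` output.
SAMPLE_NODES = {"items": [
    _node("aks-system-1", "azure:///subscriptions/x/vmss/0", "linux",
          "Ubuntu 22.04.4 LTS", "5.15.0-1073-azure", "amd64", "v1.29.2"),
    _node("aks-arm-1", "azure:///subscriptions/x/vmss/1", "linux",
          "Ubuntu 22.04.4 LTS", "5.15.0-1073-azure", "arm64", "v1.28.9"),
    _node("aks-win-1", "azure:///subscriptions/x/vmss/2", "windows",
          "Windows Server 2022 Datacenter", "10.0.20348.2402", "amd64", "v1.29.2"),
    _node("eks-old-1", "aws:///us-east-1a/i-0abc", "linux",
          "Amazon Linux 2", "4.14.336-257.568.amzn2.x86_64", "amd64", "v1.27.9"),
]}

if __name__ == "__main__":
    print(json.dumps(check_nodes(SAMPLE_NODES), indent=2))
```

To run it against a real cluster, replace `SAMPLE_NODES` with `json.load(open("nodes.json"))` after `kubectl get nodes -o json > nodes.json`; any node with a non-empty problem list won't receive the sensor-based features in the runtime protection table.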
Next steps
- Learn how Defender for Cloud manages and safeguards data.
- Review the platforms that support Defender for Cloud.
