Defender for Containers feature availability

The tabs below show the features that are available, by environment, for Microsoft Defender for Containers.

Supported features by environment

| Domain | Feature | Supported Resources | Release state 1 | Windows support | Agentless/Agent-based | Pricing Tier | Azure clouds availability |
|---|---|---|---|---|---|---|---|
| Compliance | Docker CIS | VM, VMSS | GA | X | Log Analytics agent | Defender for Servers Plan 2 | |
| Vulnerability Assessment | Registry scan | ACR, Private ACR | GA | ✓ (Preview) | Agentless | Defender for Containers | Commercial clouds; National clouds: Azure Government, Azure China 21Vianet |
| Vulnerability Assessment | View vulnerabilities for running images | AKS | Preview | ✓ (Preview) | Defender profile | Defender for Containers | Commercial clouds |
| Hardening | Control plane recommendations | ACR, AKS | GA | | Agentless | Free | Commercial clouds; National clouds: Azure Government, Azure China 21Vianet |
| Hardening | Kubernetes data plane recommendations | AKS | GA | X | Azure Policy | Free | Commercial clouds; National clouds: Azure Government, Azure China 21Vianet |
| Runtime protection | Threat detection (control plane) | AKS | GA | | Agentless | Defender for Containers | Commercial clouds; National clouds: Azure Government, Azure China 21Vianet |
| Runtime protection | Threat detection (workload) | AKS | Preview | X | Defender profile | Defender for Containers | Commercial clouds |
| Discovery and provisioning | Discovery of unprotected clusters | AKS | GA | | Agentless | Free | Commercial clouds; National clouds: Azure Government, Azure China 21Vianet |
| Discovery and provisioning | Collection of control plane threat data | AKS | GA | | Agentless | Defender for Containers | Commercial clouds; National clouds: Azure Government, Azure China 21Vianet |
| Discovery and provisioning | Auto provisioning of Defender profile | AKS | Preview | X | Agentless | Defender for Containers | Commercial clouds; National clouds: Azure Government, Azure China 21Vianet |
| Discovery and provisioning | Auto provisioning of Azure policy add-on | AKS | GA | X | Agentless | Free | Commercial clouds; National clouds: Azure Government, Azure China 21Vianet |

1 Specific features are in preview. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Additional information

Registries and images

Supported
• ACR registries protected with Azure Private Link (private registries require access to Trusted Services)
• Windows images using Windows OS version 1709 and above (Preview). This is free while it's in preview, and will incur charges (based on the Defender for Containers plan) when it becomes generally available.

Unsupported
• Super-minimalist images such as Docker scratch images
• "Distroless" images that only contain an application and its runtime dependencies without a package manager, shell, or OS
• Images with Open Container Initiative (OCI) Image Format Specification

Kubernetes distributions and configurations

Supported
• Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters
• Azure Kubernetes Service (AKS) with Kubernetes RBAC
• Amazon Elastic Kubernetes Service (EKS)
• Google Kubernetes Engine (GKE) Standard

Supported via Arc enabled Kubernetes 1 2
• Azure Kubernetes Service on Azure Stack HCI
• Kubernetes
• AKS Engine
• Azure Red Hat OpenShift
• Red Hat OpenShift (version 4.6 or newer)
• VMware Tanzu Kubernetes Grid
• Rancher Kubernetes Engine

1 Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters should be supported, but only the specified clusters have been tested.
2 To get Microsoft Defender for Containers protection, you should onboard to Azure Arc-enabled Kubernetes and enable Defender for Containers as an Arc extension.

Note

For additional requirements for Kubernetes workload protection, see existing limitations.
