Merge pull request #269845 from dcurwin/wi-209061-multicloud-march21-2024

Threat detection Multi-Cloud GA Containers

Author: PMEds28

articles/defender-for-cloud/defender-for-containers-architecture.md

@@ -1,10 +1,11 @@
 ---
 title: Container security architecture
-description: Learn about the architecture of Microsoft Defender for Containers for each container platform
+description: Learn about the architecture of Microsoft Defender for Containers for the Azure, AWS, GCP, and on-premises container platform
 author: dcurwin
 ms.author: dacurwin
-ms.topic: overview
+ms.topic: conceptual
 ms.date: 01/10/2024
+# customer intent: As a developer, I want to understand the container security architecture of Microsoft Defender for Containers so that I can implement it effectively.
 ---
 
 # Defender for Containers architecture
@@ -78,6 +79,9 @@ When you enable the agentless discovery for Kubernetes extension, the following
 - **Discover**: Using the system assigned identity, Defender for Cloud performs a discovery of the AKS clusters in your environment using API calls to the API server of AKS.
 - **Bind**: Upon discovery of an AKS cluster, Defender for Cloud performs an AKS bind operation by creating a `ClusterRoleBinding` between the created identity and the Kubernetes `ClusterRole` *aks:trustedaccessrole:defender-containers:microsoft-defender-operator*. The `ClusterRole` is visible via API and gives Defender for Cloud data plane read permission inside the cluster.
 
+> [!NOTE]
+> The copied snapshot remains in the same region as the cluster.
+
 ## [**On-premises / IaaS (Arc)**](#tab/defender-for-container-arch-arc)
 
 ### Architecture diagram of Defender for Cloud and Arc-enabled Kubernetes clusters
@@ -88,7 +92,7 @@ These components are required in order to receive the full protection offered by
 
 - **Defender sensor**: The DaemonSet that is deployed on each node, collects host signals using [eBPF technology](https://ebpf.io/) and Kubernetes audit logs, to provide runtime protection. The sensor is registered with a Log Analytics workspace, and used as a data pipeline. However, the audit log data isn't stored in the Log Analytics workspace. The Defender sensor is deployed as an Arc-enabled Kubernetes extension.
 
-- **Azure Policy for Kubernetes**: A pod that extends the open-source [Gatekeeper v3](https://github.com/open-policy-agent/gatekeeper) and registers as a web hook to Kubernetes admission control making it possible to apply at-scale enforcements, and safeguards on your clusters in a centralized, consistent manner. The Azure Policy for Kubernetes pod is deployed as an Arc-enabled Kubernetes extension. It's only installed on one node in the cluster. For more information, see [Protect your Kubernetes workloads](kubernetes-workload-protections.md) and [Understand Azure Policy for Kubernetes clusters](../governance/policy/concepts/policy-for-kubernetes.md).
+- **Azure Policy for Kubernetes**: A pod that extends the open-source [Gatekeeper v3](https://github.com/open-policy-agent/gatekeeper) and registers as a web hook to Kubernetes admission control making it possible to apply at-scale enforcements, and safeguards on your clusters in a centralized, consistent manner. It's only installed on one node in the cluster. For more information, see [Protect your Kubernetes workloads](kubernetes-workload-protections.md) and [Understand Azure Policy for Kubernetes clusters](../governance/policy/concepts/policy-for-kubernetes.md).
 
 > [!NOTE]
 > Defender for Containers support for Arc-enabled Kubernetes clusters is a preview feature.
@@ -106,9 +110,6 @@ When Defender for Cloud protects a cluster hosted in Elastic Kubernetes Service,
 - **Defender sensor**: The DaemonSet that is deployed on each node, collects signals from hosts using [eBPF technology](https://ebpf.io/), and provides runtime protection. The sensor is registered with a Log Analytics workspace, and used as a data pipeline. However, the audit log data isn't stored in the Log Analytics workspace. The Defender sensor is deployed as an Arc-enabled Kubernetes extension.
 - **Azure Policy for Kubernetes**:  A pod that extends the open-source [Gatekeeper v3](https://github.com/open-policy-agent/gatekeeper) and registers as a web hook to Kubernetes admission control making it possible to apply at-scale enforcements, and safeguards on your clusters in a centralized, consistent manner. The Azure Policy for Kubernetes pod is deployed as an Arc-enabled Kubernetes extension. It's only installed on one node in the cluster. For more information, see [Protect your Kubernetes workloads](kubernetes-workload-protections.md) and [Understand Azure Policy for Kubernetes clusters](../governance/policy/concepts/policy-for-kubernetes.md).
 
-> [!NOTE]
-> Defender for Containers support for AWS EKS clusters is a preview feature.
-
 :::image type="content" source="./media/defender-for-containers/architecture-eks-cluster.png" alt-text="Diagram of high-level architecture of the interaction between Microsoft Defender for Containers, Amazon Web Services' EKS clusters, Azure Arc-enabled Kubernetes, and Azure Policy." lightbox="./media/defender-for-containers/architecture-eks-cluster.png":::
 
 ### How does agentless discovery for Kubernetes in AWS work?
@@ -127,6 +128,9 @@ When you enable the agentless discovery for Kubernetes extension, the following
 
 - **Discover**: Using the system assigned identity, Defender for Cloud performs a discovery of the EKS clusters in your environment using API calls to the API server of EKS.
 
+> [!NOTE]
+> The copied snapshot remains in the same region as the cluster.
+
 ## [**GCP (GKE)**](#tab/defender-for-container-gke)
 
 ### Architecture diagram of Defender for Cloud and GKE clusters
@@ -135,13 +139,10 @@ When Defender for Cloud protects a cluster hosted in Google Kubernetes Engine, t
 
 - **[Kubernetes audit logs](https://kubernetes.io/docs/tasks/debug-application-cluster/audit/)** – [GCP Cloud Logging](https://cloud.google.com/logging/) enables, and collects audit log data through an agentless collector, and sends the collected information to the Microsoft Defender for Cloud backend for further analysis.
 
-- **[Azure Arc-enabled Kubernetes](../azure-arc/kubernetes/overview.md)** - Azure Arc-enabled Kubernetes - A sensor based solution, installed on one node in the cluster, that connects your clusters to Defender for Cloud. Defender for Cloud is then able to deploy the following two agents as [Arc extensions](../azure-arc/kubernetes/extensions.md):
-- **Defender sensor**: The DaemonSet that is deployed on each node, collects signals from hosts using [eBPF technology](https://ebpf.io/), and provides runtime protection. The sensor is registered with a Log Analytics workspace, and used as a data pipeline. However, the audit log data isn't stored in the Log Analytics workspace. The Defender sensor is deployed as an Arc-enabled Kubernetes extension.
+- **[Azure Arc-enabled Kubernetes](../azure-arc/kubernetes/overview.md)** - Azure Arc-enabled Kubernetes - A sensor based solution, installed on one node in the cluster, that enables your clusters to connect to Defender for Cloud. Defender for Cloud is then able to deploy the following two agents as [Arc extensions](../azure-arc/kubernetes/extensions.md):
+- **Defender sensor**: The DaemonSet that is deployed on each node, collects signals from hosts using [eBPF technology](https://ebpf.io/), and provides runtime protection. The sensor is registered with a Log Analytics workspace, and used as a data pipeline. However, the audit log data isn't stored in the Log Analytics workspace.
 - **Azure Policy for Kubernetes**:  A pod that extends the open-source [Gatekeeper v3](https://github.com/open-policy-agent/gatekeeper) and registers as a web hook to Kubernetes admission control making it possible to apply at-scale enforcements, and safeguards on your clusters in a centralized, consistent manner. The Azure Policy for Kubernetes pod is deployed as an Arc-enabled Kubernetes extension. It only needs to be installed on one node in the cluster. For more information, see [Protect your Kubernetes workloads](kubernetes-workload-protections.md) and [Understand Azure Policy for Kubernetes clusters](../governance/policy/concepts/policy-for-kubernetes.md).
 
-> [!NOTE]
-> Defender for Containers support for GCP GKE clusters is a preview feature.
-
 :::image type="content" source="./media/defender-for-containers/architecture-gke.png" alt-text="Diagram of high-level architecture of the interaction between Microsoft Defender for Containers, Google GKE clusters, Azure Arc-enabled Kubernetes, and Azure Policy." lightbox="./media/defender-for-containers/architecture-gke.png":::
 
 ### How does agentless discovery for Kubernetes in GCP work?
@@ -160,6 +161,9 @@ When you enable the agentless discovery for Kubernetes extension, the following
 
 - **Discover**: Using the system assigned identity, Defender for Cloud performs a discovery of the GKE clusters in your environment using API calls to the API server of GKE.
 
+> [!NOTE]
+> The copied snapshot remains in the same region as the cluster.
+
 ---
 
 ## Next steps

articles/defender-for-cloud/defender-for-containers-enable.md

@@ -37,9 +37,9 @@ You can also learn more by watching these videos from the Defender for Cloud in
 - [Microsoft Defender for Containers in a multicloud environment](episode-nine.md)
 - [Protect Containers in GCP with Defender for Containers](episode-ten.md)
 
-::: zone pivot="defender-for-container-arc,defender-for-container-eks,defender-for-container-gke"
+::: zone pivot="defender-for-container-arc"
 > [!NOTE]
-> Defender for Containers' support for Arc-enabled Kubernetes clusters, AWS EKS, and GCP GKE is a preview feature. The preview feature is available on a self-service, opt-in basis.
+> Defender for Containers' support for Arc-enabled Kubernetes clusters is a preview feature. The preview feature is available on a self-service, opt-in basis.
 >
 > Previews are provided "as is" and "as available" and are excluded from the service level agreements and limited warranty.
 >

articles/defender-for-cloud/includes/defender-for-containers-enable-plan-eks.md

@@ -83,3 +83,28 @@ To protect your EKS clusters, enable the Containers plan on the relevant account
 To view the alerts and recommendations for your EKS clusters, use the filters on the alerts, recommendations, and inventory pages to filter by resource type **AWS EKS cluster**.
 
 :::image type="content" source="../media/defender-for-kubernetes-intro/view-alerts-for-aws-eks-clusters.png" alt-text="Screenshot of how to use filters on Microsoft Defender for Cloud's security alerts page to view alerts related to AWS EKS clusters." lightbox="../media/defender-for-kubernetes-intro/view-alerts-for-aws-eks-clusters.png":::
+
+## Deploying the Defender sensor
+
+To deploy the Defender sensor on your AWS clusters, follow these steps:
+
+1. Go to **Microsoft Defender for Cloud** -> **Environment settings** -> **Add environment** -> **Amazon Web Services**.
+
+    :::image type="content" source="../media/defender-for-kubernetes-intro/add-aws-environment.png" alt-text="Screenshot of how to add an AWS environment in Microsoft Defender for Cloud." lightbox="../media/defender-for-kubernetes-intro/add-aws-environment.png":::
+
+1. Fill in the account details.
+
+    :::image type="content" source="../media/defender-for-kubernetes-intro/add-aws-account-details.png" alt-text="Screenshot of the form to fill in the account details for an AWS environment in Microsoft Defender for Cloud." lightbox="../media/defender-for-kubernetes-intro/add-aws-account-details.png":::
+
+1. Go  to **Select plans**, open the Containers plan and make sure **Auto provision Defender's sensor for Azure Arc** is set to on.
+
+    :::image type="content" source="../media/defender-for-kubernetes-intro/enable-sensor-for-azure-arc.png" alt-text="Screenshot of how to enable the Defender sensor for Azure Arc in Microsoft Defender for Cloud." lightbox="../media/defender-for-kubernetes-intro/enable-sensor-for-azure-arc.png":::
+
+1. Go to **Configure access** and follow the steps there.
+
+    :::image type="content" source="../media/defender-for-kubernetes-intro/configure-access.png" alt-text="Screenshot of how to configure access for an AWS environment in Microsoft Defender for Cloud." lightbox="../media/defender-for-kubernetes-intro/configure-access.png":::
+
+1. Once the Cloud Formation template was deployed successfully, select **Create**.
+
+> [!NOTE]
+> You can exclude a specific AWS cluster from autoprovisioning. For sensor deployment, apply the `ms_defender_container_exclude_agents` tag on the resource with the value `true`. For agentless deployment, apply the `ms_defender_container_exclude_agentless` tag on the resource with the value `true`.

articles/defender-for-cloud/includes/defender-for-containers-enable-plan-gke.md

@@ -117,3 +117,28 @@ There are 2 dedicated Defender for Cloud recommendations you can use to install
 1. In the Value dropdown menu, select **GCP GKE Cluster**.
 
 1. Select **Ok**.
+
+## Deploying the Defender sensor
+
+To deploy the Defender sensor on your GCP clusters, follow these steps:
+
+1. Go to **Microsoft Defender for Cloud** -> **Environment settings** -> **Add environment** -> **Google Cloud Platform**.
+
+    :::image type="content" source="../media/defender-for-kubernetes-intro/add-gcp-environment.png" alt-text="Screenshot of how to add a GCP environment in Microsoft Defender for Cloud." lightbox="../media/defender-for-kubernetes-intro/add-gcp-environment.png":::
+
+1. Fill in the account details.
+
+    :::image type="content" source="../media/defender-for-kubernetes-intro/add-gcp-account-details.png" alt-text="Screenshot of the form to fill in the account details for a GCP environment in Microsoft Defender for Cloud." lightbox="../media/defender-for-kubernetes-intro/add-gcp-account-details.png":::
+
+1. Go to **Select plans**, open the Containers plan, and make sure **Auto provision Defender's sensor for Azure Arc** is set to on.
+
+    :::image type="content" source="../media/defender-for-kubernetes-intro/enable-sensor-for-azure-arc-gcp.png" alt-text="Screenshot of how to enable the Defender sensor for Azure Arc in Microsoft Defender for Cloud." lightbox="../media/defender-for-kubernetes-intro/enable-sensor-for-azure-arc-gcp.png":::
+
+1. Go to **Configure access** and follow the steps there.
+
+    :::image type="content" source="../media/defender-for-kubernetes-intro/configure-access-gcp.png" alt-text="Screenshot of how to configure access for a GCP environment in Microsoft Defender for Cloud." lightbox="../media/defender-for-kubernetes-intro/configure-access-gcp.png":::
+
+1. After the gcloud script ran successfully, select **Create**.
+
+> [!NOTE]
+> You can exclude a specific GCP cluster from autoprovisioning. For sensor deployment, apply the `ms_defender_container_exclude_agents` label on the resource with the value `true`. For agentless deployment, apply the `ms_defender_container_exclude_agentless` label on the resource with the value `true`.