Merge pull request #185922 from ElazarK/outbound-access

v-ccolin · web-flow · commit e2cc42a4f52c · 2022-01-26T11:58:44.000Z
Outbound access
diff --git a/articles/defender-for-cloud/defender-for-containers-enable.md b/articles/defender-for-cloud/defender-for-containers-enable.md
@@ -3,7 +3,7 @@ title: How to enable Microsoft Defender for Containers in Microsoft Defender for
 description: Enable the container protections of Microsoft Defender for Containers
 ms.topic: overview
 zone_pivot_groups: k8s-host
-ms.date: 01/02/2022
+ms.date: 01/25/2022
 ---
 # Enable Microsoft Defender for Containers
 
@@ -26,6 +26,14 @@ Learn about this plan in [Overview of Microsoft Defender for Containers](defende
 > [!INCLUDE [Legalese](../../includes/defender-for-cloud-preview-legal-text.md)]
 ::: zone-end
 
+::: zone pivot="defender-for-container-aks"
+[!INCLUDE [Prerequisites](./includes/defender-for-container-prerequisites-aks.md)]
+::: zone-end
+
+::: zone pivot="defender-for-container-arc,defender-for-container-eks"
+[!INCLUDE [Prerequisites](./includes/defender-for-container-prerequisites-arc-eks.md)]
+::: zone-end
+
 ::: zone pivot="defender-for-container-aks"
 [!INCLUDE [Enable plan for AKS](./includes/defender-for-containers-enable-plan-aks.md)]
 ::: zone-end
diff --git a/articles/defender-for-cloud/includes/defender-for-container-prerequisites-aks.md b/articles/defender-for-cloud/includes/defender-for-container-prerequisites-aks.md
@@ -0,0 +1,13 @@
+---
+ms.service: defender-for-cloud
+ms.topic: include
+ms.date: 01/26/2022
+---
+
+## Prerequisites
+
+Validate the following endpoints are configured for outbound access so that the Defender profile can connect to Microsoft Defender for Cloud to send security data and events:
+
+See the [required FQDN/application rules for Microsoft Defender for Containers](../../aks/limit-egress-traffic.md#microsoft-defender-for-containers).
+
+By default, AKS clusters have unrestricted outbound (egress) internet access. 
diff --git a/articles/defender-for-cloud/includes/defender-for-container-prerequisites-arc-eks.md b/articles/defender-for-cloud/includes/defender-for-container-prerequisites-arc-eks.md
@@ -0,0 +1,17 @@
+---
+ms.service: defender-for-cloud
+ms.topic: include
+ms.date: 01/25/2022
+---
+
+## Prerequisites
+
+Validate the following endpoints are configured for outbound access so that the Defender extension can connect to Microsoft Defender for Cloud to send security data and events:
+
+For Azure public cloud deployments:
+
+| Domain                     | Port |
+| -------------------------- | ---- |
+| *.ods.opinsights.azure.com | 443  |
+| *.oms.opinsights.azure.com | 443  |
+| login.microsoftonline.com  | 443  |
diff --git a/articles/defender-for-cloud/includes/defender-for-containers-enable-plan-arc.md b/articles/defender-for-cloud/includes/defender-for-containers-enable-plan-arc.md
@@ -2,8 +2,8 @@
 author: memildin
 ms.service: defender-for-cloud
 ms.topic: include
-ms.date: 01/10/2022
-ms.author: memildin
+ms.date: 01/24/2022
+
 ---
 ## Enable the plan
 
@@ -33,20 +33,11 @@ ms.author: memildin
     - Azure Kubernetes Service profile - [Azure Kubernetes Service clusters should have Defender profile enabled](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/56a83a6e-c417-42ec-b567-1e6fcb3d09a9)
     - Azure Arc-enabled Kubernetes extension - [Azure Arc-enabled Kubernetes clusters should have the Defender extension installed](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/3ef9848c-c2c8-4ff3-8b9c-4c8eb8ddfce6)
 
-## Prerequisites
+## Additional Prerequisites
 
 Before deploying the extension, ensure you:
 - [Connect the Kubernetes cluster to Azure Arc](../../azure-arc/kubernetes/quickstart-connect-cluster.md)
 - Complete the [pre-requisites listed under the generic cluster extensions documentation](../../azure-arc/kubernetes/extensions.md#prerequisites).
-- Configure **port 443** on the following endpoints for outbound access:
-    - For clusters on Azure Government cloud:
-        - *.ods.opinsights.azure.us
-        - *.oms.opinsights.azure.us
-        - :::no-loc text="login.microsoftonline.us":::
-    - For clusters on other Azure cloud deployments:
-        - *.ods.opinsights.azure.com
-        - *.oms.opinsights.azure.com
-        - :::no-loc text="login.microsoftonline.com":::
 
 ## Deploy the Defender extension
 
diff --git a/articles/defender-for-cloud/kubernetes-workload-protections.md b/articles/defender-for-cloud/kubernetes-workload-protections.md
@@ -2,7 +2,7 @@
 title: Workload protections for your Kubernetes workloads
 description: Learn how to use Microsoft Defender for Cloud's set of Kubernetes workload protection security recommendations
 ms.topic: how-to
-ms.date: 12/12/2021
+ms.date: 01/26/2022
 ---
 
 # Protect your Kubernetes workloads
@@ -35,6 +35,12 @@ Defender for Cloud offers more container security features if you enable Microso
 
 Microsoft Defender for Cloud includes a bundle of recommendations that are available when you've installed the **Azure Policy add-on for Kubernetes**.
 
+## Prerequisites
+
+Validate the following endpoints are configured for outbound access so that the Azure Policy add-on for Kubernetes can connect to Azure Policy to synchronize Kubernetes policies:
+
+See [Required FQDN/application rules for Azure policy](../aks/limit-egress-traffic.md#azure-policy) for the required FQDN/application rules.
+
 ### Step 1: Deploy the add-on
 
 To configure the recommendations, install the  **Azure Policy add-on for Kubernetes**. 
