Blog Post

Microsoft Defender for Cloud Blog
4 MIN READ

Protect non-Azure resources using Azure Arc and Microsoft Defender for Cloud

Lior Arviv's avatar
Lior Arviv
Icon for Microsoft rankMicrosoft
Apr 18, 2021

Microsoft Defender for Cloud monitors the security posture of your Azure resourcesToday, organizations are extending their hybrid footprint and using additional public clouds. Microsoft Defender for Cloud allows you to protect non-Azure resources located on-premises or on other cloud providers, from virtual machines, Kubernetes services and SQL resources.

To do so, those resources need to be connected to Azure by leveraging Azure Arc service – meaning that you can now manage and operate all your existing IT resources consistently and at-scale, wherever they reside, from Azure. You can also run Azure services anywhere, on-premises or in other public clouds, and take advantage of cloud benefits everywhere, such as scalability, fast deployment, and always up-to-date cloud innovation. Moreover, Azure Arc allows you to manage these resources like any other first citizen resource in Azure and benefit from additional capabilities, such as: non-Azure virtual machines connected to Azure Arc can benefit from capabilities such as patch management, RBAC roles, extension platform, tags and more. 

Using Microsoft Defender for Cloud and Azure Arc, you can also secure the 3 core scenarios which are offered today. In this blog post we will focus on the first one which is Azure Arc enabled servers.

 

Onboarding non-Azure machines into Azure Arc provide you the ability to: 

  • Deploy virtual machine extension (such as Log Analytics agent, vulnerability assessment scanner, custom script extension and more) 
  • Enable guest configuration policies (Azure Policy) 
  • Use Microsoft Defender for Cloud to improve the security posture such as misconfigured settings, missing system updates and more. 
  • Use Microsoft Defender for server capabilities such security alerts, vulnerability assessmentadaptive application controls, network hardening and more.

Prepare

Onboard machines as Azure Arc connected machines by installing the Hybrid Connected Machine agent on the target machine(s); this can be done by using a script or manually. Once a machine is onboarded, you will see it as Azure resource. 

Before you onboard machines, please make sure to review these tasks: 

  1. Make sure to review the supported operating system version as found here: Overview of the Connected Machine agent - Azure Arc | Microsoft Docs. If you still want to onboard a non-Azure machine but the target machine runs an OS version which is not supported by the agent yet, you can still onboard it by installing the Log Analytics agent directly on a machine. 
  2. Ensure the target machines can communicate over the internet with the required URLs for the agent through a firewall or proxy server – proxy settings are set on the OS level. 
    All URLs used for communication are o
    utbound and secured over TCP port 443 and can be found here.

Onboard

There are multiple ways to deploy the agent on a target machine as provided here: Connect hybrid machines to Azure from the Azure portal - Azure Arc | Microsoft Docs

During the onboarding, you will be asked to onboard the resource to a subscription and a resource group you selected a subscription where Microsoft Defender for Servers plan is enabled.

To do so, navigate to Microsoft Defender for Cloud Pricing and Settings page, and in the Servers rowclick ON as shown the example below:

 

 

Once the machine is successfully onboarded, you will be able to see it listed on the Azure Arc blade.

In the Azure portal, search for Azure Arc service, then select Servers to see all the onboarded servers and their statusas shown in the example below:

 

 

Selecting one of the onboarded machines, opens the resource blade. Here you can see the connectivity status, OS details and additional metadata.

Since it’s an ARM resource, you can assign tags, manage permissions using Azure RBAC and use additional capabilities such as policies, change tracking and inventory, patch management and security.

 

 

Secure

Projecting resources using Arc is a necessary step to ensure your machines are protected by Microsoft Defender for CloudLike an Azure VM, you will need to deploy the Log Analytics agent on the target machineTo do so, you can use dedicated recommendations on Microsoft Defender for Cloud recommendation list to deploy the Log Analytics agent; one for Azure Arc machines based on Linux and for Windows.

These recommendations offer you the Quick Fix approach to remediate it with a single click to trigger an installation of the Log Analytics agent.

 

The agent is being deployed using the VM extension platform which is one of the advantages of using Arc. Once the Log analytics agent is installed and connected to a workspace used by Microsoft Defender for Cloud, your machine will be ready to use and benefit of the variety of features which are available as part of the Microsoft Defender for Servers plan. 

On Microsoft Defender for Cloud’s asset inventory, you can filter Arc resources by using the filters located on the upper section, for example: select “servers – azure arc”. Unlike Azure VMs, Arc connected machines are presented in purple as you can see below.

For each resource you can see the agent monitoring alongside with the current security recommendations:

 

 

 

You can distinguish between the different resource by the icon: 

 

 

The security alert below was triggered by Microsoft Defender for Cloud from a virtual machine onboarded to Azure Arc and located on other cloud vendor:

 

 

Deploying our integrated vulnerability assessment solution on non-Azure machine is included with the Microsoft Defender for servers plan and provide you a visibility for all vulnerabilities found on the target resource including the remediation steps:

 

 

Hope you enjoyed learning on how Microsoft Defender for Cloud and Azure Arc can protect your non-Azure resources located anywhere :smile:

 

Reviewers: 

YuriDiogenes, Principal Program Manager, ASC CxE 

Future Kortor, Program Manager, ASC CxE

Updated Nov 02, 2021
Version 2.0
  • cmateies's avatar
    cmateies
    Copper Contributor

    Thank you for all this information.

    We have recently onboarded all our on-prem servers to Azure Arc and deployed the required extensions for Security Center and for the integrated vulnerability management. These work great!

    However, I was hoping that this onboarding will also deploy the Defender for Endpoint extension and onboard the on-prem servers to the Defender Security Center and the new security.microsoft.com, but that didn't happened. 

    Would this feature come in the future? Will the Azure Arc onboarded systems need to be onboarded to Defender for Endpoint in another way then?

    The documentation suggests that the integration between Defender for Endpoint and Security Center covers Azure Arc systems as well.

    https://docs.microsoft.com/en-us/azure/security-center/security-center-wdatp

    Regards

  • Hi cmateies,

     

    Glad you liked the post and great to hear that you’re already using Azure Arc and our integrated VA solution.

    The integration between Security Center and Defender for Endpoint supports Azure Arc connected machines as well – if your machines is running Windows, ASC will onboard that machine automatically. For example, on Windows 2019 based machine you can notice a new extension named MDE.Windows. However, you won’t see that server listed on the MDE console. To enable the integration, you must turn on that feature as described here: Using the Microsoft Defender for Endpoint license included with Azure Security Center | Microsoft Docs. We’re also working to support Linux EDR.

     

    Thanks!

  • cmateies's avatar
    cmateies
    Copper Contributor

    Thank you Lior Arviv but that integration is already enabled in ASC. The Windows VMs were onboarded fine to the MDE console through the MDE.Windows extension but the Azure Arc Windows machines were not.

    Now I know that it should work so I will open a support case and go from there.

    Thanks!

  • Hi cmateies - you can also see a reference from one of my subscriptions. An Azure Arc machine based on Windows Server 2019 OS with the MDE.Windows extension:

     

  • rashadbakirov's avatar
    rashadbakirov
    Brass Contributor

    Lior Arviv thank you for great post. Have here possibility to deploy automatically for multiple On-premise Servers? Or we have to run script manually for each server. How can i deploy it more than 200 VMs?

  • cmateies's avatar
    cmateies
    Copper Contributor

    Hi Lior Arviv , this is to update my previous comment. 

    The VMs were onboarded to Defender portal via the integration and not through the MDE extension as I initially stated. The extension got pushed to our VMs, even if these are not running Server2019 because Security Center doesn't recognize the OS version. Reference https://docs.microsoft.com/en-us/azure/security-center/security-center-wdatp#whats-this-mdewindows-extension-running-on-my-machine The extension is there but it doesn't do anything.

    So we were wrongly waiting to the MDE.Windows extension on our Azure Arc servers.

    We have manually added the Defender workspace in Monitoring Agent settings on the on-prem servers to onboard to Defender console. This workaround was provided by Microsoft Support as none of the Azure Arc servers report to the log analytics workspace for Security Center, which should have onboarded these to Defender. Ticket still opened as that integration doesn't work for us.

    Thanks

     

  • sudeepb2021's avatar
    sudeepb2021
    Copper Contributor

    So if I have 100s of site and each site have 40 servers, lets say I have 400 servers in total and approx. 4TB of log/metrics from each site(total over 100 sites),

    then is there a mechanism to consolidate the logs/metrics to a site specific central agent/server (one option I observe was SCOM server but it could be very costly).

    Looks like the steps involve installing azcmagent, is that same as Azure Monitoring Agent (AMA) ?  whats the difference ? any site explaining the differences ?

    Also if there is a way for this azcmagent to consolidate the metrics for all servers in a site(40 servers) before sending to Azure (using cost effective mechanism and not having a SCOM server entirely) ?