Azure Security Center (ASC) was originally developed with the intention of becoming the reference tool for protecting resources in the Azure environment. The much felt need of customers to protect the resources located in environments other than Azure has led to an evolution of the solution that, thanks to integration with Azure Arc, allows you to extend the protection and security management tools to any infrastructure. This article explains how Azure Security Center and Azure Arc allow you to protect non-Azure resources located on-premises or on other cloud providers, as virtual machines, Kubernetes services and SQL resources.
The adoption of Azure Defender using the principles of Azure Arc
Azure Arc allows you to manage workloads residing outside Azure, on the on-premises corporate network or at another cloud provider. This management experience is designed to provide consistency with native Azure management methodologies.
Thanks to the fact thatAzure Security Center and Azure Arc can be used jointly, you have the ability to offer advanced protection for three different scenarios:
By enabling the Azure Defender protection of workloads at the subscription level in the Azure Security Center, it is also possible to consider the resources and workloads residing in hybrid and multicloud environments, all in an extremely simple way thanks to Azure Arc.
Azure Defender for Arc-enabled server systems
By connecting a server machine to Azure via Arc, it is considered to all intents and purposes as an Azure resource. Each connected machine has a specific ID, is included in a resource group and benefits from standard Azure constructs such as Azure Policies and tagging. This applies to both Windows and Linux systems.
To offer this experience, the installation of the specific Azure Arc agent is required on each machine that is planned to connect to Azure ("Azure Connected Machine").
The Azure Arc Connected Machine agent consists of the following logical components:
- TheHybrid Instance Metadata service (HIMDS) that manages the connection to Azure and the Azure identity of the connected machine.
- TheGuest Configurationagent that provides in-guest policy and guest configuration features.
- TheExtension Manageragent that manages installation processes, uninstalling and updating machine extensions.
The Connected Machine agent requires secure outbound communication to Azure Arc on TCP port 443.
This agent provides no other features and does not replace the Azure Log Analytics agent, which remains necessary when you want to proactively monitor the operating system and workloads running on the machine.
For more information about installing Azure Arc, seethis official Microsoft document.
Azure Arc-enabled servers can benefit from several Azure Resource Manager-related features such as Tags, Policies and RBAC, as well as some features related to Azure Management.
Activating Azure Defender for Server with Azure Arc
The projection of server resources in Azure using Arc is a useful step to ensure that all the machines in the infrastructure are protected by Azure Defender for Server. Similar to an Azure VM, it will also be necessary to deploy the Log Analytics agent on the target system. To simplify the onboarding process this agent is deployed using the VM extension, and this is one of the advantages of using Arc.
Once the Log Analytics agent has been installed and connected to a workspace used by ASC, the machine will be ready to use and benefit from the various security features offered in the Azure Defender for Servers plan.
For each resource, it is possible to view the status of the agent and its current security recommendations:
In case there is a need to onboard a non-Azure server in Azure Defender with an operating system version not yet supported by the Azure Arc agent, however, it is possible to perform onboarding by installing only the Log Analytics agent on the machine.
The icons in the Azure portal allow you to easily distinguish the different resources:
Azure Defender for Arc-enabled Kubernetes resources
Azure Defender for Kubernetes also allows you to protect clusters located on-premises with the same threat detection features offered for Azure Kubernetes Service clusters (AKS).
For all Kubernetes clusters other than AKS, is necessary connect the cluster environment to Azure Arc. Once the cluster environment is connected, Azure Defender for Kubernetes can be activated as cluster extension on Azure Arc-enabled Kubernetes resources.
The extension components collect the Kubernetes audit logs from all the nodes of the cluster control plane and send them to the back-end of Azure Defender for Kubernetes in the cloud for further analysis. The extension is registered with a Log Analytics workspace that is used for the data pipeline, but the audit logs are not stored in the Log Analytics workspace.
The extension also allows you to protect Kubernetes clusters located at other cloud providers, but it does not allow you to contemplate their managed Kubernetes services.
Azure Defender for Arc-enabled SQL Server resources
Azure Defender for SQL allows you to constantly monitor SQL Server implementations for known threats and vulnerabilities. These features are also usable not only for virtual machines in Azure, but also for SQL Server activated in an on-premises environment and in multicloud deployment. Azure Arc-enabled SQL Servers are also part of Azure Arc for servers. To enable Azure services, the’SQL Server instance must be registered with Azure Arc using the Azure portal and a special registration script. After registration, the instance will be represented on Azure as a resource SQL Server – Azure Arc. The properties of this resource reflect a subset of the SQL Server configuration settings.
Manage security and maintain control of workloads running on-premises, in Azure and on other cloud platforms it can be particularly challenging. Thanks to Azure Arc, it is possible to easily extend Azure Defender coverage to workloads residing outside the Azure environment. Furthermore, Azure Security Center allows you to obtain detailed information on the security of your hybrid environment in a single centralized console, useful for effectively controlling the security of your IT infrastructure.