Introduction
With Defender for Cloud, you can directly onboard your non-Azure servers by deploying the Defender for Endpoint agent. With this, you can get protection for both your cloud and non-cloud assets under a single offering.
This article describes how to deploy Defender for Cloud on your non-Azure servers, such as AWS or GCP instances. Most of the information in this article is derived from two Microsoft documents: Onboard non-Azure machines with Defender for Endpoint - Microsoft Defender for Cloud | Microsoft Learn and Onboard to Microsoft Defender for Endpoint | Microsoft Learn.
Instructions
For instructions on how to onboard Defender for Endpoint on your servers, please see Onboard to Microsoft Defender for Endpoint | Microsoft Learn. Listed below are some limitations according to Microsoft (Onboard non-Azure machines with Defender for Endpoint - Microsoft Defender for Cloud | Microsoft Learn).
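After running Microsoft's onboarding package on a server, it is worth confirming locally that the sensor actually reports as onboarded before relying on it. The following PowerShell check is an added example and is not part of this article or of Microsoft's onboarding package; it reads the Defender for Endpoint sensor's onboarding state and the `Sense` service status, which are the values the sensor itself exposes, and shows the OS caption so you can tell whether the host is one of the Windows Server 2012/2016 cases called out in the limitations below. The function name and the output shape are illustrative assumptions.

```powershell
# Added example (not from the Virginia Tech article or Microsoft's onboarding
# package): read-only check of whether this Windows server reports as onboarded
# to Defender for Endpoint. Run in an elevated PowerShell session on the server.
# The registry path, the OnboardingState value and the 'Sense' service name are
# the ones the Defender for Endpoint sensor uses; the function name and output
# layout are illustrative assumptions.

function Get-MdeOnboardingStatus {
    [CmdletBinding()]
    param()

    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

    # OnboardingState is 1 once the sensor has accepted an onboarding package.
    # The key does not exist on a host where the sensor was never onboarded,
    # so suppress the error and treat a missing value as "not onboarded".
    $onboardingState = (Get-ItemProperty -Path $statusKey -Name 'OnboardingState' `
        -ErrorAction SilentlyContinue).OnboardingState

    # The sensor runs as the 'Sense' service; it should be Running on an
    # onboarded host. Null means the service is not installed at all.
    $sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue

    # OS caption, so the reader can see at a glance whether the host is one of
    # the Windows Server 2012/2016 cases listed in the limitations table.
    $os = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        OperatingSystem = $os
        OnboardingState = $onboardingState
        SenseService    = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }
        Onboarded       = [bool]($onboardingState -eq 1 -and $sense -and $sense.Status -eq 'Running')
    }
}

Get-MdeOnboardingStatus | Format-List
```

A result of `Onboarded : True` only confirms the sensor on the server is onboarded; it says nothing about whether Defender for Cloud has correlated the machine for billing, which is the concern in the limitations below and can only be checked from the Azure portal.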
Current limitations
Virginia Tech currently has Plan 2 enabled in the tenant.
- Certain features in Plan 2 still require the deployment of the Azure Monitor Agent, which is only available with Azure Arc on non-Azure machines.
- Multi-cloud support: You can directly onboard VMs in AWS and GCP using the Defender for Endpoint agent. However, if you plan to simultaneously connect your AWS or GCP account to Defender for Servers using multi-cloud connectors, it's currently still recommended to deploy Azure Arc.
- Simultaneous onboarding limited support: Defender for Cloud makes a best effort to correlate servers onboarded using multiple billing methods. However, in certain server deployment use cases, there may be limitations where Defender for Cloud is unable to correlate your machines. This may result in overcharges on certain devices if direct onboarding is also enabled on your tenant.
The following deployment use cases are currently affected by this limitation when direct onboarding is enabled on your tenant:
| Location | Deployment Use Case |
| --- | --- |
| All | Windows 2012, 2016: Azure VMs or Azure Arc machines already onboarded and billed by Defender for Servers via an Azure subscription or Log Analytics workspace, running the Defender for Endpoint modern unified agent without the MDE.Windows Azure extension. For such machines, you can enable Defender for Cloud integration with Defender for Endpoint to deploy the extension. |
| On-premises (not running Azure Arc) | Windows Server 2012, 2016: Servers running the Defender for Endpoint modern unified agent, and already billed by Defender for Servers P2 via the Log Analytics workspace. |
| AWS, GCP (not running Azure Arc) | Windows Server 2012, 2016: AWS or GCP VMs using the modern unified Defender for Endpoint solution, already onboarded and billed by Defender for Servers via multicloud connectors, Log Analytics workspace, or both. |