{"id":441,"date":"2026-04-14T01:49:12","date_gmt":"2026-04-14T01:49:12","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/azure-microsoft-defender-for-cloud-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-hybrid-multicloud\/"},"modified":"2026-04-14T01:49:12","modified_gmt":"2026-04-14T01:49:12","slug":"azure-microsoft-defender-for-cloud-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-hybrid-multicloud","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/azure-microsoft-defender-for-cloud-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-hybrid-multicloud\/","title":{"rendered":"Azure Microsoft Defender for Cloud Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Hybrid + Multicloud"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Category<\/h2>\n\n\n\n<p>Hybrid + Multicloud<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Introduction<\/h2>\n\n\n\n<p>Microsoft Defender for Cloud is Azure\u2019s cloud security platform for improving security posture (CSPM) and protecting workloads (CWPP) across <strong>Azure, Hybrid, and Multicloud<\/strong> environments.<\/p>\n\n\n\n<p>In simple terms: it continuously checks your cloud resources for security risks, shows you what to fix first, and (if you enable protection plans) detects threats for servers, containers, databases, storage, and other workloads.<\/p>\n\n\n\n<p>Technically, Microsoft Defender for Cloud is a <strong>control-plane security service<\/strong> that aggregates signals from Azure Resource Manager, Azure Policy, workload telemetry (agents and\/or agentless scanning depending on plan), and cloud connectors (AWS\/GCP), then produces <strong>recommendations, secure score, regulatory compliance posture, attack-path context<\/strong>, and <strong>security alerts<\/strong> that can be integrated into Microsoft Sentinel and Microsoft Defender XDR.<\/p>\n\n\n\n<p>It solves common problems like inconsistent 
security baselines, misconfigurations across multiple subscriptions\/accounts, limited visibility into exposed resources, and difficulty prioritizing remediation based on risk and compliance impact.<\/p>\n\n\n\n<blockquote>\n<p>Naming note (important): Microsoft Defender for Cloud is the current product name. It was previously known as <strong>Azure Security Center<\/strong> (legacy name). Workload protection features were previously branded as <strong>Azure Defender<\/strong>; today they\u2019re offered as <strong>Defender plans<\/strong> within Microsoft Defender for Cloud.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">2. What is Microsoft Defender for Cloud?<\/h2>\n\n\n\n<p><strong>Official purpose (what it\u2019s for):<\/strong><br\/>\nMicrosoft Defender for Cloud helps you <strong>prevent<\/strong>, <strong>detect<\/strong>, and <strong>respond<\/strong> to security risks across cloud workloads by providing:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Cloud Security Posture Management (CSPM)<\/strong>: visibility, secure score, recommendations, compliance posture, and (plan-dependent) advanced context like attack paths.<\/li>\n<li><strong>Cloud Workload Protection (CWPP)<\/strong>: threat detection and protections for supported workload types via Defender plans.<\/li>\n<\/ul>\n\n\n\n<p><strong>Core capabilities (high level):<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Asset inventory and security coverage visibility<\/li>\n<li>Secure score and prioritized recommendations<\/li>\n<li>Regulatory compliance reporting (mapping to standards)<\/li>\n<li>Security alerts and incident correlation (with Defender plans)<\/li>\n<li>Workflow automation (route findings to ITSM\/SOAR tools)<\/li>\n<li>Continuous export to Log Analytics, Event Hubs, or partner SIEMs (capabilities vary\u2014verify current options in your tenant)<\/li>\n<li>Hybrid + multicloud onboarding (Azure Arc, AWS, GCP connectors)<\/li>\n<\/ul>\n\n\n\n<p><strong>Major components 
you\u2019ll interact with:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Defender for Cloud portal experience<\/strong> in the Azure portal<\/li>\n<li><strong>Environment settings<\/strong> (management group\/subscription level controls for plans and coverage)<\/li>\n<li><strong>Recommendations<\/strong> and <strong>Secure score<\/strong><\/li>\n<li><strong>Regulatory compliance<\/strong> dashboards and standards mappings<\/li>\n<li><strong>Security alerts<\/strong> (when Defender plans are enabled and data sources are connected)<\/li>\n<li><strong>Workbooks \/ reports<\/strong> (often backed by Azure Monitor workbooks and Resource Graph)<\/li>\n<\/ul>\n\n\n\n<p><strong>Service type:<\/strong><br\/>\nA <strong>managed cloud security service<\/strong> (SaaS-like control plane) integrated into Azure.<\/p>\n\n\n\n<p><strong>Scope (how it\u2019s \u201cscoped\u201d in Azure):<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Typically managed at <strong>management group<\/strong> and\/or <strong>subscription<\/strong> scope.<\/li>\n<li>Recommendations and secure score are produced for resources under those scopes.<\/li>\n<li>For multicloud, you onboard AWS accounts and GCP projects using connectors so Defender for Cloud can assess them.<\/li>\n<li>For hybrid servers, you typically use <strong>Azure Arc<\/strong> to project machines into Azure for policy\/assessment and (plan-dependent) protection.<\/li>\n<\/ul>\n\n\n\n<p><strong>Regional\/global behavior:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The Defender for Cloud management plane is <strong>global<\/strong> (you manage it from the Azure portal across regions).<\/li>\n<li>Some collected data and integrations depend on <strong>regional resources<\/strong> you select (for example, Log Analytics workspaces, data collection rules, storage destinations, etc.).<\/li>\n<li>Always confirm where security data is stored\/processed for your configuration in official docs and your tenant settings (especially for compliance).<\/li>\n<\/ul>\n\n\n\n<p><strong>How it fits into the Azure ecosystem:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Uses <strong>Azure 
Policy<\/strong> heavily for posture evaluation and governance.<\/li>\n<li>Integrates with <strong>Azure Resource Graph<\/strong> for inventory and querying.<\/li>\n<li>Feeds security alerts into <strong>Microsoft Sentinel<\/strong> (SIEM\/SOAR) and can integrate with <strong>Microsoft Defender XDR<\/strong> for cross-domain detection\/response.<\/li>\n<li>Complements (but does not replace) <strong>Azure Policy<\/strong>, <strong>Microsoft Sentinel<\/strong>, <strong>Microsoft Defender for Endpoint<\/strong>, and <strong>Microsoft Purview<\/strong>.<\/li>\n<\/ul>\n\n\n\n<p>Official docs landing page: https:\/\/learn.microsoft.com\/azure\/defender-for-cloud\/<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">3. Why use Microsoft Defender for Cloud?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Business reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Reduce breach likelihood<\/strong> by continuously identifying misconfigurations and exposures.<\/li>\n<li><strong>Improve audit readiness<\/strong> with built-in compliance mappings and evidence-like posture reporting.<\/li>\n<li><strong>Unify security oversight<\/strong> across Azure + hybrid + multicloud instead of managing separate tools per environment.<\/li>\n<li><strong>Prioritize remediation<\/strong> using risk-based recommendations (secure score + contextual details).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Technical reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Continuous discovery and assessment of cloud resources<\/li>\n<li>Standardized recommendations aligned to benchmarks (for example, the Microsoft cloud security benchmark, formerly the Azure Security Benchmark)<\/li>\n<li>Integration with native Azure controls (Policy, RBAC, Resource Graph, Monitor, Sentinel)<\/li>\n<li>Coverage that extends to <strong>AWS\/GCP<\/strong> and <strong>on-prem<\/strong> (via connectors and Arc)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Central 
place for security posture across subscriptions and accounts<\/li>\n<li>Assignable recommendations and ownership workflows (capabilities vary\u2014verify in your tenant)<\/li>\n<li>Automation hooks to route findings to ticketing\/notifications<\/li>\n<li>Continuous export for custom reporting and long-term retention<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/compliance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Regulatory compliance dashboards (standards mapping varies by offering\/region\u2014verify)<\/li>\n<li>Continuous monitoring and security baselining<\/li>\n<li>Threat detection via Defender plans for supported workloads (servers, containers, data services, etc.)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scalability\/performance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Scales across thousands of resources and many subscriptions<\/li>\n<li>Central governance at management group level supports enterprise scale landing zones<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should choose it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You run workloads in <strong>Azure<\/strong> and need native posture + threat detection.<\/li>\n<li>You manage <strong>multiple subscriptions<\/strong> and want centralized security governance.<\/li>\n<li>You have <strong>hybrid<\/strong> servers (Arc) or <strong>AWS\/GCP<\/strong> workloads and want a single posture view.<\/li>\n<li>You already use Microsoft security stack (Sentinel, Defender XDR, Entra ID).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should not choose it (or should limit scope)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You need a single tool that covers every niche platform equally (some third-party CNAPP tools may support broader non-Azure services).<\/li>\n<li>You want full feature parity without enabling paid plans (many advanced capabilities are plan-dependent).<\/li>\n<li>You cannot meet data residency\/processing 
constraints for required telemetry destinations (verify requirements and options).<\/li>\n<li>You have a mature CNAPP already and only need a subset of features; in that case, integrate carefully to avoid paying twice.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">4. Where is Microsoft Defender for Cloud used?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Industries<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Financial services (compliance reporting, secure baseline enforcement)<\/li>\n<li>Healthcare (audit readiness, hybrid datacenters)<\/li>\n<li>Retail\/e-commerce (large attack surface, containerized workloads)<\/li>\n<li>Manufacturing\/IoT (hybrid footprints, OT-adjacent monitoring boundaries)<\/li>\n<li>SaaS and software companies (DevOps security posture, multicloud workloads)<\/li>\n<li>Public sector (governance, compliance mapping, centralized controls)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Team types<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud platform teams (landing zones, guardrails)<\/li>\n<li>Security engineering (posture, detection engineering, integrations)<\/li>\n<li>SOC teams (alert triage via Sentinel\/Defender XDR)<\/li>\n<li>DevOps\/SRE (infrastructure security, container\/Kubernetes posture)<\/li>\n<li>Compliance\/GRC (control mapping and reporting)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Workloads<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Azure IaaS VMs, PaaS services, storage, key management<\/li>\n<li>AKS and container registries (plan-dependent features)<\/li>\n<li>Databases (Azure SQL and other supported data platforms)<\/li>\n<li>Hybrid servers via Azure Arc<\/li>\n<li>AWS accounts and GCP projects via connectors (capabilities vary by connector type)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Architectures<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enterprise landing zones (management groups, policy at scale)<\/li>\n<li>Hub-and-spoke 
networks with shared services<\/li>\n<li>Multi-subscription app portfolios<\/li>\n<li>Multicloud reference architectures (central security management plane)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Production vs dev\/test usage<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Production:<\/strong> focus on risk reduction, alerting, compliance posture, automation to ITSM\/SOAR<\/li>\n<li><strong>Dev\/test:<\/strong> secure defaults, reduce public exposure, prevent drift; often use free CSPM signals plus targeted paid plans where needed<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">5. Top Use Cases and Scenarios<\/h2>\n\n\n\n<p>Below are realistic scenarios you can implement with Microsoft Defender for Cloud in Azure <strong>Hybrid + Multicloud<\/strong> environments.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) Subscription security posture baseline (Secure score)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Teams don\u2019t know what\u2019s misconfigured across subscriptions.<\/li>\n<li><strong>Why it fits:<\/strong> Provides centralized recommendations and secure score at management group\/subscription scope.<\/li>\n<li><strong>Example:<\/strong> A platform team monitors secure score across 30 subscriptions and tracks improvement after policy rollouts.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Exposed management ports detection (SSH\/RDP open to Internet)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Internet-exposed VMs increase breach risk.<\/li>\n<li><strong>Why it fits:<\/strong> Posture checks identify risky NSG rules and recommend restricting access.<\/li>\n<li><strong>Example:<\/strong> Defender for Cloud flags VM NSGs allowing <code>0.0.0.0\/0<\/code> to port 22\/3389, prompting a change to Bastion or IP-restricted rules.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) Regulatory compliance posture 
reporting<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Auditors need evidence that controls are implemented.<\/li>\n<li><strong>Why it fits:<\/strong> Compliance dashboards map findings to standards and provide a continuous view.<\/li>\n<li><strong>Example:<\/strong> A regulated company uses compliance dashboards to track alignment with the Microsoft cloud security benchmark (formerly the Azure Security Benchmark) across production subscriptions.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) Hybrid server posture via Azure Arc<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> On-prem servers are unmanaged compared to cloud resources.<\/li>\n<li><strong>Why it fits:<\/strong> Arc onboarding brings servers into Azure for assessment and governance; Defender plans can add protections.<\/li>\n<li><strong>Example:<\/strong> A factory datacenter onboards Windows\/Linux servers through Arc and monitors baseline misconfigurations centrally.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) Multicloud posture (AWS + GCP) in one console<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Security teams lack a unified view across clouds.<\/li>\n<li><strong>Why it fits:<\/strong> Cloud connectors onboard AWS\/GCP to collect posture signals and (optionally) threat signals.<\/li>\n<li><strong>Example:<\/strong> A SaaS provider connects AWS accounts and GCP projects and monitors high-risk misconfigurations across all three clouds.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) Kubernetes and container security (AKS posture + runtime signals)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Kubernetes clusters drift from best practices; runtime threats occur.<\/li>\n<li><strong>Why it fits:<\/strong> Defender plans for containers can provide posture insights and threat detection (coverage depends on plan).<\/li>\n<li><strong>Example:<\/strong> Security engineers review cluster hardening recommendations and detect 
suspicious container activity in production.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Storage security hardening (public access, network restrictions, data protection)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Data leakage due to overly permissive storage configuration.<\/li>\n<li><strong>Why it fits:<\/strong> Recommendations highlight exposure; specific Defender plans can add threat detection (plan-dependent).<\/li>\n<li><strong>Example:<\/strong> Defender for Cloud identifies storage accounts allowing public access and recommends private endpoints or firewall restrictions.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) Central alert routing to Microsoft Sentinel<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Alerts are scattered; SOC wants a single queue.<\/li>\n<li><strong>Why it fits:<\/strong> Defender for Cloud alerts can stream into Sentinel for correlation and response.<\/li>\n<li><strong>Example:<\/strong> A SOC uses Sentinel analytics rules to correlate Defender for Cloud alerts with identity signals.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9) Automated remediation workflows (SOAR\/ITSM)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Findings don\u2019t get fixed because they aren\u2019t operationalized.<\/li>\n<li><strong>Why it fits:<\/strong> Workflow automation can route recommendations\/alerts to email, Teams, ServiceNow, etc. 
(integration options vary).<\/li>\n<li><strong>Example:<\/strong> Critical recommendations create tickets with owners and SLAs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">10) Continuous export for custom dashboards and data retention<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Built-in views aren\u2019t enough; data needs longer retention.<\/li>\n<li><strong>Why it fits:<\/strong> Export posture and alerts to centralized data platforms for custom analytics.<\/li>\n<li><strong>Example:<\/strong> A security team exports recommendations to Log Analytics and builds workbooks by business unit.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">11) Risk-based prioritization using attack paths (plan-dependent)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Too many recommendations; unclear what enables real compromise.<\/li>\n<li><strong>Why it fits:<\/strong> Attack-path context (where available) helps prioritize changes that break likely attacker routes.<\/li>\n<li><strong>Example:<\/strong> Defender for Cloud highlights a path from a public IP \u2192 vulnerable VM \u2192 managed identity \u2192 sensitive storage.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">12) DevOps security visibility (code-to-cloud) (availability varies)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Misconfigurations are introduced in IaC and pipelines.<\/li>\n<li><strong>Why it fits:<\/strong> DevOps security integrations (where available) surface repo\/IaC risks and relate them to cloud posture.<\/li>\n<li><strong>Example:<\/strong> A team identifies insecure Terraform settings that later appear as cloud misconfigurations.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">6. Core Features<\/h2>\n\n\n\n<blockquote>\n<p>Defender for Cloud evolves frequently. 
For the authoritative list of features and plan entitlements in your tenant, verify in the Azure portal under <strong>Microsoft Defender for Cloud \u2192 Environment settings<\/strong> and the official docs.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">6.1 Foundational CSPM (posture management)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Provides baseline posture capabilities such as asset inventory, recommendations, and secure score.<\/li>\n<li><strong>Why it matters:<\/strong> Establishes \u201cwhat\u2019s wrong\u201d and \u201cwhat to fix first\u201d without requiring full workload protection.<\/li>\n<li><strong>Practical benefit:<\/strong> Quickly improves baseline security and reduces misconfiguration risk across subscriptions.<\/li>\n<li><strong>Caveats:<\/strong> Advanced features (for example, deeper risk context, agentless scanning) may require paid plans.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.2 Secure score<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Quantifies security posture using a score derived from implemented recommendations and controls.<\/li>\n<li><strong>Why it matters:<\/strong> Helps teams measure progress and prioritize work.<\/li>\n<li><strong>Practical benefit:<\/strong> Supports KPI tracking across business units and subscriptions.<\/li>\n<li><strong>Caveats:<\/strong> Secure score is an optimization tool, not a guarantee of security; treat it as directional.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.3 Security recommendations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Lists configuration and security improvement actions for resources (often backed by Azure Policy assessments).<\/li>\n<li><strong>Why it matters:<\/strong> Provides actionable remediation guidance.<\/li>\n<li><strong>Practical benefit:<\/strong> Enables consistent hardening across large 
estates.<\/li>\n<li><strong>Caveats:<\/strong> Recommendation names, thresholds, and availability can differ by resource type, cloud, and plan.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.4 Regulatory compliance dashboard<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Maps posture signals to controls in standards\/benchmarks.<\/li>\n<li><strong>Why it matters:<\/strong> Converts technical findings into compliance reporting.<\/li>\n<li><strong>Practical benefit:<\/strong> Helps GRC and engineering speak the same language.<\/li>\n<li><strong>Caveats:<\/strong> Mapping is not the same as certification; you still need governance processes and evidence.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.5 Asset inventory and coverage insights<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Shows resources by type, exposure, health, and coverage.<\/li>\n<li><strong>Why it matters:<\/strong> You can\u2019t secure what you can\u2019t see.<\/li>\n<li><strong>Practical benefit:<\/strong> Identifies \u201cshadow IT\u201d resources and coverage gaps.<\/li>\n<li><strong>Caveats:<\/strong> Inventory completeness depends on connected scopes (subscriptions\/accounts\/projects) and permissions.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.6 Defender plans (workload protection \/ CWPP)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Adds threat detection and additional security capabilities for supported workloads (servers, containers, databases, storage, etc.).<\/li>\n<li><strong>Why it matters:<\/strong> Posture alone won\u2019t detect active attacks; CWPP provides runtime\/behavioral detections depending on workload.<\/li>\n<li><strong>Practical benefit:<\/strong> Detects suspicious activity, known attack patterns, and risky behaviors; integrates with SOC tooling.<\/li>\n<li><strong>Caveats:<\/strong> Plans are paid and priced by protected resource or usage 
dimension. Enabling a plan can increase telemetry ingestion and cost.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.7 Multicloud connectors (AWS\/GCP)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Connects AWS accounts and GCP projects to Defender for Cloud for posture (and in some cases protection signals).<\/li>\n<li><strong>Why it matters:<\/strong> Unifies governance across multicloud.<\/li>\n<li><strong>Practical benefit:<\/strong> Single dashboard and reporting layer across clouds.<\/li>\n<li><strong>Caveats:<\/strong> You must deploy roles\/service accounts and permissions in AWS\/GCP; capabilities differ per cloud and connector type.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.8 Hybrid onboarding via Azure Arc<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Onboards non-Azure machines into Azure management for governance and (plan-dependent) protection.<\/li>\n<li><strong>Why it matters:<\/strong> Extends cloud security controls to datacenters and edge locations.<\/li>\n<li><strong>Practical benefit:<\/strong> Central policy and inventory across hybrid servers.<\/li>\n<li><strong>Caveats:<\/strong> Requires Arc deployment and connectivity; some protections require additional agents and configuration.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.9 Workflow automation (alerts and recommendations routing)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Triggers actions when certain findings occur (for example, notify, create a ticket, call a webhook).<\/li>\n<li><strong>Why it matters:<\/strong> Security improves when remediation becomes operational work with owners and SLAs.<\/li>\n<li><strong>Practical benefit:<\/strong> Faster mean time to remediate (MTTR).<\/li>\n<li><strong>Caveats:<\/strong> Automations can create noise if poorly tuned; ensure least-privilege for automation identities.<\/li>\n<\/ul>\n\n\n\n<h3 
class=\"wp-block-heading\">6.10 Continuous export (posture and alerts)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Streams findings to external destinations for retention, analytics, and integration.<\/li>\n<li><strong>Why it matters:<\/strong> Enables custom dashboards, correlation, and long-term retention strategies.<\/li>\n<li><strong>Practical benefit:<\/strong> Centralize security data across multiple subscriptions.<\/li>\n<li><strong>Caveats:<\/strong> Export destinations (Log Analytics\/Event Hubs\/etc.) incur costs and require governance.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.11 Advanced risk context (for example, attack paths) (plan-dependent)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Highlights chains of misconfigurations\/exposures that can lead to compromise.<\/li>\n<li><strong>Why it matters:<\/strong> Helps prioritize \u201cfix this first\u201d based on real-world exploitability paths.<\/li>\n<li><strong>Practical benefit:<\/strong> Reduces time wasted on low-impact hardening tasks.<\/li>\n<li><strong>Caveats:<\/strong> Availability and exact feature set depend on your Defender for Cloud plans (verify in docs).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">7. 
Architecture and How It Works<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">High-level architecture<\/h3>\n\n\n\n<p>Microsoft Defender for Cloud operates as a management-plane service that evaluates your environments through:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Control-plane signals:<\/strong> Azure Resource Manager metadata, Azure Policy evaluations, configuration state<\/li>\n<li><strong>Telemetry signals (plan-dependent):<\/strong> agent-based or agentless scanning, workload logs\/events, threat detections<\/li>\n<li><strong>Cloud connectors:<\/strong> AWS\/GCP configurations and findings pulled into Defender for Cloud<\/li>\n<li><strong>Outputs:<\/strong> recommendations, secure score, compliance posture, and (if enabled) security alerts<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Request\/data\/control flow (typical)<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Discovery:<\/strong> Defender for Cloud discovers resources in connected scopes (subscriptions, accounts, projects).<\/li>\n<li><strong>Assessment:<\/strong> It evaluates configurations using policy\/assessment logic.<\/li>\n<li><strong>Enrichment:<\/strong> Some findings are enriched with context (exposure, identity relationships, internet reachability) depending on your setup and plans.<\/li>\n<li><strong>Presentation:<\/strong> Findings show up in the Defender for Cloud portal (recommendations, score, compliance).<\/li>\n<li><strong>Action:<\/strong> You remediate manually, via policy, via automation, or via infrastructure changes.<\/li>\n<li><strong>Export\/Integrate:<\/strong> Optionally export to Log Analytics\/Event Hubs and send alerts to Sentinel\/Defender XDR.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Integrations with related services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Azure Policy:<\/strong> Many posture assessments are policy-driven; policy can enforce\/deny or audit.<\/li>\n<li><strong>Azure Resource Graph:<\/strong> inventory 
and query layer.<\/li>\n<li><strong>Azure Monitor \/ Log Analytics:<\/strong> storage and analytics for exported data and some detections (depending on plans and configurations).<\/li>\n<li><strong>Microsoft Sentinel:<\/strong> SIEM\/SOAR for alert ingestion and incident management.<\/li>\n<li><strong>Microsoft Defender XDR:<\/strong> cross-domain correlation (availability and integration specifics vary\u2014verify in docs).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Dependency services (common)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Azure Resource Manager<\/li>\n<li>Azure Policy<\/li>\n<li>Azure Monitor (optional but common)<\/li>\n<li>Log Analytics workspaces (optional\/required depending on plans and export)<\/li>\n<li>Azure Arc (for hybrid servers)<\/li>\n<li>AWS IAM \/ GCP IAM (for multicloud connectors)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/authentication model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Azure RBAC<\/strong> controls who can view\/modify Defender for Cloud settings and who can see findings.<\/li>\n<li>Defender for Cloud reads resource configuration using Azure control-plane access; for connectors, it requires cloud-native roles\/permissions in AWS\/GCP.<\/li>\n<li>Automation typically uses a <strong>managed identity<\/strong> or service principal with least privilege.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Networking model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Defender for Cloud is accessed via the Azure portal and Azure APIs over HTTPS.<\/li>\n<li>For hybrid\/multicloud, connectivity depends on:\n<ul class=\"wp-block-list\">\n<li>Azure Arc agent connectivity to Azure endpoints<\/li>\n<li>AWS\/GCP API access for connector deployments<\/li>\n<li>Any agent\/extension connectivity requirements for selected Defender plans<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use the Azure <strong>Activity 
log<\/strong> to audit changes to Defender for Cloud configuration: plan enablement, settings, continuous export and workflow automation are Azure Resource Manager write operations on <code>Microsoft.Security<\/code> resource types, so each change is recorded there with the caller identity and timestamp.<\/li>\n<li>Use <strong>management groups<\/strong> for centralized governance and consistent plan enablement (plans are enabled per subscription; Azure Policy assignments at management group scope keep them consistent across subscriptions).<\/li>\n<li>Establish naming, tagging, and subscription boundaries to align secure score reporting with ownership.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Simple architecture diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart LR\n  subgraph Azure[\"Azure Subscription(s)\"]\n    RG[\"Resources (VMs, Storage, AKS, SQL, etc.)\"]\n    POL[\"Azure Policy Assessments\"]\n  end\n\n  DFC[\"Microsoft Defender for Cloud\\n(Posture + Plans)\"]\n\n  RG --&gt; DFC\n  POL --&gt; DFC\n  DFC --&gt; REC[\"Recommendations + Secure Score\"]\n  DFC --&gt; COMP[\"Regulatory Compliance\"]\n  DFC --&gt; ALERTS[\"Security Alerts (if plans enabled)\"]\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Production-style Hybrid + Multicloud diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart TB\n  subgraph MG[\"Management Group \/ Central Governance\"]\n    DFC[\"Microsoft Defender for Cloud\"]\n    POL[\"Azure Policy \/ Initiatives\"]\n  end\n\n  subgraph AZ[\"Azure\"]\n    SUB1[\"Prod Subscription\"]\n    SUB2[\"Dev Subscription\"]\n    AKS[\"AKS Clusters\"]\n    VM[\"VMs\"]\n    PaaS[\"PaaS (Storage, Key Vault, SQL, etc.)\"]\n  end\n\n  subgraph HY[\"Hybrid\"]\n    ARC[\"Azure Arc-enabled Servers\"]\n  end\n\n  subgraph MC[\"Multicloud\"]\n    AWS[\"AWS Accounts\\n(Connector + IAM Role)\"]\n    GCP[\"GCP Projects\\n(Connector + Service Account)\"]\n  end\n\n  subgraph SECOPS[\"SecOps Tooling\"]\n    SENT[\"Microsoft Sentinel\"]\n    XDR[\"Microsoft Defender XDR\"]\n    LA[\"Log Analytics \/ Data Platform\\n(optional export)\"]\n    ITSM[\"ITSM \/ SOAR (Logic Apps, ServiceNow, etc.)\"]\n  end\n\n  POL --&gt; SUB1\n  POL --&gt; SUB2\n\n  SUB1 --&gt; DFC\n  SUB2 --&gt; DFC\n  AKS --&gt; DFC\n  VM --&gt; DFC\n  
PaaS --&gt; DFC\n\n  ARC --&gt; DFC\n  AWS --&gt; DFC\n  GCP --&gt; DFC\n\n  DFC --&gt; SENT\n  DFC --&gt; XDR\n  DFC --&gt; LA\n  DFC --&gt; ITSM\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">8. Prerequisites<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Account\/subscription\/tenant requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An <strong>Azure subscription<\/strong> where you can deploy a small lab workload.<\/li>\n<li>If using management group scope (enterprise), you need permissions at the <strong>management group<\/strong> level.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Permissions (IAM roles)<\/h3>\n\n\n\n<p>At minimum:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>To <strong>view<\/strong> Defender for Cloud posture: <strong>Security Reader<\/strong> (or broader Reader roles).<\/li>\n<li>To <strong>change settings \/ enable plans \/ configure exports<\/strong>: typically <strong>Security Admin<\/strong> or <strong>Owner<\/strong> at the relevant scope.<\/li>\n<li>To deploy lab resources: <strong>Contributor<\/strong> (or Owner) on the target subscription\/resource group.<\/li>\n<\/ul>\n\n\n\n<p>Role requirements can vary depending on the feature (connectors, workflow automation, continuous export). 
Verify in official docs for your scenario.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Billing requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Foundational posture features may be available without enabling paid plans, but <strong>workload protection plans are paid<\/strong>.<\/li>\n<li>Your subscription must have an active payment method if you enable paid plans or deploy billable resources (VMs, public IPs, disks).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Tools<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Azure CLI (recommended): https:\/\/learn.microsoft.com\/cli\/azure\/install-azure-cli<\/li>\n<li>Azure portal access<\/li>\n<li>SSH client (if you choose to connect to the VM)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Region availability<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Defender for Cloud is a global service, but some plan features and data handling options are region-dependent.<\/li>\n<li>Choose a region that supports your target workload types. If unsure, <strong>verify in official docs<\/strong> for the feature you plan to use.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas\/limits<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Standard Azure subscription quotas apply (VM cores, public IPs, etc.).<\/li>\n<li>Some Defender for Cloud capabilities may have service limits (for example, export rules, connectors). Verify in official docs if you are implementing at scale.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Prerequisite services for the lab<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Resource group<\/li>\n<li>Virtual network + subnet<\/li>\n<li>Network Security Group (NSG)<\/li>\n<li>One small Linux VM (low cost)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">9. 
Pricing \/ Cost<\/h2>\n\n\n\n<p>Microsoft Defender for Cloud pricing is <strong>usage- and resource-based<\/strong>, and varies by:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Selected Defender plans<\/strong> (for example, servers, containers, storage, databases)<\/li>\n<li><strong>Measured units<\/strong> (per resource, per node, per vCore, per transaction, per GB, etc.\u2014depends on the plan)<\/li>\n<li><strong>Region<\/strong> and sometimes <strong>billing agreement\/offer<\/strong><\/li>\n<li>Whether you enable <strong>advanced CSPM features<\/strong> (for example, Defender CSPM) vs foundational posture<\/li>\n<\/ul>\n\n\n\n<p>Official pricing page (authoritative):<br\/>\nhttps:\/\/azure.microsoft.com\/pricing\/details\/defender-for-cloud\/<\/p>\n\n\n\n<p>Azure Pricing Calculator (for scenario estimates):<br\/>\nhttps:\/\/azure.microsoft.com\/pricing\/calculator\/<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing dimensions (common patterns)<\/h3>\n\n\n\n<p>Depending on the plan you enable, costs often align to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Per server \/ per hour-month<\/strong> (Defender for Servers)<\/li>\n<li><strong>Per node \/ per vCore<\/strong> (containers\/Kubernetes-related protection)<\/li>\n<li><strong>Per storage account and\/or per transaction\/GB scanned<\/strong> (storage protection features)<\/li>\n<li><strong>Per database server\/instance<\/strong> (database protection)<\/li>\n<li><strong>Per resource protected<\/strong> for specific PaaS services<\/li>\n<\/ul>\n\n\n\n<p>Because Microsoft updates plan packaging, included features, and meters over time, <strong>verify the exact meters for each plan in the pricing page and your Azure portal<\/strong> before enabling at scale.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Free tier \/ no-cost capabilities<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Defender for Cloud includes baseline posture capabilities (often referred to as foundational CSPM) that can be used without enabling all paid Defender plans.<\/li>\n<li>Exact entitlements can change\u2014verify current 
free vs paid boundaries in official docs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Main cost drivers<\/h3>\n\n\n\n<p>Direct:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enabling one or more <strong>Defender plans<\/strong> across subscriptions<\/li>\n<li>Protecting <strong>large fleets<\/strong> (servers, nodes, databases)<\/li>\n<li><strong>Data processing<\/strong> features (agentless scanning, vulnerability assessments) depending on plan<\/li>\n<\/ul>\n\n\n\n<p>Indirect (often overlooked):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Log Analytics ingestion and retention<\/strong> if you export data or use features that depend on it<\/li>\n<li><strong>Network egress<\/strong> if exporting to external systems across regions<\/li>\n<li><strong>Azure Arc<\/strong> operational overhead (not usually costly itself, but associated monitoring\/agents may be)<\/li>\n<li><strong>Automation<\/strong> services (Logic Apps runs, Functions executions) if you enable workflow automation<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network\/data transfer implications<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Exporting findings to centralized workspaces\/event streams can generate cross-region traffic and ingestion.<\/li>\n<li>Multicloud connectors pull data from AWS\/GCP APIs; while that\u2019s not Azure egress, it can have <strong>API and logging<\/strong> implications in those clouds (verify in AWS\/GCP billing docs).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How to optimize cost (practical)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Start with <strong>posture (foundational CSPM)<\/strong> across all subscriptions.<\/li>\n<li>Enable paid Defender plans only where needed:\n<ul class=\"wp-block-list\">\n<li>production subscriptions first<\/li>\n<li>high-value workloads (internet-facing, sensitive data, regulated environments)<\/li>\n<\/ul>\n<\/li>\n<li>Use management groups to apply plans consistently, but consider segmentation to avoid enabling paid plans in dev\/test inadvertently.<\/li>\n<li>Review and tune export destinations and retention (Log Analytics costs can 
exceed expectations).<\/li>\n<li>Use tagging and subscription strategy so costs can be allocated accurately (chargeback\/showback).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Example low-cost starter estimate (conceptual)<\/h3>\n\n\n\n<p>A low-cost way to start:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use foundational posture features across the subscription.<\/li>\n<li>Deploy a tiny VM only for testing recommendations, then delete it.<\/li>\n<\/ul>\n\n\n\n<p>Costs you should expect:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>VM compute + OS disk + public IP for a short time (Azure IaaS charges; varies by region\/size).<\/li>\n<li>No additional Defender plan charges if you do not enable paid plans.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Example production cost considerations<\/h3>\n\n\n\n<p>In production, cost planning typically includes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Defender plans for critical workload types (servers, containers, databases, storage)<\/li>\n<li>Central export and retention strategy (Log Analytics, Sentinel ingestion)<\/li>\n<li>Coverage for hybrid servers (Arc + any required agents)<\/li>\n<li>Multicloud connector scope (number of AWS accounts\/GCP projects)<\/li>\n<\/ul>\n\n\n\n<p>For a real estimate:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Inventory the protected resources (servers, clusters, databases).<\/li>\n<li>Decide which plans apply to which subscriptions.<\/li>\n<li>Model Log Analytics\/Sentinel ingestion and retention.<\/li>\n<li>Use the pricing calculator and validate against the official pricing page.<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">10. 
Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n<p>This lab focuses on <strong>posture management<\/strong> (recommendations and secure score) and demonstrates how Defender for Cloud helps you identify and remediate a common issue: <strong>a VM management port exposed to the Internet<\/strong>.<\/p>\n\n\n\n<p>This lab is designed to be safe and low-cost, but it deploys a VM, which is billable until you clean it up.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Objective<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enable and explore Microsoft Defender for Cloud posture features in Azure.<\/li>\n<li>Create a deliberately risky configuration (SSH open to the Internet).<\/li>\n<li>Observe the recommendation in Defender for Cloud.<\/li>\n<li>Remediate the issue by restricting SSH exposure.<\/li>\n<li>Verify the recommendation improves after re-evaluation.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Lab Overview<\/h3>\n\n\n\n<p>You will:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Create a resource group and a small Linux VM.<\/li>\n<li>Add an NSG rule allowing inbound SSH from <code>0.0.0.0\/0<\/code>.<\/li>\n<li>Use Defender for Cloud to identify the exposure and view recommendations.<\/li>\n<li>Fix the NSG rule (limit SSH to your IP or remove the rule).<\/li>\n<li>Trigger\/confirm reassessment and validate the improvement.<\/li>\n<li>Delete the resource group to stop charges.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Prepare your environment (Azure CLI + variables)<\/h3>\n\n\n\n<p>1) Sign in and select the right subscription:<\/p>\n\n\n\n<pre><code class=\"language-bash\">az login\naz account show --output table\naz account set --subscription \"&lt;YOUR_SUBSCRIPTION_ID_OR_NAME&gt;\"\n<\/code><\/pre>\n\n\n\n<p>2) Set variables (choose a region close to you):<\/p>\n\n\n\n<pre><code class=\"language-bash\">RG=\"rg-defenderforcloud-lab\"\nLOC=\"eastus\"\nVMNAME=\"vm-dfc-lab\"\nADMINUSER=\"azureuser\"\n<\/code><\/pre>\n\n\n\n<p>3) Create a resource group:<\/p>\n\n\n\n<pre><code class=\"language-bash\">az group create --name \"$RG\" --location \"$LOC\"\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> Resource group is created successfully.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Create a VM with an NSG (and then intentionally expose SSH)<\/h3>\n\n\n\n<p>1) Create an SSH key (if you don\u2019t already have one):<\/p>\n\n\n\n<pre><code class=\"language-bash\">ssh-keygen -t ed25519 -f ~\/.ssh\/id_ed25519_dfc_lab -N \"\"\n<\/code><\/pre>\n\n\n\n<p>2) Create a small Ubuntu VM. 
This command also creates a VNet, subnet, NSG, and public IP by default. <code>--nsg-rule NONE<\/code> stops the CLI from adding its own default rule that opens SSH to any source, so the only Internet exposure is the rule you add deliberately in 4) below and restrict again in Step 5:<\/p>\n\n\n\n<pre><code class=\"language-bash\">az vm create \\\n  --resource-group \"$RG\" \\\n  --name \"$VMNAME\" \\\n  --image \"Ubuntu2204\" \\\n  --size \"Standard_B1s\" \\\n  --nsg-rule NONE \\\n  --admin-username \"$ADMINUSER\" \\\n  --ssh-key-values ~\/.ssh\/id_ed25519_dfc_lab.pub\n<\/code><\/pre>\n\n\n\n<p>3) Get the public IP:<\/p>\n\n\n\n<pre><code class=\"language-bash\">PUBLICIP=$(az vm show -d -g \"$RG\" -n \"$VMNAME\" --query publicIps -o tsv)\necho \"$PUBLICIP\"\n<\/code><\/pre>\n\n\n\n<p>4) Intentionally open SSH to the Internet (bad practice) by adding an NSG rule allowing <code>0.0.0.0\/0<\/code> to port 22.<\/p>\n\n\n\n<p>First, find the NSG name:<\/p>\n\n\n\n<pre><code class=\"language-bash\">NSG=$(az network nsg list -g \"$RG\" --query \"[0].name\" -o tsv)\necho \"$NSG\"\n<\/code><\/pre>\n\n\n\n<p>Create the rule:<\/p>\n\n\n\n<pre><code class=\"language-bash\">az network nsg rule create \\\n  --resource-group \"$RG\" \\\n  --nsg-name \"$NSG\" \\\n  --name \"Allow-SSH-From-Internet\" \\\n  --priority 200 \\\n  --access Allow \\\n  --protocol Tcp \\\n  --direction Inbound \\\n  --source-address-prefixes \"*\" \\\n  --source-port-ranges \"*\" \\\n  --destination-address-prefixes \"*\" \\\n  --destination-port-ranges 22\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> The VM exists and SSH is reachable from any IP address on the Internet (insecure on purpose).<\/p>\n\n\n\n<p>Optional verification (network reachability):<\/p>\n\n\n\n<pre><code class=\"language-bash\">ssh -i ~\/.ssh\/id_ed25519_dfc_lab ${ADMINUSER}@${PUBLICIP}\n<\/code><\/pre>\n\n\n\n<p>Exit the SSH session:<\/p>\n\n\n\n<pre><code class=\"language-bash\">exit\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Review Microsoft Defender for Cloud posture and recommendations<\/h3>\n\n\n\n<p>1) In the Azure portal, open <strong>Microsoft Defender for Cloud<\/strong>: https:\/\/portal.azure.com\/#view\/Microsoft_Azure_Security\/SecurityMenuBlade\/~\/0<\/p>\n\n\n\n<p>2) In Defender for Cloud:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Open <strong>Secure score<\/strong> and note the current score for your subscription.<\/li>\n<li>Open <strong>Recommendations<\/strong> and filter\/sort by <strong>Resource group<\/strong> = <code>rg-defenderforcloud-lab<\/code> (or search for your VM name).<\/li>\n<\/ul>\n\n\n\n<p>3) Look for a recommendation related to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Management ports<\/strong> being open (SSH\/RDP), or<\/li>\n<li><strong>Restricting access<\/strong> to management ports, or<\/li>\n<li><strong>NSG rules<\/strong> allowing inbound access from the Internet.<\/li>\n<\/ul>\n\n\n\n<blockquote>\n<p>Recommendation names can change as policies evolve. If you don\u2019t see it immediately, wait 15\u201360 minutes and proceed to Step 4 to trigger a scan.<\/p>\n<\/blockquote>\n\n\n\n<p><strong>Expected outcome:<\/strong> You can see posture findings for resources in the subscription, and Defender for Cloud is actively evaluating your VM\/NSG configuration.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Trigger a policy compliance scan (to speed up evaluation)<\/h3>\n\n\n\n<p>Defender for Cloud posture findings are often backed by Azure Policy evaluations, which can be periodic. 
You can trigger a scan to speed up feedback.<\/p>\n\n\n\n<p>Run:<\/p>\n\n\n\n<pre><code class=\"language-bash\">az policy state trigger-scan --resource-group \"$RG\"\n<\/code><\/pre>\n\n\n\n<p>If your Azure CLI version doesn\u2019t support that command, update Azure CLI or trigger a scan at the subscription scope:<\/p>\n\n\n\n<pre><code class=\"language-bash\">SUBID=$(az account show --query id -o tsv)\naz policy state trigger-scan --subscription \"$SUBID\"\n<\/code><\/pre>\n\n\n\n<p>Now re-check Defender for Cloud recommendations in the portal after a few minutes.<\/p>\n\n\n\n<p><strong>Expected outcome:<\/strong> Recommendations should update sooner (though some assessments still take time).<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: Remediate by restricting SSH exposure<\/h3>\n\n\n\n<p>Best-practice options include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>Azure Bastion<\/strong> (costs extra, but avoids inbound SSH entirely)<\/li>\n<li>Use <strong>Just-In-Time access<\/strong> (availability depends on Defender plan and configuration\u2014verify)<\/li>\n<li>Restrict SSH to your corporate IP(s) only<\/li>\n<li>Use a private VM with no public IP (recommended for production)<\/li>\n<\/ul>\n\n\n\n<p>For this lab, restrict SSH to <strong>your current public IP<\/strong>.<\/p>\n\n\n\n<p>1) Find your public IP (quick method): use a trusted \u201cwhat is my IP\u201d service in your browser, or your corporate egress IP.<\/p>\n\n\n\n<p>Set it as a variable (example uses <code>\/32<\/code>):<\/p>\n\n\n\n<pre><code class=\"language-bash\">MYIP=\"&lt;YOUR_PUBLIC_IP&gt;\/32\"\necho \"$MYIP\"\n<\/code><\/pre>\n\n\n\n<p>2) Update the NSG rule to only allow your IP:<\/p>\n\n\n\n<pre><code class=\"language-bash\">az network nsg rule update \\\n  --resource-group \"$RG\" \\\n  --nsg-name \"$NSG\" \\\n  --name \"Allow-SSH-From-Internet\" \\\n  --source-address-prefixes \"$MYIP\"\n<\/code><\/pre>\n\n\n\n<p>Optional: verify the rule:<\/p>\n\n\n\n<pre><code 
class=\"language-bash\">az network nsg rule show \\\n  --resource-group \"$RG\" \\\n  --nsg-name \"$NSG\" \\\n  --name \"Allow-SSH-From-Internet\" \\\n  --query \"{name:name, sourceAddressPrefix:sourceAddressPrefix, sourceAddressPrefixes:sourceAddressPrefixes, destPort:destinationPortRange, access:access}\" \\\n  -o json\n<\/code><\/pre>\n\n\n\n<p>The query returns both source fields because the CLI stores a single prefix in <code>sourceAddressPrefix<\/code> and only fills the <code>sourceAddressPrefixes<\/code> list when several prefixes are given.<\/p>\n\n\n\n<p><strong>Expected outcome:<\/strong> SSH is no longer open to the entire Internet; only your IP can connect.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 6: Re-check Defender for Cloud recommendations and secure score<\/h3>\n\n\n\n<p>1) Trigger another compliance scan:<\/p>\n\n\n\n<pre><code class=\"language-bash\">az policy state trigger-scan --resource-group \"$RG\"\n<\/code><\/pre>\n\n\n\n<p>2) In the Azure portal:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Return to <strong>Microsoft Defender for Cloud \u2192 Recommendations<\/strong><\/li>\n<li>Find the previous \u201cmanagement ports open\u201d related recommendation and confirm it changes state over time (for example, from unhealthy to healthy), depending on the assessment cycle.<\/li>\n<\/ul>\n\n\n\n<p>3) Check <strong>Secure score<\/strong> again after the recommendation state updates.<\/p>\n\n\n\n<p><strong>Expected outcome:<\/strong> The recommendation eventually reflects the improved configuration, and secure score may improve.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Validation<\/h3>\n\n\n\n<p>Use this checklist:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>NSG rule validation (CLI):<\/strong>\n<ul class=\"wp-block-list\">\n<li><code>sourceAddressPrefix<\/code> (or <code>sourceAddressPrefixes<\/code>, when several are set) is your <code>\/32<\/code> IP, not <code>*<\/code> or <code>0.0.0.0\/0<\/code>.<\/li>\n<li>No other inbound rule in the NSG still allows port 22 from <code>*<\/code> or <code>0.0.0.0\/0<\/code> (list them with <code>az network nsg rule list -g \"$RG\" --nsg-name \"$NSG\" -o table<\/code>).<\/li>\n<\/ul>\n<\/li>\n<li><strong>Portal validation (Defender for Cloud):<\/strong>\n<ul class=\"wp-block-list\">\n<li>Recommendation related to open management ports is no longer flagged (or shows as remediated) after reassessment.<\/li>\n<li>Secure score reflects improvement (timing depends on evaluation).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" 
\/>\n\n\n\n<h3 class=\"wp-block-heading\">Troubleshooting<\/h3>\n\n\n\n<p><strong>Issue: I don\u2019t see any recommendations for my VM\/NSG<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Wait longer: some assessments can take 30\u201360 minutes.<\/li>\n<li>Trigger a scan with <code>az policy state trigger-scan<\/code>.<\/li>\n<li>Confirm you\u2019re viewing the correct scope (subscription and resource group).<\/li>\n<li>Confirm you have at least <strong>Security Reader<\/strong> permissions.<\/li>\n<\/ul>\n\n\n\n<p><strong>Issue: Azure CLI command <code>az policy state trigger-scan<\/code> fails<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Update Azure CLI: https:\/\/learn.microsoft.com\/cli\/azure\/update-azure-cli<\/li>\n<li>Ensure you\u2019re logged in to the correct tenant\/subscription.<\/li>\n<li>Try triggering at subscription scope instead of resource group.<\/li>\n<\/ul>\n\n\n\n<p><strong>Issue: Secure score didn\u2019t change<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Secure score changes can lag behind recommendation state changes.<\/li>\n<li>Not all recommendations affect secure score equally.<\/li>\n<li>Verify that the recommendation you remediated is score-impacting.<\/li>\n<\/ul>\n\n\n\n<p><strong>Issue: I locked myself out of SSH<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Confirm your current public IP didn\u2019t change (home ISPs can rotate IPs).<\/li>\n<li>Temporarily add your new IP to the NSG rule.<\/li>\n<li>Consider using Azure Bastion for stable access in real environments.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Cleanup<\/h3>\n\n\n\n<p>Delete the entire resource group to stop all charges:<\/p>\n\n\n\n<pre><code class=\"language-bash\">az group delete --name \"$RG\" --yes --no-wait\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> VM, disk, public IP, VNet, and NSG are deleted.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">11. 
Best Practices<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Architecture best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Manage Defender for Cloud at the <strong>management group<\/strong> level for consistent coverage across subscriptions.<\/li>\n<li>Use a <strong>landing zone<\/strong> strategy: separate prod\/non-prod subscriptions to avoid enabling paid plans everywhere.<\/li>\n<li>Centralize security operations:<\/li>\n<li>Export findings to a centralized workspace (when needed)<\/li>\n<li>Integrate alerts with Sentinel for SOC workflows<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">IAM\/security best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use least privilege:<\/li>\n<li>Security teams: <strong>Security Reader<\/strong> for visibility, <strong>Security Admin<\/strong> for configuration changes<\/li>\n<li>Limit who can enable paid plans (cost control)<\/li>\n<li>Use PIM (Privileged Identity Management) for just-in-time elevation for security admins (Entra ID feature\u2014verify licensing).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Start with posture management everywhere; selectively enable Defender plans where justified.<\/li>\n<li>Implement chargeback\/showback:<\/li>\n<li>Use subscriptions aligned to cost centers<\/li>\n<li>Tag resources and exports<\/li>\n<li>Monitor Log Analytics\/Sentinel ingestion, retention, and export frequency.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Performance best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Defender for Cloud is mostly control-plane; performance concerns usually relate to:<\/li>\n<li>Export volume<\/li>\n<li>Workspace query costs<\/li>\n<li>Automation frequency<\/li>\n<li>Avoid high-frequency automations that generate noise or large volumes of tickets.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Reliability best practices<\/h3>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>Use infrastructure-as-code for policy assignments and baseline configurations.<\/li>\n<li>Ensure workflow automation has retries and dead-letter patterns (where supported).<\/li>\n<li>Document operational runbooks for \u201ctop 10 recommendations\u201d remediation.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operations best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create a recurring triage cadence:<\/li>\n<li>Daily: critical alerts (if plans enabled)<\/li>\n<li>Weekly: top secure score deltas and critical recommendations<\/li>\n<li>Monthly: compliance posture review<\/li>\n<li>Track ownership:<\/li>\n<li>Map subscriptions to application owners<\/li>\n<li>Use consistent resource group naming\/tagging to identify teams<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Governance\/tagging\/naming best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enforce tags: <code>Owner<\/code>, <code>CostCenter<\/code>, <code>Environment<\/code>, <code>DataClassification<\/code><\/li>\n<li>Use naming conventions that encode environment and app identity.<\/li>\n<li>Use Azure Policy to prevent known bad states (deny policies) where appropriate and safe.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">12. 
Security Considerations<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Identity and access model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Defender for Cloud uses <strong>Azure RBAC<\/strong> for access control.<\/li>\n<li>Grant read-only access broadly (Security Reader) and restrict configuration changes to a small group (Security Admin\/Owner).<\/li>\n<li>For multicloud connectors, use <strong>least privilege IAM roles<\/strong> in AWS and <strong>least privilege service accounts<\/strong> in GCP.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Encryption<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Defender for Cloud is a managed service; data at rest and in transit is handled by Azure platform security.<\/li>\n<li>If exporting findings, ensure destinations (Log Analytics\/Event Hubs\/Storage) enforce encryption at rest and private access patterns.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network exposure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Defender for Cloud is accessed via Azure management endpoints; lock down who can access the portal and APIs using identity controls and conditional access.<\/li>\n<li>For resources, prioritize removing public exposure:<\/li>\n<li>no public IPs where possible<\/li>\n<li>private endpoints for PaaS<\/li>\n<li>restrict NSG rules, use Bastion<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secrets handling<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Avoid embedding secrets in automation runbooks.<\/li>\n<li>Prefer <strong>managed identities<\/strong> for workflow automation and exports.<\/li>\n<li>Store secrets in <strong>Azure Key Vault<\/strong> when required and restrict access.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Audit\/logging<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Log and review:<\/li>\n<li>Azure Activity Log changes to Defender for Cloud settings<\/li>\n<li>Policy assignment and exemption changes<\/li>\n<li>Connector configuration changes 
(AWS\/GCP)<\/li>\n<li>Consider exporting relevant logs to Sentinel for SOC oversight.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compliance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Confirm:\n<ul class=\"wp-block-list\">\n<li>Where exported data is stored (region\/workspace)<\/li>\n<li>Retention settings<\/li>\n<li>Access controls and separation of duties<\/li>\n<\/ul>\n<\/li>\n<li>Regulatory compliance dashboards help map posture to standards but do not replace audits.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Common security mistakes<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enabling paid plans broadly without scoping (unexpected cost + noisy alerts)<\/li>\n<li>Granting too many users Security Admin\/Owner access<\/li>\n<li>Treating secure score as the only goal instead of risk reduction<\/li>\n<li>Exporting security data to insecure destinations (public endpoints, weak access control)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secure deployment recommendations<\/h3>\n\n\n\n<p>Roll out in phases:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Foundational posture everywhere<\/li>\n<li>Policy baselines (audit first, then enforce carefully)<\/li>\n<li>Enable Defender plans for high-value workloads<\/li>\n<li>Integrate with Sentinel and automate response<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">13. 
Limitations and Gotchas<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Feature availability varies by plan and resource type:<\/strong> Some capabilities require specific Defender plans or add-ons (verify entitlements).<\/li>\n<li><strong>Assessment timing lag:<\/strong> Recommendations may take time to update; don\u2019t expect immediate changes after remediation.<\/li>\n<li><strong>Multicloud parity is not identical:<\/strong> AWS\/GCP connector capabilities differ from Azure-native coverage.<\/li>\n<li><strong>Cost surprises from telemetry\/export:<\/strong> Log Analytics ingestion and retention (and Sentinel ingestion) can become major cost drivers.<\/li>\n<li><strong>RBAC complexity at scale:<\/strong> Management group vs subscription scopes can cause confusion about where settings apply.<\/li>\n<li><strong>Noisy recommendations:<\/strong> Some recommendations may not fit your risk model; use governance processes (and where supported, suppressions\/exemptions) carefully.<\/li>\n<li><strong>Automation risk:<\/strong> Over-automating remediation without change control can break workloads.<\/li>\n<li><strong>Hybrid onboarding overhead:<\/strong> Azure Arc deployment and lifecycle management require operational maturity.<\/li>\n<li><strong>Policy conflicts:<\/strong> Existing Azure Policy initiatives may overlap with Defender recommendations; rationalize baselines.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">14. 
Comparison with Alternatives<\/h2>\n\n\n\n<p>Microsoft Defender for Cloud is best compared as part of the broader <strong>CNAPP<\/strong> landscape (CSPM + CWPP), plus native and third-party alternatives.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Comparison table<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Option<\/th>\n<th>Best For<\/th>\n<th>Strengths<\/th>\n<th>Weaknesses<\/th>\n<th>When to Choose<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Microsoft Defender for Cloud<\/strong> (Azure)<\/td>\n<td>Azure-first + hybrid + multicloud teams<\/td>\n<td>Deep Azure integration (Policy, RBAC, portal), unified posture + workload protection plans, Sentinel\/XDR integration<\/td>\n<td>Plan complexity; costs can grow; multicloud parity varies<\/td>\n<td>You want Azure-native security governance and integrated security operations<\/td>\n<\/tr>\n<tr>\n<td><strong>Azure Policy<\/strong><\/td>\n<td>Governance and guardrails<\/td>\n<td>Strong enforcement\/deny, IaC-friendly, scalable<\/td>\n<td>Not a full security product; no threat detection<\/td>\n<td>You need preventative controls and compliance enforcement (often used with Defender for Cloud)<\/td>\n<\/tr>\n<tr>\n<td><strong>Microsoft Sentinel<\/strong><\/td>\n<td>SIEM\/SOAR<\/td>\n<td>Correlation, incident management, automation<\/td>\n<td>Not a posture tool; costs tied to data ingestion<\/td>\n<td>You need SOC operations; integrate Defender for Cloud alerts into Sentinel<\/td>\n<\/tr>\n<tr>\n<td><strong>Microsoft Defender for Endpoint<\/strong><\/td>\n<td>Endpoint EDR<\/td>\n<td>Strong endpoint detections and response<\/td>\n<td>Not a cloud posture manager<\/td>\n<td>You need endpoint protection; combine with Defender for Cloud for server protection scenarios<\/td>\n<\/tr>\n<tr>\n<td><strong>AWS Security Hub + GuardDuty<\/strong><\/td>\n<td>AWS-native security<\/td>\n<td>Native AWS posture + threat services<\/td>\n<td>AWS-only (primarily)<\/td>\n<td>Your environment is primarily AWS 
and you want AWS-native tooling<\/td>\n<\/tr>\n<tr>\n<td><strong>GCP Security Command Center<\/strong><\/td>\n<td>GCP-native security<\/td>\n<td>Native GCP security posture and detections<\/td>\n<td>GCP-only<\/td>\n<td>Your environment is primarily GCP<\/td>\n<\/tr>\n<tr>\n<td><strong>Wiz \/ Prisma Cloud \/ Lacework (examples)<\/strong><\/td>\n<td>Cross-cloud CNAPP<\/td>\n<td>Strong multicloud coverage, rich context<\/td>\n<td>Additional vendor, cost, and integration work<\/td>\n<td>You need broad multicloud depth beyond native tools<\/td>\n<\/tr>\n<tr>\n<td><strong>Open-source (Prowler, ScoutSuite, Trivy, Falco)<\/strong><\/td>\n<td>Cost-sensitive or custom pipelines<\/td>\n<td>Flexible, can embed in CI\/CD<\/td>\n<td>Requires integration\/maintenance, not unified governance<\/td>\n<td>You want security checks embedded in pipelines and accept operational overhead<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">15. 
Real-World Example<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Enterprise example (regulated, hybrid, multi-subscription)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> A financial services organization runs 100+ Azure subscriptions with strict compliance requirements and also has on-prem servers.<\/li>\n<li><strong>Proposed architecture:<\/strong>\n<ul>\n<li>Management groups aligned to business units<\/li>\n<li>Foundational CSPM reviewed on every subscription, with the security baseline and the Defender plan-configuration policies assigned at management group scope so new subscriptions inherit the same settings<\/li>\n<li>Azure Arc onboarding for on-prem Windows\/Linux fleets<\/li>\n<li>Selected Defender plans enabled on production subscriptions only<\/li>\n<li>Alerts exported to Microsoft Sentinel; SOC uses Sentinel incidents and playbooks<\/li>\n<\/ul>\n<\/li>\n<li><strong>Why Defender for Cloud was chosen:<\/strong>\n<ul>\n<li>Native Azure integration at enterprise scale<\/li>\n<li>Built-in compliance posture reporting<\/li>\n<li>Central governance with Policy alignment<\/li>\n<li>Integrated alert flow to Sentinel<\/li>\n<\/ul>\n<\/li>\n<li><strong>Expected outcomes:<\/strong>\n<ul>\n<li>Reduced public exposure and baseline drift<\/li>\n<li>Measurable secure score improvement across business units<\/li>\n<li>Faster detection-to-response workflows with SOC integration<\/li>\n<li>Improved audit readiness and reporting consistency<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Startup\/small-team example (lean ops, Azure + some AWS)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> A startup runs most workloads in Azure but has a small AWS footprint; they need visibility without hiring a large security team.<\/li>\n<li><strong>Proposed architecture:<\/strong>\n<ul>\n<li>Defender for Cloud posture enabled for Azure subscriptions<\/li>\n<li>AWS account connected via the multicloud connector for a unified posture view<\/li>\n<li>Minimal automation: notify a shared SecOps channel for high-severity findings<\/li>\n<li>Selectively enable Defender plans only on the subscription that hosts internet-facing production services (plans are enabled per subscription, so keep production and dev\/test in separate subscriptions)<\/li>\n<\/ul>\n<\/li>\n<li><strong>Why Defender for Cloud was chosen:<\/strong>\n<ul>\n<li>Quick onboarding and consolidated visibility<\/li>\n<li>Integrates with existing Microsoft tooling<\/li>\n<li>Allows incremental adoption (posture first, then protection)<\/li>\n<\/ul>\n<\/li>\n<li><strong>Expected outcomes:<\/strong>\n<ul>\n<li>Clear prioritized backlog of security fixes<\/li>\n<li>Reduced chance of simple misconfigurations causing incidents<\/li>\n<li>Cost-controlled security improvements without heavy tooling sprawl<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">16. FAQ<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">1) Is Microsoft Defender for Cloud the same as Azure Security Center?<\/h3>\n\n\n\n<p>Microsoft Defender for Cloud is the current product name. <strong>Azure Security Center<\/strong> (posture) and <strong>Azure Defender<\/strong> (workload protection) were merged under the Defender for Cloud name in late 2021; the legacy names still appear in older docs, scripts, and blog posts.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2) Is Microsoft Defender for Cloud only for Azure?<\/h3>\n\n\n\n<p>No. It supports <strong>Hybrid + Multicloud<\/strong> scenarios, including onboarding <strong>AWS<\/strong> accounts and <strong>GCP<\/strong> projects via connectors and <strong>on-prem<\/strong> or other-cloud machines via Azure Arc. Feature parity varies by cloud and plan; verify for your environment.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3) Does Defender for Cloud replace Azure Policy?<\/h3>\n\n\n\n<p>No. Most default recommendations come from the Microsoft cloud security benchmark initiative that Defender for Cloud assigns through Azure Policy, and it layers a security-focused experience (score, recommendations, compliance) on top. Azure Policy remains your governance and enforcement tool: Defender for Cloud tells you a storage account allows public access; a deny policy stops the next one from being created that way.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4) Does Defender for Cloud replace Microsoft Sentinel?<\/h3>\n\n\n\n<p>No. Defender for Cloud produces posture and workload-protection signals. Sentinel is the SIEM\/SOAR that correlates them with other sources, manages incidents, and runs response automation; it ingests Defender for Cloud alerts through its Microsoft Defender for Cloud data connector.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">5) Do I need to install agents on VMs?<\/h3>\n\n\n\n<p>Not for many posture checks (control-plane based). 
Some protection features need a data source on the machine: the Defender for Endpoint integration in Defender for Servers deploys the Defender for Endpoint sensor, and some server features use the Azure Monitor agent. Agentless scanning for machines (Defender CSPM and Defender for Servers Plan 2) works from disk snapshots instead of an installed agent, so vulnerability and secrets findings are possible where you cannot run agents. Verify per plan in the official docs.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">6) What\u2019s the difference between CSPM and CWPP in Defender for Cloud?<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>CSPM:<\/strong> posture management (recommendations, secure score, compliance).<\/li>\n<li><strong>CWPP:<\/strong> workload protection (security alerts and threat detections) via Defender plans.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) What is \u201cFoundational CSPM\u201d vs \u201cDefender CSPM\u201d?<\/h3>\n\n\n\n<p>Foundational CSPM is the free baseline: asset inventory, secure score, recommendations, and the Microsoft cloud security benchmark compliance view. Defender CSPM is the paid plan that adds attack path analysis, the cloud security explorer, and agentless scanning. Exact entitlements can change; verify in the official docs and your tenant.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">8) Can I enable Defender plans for only one VM?<\/h3>\n\n\n\n<p>Plans are switched on per subscription, which covers every applicable resource in it. Some plans (for example Defender for Servers and Defender for Storage) also support resource-level enablement or exclusion through the API or Azure Policy. Check the plan\u2019s documentation before assuming one VM can be covered in isolation, and price the whole subscription before enabling broadly.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">9) How long does it take for recommendations to update after a fix?<\/h3>\n\n\n\n<p>It varies. Some update within minutes; policy-backed assessments follow the Azure Policy compliance cycle, which runs roughly once a day. Triggering an on-demand evaluation with az policy state trigger-scan speeds up policy-backed assessments, but agent-based and agentless signals keep their own schedules.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">10) Can I export recommendations and alerts to my SIEM?<\/h3>\n\n\n\n<p>Yes. Continuous export streams recommendations, alerts, secure score, and compliance data to a Log Analytics workspace or to Event Hubs (the usual route to a third-party SIEM), and the Microsoft Sentinel data connector ingests alerts directly. 
Exact export destinations and formats can vary; verify in the official docs.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">11) Does Defender for Cloud support infrastructure-as-code workflows?<\/h3>\n\n\n\n<p>Yes, in two ways. Its recommendations are backed by Azure Policy, so the baseline you review in the portal can be versioned and assigned as policy-as-code. Separately, the DevOps security capability connects Azure DevOps, GitHub, and GitLab repositories so infrastructure-as-code misconfigurations and exposed secrets surface as recommendations before deployment; verify current support for your repos and pipelines, as connector coverage changes.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">12) Is secure score a compliance score?<\/h3>\n\n\n\n<p>No. Secure score is a posture metric: the share of recommendation-based controls you have remediated. Compliance dashboards map findings to standards such as the Microsoft cloud security benchmark, but neither is a certification or an audit result.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">13) What permissions do developers need to view findings?<\/h3>\n\n\n\n<p><strong>Security Reader<\/strong> at subscription or resource-group scope is sufficient for view-only access to recommendations and alerts. <strong>Security Admin<\/strong> is needed to change plan settings, dismiss alerts, or create exemptions, and remediation itself requires write access (Contributor or a narrower role) on the affected resource. Grant the broader roles only to the team that owns the fix.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">14) Can Defender for Cloud automatically fix issues?<\/h3>\n\n\n\n<p>Some recommendations offer a \u201cFix\u201d action that applies a predefined change (for example disabling public network access or deploying an agent), and policy-backed recommendations can be remediated through Azure Policy remediation tasks. Treat both as production changes: test the effect, keep them under change control, and avoid blanket auto-remediation of anything that alters network paths.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">15) How does Defender for Cloud work in multicloud?<\/h3>\n\n\n\n<p>You deploy connectors that establish cross-cloud trust so Defender for Cloud can pull configuration and findings: the AWS connector installs a CloudFormation template that creates IAM roles Defender for Cloud assumes, and the GCP connector uses a setup script that creates service accounts and a workload identity pool. Review those roles as you would any third-party trust; posture-only access is read-mostly, while some Defender plans add write permissions (for example to deploy agents). 
Capabilities differ by cloud and connector mode.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">16) What\u2019s the safest way to start in production?<\/h3>\n\n\n\n<p>Start with posture visibility and widen only when each step has an owner:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Turn on posture (foundational CSPM is free) and review recommendations, starting with the highest secure-score impact<\/li>\n<li>Fix high-impact exposure items: public endpoints and open management ports (for example SSH\/RDP)<\/li>\n<li>Implement policy baselines at management group scope so fixed items stay fixed<\/li>\n<li>Enable paid plans for critical workloads only, with a cost estimate per subscription first<\/li>\n<li>Integrate with SOC tooling (Sentinel connector, workflow automation) once alert volume is understood<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">17) Where do I configure settings: subscription or management group?<\/h3>\n\n\n\n<p>Defender plan settings are stored on each subscription, not on the management group. Enterprises get management-group consistency by assigning the built-in \u201cConfigure Microsoft Defender for \u2026 to be enabled\u201d policies (DeployIfNotExists) at management group scope; those assignments enable the plan on every subscription in scope, including subscriptions created later, which is where unplanned cost usually comes from. Document your scope model and validate the impact on a test subscription before enabling paid plans broadly.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">17. Top Online Resources to Learn Microsoft Defender for Cloud<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Resource Type<\/th>\n<th>Name<\/th>\n<th>Why It Is Useful<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Official documentation<\/td>\n<td>Microsoft Defender for Cloud docs \u2013 https:\/\/learn.microsoft.com\/azure\/defender-for-cloud\/<\/td>\n<td>Primary reference for features, onboarding, and architecture<\/td>\n<\/tr>\n<tr>\n<td>Official pricing<\/td>\n<td>Defender for Cloud pricing \u2013 https:\/\/azure.microsoft.com\/pricing\/details\/defender-for-cloud\/<\/td>\n<td>Authoritative pricing meters and plan breakdowns<\/td>\n<\/tr>\n<tr>\n<td>Pricing tool<\/td>\n<td>Azure Pricing Calculator \u2013 https:\/\/azure.microsoft.com\/pricing\/calculator\/<\/td>\n<td>Build scenario-based cost estimates<\/td>\n<\/tr>\n<tr>\n<td>Getting started<\/td>\n<td>Defender for Cloud overview (docs) \u2013 https:\/\/learn.microsoft.com\/azure\/defender-for-cloud\/defender-for-cloud-introduction<\/td>\n<td>Clear introduction and core concepts<\/td>\n<\/tr>\n<tr>\n<td>Concepts<\/td>\n<td>Secure score in 
Defender for Cloud \u2013 https:\/\/learn.microsoft.com\/azure\/defender-for-cloud\/secure-score-security-controls<\/td>\n<td>Explains how score and controls work<\/td>\n<\/tr>\n<tr>\n<td>Concepts<\/td>\n<td>Recommendations in Defender for Cloud \u2013 https:\/\/learn.microsoft.com\/azure\/defender-for-cloud\/recommendations-reference<\/td>\n<td>Details recommendation types and remediation guidance<\/td>\n<\/tr>\n<tr>\n<td>Hybrid onboarding<\/td>\n<td>Azure Arc-enabled servers documentation \u2013 https:\/\/learn.microsoft.com\/azure\/azure-arc\/servers\/overview<\/td>\n<td>Key for hybrid scenarios that feed into Defender for Cloud<\/td>\n<\/tr>\n<tr>\n<td>Multicloud onboarding<\/td>\n<td>Connect AWS\/GCP to Defender for Cloud (docs landing) \u2013 https:\/\/learn.microsoft.com\/azure\/defender-for-cloud\/<\/td>\n<td>Entry point; search within docs for \u201cAWS connector\u201d and \u201cGCP connector\u201d<\/td>\n<\/tr>\n<tr>\n<td>Architecture guidance<\/td>\n<td>Azure Architecture Center \u2013 https:\/\/learn.microsoft.com\/azure\/architecture\/<\/td>\n<td>Reference architectures and best practices (use with Defender for Cloud)<\/td>\n<\/tr>\n<tr>\n<td>Video learning<\/td>\n<td>Microsoft Security YouTube channel \u2013 https:\/\/www.youtube.com\/@MicrosoftSecurity<\/td>\n<td>Product walkthroughs and security architecture content<\/td>\n<\/tr>\n<tr>\n<td>Product updates<\/td>\n<td>Azure updates \u2013 https:\/\/azure.microsoft.com\/updates\/<\/td>\n<td>Track changes affecting Defender for Cloud plans\/features<\/td>\n<\/tr>\n<tr>\n<td>GitHub samples<\/td>\n<td>Azure samples org \u2013 https:\/\/github.com\/Azure-Samples<\/td>\n<td>Look for governance\/security automation examples that complement Defender for Cloud<\/td>\n<\/tr>\n<tr>\n<td>Community<\/td>\n<td>Microsoft Tech Community (Security) \u2013 https:\/\/techcommunity.microsoft.com\/t5\/security-compliance-and-identity\/ct-p\/MicrosoftSecurityandCompliance<\/td>\n<td>Practical guidance and announcements 
(validate against docs)<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">18. Training and Certification Providers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Institute<\/th>\n<th>Suitable Audience<\/th>\n<th>Likely Learning Focus<\/th>\n<th>Mode<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps engineers, cloud engineers, SREs, security engineers<\/td>\n<td>Azure security fundamentals, DevSecOps practices, cloud governance<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>ScmGalaxy.com<\/td>\n<td>Beginners to intermediate IT professionals<\/td>\n<td>Software delivery, DevOps foundations, cloud basics supporting security<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.scmgalaxy.com\/<\/td>\n<\/tr>\n<tr>\n<td>CLoudOpsNow.in<\/td>\n<td>Cloud operations and platform teams<\/td>\n<td>Cloud operations, monitoring, and operational security basics<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.cloudopsnow.in\/<\/td>\n<\/tr>\n<tr>\n<td>SreSchool.com<\/td>\n<td>SREs, reliability and platform engineers<\/td>\n<td>Reliability practices, operational readiness, security operations alignment<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.sreschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>AiOpsSchool.com<\/td>\n<td>Ops\/SRE teams exploring automation<\/td>\n<td>AIOps concepts, automation, operational analytics relevant to SecOps<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.aiopsschool.com\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">19. 
Top Trainers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Platform\/Site<\/th>\n<th>Likely Specialization<\/th>\n<th>Suitable Audience<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>RajeshKumar.xyz<\/td>\n<td>DevOps\/cloud guidance (verify exact offerings)<\/td>\n<td>Beginners to intermediate practitioners<\/td>\n<td>https:\/\/www.rajeshkumar.xyz\/<\/td>\n<\/tr>\n<tr>\n<td>devopstrainer.in<\/td>\n<td>DevOps training content and coaching (verify scope)<\/td>\n<td>DevOps engineers, platform teams<\/td>\n<td>https:\/\/www.devopstrainer.in\/<\/td>\n<\/tr>\n<tr>\n<td>devopsfreelancer.com<\/td>\n<td>Freelance DevOps services\/training (verify services)<\/td>\n<td>Teams needing practical help or short-term guidance<\/td>\n<td>https:\/\/www.devopsfreelancer.com\/<\/td>\n<\/tr>\n<tr>\n<td>devopssupport.in<\/td>\n<td>DevOps support and enablement (verify scope)<\/td>\n<td>Ops teams seeking implementation support<\/td>\n<td>https:\/\/www.devopssupport.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">20. 
Top Consulting Companies<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Company Name<\/th>\n<th>Likely Service Area<\/th>\n<th>Where They May Help<\/th>\n<th>Consulting Use Case Examples<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>cotocus.com<\/td>\n<td>Cloud\/DevOps consulting (verify offerings)<\/td>\n<td>Azure governance, security posture programs, automation<\/td>\n<td>Landing zone + policy baseline rollout; integrating Defender for Cloud with SOC workflows<\/td>\n<td>https:\/\/www.cotocus.com\/<\/td>\n<\/tr>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>Training + consulting (verify offerings)<\/td>\n<td>Platform enablement, DevSecOps practices, operational readiness<\/td>\n<td>Defender for Cloud onboarding, secure baseline program, cost governance and guardrails<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>DEVOPSCONSULTING.IN<\/td>\n<td>DevOps consulting (verify offerings)<\/td>\n<td>CI\/CD, cloud operations, security practices<\/td>\n<td>Implementing policy-as-code; building remediation automation triggered by security findings<\/td>\n<td>https:\/\/www.devopsconsulting.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">21. 
Career and Learning Roadmap<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn before Microsoft Defender for Cloud<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Azure fundamentals:\n<ul>\n<li>Subscriptions, resource groups, regions<\/li>\n<li>Azure Resource Manager concepts<\/li>\n<\/ul>\n<\/li>\n<li>Identity and governance:\n<ul>\n<li>Microsoft Entra ID basics<\/li>\n<li>Azure RBAC roles and scopes<\/li>\n<li>Management groups<\/li>\n<\/ul>\n<\/li>\n<li>Networking basics:\n<ul>\n<li>VNets, subnets, NSGs, private endpoints<\/li>\n<\/ul>\n<\/li>\n<li>Logging\/monitoring basics:\n<ul>\n<li>Azure Monitor, Log Analytics concepts<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn after Microsoft Defender for Cloud<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Azure Policy deep dive (policy-as-code, initiatives, exemptions)<\/li>\n<li>Microsoft Sentinel (SIEM\/SOAR), KQL fundamentals<\/li>\n<li>Microsoft Defender XDR concepts (incident correlation)<\/li>\n<li>Threat modeling and cloud incident response<\/li>\n<li>Kubernetes security (AKS hardening, runtime security concepts)<\/li>\n<li>CI\/CD security (DevSecOps, IaC scanning, secrets management)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Job roles that use it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud Security Engineer \/ Cloud Security Architect<\/li>\n<li>Platform Engineer (security guardrails)<\/li>\n<li>DevOps \/ SRE (operational security posture)<\/li>\n<li>SOC Analyst (alert triage via Sentinel\/XDR)<\/li>\n<li>GRC \/ Compliance Analyst (posture reporting)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Certification path (examples to consider)<\/h3>\n\n\n\n<p>Microsoft certification offerings change over time. 
Commonly relevant paths include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Azure fundamentals and admin\/architect tracks<\/li>\n<li>Security-focused Microsoft certifications, for example AZ-500 (Azure Security Engineer Associate), which covers Defender for Cloud directly, and SC-100 (Cybersecurity Architect Expert)<\/li>\n<\/ul>\n\n\n\n<p>Verify current certification names and paths in official Microsoft certification pages:\nhttps:\/\/learn.microsoft.com\/credentials\/<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Project ideas for practice<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Build a secure Azure landing zone with management groups + policy baselines, then measure secure score improvements.<\/li>\n<li>Connect a dev AWS account and compare posture findings across clouds.<\/li>\n<li>Export Defender for Cloud recommendations to Log Analytics and create a custom workbook.<\/li>\n<li>Create an automation workflow that opens a ticket only for high-severity recommendations affecting internet-exposed resources.<\/li>\n<li>Onboard a hybrid VM with Azure Arc and validate posture assessments.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">22. 
Glossary<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>CSPM (Cloud Security Posture Management):<\/strong> Tools and processes to assess and improve cloud configuration security continuously.<\/li>\n<li><strong>CWPP (Cloud Workload Protection Platform):<\/strong> Security protections and threat detection for workloads like VMs, containers, and databases.<\/li>\n<li><strong>Secure score:<\/strong> A numerical representation of security posture based on implemented recommendations.<\/li>\n<li><strong>Recommendation:<\/strong> An actionable security improvement item identified by Defender for Cloud.<\/li>\n<li><strong>Azure Policy:<\/strong> Azure governance service used to audit, enforce, and assess configuration against rules.<\/li>\n<li><strong>Management group:<\/strong> A scope above subscriptions used to apply governance consistently across many subscriptions.<\/li>\n<li><strong>NSG (Network Security Group):<\/strong> Azure resource that controls inbound\/outbound traffic rules for subnets and NICs.<\/li>\n<li><strong>Azure Arc:<\/strong> Azure service that projects non-Azure resources (like on-prem servers) into Azure for management\/governance.<\/li>\n<li><strong>Connector:<\/strong> Integration mechanism for onboarding AWS accounts or GCP projects into Defender for Cloud.<\/li>\n<li><strong>Microsoft Sentinel:<\/strong> Microsoft\u2019s SIEM\/SOAR service for security analytics and incident response.<\/li>\n<li><strong>Microsoft Defender XDR:<\/strong> Integrated detection and response across Microsoft security products (identity, endpoint, email, cloud apps, etc.).<\/li>\n<li><strong>Log Analytics workspace:<\/strong> Azure Monitor data store used for log ingestion, querying, and retention.<\/li>\n<li><strong>Hybrid + Multicloud:<\/strong> Operating model spanning Azure plus other clouds (AWS\/GCP) and on-prem environments.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">23. 
Summary<\/h2>\n\n\n\n<p>Microsoft Defender for Cloud is Azure\u2019s security platform for <strong>posture management (CSPM)<\/strong> and <strong>workload protection (CWPP)<\/strong> across <strong>Azure, Hybrid, and Multicloud<\/strong> environments. It helps you discover assets, prioritize risks through recommendations and secure score, track compliance posture, and (with paid Defender plans) detect threats across key workload types.<\/p>\n\n\n\n<p>Cost-wise, start with foundational posture features across all subscriptions, then selectively enable paid plans for high-value production workloads, while keeping a close eye on telemetry\/export and Log Analytics\/Sentinel ingestion costs.<\/p>\n\n\n\n<p>Security-wise, use least privilege (Security Reader vs Security Admin), manage scope via management groups, and operationalize remediation with clear ownership and automation that doesn\u2019t create noise or risk.<\/p>\n\n\n\n<p>Next step: implement a management-group baseline (policy + posture review cadence), then integrate Defender for Cloud alerts with Microsoft Sentinel for end-to-end SecOps workflows.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hybrid + 
Multicloud<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[40,45,10],"tags":[],"class_list":["post-441","post","type-post","status-publish","format-standard","hentry","category-azure","category-hybrid-multicloud","category-security"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/441","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=441"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/441\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=441"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=441"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=441"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
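The ticket-filter workflow from the project ideas list (and step 2 of FAQ 16, fixing exposure items first), as a worked example. This is code added for this tutorial, not Microsoft's and not the page's own. It assumes assessments in the shape returned by the Microsoft.Security/assessments API or Azure Resource Graph (properties.status.code, properties.metadata.severity, properties.resourceDetails.Id); the assessment records, resource IDs, and the exposed-resource set in the block are constructed sample data, and ASSESSMENT_KQL is an assumed Resource Graph query for the real input that is not executed here.

```python
"""Triage Microsoft Defender for Cloud assessments before opening tickets.

Added example for this tutorial (not Microsoft's code). Keeps only Unhealthy,
high-severity assessments on internet-exposed resources, groups them per
resource so one noisy VM yields one ticket, and derives a stable ticket key so
repeated evaluation cycles do not reopen the same ticket.
"""
import hashlib
from collections import defaultdict

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}

# Assumed Azure Resource Graph query that would produce the input records in a
# real run (for example via `az graph query -q "$ASSESSMENT_KQL"`); not executed here.
ASSESSMENT_KQL = """
securityresources
| where type == "microsoft.security/assessments"
| extend status = tostring(properties.status.code),
         severity = tostring(properties.metadata.severity),
         resourceId = tolower(tostring(properties.resourceDetails.Id))
| where status == "Unhealthy" and severity == "High"
| project name, displayName = tostring(properties.displayName), resourceId, severity
"""

# Constructed sample resource IDs (placeholder subscription).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
WEB_VM = SUB + "/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/web01"
DB_VM = SUB + "/resourceGroups/rg-data/providers/Microsoft.Compute/virtualMachines/db01"
ARC_SRV = SUB + "/resourceGroups/rg-onprem/providers/Microsoft.HybridCompute/machines/fs01"


def _assessment(name, title, status, severity, resource_id):
    """Build one record in the Microsoft.Security/assessments shape."""
    props = {
        "displayName": title,
        "status": {"code": status},
        "resourceDetails": {"Source": "Azure", "Id": resource_id},
    }
    if severity is not None:  # metadata is only present when the API call expanded it
        props["metadata"] = {"severity": severity}
    return {"name": name, "type": "Microsoft.Security/assessments", "properties": props}


# Constructed sample assessments; names are placeholder GUIDs, not real assessment keys.
SAMPLE_ASSESSMENTS = [
    _assessment("11111111-1111-1111-1111-111111111111",
                "Management ports should be closed on your virtual machines", "Unhealthy", "High", WEB_VM),
    _assessment("22222222-2222-2222-2222-222222222222",
                "Machines should have vulnerability findings resolved", "Unhealthy", "High", WEB_VM),
    _assessment("33333333-3333-3333-3333-333333333333",
                "Log Analytics agent should be installed on virtual machines", "Unhealthy", "Low", WEB_VM),
    _assessment("11111111-1111-1111-1111-111111111111",
                "Management ports should be closed on your virtual machines", "Unhealthy", "High", DB_VM),
    _assessment("22222222-2222-2222-2222-222222222222",
                "Machines should have vulnerability findings resolved", "Healthy", "High", ARC_SRV),
    _assessment("44444444-4444-4444-4444-444444444444",
                "Disk encryption should be applied on virtual machines", "Unhealthy", None, DB_VM),
]

# Constructed: the IDs a Resource Graph query over NICs with a public IP would return.
SAMPLE_EXPOSED = {WEB_VM}


def normalize(assessment):
    """Flatten one assessment to the fields triage needs; tolerate missing metadata."""
    p = assessment.get("properties", {})
    return {
        "key": assessment.get("name", ""),
        "title": p.get("displayName", ""),
        "status": p.get("status", {}).get("code", "NotApplicable"),
        "severity": p.get("metadata", {}).get("severity", "Unknown"),
        # ARM resource IDs are case-insensitive; normalise once so set lookups match.
        "resource_id": p.get("resourceDetails", {}).get("Id", "").lower(),
    }


def ticket_key(resource_id, assessment_keys):
    """Stable ID for 'this set of findings on this resource', so re-runs do not reopen tickets."""
    material = resource_id.lower() + "|" + "|".join(sorted(assessment_keys))
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def select_for_ticket(assessments, exposed_resource_ids, min_severity="High"):
    """One ticket per internet-exposed resource with Unhealthy findings at or above
    min_severity. Healthy resources, non-exposed resources, and findings below the
    bar are dropped; an unknown severity never meets the bar."""
    threshold = SEVERITY_RANK[min_severity]
    exposed = {r.lower() for r in exposed_resource_ids}
    by_resource = defaultdict(list)
    for raw in assessments:
        a = normalize(raw)
        if a["status"] != "Unhealthy" or a["resource_id"] not in exposed:
            continue
        if SEVERITY_RANK.get(a["severity"], 0) < threshold:
            continue
        by_resource[a["resource_id"]].append(a)
    tickets = []
    for resource_id, findings in sorted(by_resource.items()):
        findings.sort(key=lambda f: f["title"])
        tickets.append({
            "ticket_key": ticket_key(resource_id, [f["key"] for f in findings]),
            "resource_id": resource_id,
            "severity": max(findings, key=lambda f: SEVERITY_RANK[f["severity"]])["severity"],
            "findings": [f["title"] for f in findings],
        })
    return tickets


if __name__ == "__main__":
    for t in select_for_ticket(SAMPLE_ASSESSMENTS, SAMPLE_EXPOSED):
        print(t["ticket_key"], t["resource_id"].rsplit("/", 1)[-1], t["severity"])
        for title in t["findings"]:
            print("  -", title)
```

Run as-is it produces a single ticket for web01 carrying both high-severity findings; db01 has the same open-port finding but no public IP, so it stays in the backlog rather than paging anyone, and the Arc machine is Healthy. In a real pipeline, feed it the output of the Resource Graph query for assessments and a second query over network interfaces with a public IP for the exposed set. The stable ticket_key is what keeps the daily evaluation cycle from FAQ 9 from reopening tickets: if the set of findings on a resource has not changed, the key has not changed either, and the workflow can upsert instead of create.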