Merge pull request #2254 from snicklezzz/wi540131-private-links

Wi540131 private links

Author: v-ccolin

articles/defender-for-cloud/TOC.yml

@@ -71,6 +71,13 @@
             - name: Connect machines with Azure Arc
               displayName: azure stack, ash, windows, linux, hybrid, arc, on-premises, Microsoft Defender XDR, alerts, integration, m365, m365d, m365 defender
               href: quickstart-onboard-machines.md
+    - name: Networking and connectivity
+      items:
+      - name: Microsoft Security Private Link for Microsoft Defender for Cloud (Preview)
+        displayName: private endpoints, private link, security private link, networking, connectivity, VPN, ExpressRoute
+        href: concept-private-links.md
+      - name: Configure private endpoints with Microsoft Security Private Link (Preview)
+        href: configure-private-endpoints.md
     - name: Enable specific plans
       expanded: false
       items:

articles/defender-for-cloud/concept-private-links.md

@@ -0,0 +1,104 @@
+---
+title: Microsoft Security Private Link for Microsoft Defender for Cloud (Preview)
+description: Learn how Microsoft Security Private Link provides secure, private connectivity between your virtual network and Microsoft Defender for Cloud.
+author: Elazark
+ms.author: elkrieger
+ms.topic: article
+ms.date: 01/07/2025
+---
+
+# Microsoft Security Private Link for Microsoft Defender for Cloud (Preview)
+
+Microsoft Security Private Link allows workloads in your virtual network to connect to Microsoft Defender for Cloud. You enable this connection by creating a Security Private Link resource in your subscription and private endpoints in your Azure virtual networks that connect to it.
+
+With private endpoints, all security-related traffic from your workloads traverses the Microsoft backbone network without exposure to the public internet. This includes telemetry from Defender agents, sensors, add-ons, and extensions.
+
+> [!NOTE]
+> Microsoft Security Private Link isn't supported in sovereign cloud regions, such as Azure Government and Azure operated by 21Vianet (21Vianet).
+
+## Supported scenarios
+
+Microsoft Security Private Link supports the following scenarios:
+
+- **Network-isolated environments**  
+  Protect workloads in isolated or restricted networks where outbound internet access is limited or not permitted.
+
+- **Hybrid and on-premises connectivity**  
+  Securely connect on-premises or hybrid environments to Microsoft Defender for Cloud by using [VPN](/azure/vpn-gateway/vpn-gateway-about-vpngateways) or [ExpressRoute](/azure/expressroute/expressroute-locations) with private peering.
+
+> [!IMPORTANT]
+> For network-isolated workloads, Microsoft Security Private Link replaces the need for Azure Monitor Private Link Scope (AMPLS) and Azure Firewall egress rules.
+
+## Connectivity architecture
+
+Microsoft Security Private Link uses Azure Private Endpoints to establish private connectivity between your virtual network and Defender for Cloud. This allows workloads to connect to Defender for Cloud endpoints using their existing fully qualified domain names (FQDNs) and authorization model.
+
+### How it works
+
+- You create a private endpoint in your virtual network and assign it an IP address from the virtual network address space.
+
+- All traffic between your workloads and Defender services flows through the Microsoft backbone network, never traversing the public internet.
+
+- Multiple Defender services can share a single Security Private Link resource, simplifying network architecture.
+
+> [!NOTE]
+> Using private endpoints might incur additional Azure costs depending on the number of endpoints and the selected architecture. For more information, see [Azure Private Link pricing](https://azure.microsoft.com/pricing/details/private-link/).
+
+:::image type="content" source="media/concept-private-links/security-private-link-diagram.png" alt-text="Diagram showing how Microsoft Defender for Cloud connects to protected resources through private endpoints." lightbox="media/concept-private-links/security-private-link-diagram.png":::
+
+## Roles and permissions
+
+Microsoft Security Private Link uses [Azure role-based access control (RBAC)](/azure/role-based-access-control/overview) to manage access to the Security Private Link resource and private endpoint connections. The following roles are typically involved:
+
+- **Private Link resource owner**  
+  Owns the Microsoft Security Private Link resource and can approve, reject, or delete private endpoint connection requests.
+
+- **Network Contributor**  
+  Can create private endpoints within a virtual network.
+
+- **Security Admin**  
+  Can approve, reject, or delete private endpoint connections but can't create private endpoints in a virtual network unless extra network permissions are granted.
+
+These roles can be assigned to different users or teams to separate network management from security governance responsibilities.
+
+## Approval workflow
+
+Private endpoint connections to Microsoft Security Private Link resources follow the standard [Azure Private Link approval workflow](/azure/private-link/private-endpoint-overview#access-to-a-private-link-resource-using-approval-workflow).
+
+When a private endpoint is created, a connection request is sent to the owner of the Microsoft Security Private Link resource. The resource owner can approve or reject the request from the **Private endpoint connections** tab in the Azure portal.
+
+If the user requesting the private endpoint is also an owner of the Security Private Link, the request is automatically approved.
+
+Approved and pending connections can be managed at any time through the Private Link resource in the Azure portal.
+
+## DNS configuration
+
+When you create a private endpoint, a [private DNS zone](/azure/dns/private-dns-overview) is provisioned by default that corresponds to the Defender for Cloud private Link subdomain `*.defender.microsoft.com`.
+
+> [!NOTE]
+> For details about how to configure DNS for private endpoints, see [Azure Private Endpoint DNS integration](/azure/private-link/private-endpoint-dns).
+
+When workloads connect to Defender service endpoints from within the virtual network with private endpoints configured, the FQDN resolves to the private IP address of the endpoint. Connections from outside the virtual network (if public access is still enabled) resolve to the public endpoint.
+
+Each Microsoft Defender for Cloud service uses specific domain endpoints. For example:
+
+| Service | Name | Type | Value | Port |
+|---------|------|------|-------|------|
+| Defender for Containers | `*.cloud.defender.microsoft.com` | CNAME | `*.privatelink.cloud.defender.microsoft.com` | 443 |
+| Defender for Containers | `*.privatelink.cloud.defender.microsoft.com` | A | 10.0.0.5 | 443 |
+
+If you're using a custom DNS server, configure delegation or A records to resolve FQDNs to the private endpoint IP address.
+
+## Connectivity comparison with Microsoft Security Private Link
+
+| Feature | Without Private Endpoint | With Security Private Link |
+|--------|--------------------------|----------------------------|
+| Internet exposure | Yes | No |
+| Compliance alignment | Limited | Strong |
+| Multi-service integration | Manual | Simplified |
+
+## Next steps
+
+- [Configure private endpoints with Microsoft Security Private Link](configure-private-endpoints.md)
+
+- Learn more about [Azure Private Link](/azure/private-link).

articles/defender-for-cloud/configure-private-endpoints.md

@@ -0,0 +1,141 @@
+---
+title: Configure private endpoints with Microsoft Security Private Link
+description: Configure private endpoints with Microsoft Security Private Link to securely connect your virtual network to Microsoft Defender for Cloud.
+author: Elazark
+ms.author: elkrieger
+ms.topic: how-to
+ms.date: 01/07/2025
+#customer intent: As a security administrator, I want to configure a private endpoint for Microsoft Defender for Cloud so that Defender traffic stays within my private network.
+
+---
+
+# Configure private endpoints with Microsoft Security Private Link (Preview)
+
+Use a [private endpoint](/azure/private-link/private-endpoint-overview) with Microsoft Security Private Link to connect workloads in your private network to Microsoft Defender for Cloud over [Azure Private Link](/azure/private-link/private-link-overview).
+
+> [!NOTE]
+> Microsoft Security Private Link isn't supported in sovereign cloud regions, such as Azure Government and Azure operated by 21Vianet.
+
+## Prerequisites
+
+Before you begin, make sure that:
+
+- Defender for Cloud is enabled on your Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/pricing/purchase-options/azure-account?cid=msft_learn).
+
+- A [virtual network and subnet](/azure/virtual-network/quick-create-portal) where your workloads are deployed. This is where the private endpoint is created.
+
+- You reviewed the required [roles and permissions](concept-private-links.md#roles-and-permissions).
+
+## Create a private endpoint using a Security Private Link resource (Azure portal)
+
+A Security Private Link resource must belong to a resource group.
+
+When you create a Security Private Link resource, you can create a private endpoint as part of the same workflow.
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+
+1. Select **Create a resource**.
+
+1. Search for **Security Private Link**.
+
+1. Under **Security Private Link** select **Create**.
+
+   :::image type="content"source="media/configure-private-endpoints/marketplace-create-security-private-link.png"alt-text="Screenshot of the Azure Marketplace showing the Security Private Link tile with the Create button."lightbox="media/configure-private-endpoints/marketplace-create-security-private-link.png":::
+
+1. Select a subscription and an existing resource group, or create a new one.
+
+1. If needed, select a resource group location.
+
+1. Enter a name.
+
+1. Select **Next: Networking**.
+
+    > [!NOTE]
+    > Microsoft Security Private Link currently supports the **containers** sub-resource, which is used by the Defender for Containers plan.
+
+1. Select **Create a private endpoint**.
+
+1. Enter a name and a location.
+
+      :::image type="content" source="media/configure-private-endpoints/create-private-endpoint-blade-networking-tab.png" alt-text="Screenshot of the Create Security Private Link wizard on the Networking tab, showing the Create a private endpoint pane with sub-resource and Private DNS integration." lightbox="media/configure-private-endpoints/create-private-endpoint-blade-networking-tab.png":::
+
+1. Select **containers** as the target sub-resource.
+
+1. Select the virtual network and subnet.
+
+1. Enable **Private DNS integration** to create a private DNS zone automatically.
+
+1. Select **Add**.
+
+1. Select **Next: Tags** and add any required tags.
+
+1. Select **Review + create**
+
+1.  Select **Create**.
+
+## Create a private endpoint for an existing Security Private Link resource (Azure portal)
+
+If you already have a Security Private Link resource, you can create a private endpoint separately and connect it to that resource.
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+
+1. Navigate to **Network foundation** > **Private Link** > **Private endpoints**.  
+
+1. Select **Create**.
+
+   :::image type="content" source="media/configure-private-endpoints/network-foundation-create-private-endpoint.png" alt-text="Screenshot of the Network foundation Private endpoints page, showing the Create button." lightbox="media/configure-private-endpoints/network-foundation-create-private-endpoint.png":::
+
+1. Select a subscription and an existing resource group, or create a new one.
+
+1. Enter a name and network interface name, and select a region.
+
+1. Select **Next: Resource**.
+
+    > [!NOTE]
+    > Microsoft Security Private Link currently supports the **containers** sub-resource, which is used by the Defender for Containers plan.
+
+1. Select **Connect to an Azure resource in my directory**.
+
+1. Select a subscription.
+
+1. Select **Microsoft.Security/privateLinks** as the resource type.
+
+1. Select the Security Private Link resource for Defender for Cloud.
+
+1. Select **containers** as the target sub-resource, then select **Next: Virtual Network**.
+
+1. Select the virtual network and the subnet.
+
+1. Leave the private IP address allocation set to **Dynamic**, then select **Next: DNS**.
+
+1. Enable **Integrate with private DNS zone** and verify that the private DNS zone is populated automatically.
+
+1. Select **Next: Tags**.
+
+1. Add any required tags.
+
+1. Select **Review + create**.
+
+ 1. Select **Create**.
+
+## Approve the private endpoint connection
+
+When the private endpoint is created, a connection request is sent to the Security Private Link resource.
+
+- If the requester is an **Owner**, the connection is approved automatically.
+
+- Otherwise, an **Owner** must approve the request from **Private endpoint connections** in the Azure portal.
+
+## Validate the private endpoint connection
+
+From a workload connected to the virtual network, run:
+
+```bash
+nslookup api.cloud.defender.microsoft.com
+```
+
+The FQDN should resolve to a private IP address under `privatelink.cloud.defender.microsoft.com`.
+
+## Related content
+
+- Learn more about [Microsoft Security Private Link for Microsoft Defender for Cloud](concept-private-links.md).

articles/defender-for-cloud/defender-portal/integration-faq.md

@@ -88,7 +88,7 @@ Microsoft Defender for Cloud expands within the Defender portal to provide incid
 
 **Customers can continue to use Azure Lighthouse for multi-tenant posture management and operations, in parallel with the Defender portal.** This approach ensures that organizations retain full posture management capabilities while benefiting from the unified incident management and response features available in the Defender portal.
 
-As we build and enhance MTO capabilities in future releases, customers will see expanded support for multitenant posture management and additional experiences directly within the Defender portal. 
+As we build and enhance MTO capabilities in future releases, customers see expanded support for multitenant posture management and additional experiences directly within the Defender portal. 
 
 ### Synchronization & data consistency
 
@@ -102,15 +102,15 @@ In the short term, security recommendations resolved in the Azure portal will be
 
 #### Will the count of healthy and unhealthy resources be consistent across the Azure and the Defender portal? If not, what explains the difference?
 
-Customers may notice differences when using Defender for Cloud in the Defender portal. With this expansion, we're exposing customers with the discovery of their complete environment and hence, the count can be different. This applies to the Secure Score, security recommendations, and the number of discovered resources in the environment.  
+Customers might notice differences when using Defender for Cloud in the Defender portal. With this expansion, we're exposing customers with the discovery of their complete environment and hence, the count can be different. This applies to the Secure Score, security recommendations, and the number of discovered resources in the environment.  
 
 ## Feature availability & roadmap
 
 ### If I only use Foundational CSPM and have other Defender Plans enabled, such as Defender for Storage, will I be able to see Foundational CSPM data in the new portal? 
 
-Yes, security recommendations provided by the Foundational CSPM plan will appear for any subscription with at least one paid plan.
+Yes, security recommendations provided by the Foundational CSPM plan appears for any subscription with at least one paid plan.
 
-### I can see recommendation ownership via Governance feature. Will Governance feature be available in the Defender portal?
+### I can see recommendation ownership via Governance feature. Will the Governance feature be available in the Defender portal?
 
 Governance assignments created manually or automatic will continue to work, and the assignment status including the relevant owner and due date will appear in the Defender portal. However, editing operations such as owner and due date changes will still be done via the Azure portal. In the future, we plan to introduce improved mobilization capabilities to allow security teams to operate and delegate the remediation effort directly to the Defender portal.
 

articles/defender-for-cloud/media/concept-private-links/security-private-link-diagram.png

@@ -27,6 +27,24 @@ This article summarizes what's new in Microsoft Defender for Cloud. It includes
 <!-- 5. Under the relevant month, add a short paragraph about the new feature. Give the paragraph an H3 (###) heading. Keep the title short and not rambling. -->
 <!-- 6. In the Update column, add a bookmark to the H3 paragraph that you created (#<bookmark-name>) .-->
 
+## January 2026
+
+|Date | Category | Update|
+| -------- | -------- | -------- |
+|January 8, 2026| Preview | [Microsoft Security Private Link (Preview)](#microsoft-security-private-link-preview) |
+
+## Microsoft Security Private Link (Preview)
+
+January 8, 2026
+
+Microsoft Defender for Cloud is announcing Microsoft Security Private Link in Preview.
+
+Microsoft Security Private Link enables private connectivity between Defender for Cloud and your workloads. The connection is established by creating private endpoints in your virtual network, allowing Defender for Cloud traffic to remain on the Microsoft backbone network and avoid exposure to the public internet.
+
+Private endpoints are currently supported for the Defender for Containers plan.
+
+Learn more about [Microsoft Security Private Link for Microsoft Defender for Cloud](concept-private-links.md).
+
 ## December 2025
 
 |Date | Category | Update|