Application Gateways use a minimum TLS 1.2

Security · Application Gateway · Rule · 2020_06

Application Gateway should only accept a minimum of TLS 1.2.

Description

Application Gateway should accept connections over TLS 1.2 or later only, so that clients cannot negotiate the deprecated TLS 1.0 and TLS 1.1 protocols.

Recommendation

Consider configuring Application Gateway to accept a minimum of TLS 1.2.

Configure with Azure template

To deploy Application Gateways that pass this rule, use a predefined or custom policy:

  • Custom — Set the properties.sslPolicy.policyType property to Custom.
    • Set the properties.sslPolicy.minProtocolVersion property to TLSv1_2.
    • Set the properties.sslPolicy.cipherSuites property to a list of supported ciphers. For example:
      • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • Predefined — Set the properties.sslPolicy.policyType property to Predefined.
    • Set the properties.sslPolicy.policyName property to a supported predefined policy such as AppGwSslPolicy20220101S.

For example:

Azure Template snippet
{
    "type": "Microsoft.Network/applicationGateways",
    "apiVersion": "2020-11-01",
    "name": "appGw-001",
    "location": "[resourceGroup().location]",
    "properties": {
        "sku": {
            "name": "WAF_v2",
            "tier": "WAF_v2"
        },
        "sslPolicy": {
            "policyType": "Custom",
            "minProtocolVersion": "TLSv1_2",
            "cipherSuites": [
                "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
                "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
            ]
        }
    }
}

Configure with Bicep

To deploy Application Gateways that pass this rule, use a predefined or custom policy:

  • Custom — Set the properties.sslPolicy.policyType property to Custom.
    • Set the properties.sslPolicy.minProtocolVersion property to TLSv1_2.
    • Set the properties.sslPolicy.cipherSuites property to a list of supported ciphers. For example:
      • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • Predefined — Set the properties.sslPolicy.policyType property to Predefined.
    • Set the properties.sslPolicy.policyName property to a supported predefined policy such as AppGwSslPolicy20220101S.

For example:

Azure Bicep snippet
// Location used by the resource below; defaults to the resource group location.
param location string = resourceGroup().location

resource name_resource 'Microsoft.Network/applicationGateways@2019-09-01' = {
  name: 'appGw-001'
  location: location
  properties: {
    sku: {
      name: 'WAF_v2'
      tier: 'WAF_v2'
    }
    // Custom policy: reject anything below TLS 1.2 and limit the cipher suites offered.
    sslPolicy: {
      policyType: 'Custom'
      minProtocolVersion: 'TLSv1_2'
      cipherSuites: [
        'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'
        'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256'
        'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
        'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
      ]
    }
  }
}
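The template and Bicep sections above describe the same sslPolicy shape. The following check, added here as an example and not PSRule's own implementation of this rule, evaluates Application Gateway resources in a parsed ARM template: a Custom policy passes when minProtocolVersion is TLSv1_2 or higher, and a Predefined policy passes when its name is in a set of TLS 1.2 policies. That set, and treating a missing sslPolicy as a failure, are assumptions noted in the comments; the sample template is constructed.

```python
# Minimum protocol versions in ascending order; TLSv1_3 is included so a
# stricter-than-required setting also passes.
PROTOCOL_ORDER = ["TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3"]

# Predefined policies whose documented minimum is TLS 1.2. Assumption: taken
# from Azure's predefined SSL policy docs; verify against the current list.
TLS12_PREDEFINED = {"AppGwSslPolicy20170401S", "AppGwSslPolicy20220101",
                    "AppGwSslPolicy20220101S"}


def min_tls12(resource: dict) -> tuple:
    """Return (passes, reason) for one applicationGateways resource."""
    policy = (resource.get("properties") or {}).get("sslPolicy")
    if not policy:
        # No sslPolicy: the platform default policy applies, which this
        # check does not assume enforces TLS 1.2.
        return False, "sslPolicy not set; platform default applies"
    kind = policy.get("policyType")
    if kind == "Custom":
        version = policy.get("minProtocolVersion")
        if version not in PROTOCOL_ORDER:
            return False, f"unknown minProtocolVersion {version!r}"
        ok = PROTOCOL_ORDER.index(version) >= PROTOCOL_ORDER.index("TLSv1_2")
        return ok, f"Custom minProtocolVersion={version}"
    if kind == "Predefined":
        name = policy.get("policyName")
        return name in TLS12_PREDEFINED, f"Predefined policyName={name}"
    return False, f"unsupported policyType {kind!r}"


def evaluate(template: dict) -> dict:
    """Map each Application Gateway name in an ARM template to pass/fail."""
    return {r["name"]: min_tls12(r)[0] for r in template.get("resources", [])
            if r.get("type") == "Microsoft.Network/applicationGateways"}


# Constructed sample template (not a real deployment).
SAMPLE_TEMPLATE = {"resources": [
    {"type": "Microsoft.Network/applicationGateways", "name": "appGw-001",
     "properties": {"sslPolicy": {"policyType": "Custom",
                                  "minProtocolVersion": "TLSv1_2"}}},
    {"type": "Microsoft.Network/applicationGateways", "name": "appGw-002",
     "properties": {"sslPolicy": {"policyType": "Custom",
                                  "minProtocolVersion": "TLSv1_1"}}},
    {"type": "Microsoft.Network/applicationGateways", "name": "appGw-003",
     "properties": {"sslPolicy": {"policyType": "Predefined",
                                  "policyName": "AppGwSslPolicy20220101S"}}},
    {"type": "Microsoft.Network/applicationGateways", "name": "appGw-004",
     "properties": {}},
]}
```

Running `evaluate(SAMPLE_TEMPLATE)` reports appGw-001 and appGw-003 as passing and appGw-002 and appGw-004 as failing.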

Last update: 2023-03-01
