Application Gateways use a minimum TLS 1.2
Security · Application Gateway · Rule · 2020_06
Application Gateway should only accept a minimum of TLS 1.2.
Description
Application Gateway should only accept a minimum of TLS 1.2 to ensure secure connections.
Recommendation
Consider configuring Application Gateway to accept a minimum of TLS 1.2.
Configure with Azure template
To deploy Application Gateways that pass this rule, use a predefined or custom policy:
- Custom — Set the properties.sslPolicy.policyType property to Custom. Set the properties.sslPolicy.minProtocolVersion property to TLSv1_2. Set the properties.sslPolicy.cipherSuites property to a list of supported ciphers, for example:
  - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- Predefined — Set the properties.sslPolicy.policyType property to Predefined. Set the properties.sslPolicy.policyName property to a supported predefined policy such as AppGwSslPolicy20220101S.
For example:
Azure Template snippet
{
  "type": "Microsoft.Network/applicationGateways",
  "apiVersion": "2020-11-01",
  "name": "appGw-001",
  "location": "[resourceGroup().location]",
  "properties": {
    "sku": {
      "name": "WAF_v2",
      "tier": "WAF_v2"
    },
    "sslPolicy": {
      "policyType": "Custom",
      "minProtocolVersion": "TLSv1_2",
      "cipherSuites": [
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
      ]
    }
  }
}
Configure with Bicep
To deploy Application Gateways that pass this rule, use a predefined or custom policy:
- Custom — Set the properties.sslPolicy.policyType property to Custom. Set the properties.sslPolicy.minProtocolVersion property to TLSv1_2. Set the properties.sslPolicy.cipherSuites property to a list of supported ciphers, for example:
  - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- Predefined — Set the properties.sslPolicy.policyType property to Predefined. Set the properties.sslPolicy.policyName property to a supported predefined policy such as AppGwSslPolicy20220101S.
For example:
Azure Bicep snippet
resource name_resource 'Microsoft.Network/applicationGateways@2019-09-01' = {
  name: 'appGw-001'
  location: location
  properties: {
    sku: {
      name: 'WAF_v2'
      tier: 'WAF_v2'
    }
    sslPolicy: {
      policyType: 'Custom'
      minProtocolVersion: 'TLSv1_2'
      cipherSuites: [
        'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'
        'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256'
        'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
        'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
      ]
    }
  }
}
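Both sections above describe the same sslPolicy settings, so here is one added Python check (not part of PSRule or this page) that evaluates every Application Gateway in an ARM template against them before deployment. It assumes, from Azure's predefined TLS policy reference, that AppGwSslPolicy20170401S, AppGwSslPolicy20220101 and AppGwSslPolicy20220101S are the predefined policies with a TLS 1.2 minimum, and that TLSv1_3 is also an acceptable minProtocolVersion; the sample template is constructed for the demonstration.

```python
import json

# Assumed from Azure's predefined TLS policy reference: these enforce a TLS 1.2
# minimum, while AppGwSslPolicy20150501 and AppGwSslPolicy20170401 allow 1.0/1.1.
PREDEFINED_TLS12_POLICIES = {"AppGwSslPolicy20170401S", "AppGwSslPolicy20220101",
                             "AppGwSslPolicy20220101S"}
ACCEPTED_MIN_VERSIONS = {"TLSv1_2", "TLSv1_3"}  # TLSv1_3 assumed valid too
APPGW_TYPE = "Microsoft.Network/applicationGateways"

def ssl_policy_allows_min_tls12(ssl_policy):
    """Return (passed, reason) for one sslPolicy object; None means not set."""
    if not ssl_policy:
        # No sslPolicy means the platform default applies, which is not TLS 1.2-only.
        return False, "sslPolicy not set; default policy applies"
    policy_type = ssl_policy.get("policyType")
    if policy_type == "Custom":
        version = ssl_policy.get("minProtocolVersion")
        if version not in ACCEPTED_MIN_VERSIONS:
            return False, f"Custom minProtocolVersion is {version!r}"
        if not ssl_policy.get("cipherSuites"):
            return False, "Custom policy lists no cipherSuites"
        return True, f"Custom policy, minProtocolVersion {version}"
    if policy_type == "Predefined":
        name = ssl_policy.get("policyName")
        if name in PREDEFINED_TLS12_POLICIES:
            return True, f"Predefined policy {name}"
        return False, f"Predefined policy {name!r} permits TLS below 1.2"
    return False, f"Unknown policyType {policy_type!r}"

def check_template(template_text):
    """Evaluate each Application Gateway in an ARM template: {name: (passed, reason)}."""
    results = {}
    for res in json.loads(template_text).get("resources", []):
        if res.get("type") == APPGW_TYPE:
            ssl_policy = res.get("properties", {}).get("sslPolicy")
            results[res["name"]] = ssl_policy_allows_min_tls12(ssl_policy)
    return results

# Constructed sample: the page's gateway, one on a legacy predefined policy,
# and one that never sets sslPolicy.
SAMPLE_TEMPLATE = json.dumps({"resources": [
    {"type": APPGW_TYPE, "name": "appGw-001", "properties": {"sslPolicy": {
        "policyType": "Custom", "minProtocolVersion": "TLSv1_2",
        "cipherSuites": ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]}}},
    {"type": APPGW_TYPE, "name": "appGw-legacy", "properties": {"sslPolicy": {
        "policyType": "Predefined", "policyName": "AppGwSslPolicy20150501"}}},
    {"type": APPGW_TYPE, "name": "appGw-default", "properties": {}},
]})

for gw, (passed, reason) in check_template(SAMPLE_TEMPLATE).items():
    print(f"{gw}: {'PASS' if passed else 'FAIL'} ({reason})")
```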
Links
- Data encryption in Azure
- Application Gateway SSL policy overview
- Configure SSL policy versions and cipher suites on Application Gateway
- Overview of TLS termination and end to end TLS with Application Gateway
- Azure deployment reference
- Predefined TLS policy
- Cipher suites
- Limitations
Last update: 2023-03-01