Event Grid Topic accepts insecure TLS versions#
Security · Event Grid Topic · Rule · 2025_03 · Critical
Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities.
Description#
The minimum version of TLS that Event Grid Topics accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.
Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.
When clients connect using an older version of TLS that is disabled, the connection will fail.
Recommendation#
Configure the minimum supported TLS version to be 1.2. Also consider enforcing this setting using Azure Policy.
Examples#
Configure with Bicep#
To deploy topics that pass this rule:
- Set the
properties.minimumTlsVersionAllowed
property to1.2
.
For example:
resource topic 'Microsoft.EventGrid/topics@2025-02-15' = {
name: name
location: location
identity: {
type: 'SystemAssigned'
}
properties: {
disableLocalAuth: true
publicNetworkAccess: 'Disabled'
minimumTlsVersionAllowed: '1.2'
inputSchema: 'CloudEventSchemaV1_0'
}
}
Configure with Azure template#
To deploy topics that pass this rule:
- Set the
properties.minimumTlsVersionAllowed
property to1.2
.
For example:
{
"type": "Microsoft.EventGrid/topics",
"apiVersion": "2025-02-15",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"disableLocalAuth": true,
"publicNetworkAccess": "Disabled",
"minimumTlsVersionAllowed": "1.2",
"inputSchema": "CloudEventSchemaV1_0"
}
}
Links#
- SE:07 Encryption
- Enforce a minimum required version of Transport Layer Security (TLS) for an Event Grid topic, domain, or subscription
- Preparing for TLS 1.2 in Microsoft Azure
- Azure deployment reference