Skip to content

Minimum TLS version#

Security · Event Hub · Rule · 2023_03

Event Hub namespaces should reject TLS versions older than 1.2.

Description#

The minimum version of TLS that Event Hub namespaces accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.

Recommendation#

Configure the minimum supported TLS version to be 1.2.

Examples#

Configure with Azure template#

To deploy Event Hub namespaces that pass this rule:

  • Set the properties.minimumTlsVersion property to 1.2.

For example:

Azure Template snippet
{
  "type": "Microsoft.EventHub/namespaces",
  "apiVersion": "2024-01-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned"
  },
  "sku": {
    "name": "Standard"
  },
  "properties": {
    "disableLocalAuth": true,
    "minimumTlsVersion": "1.2",
    "publicNetworkAccess": "Disabled",
    "isAutoInflateEnabled": true,
    "maximumThroughputUnits": 10,
    "zoneRedundant": true
  }
}

Configure with Bicep#

To deploy Event Hub namespaces that pass this rule:

  • Set the properties.minimumTlsVersion property to 1.2.

For example:

Azure Bicep snippet
resource ns 'Microsoft.EventHub/namespaces@2024-01-01' = {
  name: name
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  sku: {
    name: 'Standard'
  }
  properties: {
    disableLocalAuth: true
    minimumTlsVersion: '1.2'
    publicNetworkAccess: 'Disabled'
    isAutoInflateEnabled: true
    maximumThroughputUnits: 10
    zoneRedundant: true
  }
}

Comments