Front Door Minimum TLS
Security · Front Door · Rule · 2020_06 · Critical
Front Door Classic instances should reject TLS versions older than 1.2.
Description
The minimum version of TLS that Azure Front Door accepts is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.
Front Door lets you disable outdated protocols and enforce TLS 1.2. By default, a minimum of TLS 1.2 is enforced.
Recommendation
Consider configuring the minimum supported TLS version to be 1.2 for each endpoint. This applies to Azure Front Door Classic instances only.
Examples
Configure with Azure template
To deploy a Front Door resource that passes this rule:
- Set each `properties.frontendEndpoints[*].properties.customHttpsConfiguration.minimumTlsVersion` property to `1.2`.
For example:
Azure Template snippet
```json
{
  "type": "Microsoft.Network/frontDoors",
  "apiVersion": "2021-06-01",
  "name": "[parameters('name')]",
  "location": "global",
  "properties": {
    "enabledState": "Enabled",
    "frontendEndpoints": [
      {
        "name": "[variables('frontEndEndpointName')]",
        "properties": {
          "hostName": "[format('{0}.azurefd.net', parameters('name'))]",
          "sessionAffinityEnabledState": "Disabled",
          "customHttpsConfiguration": {
            "minimumTlsVersion": "1.2"
          }
        }
      }
    ],
    "loadBalancingSettings": "[variables('loadBalancingSettings')]",
    "backendPools": "[variables('backendPools')]",
    "healthProbeSettings": "[variables('healthProbeSettings')]",
    "routingRules": "[variables('routingRules')]"
  }
}
```
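To review an existing template before deployment, the following added example (not part of PSRule for Azure or the original page) walks the top-level `resources` of an ARM template and lists Front Door Classic endpoints whose `minimumTlsVersion` is not `1.2`. It assumes an unset property falls back to the TLS 1.2 default described above; the function name `check_min_tls` and the sample resource names are made up for illustration.

```python
import json
import sys

FRONT_DOOR = "microsoft.network/frontdoors"

def check_min_tls(template):
    """Return (front door, endpoint, value, status) for endpoints not provably at TLS 1.2."""
    findings = []
    for res in template.get("resources", []):
        if str(res.get("type", "")).lower() != FRONT_DOOR:
            continue
        props = res.get("properties")
        endpoints = props.get("frontendEndpoints") if isinstance(props, dict) else None
        if not isinstance(endpoints, list):
            continue  # endpoints built from a template expression cannot be inspected here
        for ep in endpoints:
            https = ep.get("properties", {}).get("customHttpsConfiguration") or {}
            value = https.get("minimumTlsVersion")
            if value is None or value == "1.2":
                continue  # assumption: unset falls back to the TLS 1.2 default
            # Template expressions cannot be resolved offline; review them by hand.
            status = "unresolved" if str(value).startswith("[") else "fail"
            findings.append((res.get("name"), ep.get("name"), value, status))
    return findings

# Constructed sample template; resource and endpoint names are made up.
SAMPLE = {
    "resources": [{
        "type": "Microsoft.Network/frontDoors",
        "name": "afd-sample",
        "properties": {"frontendEndpoints": [
            {"name": "default", "properties": {"hostName": "afd-sample.azurefd.net"}},
            {"name": "good", "properties": {"customHttpsConfiguration": {"minimumTlsVersion": "1.2"}}},
            {"name": "legacy", "properties": {"customHttpsConfiguration": {"minimumTlsVersion": "1.0"}}},
            {"name": "param", "properties": {"customHttpsConfiguration": {"minimumTlsVersion": "[parameters('minTls')]"}}},
        ]},
    }]
}

if __name__ == "__main__":
    # Pass a template path to check a real file, otherwise run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            doc = json.load(fh)
    else:
        doc = SAMPLE
    for row in check_min_tls(doc):
        print(*row, sep="\t")
```

Rows marked `unresolved` hold a template expression such as a parameter reference, so the effective value has to be confirmed against the parameter file or the deployed resource.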
Configure with Bicep
To deploy a Front Door resource that passes this rule:
- Set each `properties.frontendEndpoints[*].properties.customHttpsConfiguration.minimumTlsVersion` property to `1.2`.
For example:
Azure Bicep snippet
```bicep
resource afd_classic 'Microsoft.Network/frontDoors@2021-06-01' = {
  name: name
  location: 'global'
  properties: {
    enabledState: 'Enabled'
    frontendEndpoints: [
      {
        name: frontEndEndpointName
        properties: {
          hostName: '${name}.azurefd.net'
          sessionAffinityEnabledState: 'Disabled'
          customHttpsConfiguration: {
            minimumTlsVersion: '1.2'
          }
        }
      }
    ]
    loadBalancingSettings: loadBalancingSettings
    backendPools: backendPools
    healthProbeSettings: healthProbeSettings
    routingRules: routingRules
  }
}
```
Links
- SE:07 Encryption
- Preparing for TLS 1.2 in Microsoft Azure
- Supported TLS versions
- Azure deployment reference