Skip to content

Enforce encrypted MySQL connections#

Security · Azure Database for MySQL · Rule · 2020_06 · Critical

Enforce encrypted MySQL connections.

Description#

Azure Database for MySQL is configured to only accept encrypted connections by default. When the setting enforce SSL connections is disabled, encrypted and unencrypted connections are permitted. This does not indicate that unencrypted connections are being used.

Unencrypted communication to MySQL server instances could allow disclosure of information to an untrusted party.

Recommendation#

Azure Database for MySQL should be configured to only accept encrypted connections. Unless explicitly required, consider enabling enforce SSL connections.

Also consider using Azure Policy to audit or enforce this configuration.

Examples#

Configure with Azure template#

To deploy servers that pass this rule:

  • Set the properties.sslEnforcement property to Enabled.

For example:

Azure Template snippet
{
  "type": "Microsoft.DBforMySQL/servers",
  "apiVersion": "2017-12-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "GP_Gen5_2",
    "tier": "GeneralPurpose",
    "capacity": 2,
    "size": "5120",
    "family": "Gen5"
  },
  "properties": {
    "createMode": "Default",
    "version": "8.0",
    "administratorLogin": "[parameters('administratorLogin')]",
    "administratorLoginPassword": "[parameters('administratorLoginPassword')]",
    "minimalTlsVersion": "TLS1_2",
    "sslEnforcement": "Enabled",
    "publicNetworkAccess": "Disabled",
    "storageProfile": {
      "storageMB": 5120,
      "backupRetentionDays": 7,
      "geoRedundantBackup": "Enabled"
    }
  }
}

Configure with Bicep#

To deploy servers that pass this rule:

  • Set the properties.sslEnforcement property to Enabled.

For example:

Azure Bicep snippet
resource singleServer 'Microsoft.DBforMySQL/servers@2017-12-01' = {
  name: name
  location: location
  sku: {
    name: 'GP_Gen5_2'
    tier: 'GeneralPurpose'
    capacity: 2
    size: '5120'
    family: 'Gen5'
  }
  properties: {
    createMode: 'Default'
    version: '8.0'
    administratorLogin: administratorLogin
    administratorLoginPassword: administratorLoginPassword
    minimalTlsVersion: 'TLS1_2'
    sslEnforcement: 'Enabled'
    publicNetworkAccess: 'Disabled'
    storageProfile: {
      storageMB: 5120
      backupRetentionDays: 7
      geoRedundantBackup: 'Enabled'
    }
  }
}

Notes#

This rule is only applicable for the Azure Database for MySQL Single Server deployment model.

Comments