
Use Entra ID authentication with cache instances#

Security · Azure Cache for Redis · Rule · 2024_06 · Critical

Use Entra ID authentication with cache instances.

Description#

Azure Cache for Redis by default requires that all requests be authenticated. Two methods are supported for authenticating and authorizing requests to Redis cache instances.

  • Access keys - Access keys are shared secrets, similar to a shared password, and as a result have a number of limitations that impact security and maintainability.
    • Access keys are long, so they are not easily guessable, but once exposed they grant full access to the cache.
    • Auditing based on user or application is not possible when using access keys, because every client presents the same credential.
    • Each access key must be stored securely within any application or script that uses it. This introduces additional dependencies and code to maintain that would not normally be required when using Entra ID. Azure Key Vault provides secure storage for access keys as secrets.
    • You have two keys (primary/secondary) to manage, and each should be rotated independently on a regular basis. Rotation should be automated, with a documented manual process as a backup.
  • Microsoft Entra ID - An OAuth2 access token issued by Microsoft Entra ID provides advantages over access keys including:
    • More granular access control instead of only full access.
    • Strong identity protection methods such as Multi-Factor Authentication (MFA) and conditional access.
    • Central management and auditing.

Entra ID authentication is currently supported on the Basic, Standard, and Premium tiers. The Redis Enterprise and Redis Enterprise Flash tiers are not supported.
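The token-based flow above has one operational caveat that access keys do not: an Entra access token expires, so a client must track `exp` and re-run AUTH before the cache rejects the connection. The following is an added example (not code from this rule's page or from Microsoft) showing that client-side logic offline. It assumes the documented token scope https://redis.azure.com/.default, that the AUTH username is the principal's object ID taken from the token's `oid` claim, and a hypothetical `token_source(scope)` callable standing in for `DefaultAzureCredential().get_token(scope)` from azure.identity; the token it builds is a constructed, unsigned JWT used only so the code runs without a network.

```python
import base64
import json
import time
from typing import Callable, Optional, Tuple

# Scope documented by Microsoft for Entra ID tokens used with Azure Cache for Redis (assumed here).
REDIS_SCOPE = "https://redis.azure.com/.default"
# Re-run AUTH this many seconds before the token's `exp` so a connection never
# presents an expired token.
REFRESH_MARGIN_SEC = 5 * 60


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    No signature check is done here on purpose: the cache service validates the
    token; the client only needs `oid` and `exp` to schedule AUTH.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


class EntraRedisAuth:
    """Caches one Entra access token and decides when to re-authenticate.

    `token_source(scope)` must return (token, expires_on_epoch_seconds). With
    azure.identity this would wrap DefaultAzureCredential().get_token(scope)
    (assumed usage, not exercised here).
    """

    def __init__(self, token_source: Callable[[str], Tuple[str, int]]):
        self._token_source = token_source
        self._token: Optional[str] = None
        self._expires_on = 0

    def needs_refresh(self, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return self._token is None or now >= self._expires_on - REFRESH_MARGIN_SEC

    def auth_args(self, now: Optional[float] = None) -> Tuple[str, str]:
        """Return (username, password) for the Redis AUTH command.

        Username is the principal's object ID (the token's `oid` claim, assumed
        to be what the cache expects); password is the bearer token itself.
        """
        if self.needs_refresh(now):
            self._token, self._expires_on = self._token_source(REDIS_SCOPE)
        return jwt_claims(self._token)["oid"], self._token


def make_fake_token(oid: str, exp: int) -> str:
    """Constructed, unsigned JWT for offline demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(
        json.dumps({"oid": oid, "exp": exp, "aud": "https://redis.azure.com"}).encode()
    )
    return f"{header}.{payload}."


if __name__ == "__main__":
    now = int(time.time())
    fake_source = lambda scope: (make_fake_token("00000000-0000-0000-0000-000000000001", now + 3600), now + 3600)
    auth = EntraRedisAuth(fake_source)
    user, token = auth.auth_args()
    print("AUTH", user, token[:24] + "...")
    # Real client (assumed usage; needs the `redis` package and TLS on port 6380,
    # since the token is a bearer credential and must never cross the non-SSL port):
    #   r = redis.Redis(host="<cache>.redis.cache.windows.net", port=6380, ssl=True,
    #                   username=user, password=token)
    #   ... later, when auth.needs_refresh(): r.execute_command("AUTH", *auth.auth_args())
```

The refresh margin is the design point: a pool of long-lived connections should re-authenticate on a timer driven by `needs_refresh()`, not wait for the server to start failing commands. Because the token is only ever sent over TLS, this pairs with `enableNonSslPort: false` in the templates below.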

Recommendation#

Consider configuring and using Microsoft Entra ID to authenticate all connections to Redis cache instances.

Examples#

Configure with Azure template#

To deploy cache instances that pass this rule:

  • Set properties.redisConfiguration.aad-enabled to "True".

For example:

Azure Template snippet
{
  "type": "Microsoft.Cache/redis",
  "apiVersion": "2024-03-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "redisVersion": "6",
    "sku": {
      "name": "Premium",
      "family": "P",
      "capacity": 1
    },
    "redisConfiguration": {
      "aad-enabled": "True",
      "maxmemory-reserved": "615"
    },
    "enableNonSslPort": false,
    "publicNetworkAccess": "Disabled"
  },
  "zones": [
    "1",
    "2",
    "3"
  ]
}

Configure with Bicep#

To deploy cache instances that pass this rule:

  • Set properties.redisConfiguration.aad-enabled to 'True'.

For example:

Azure Bicep snippet
resource cache 'Microsoft.Cache/redis@2024-03-01' = {
  name: name
  location: location
  properties: {
    redisVersion: '6'
    sku: {
      name: 'Premium'
      family: 'P'
      capacity: 1
    }
    redisConfiguration: {
      'aad-enabled': 'True'
      'maxmemory-reserved': '615'
    }
    enableNonSslPort: false
    publicNetworkAccess: 'Disabled'
  }
  zones: [
    '1'
    '2'
    '3'
  ]
}
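To check templates before they reach a pipeline, here is an added example (not the rule's own implementation in PSRule for Azure) that walks an ARM template's resources and reports, for each Microsoft.Cache/redis resource, whether aad-enabled is set as the snippets above require. It treats Microsoft.Cache/redisEnterprise resources as not applicable, since the setting is unsupported on those tiers, and also surfaces enableNonSslPort because a bearer token must not cross the non-SSL port. The case-insensitive comparison of "True" and the two templates are assumptions and constructed samples for the example.

```python
import json
from typing import Dict, List

REDIS_TYPE = "microsoft.cache/redis"
ENTERPRISE_TYPE = "microsoft.cache/redisenterprise"


def aad_enabled(resource: Dict) -> bool:
    """True when redisConfiguration sets aad-enabled to True.

    The ARM value is a string. The comparison is case-insensitive on the
    assumption that the service accepts "true" as well as "True"; a missing
    key means the default (access keys only) and fails.
    """
    cfg = (resource.get("properties") or {}).get("redisConfiguration") or {}
    value = cfg.get("aad-enabled")
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def check_template(template: Dict) -> List[Dict]:
    """Return one finding per cache resource in `template` (top-level resources only)."""
    findings = []
    for res in template.get("resources", []):
        rtype = str(res.get("type", "")).lower()
        if rtype == ENTERPRISE_TYPE:
            findings.append({
                "name": res.get("name"),
                "result": "not_applicable",
                "reason": "Entra ID authentication is not supported on Enterprise tiers",
            })
        elif rtype == REDIS_TYPE:
            props = res.get("properties") or {}
            findings.append({
                "name": res.get("name"),
                "result": "pass" if aad_enabled(res) else "fail",
                "non_ssl_port": bool(props.get("enableNonSslPort", False)),
            })
    return findings


# Constructed samples: one compliant cache, one that relies on access keys only,
# plus an Enterprise resource the rule does not apply to.
PASSING_TEMPLATE = {"resources": [{
    "type": "Microsoft.Cache/redis", "name": "cache-entra",
    "properties": {"redisConfiguration": {"aad-enabled": "True"}, "enableNonSslPort": False},
}]}
FAILING_TEMPLATE = {"resources": [
    {"type": "Microsoft.Cache/redis", "name": "cache-keys-only",
     "properties": {"redisConfiguration": {"maxmemory-reserved": "615"}, "enableNonSslPort": True}},
    {"type": "Microsoft.Cache/redisEnterprise", "name": "cache-enterprise", "properties": {}},
]}


if __name__ == "__main__":
    for label, tpl in (("passing", PASSING_TEMPLATE), ("failing", FAILING_TEMPLATE)):
        print(label, json.dumps(check_template(tpl), indent=2))
```

Run it against a deployed template exported with `az deployment group export` or against the JSON that a Bicep build emits; the same check can be read from the ARM resource's `redisConfiguration` after deployment.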

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/cache/redis:<version>

To use the latest version:

br/public:avm/res/cache/redis:0.7.2

Notes#

Microsoft Entra ID based authentication isn't supported in the Enterprise/Enterprise Flash tiers.
