
Redis Cache minimum TLS version

Security · Azure Cache for Redis · Rule · 2020_06 · Critical

Redis Cache should reject TLS versions older than 1.2.

Description

The minimum version of TLS that Redis Cache accepts was previously configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

Depending on when your cache was deployed, you may be using a default that specifies an older version of TLS. New deployments do not allow TLS 1.0 or 1.1 to be specified; however, existing cache deployments may require updating.

Support for TLS 1.0 and TLS 1.1 will be removed on 1 November 2024.

Recommendation

Consider configuring the minimum supported TLS version to be 1.2. No action is required for new cache deployments from March 2024, which only support a minimum of TLS 1.2.

Examples

Configure with Azure template

To deploy caches that pass this rule:

  • Set the properties.minimumTlsVersion property to a minimum of 1.2 for existing caches with an old version of TLS configured. It is not possible to set the properties.minimumTlsVersion on new cache deployments from March 2024. New cache deployments only support a minimum TLS version of 1.2.

For example:

Azure Template snippet
{
  "type": "Microsoft.Cache/redis",
  "apiVersion": "2024-03-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "minimumTlsVersion": "1.2",
    "redisVersion": "latest",
    "sku": {
      "name": "Premium",
      "family": "P",
      "capacity": 1
    },
    "redisConfiguration": {
      "maxmemory-reserved": "615"
    },
    "enableNonSslPort": false,
    "publicNetworkAccess": "Disabled"
  },
  "zones": [
    "1",
    "2",
    "3"
  ]
}

Configure with Bicep

To deploy caches that pass this rule:

  • Set the properties.minimumTlsVersion property to a minimum of 1.2 for existing caches with an old version of TLS configured. It is not possible to set the properties.minimumTlsVersion on new cache deployments from March 2024. New cache deployments only support a minimum TLS version of 1.2.

For example:

Azure Bicep snippet
resource cache 'Microsoft.Cache/redis@2024-03-01' = {
  name: name
  location: location
  properties: {
    minimumTlsVersion: '1.2'
    redisVersion: 'latest'
    sku: {
      name: 'Premium'
      family: 'P'
      capacity: 1
    }
    redisConfiguration: {
      'maxmemory-reserved': '615'
    }
    enableNonSslPort: false
    publicNetworkAccess: 'Disabled'
  }
  zones: [
    '1'
    '2'
    '3'
  ]
}

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/cache/redis:<version>

To use the latest version:

br/public:avm/res/cache/redis:0.7.2

Configure with Azure CLI

To deploy caches that pass this rule:

  • Use the --set parameter. This parameter only applies to old cache deployments using TLS 1.0 or TLS 1.1.

For example:

Azure CLI snippet
az redis update -n '<name>' -g '<resource_group>' --set minimumTlsVersion=1.2
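To find which existing caches still need this update, the following added example (not part of the original rule documentation) evaluates the rule condition over JSON saved from `az redis list -o json` or over resources taken from an ARM template. The sample data is constructed, the function names are hypothetical, and treating an unset `minimumTlsVersion` as non-compliant is an assumption of this example.

```python
import json

# Constructed sample: three entries shaped like `az redis list -o json` output
# (flattened properties, an assumption) and two ARM-template style resources
# (value nested under "properties", as in the template snippet on this page).
SAMPLE = json.loads("""
[
  {"name": "cache-legacy", "resourceGroup": "rg-a", "minimumTlsVersion": "1.0"},
  {"name": "cache-unset", "resourceGroup": "rg-a", "minimumTlsVersion": null},
  {"name": "cache-ok", "resourceGroup": "rg-b", "minimumTlsVersion": "1.2"},
  {"type": "Microsoft.Cache/redis", "name": "cache-tmpl",
   "properties": {"minimumTlsVersion": "1.1"}},
  {"type": "Microsoft.Cache/redis", "name": "cache-param",
   "properties": {"minimumTlsVersion": "[parameters('minTls')]"}}
]
""")

REQUIRED = (1, 2)  # the rule requires a minimum of TLS 1.2


def min_tls(resource):
    """Return the configured value from either shape, or None if unset."""
    nested = resource.get("properties") or {}
    return nested.get("minimumTlsVersion", resource.get("minimumTlsVersion"))


def evaluate(resource):
    """Classify one cache as 'pass', 'fail' or 'unresolved'."""
    value = min_tls(resource)
    if value is None:
        return "fail"  # assumption: an unset value is treated as non-compliant
    try:
        version = tuple(int(part) for part in str(value).split("."))
    except ValueError:
        # A template expression is only known at deployment time.
        return "unresolved"
    return "pass" if version >= REQUIRED else "fail"


def audit(resources):
    """Map cache name -> result for every resource in the list."""
    return {r["name"]: evaluate(r) for r in resources}


if __name__ == "__main__":
    for name, result in audit(SAMPLE).items():
        print(f"{name}: {result}")
```

Caches reported as `unresolved` need the parameter value checked in the deployment that supplies it.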

Configure with Azure PowerShell

To deploy caches that pass this rule:

  • Use the -MinimumTlsVersion parameter. This parameter only applies to old cache deployments using TLS 1.0 or TLS 1.1.

For example:

Azure PowerShell snippet
Set-AzRedisCache -Name '<name>' -MinimumTlsVersion '1.2'
