Redis Cache minimum TLS version

Security · Azure Cache for Redis · Rule · 2020_06

Redis Cache should reject TLS versions older than 1.2.

Description

The minimum version of TLS that Redis Cache accepts is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.

Recommendation

Consider configuring the minimum supported TLS version to be 1.2. Support for TLS 1.0/ 1.1 version will be removed.

Examples

Configure with Azure template

To deploy caches that pass this rule:

• Set the properties.minimumTlsVersion property to a minimum of 1.2.

For example:

Azure Template snippet

{
  "type": "Microsoft.Cache/redis",
  "apiVersion": "2023-04-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "minimumTlsVersion": "1.2",
    "redisVersion": "latest",
    "sku": {
      "name": "Premium",
      "family": "P",
      "capacity": 1
    },
    "redisConfiguration": {
      "maxmemory-reserved": "615"
    },
    "enableNonSslPort": false
  },
  "zones": [
    "1",
    "2",
    "3"
  ]
}

Configure with Bicep

To deploy caches that pass this rule:

• Set the properties.minimumTlsVersion property to a minimum of 1.2.

For example:

Azure Bicep snippet

resource cache 'Microsoft.Cache/redis@2023-04-01' = {
  name: name
  location: location
  properties: {
    minimumTlsVersion: '1.2'
    redisVersion: 'latest'
    sku: {
      name: 'Premium'
      family: 'P'
      capacity: 1
    }
    redisConfiguration: {
      'maxmemory-reserved': '615'
    }
    enableNonSslPort: false
  }
  zones: [
    '1'
    '2'
    '3'
  ]
}

Configure with Azure CLI

To deploy caches that pass this rule:

• Use the --set parameter.

For example:

Azure CLI snippet

az redis update -n '<name>' -g '<resource_group>' --set minimumTlsVersion=1.2

Configure with Azure PowerShell

To deploy caches that pass this rule:

• Use the -MinimumTlsVersion parameter.

For example:

Azure PowerShell snippet

Set-AzRedisCache -Name '<name>' -MinimumTlsVersion '1.2'

Links

• Data encryption in Azure
• Remove TLS 1.0 and 1.1 from use with Azure Cache for Redis
• Configure Azure Cache for Redis settings
• Preparing for TLS 1.2 in Microsoft Azure
• DP-3: Encrypt sensitive data in transit
• Azure deployment reference

---

Last update: 2023-07-09

Comments