Skip to content

Use secure connections to Redis instances#

Security · Azure Cache for Redis · Rule · 2020_06 · Critical

Azure Cache for Redis should only accept secure connections.

Description#

Azure Cache for Redis can be configured to accept encrypted and unencrypted connections. By default, only encrypted communication is accepted. To accept unencrypted connections, the non-SSL port must be enabled. Using the non-SSL port for Azure Redis cache allows unencrypted communication to Redis cache.

Unencrypted communication can potentially allow disclosure of sensitive information to an untrusted party.

Recommendation#

Consider only using secure connections to Redis cache by enabling SSL and disabling the non-SSL port.

Examples#

Configure with Azure template#

To deploy caches that pass this rule:

  • Set the properties.enableNonSslPort property to false.

For example:

Azure Template snippet
{
  "type": "Microsoft.Cache/redis",
  "apiVersion": "2024-03-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "redisVersion": "6",
    "sku": {
      "name": "Premium",
      "family": "P",
      "capacity": 1
    },
    "redisConfiguration": {
      "aad-enabled": "True",
      "maxmemory-reserved": "615"
    },
    "enableNonSslPort": false,
    "publicNetworkAccess": "Disabled"
  },
  "zones": [
    "1",
    "2",
    "3"
  ]
}

Configure with Bicep#

To deploy caches that pass this rule:

  • Set the properties.enableNonSslPort property to false.

For example:

Azure Bicep snippet
resource cache 'Microsoft.Cache/redis@2024-03-01' = {
  name: name
  location: location
  properties: {
    redisVersion: '6'
    sku: {
      name: 'Premium'
      family: 'P'
      capacity: 1
    }
    redisConfiguration: {
      'aad-enabled': 'True'
      'maxmemory-reserved': '615'
    }
    enableNonSslPort: false
    publicNetworkAccess: 'Disabled'
  }
  zones: [
    '1'
    '2'
    '3'
  ]
}

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/cache/redis:<version>

To use the latest version:

br/public:avm/res/cache/redis:0.8.0

Comments