Use secure connections to Redis instances

Security · Azure Cache for Redis · Rule · 2020_06 · Critical

Azure Cache for Redis should only accept secure connections.

Description

Azure Cache for Redis can be configured to accept encrypted and unencrypted connections. By default, only encrypted communication is accepted. To accept unencrypted connections, the non-SSL port must be enabled. Using the non-SSL port for Azure Redis cache allows unencrypted communication to Redis cache.

Unencrypted communication can potentially allow disclosure of sensitive information to an untrusted party.

Recommendation

Consider only using secure connections to Redis cache by enabling SSL and disabling the non-SSL port.

Examples

Configure with Azure template

To deploy caches that pass this rule:

• Set the properties.enableNonSslPort property to false.

For example:

Azure Template snippet

{
  "type": "Microsoft.Cache/redis",
  "apiVersion": "2024-03-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "redisVersion": "6",
    "sku": {
      "name": "Premium",
      "family": "P",
      "capacity": 1
    },
    "redisConfiguration": {
      "aad-enabled": "True",
      "maxmemory-reserved": "615"
    },
    "enableNonSslPort": false,
    "publicNetworkAccess": "Disabled"
  },
  "zones": [
    "1",
    "2",
    "3"
  ]
}

Configure with Bicep

To deploy caches that pass this rule:

• Set the properties.enableNonSslPort property to false.

For example:

Azure Bicep snippet

resource cache 'Microsoft.Cache/redis@2024-03-01' = {
  name: name
  location: location
  properties: {
    redisVersion: '6'
    sku: {
      name: 'Premium'
      family: 'P'
      capacity: 1
    }
    redisConfiguration: {
      'aad-enabled': 'True'
      'maxmemory-reserved': '615'
    }
    enableNonSslPort: false
    publicNetworkAccess: 'Disabled'
  }
  zones: [
    '1'
    '2'
    '3'
  ]
}

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/cache/redis:<version>

To use the latest version:

br/public:avm/res/cache/redis:0.9.0

---

• What is Azure Verified Modules?
• Usage and parameters for this module

Links

• SE:07 Encryption
• How to configure Azure Cache for Redis
• DP-3: Encrypt sensitive data in transit
• Azure Policy Regulatory Compliance controls for Azure Cache for Redis
• Azure deployment reference

Comments