Use secure connections to Redis instances#
Security · Azure Cache for Redis · 2020_06
Azure Cache for Redis should only accept secure connections.
Description#
Azure Cache for Redis can be configured to accept encrypted and unencrypted connections. By default, only encrypted communication is accepted. To accept unencrypted connections, the non-SSL port must be enabled. Using the non-SSL port for Azure Redis cache allows unencrypted communication to Redis cache.
Unencrypted communication can potentially allow disclosure of sensitive information to an untrusted party.
Recommendation#
Consider only using secure connections to Redis cache by enabling SSL and disabling the non-SSL port.
Examples#
Configure with Azure template#
To deploy caches that pass this rule:
- Set the
properties.enableNonSslPortproperty tofalse.
For example:
Azure Template snippet
{
"type": "Microsoft.Cache/redis",
"apiVersion": "2023-04-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"properties": {
"minimumTlsVersion": "1.2",
"redisVersion": "latest",
"sku": {
"name": "Premium",
"family": "P",
"capacity": 1
},
"redisConfiguration": {
"maxmemory-reserved": "615"
},
"enableNonSslPort": false
},
"zones": [
"1",
"2",
"3"
]
}
Configure with Bicep#
To deploy caches that pass this rule:
- Set the
properties.enableNonSslPortproperty tofalse.
For example:
Azure Bicep snippet
resource cache 'Microsoft.Cache/redis@2023-04-01' = {
name: name
location: location
properties: {
minimumTlsVersion: '1.2'
redisVersion: 'latest'
sku: {
name: 'Premium'
family: 'P'
capacity: 1
}
redisConfiguration: {
'maxmemory-reserved': '615'
}
enableNonSslPort: false
}
zones: [
'1'
'2'
'3'
]
}
Links#
- Data encryption in Azure
- How to configure Azure Cache for Redis
- DP-3: Encrypt sensitive data in transit
- Azure Policy Regulatory Compliance controls for Azure Cache for Redis
- Azure deployment reference
Last update:
2023-07-09