# Use secure connections to Redis instances

Security · Azure Cache for Redis · Rule · 2020_06 · Critical

Azure Cache for Redis should only accept secure connections.

## Description

Azure Cache for Redis can be configured to accept encrypted and unencrypted connections. By default, only encrypted communication is accepted. To accept unencrypted connections, the non-SSL port must be enabled. Enabling the non-SSL port on Azure Cache for Redis allows clients to communicate with the cache without encryption.

Unencrypted communication can potentially allow disclosure of sensitive information to an untrusted party.

## Recommendation

Consider only using secure connections to Redis cache by enabling SSL and disabling the non-SSL port.

## Examples

### Configure with Azure template

To deploy caches that pass this rule:

  • Set the properties.enableNonSslPort property to false.

For example:

```json
{
  "type": "Microsoft.Cache/redis",
  "apiVersion": "2023-04-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "minimumTlsVersion": "1.2",
    "redisVersion": "latest",
    "sku": {
      "name": "Premium",
      "family": "P",
      "capacity": 1
    },
    "redisConfiguration": {
      "maxmemory-reserved": "615"
    },
    "enableNonSslPort": false
  },
  "zones": [
    "1",
    "2",
    "3"
  ]
}
```

### Configure with Bicep

To deploy caches that pass this rule:

  • Set the properties.enableNonSslPort property to false.

For example:

```bicep
resource cache 'Microsoft.Cache/redis@2023-04-01' = {
  name: name
  location: location
  properties: {
    minimumTlsVersion: '1.2'
    redisVersion: 'latest'
    sku: {
      name: 'Premium'
      family: 'P'
      capacity: 1
    }
    redisConfiguration: {
      'maxmemory-reserved': '615'
    }
    enableNonSslPort: false
  }
  zones: [
    '1'
    '2'
    '3'
  ]
}
```
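The Azure template and Bicep examples above both set `enableNonSslPort` to `false`. The following added example (written for this page, not PSRule's own rule implementation) shows how the same check can be applied to an ARM template before deployment: it walks the `resources` array, picks out `Microsoft.Cache/redis` resources, and reports whether each one passes, fails, or cannot be decided because the value is a template expression. A Bicep file can be checked the same way after compiling it to ARM JSON with `bicep build`. The sample template inside the block is constructed for the example and contains one compliant cache, one that enables the non-SSL port, and one whose setting comes from a parameter.

```python
import json
from typing import Optional

REDIS_TYPE = "Microsoft.Cache/redis"

# Constructed sample ARM template (not from the page): one cache that passes the
# rule, one that enables the non-SSL port, one whose setting is a template
# expression that cannot be resolved without parameter values, and one
# unrelated resource that the check must ignore.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {"type": "Microsoft.Cache/redis", "apiVersion": "2023-04-01", "name": "cache-secure",
         "properties": {"minimumTlsVersion": "1.2", "enableNonSslPort": False}},
        {"type": "Microsoft.Cache/redis", "apiVersion": "2023-04-01", "name": "cache-legacy",
         "properties": {"enableNonSslPort": True}},
        {"type": "Microsoft.Cache/redis", "apiVersion": "2023-04-01", "name": "cache-param",
         "properties": {"enableNonSslPort": "[parameters('allowNonSsl')]"}},
        {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2023-01-01",
         "name": "unrelated", "properties": {}},
    ],
})


def evaluate_redis_resource(resource: dict) -> tuple[str, Optional[bool], str]:
    """Evaluate one Microsoft.Cache/redis resource against the rule.

    Returns (name, verdict, reason) where verdict is True (pass), False (fail) or
    None (cannot be decided statically, e.g. the value is a template expression).
    """
    name = resource.get("name", "<unnamed>")
    props = resource.get("properties") or {}
    # Omitting the property means the service default applies: non-SSL port disabled.
    value = props.get("enableNonSslPort", False)
    if value is False:
        return name, True, "enableNonSslPort is false; only the TLS port is exposed"
    if value is True:
        return name, False, "enableNonSslPort is true; the cache accepts unencrypted connections"
    return name, None, f"enableNonSslPort is not a literal boolean ({value!r}); resolve parameters first"


def check_template(template_text: str) -> list[tuple[str, Optional[bool], str]]:
    """Run the rule over every top-level Redis resource in an ARM template (JSON text)."""
    template = json.loads(template_text)
    results = []
    for resource in template.get("resources", []):
        # Resource types are case-insensitive in ARM; nested child resources are not walked here.
        if str(resource.get("type", "")).lower() == REDIS_TYPE.lower():
            results.append(evaluate_redis_resource(resource))
    return results


def failing_caches(template_text: str) -> list[str]:
    """Names of caches that definitely fail the rule, suitable as a CI gate."""
    return [name for name, verdict, _ in check_template(template_text) if verdict is False]


if __name__ == "__main__":
    for name, verdict, reason in check_template(SAMPLE_TEMPLATE):
        status = {True: "PASS", False: "FAIL", None: "WARN"}[verdict]
        print(f"{status:4} {name}: {reason}")
```

The unresolved case is reported separately rather than treated as a pass: a parameter that defaults to `true` would otherwise slip through a static check, so a pipeline should either fail on `WARN` results or evaluate the template with its real parameter file.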
