Skip to content

Redis Cache minimum TLS version#

Security · Azure Cache for Redis Enterprise · Rule · 2022_09 · Critical

Redis Cache should reject TLS versions older than 1.2.

Description#

The minimum version of TLS that Redis Cache accepts is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.

Recommendation#

Consider configuring the minimum supported TLS version to be 1.2. Support for TLS 1.0/ 1.1 version will be removed.

Examples#

Configure with Azure template#

To deploy caches that pass this rule:

  • Set the properties.minimumTlsVersion property to 1.2.

For example:

Azure Template snippet
{
  "type": "Microsoft.Cache/redisEnterprise",
  "apiVersion": "2022-01-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Enterprise_E10"
  },
  "properties": {
    "minimumTlsVersion": "1.2"
  }
}

Configure with Bicep#

To deploy caches that pass this rule:

  • Set the properties.minimumTlsVersion property to 1.2.

For example:

Azure Bicep snippet
resource cache 'Microsoft.Cache/redisEnterprise@2022-01-01' = {
  name: name
  location: location
  sku: {
    name: 'Enterprise_E10'
  }
  properties: {
    minimumTlsVersion: '1.2'
  }
}

Configure with Azure CLI#

To deploy caches that pass this rule:

  • Use the --set parameter.

For example:

Azure CLI snippet
az redis update -n '<name>' -g '<resource_group>' --set minimumTlsVersion=1.2

Configure with Azure PowerShell#

To deploy caches that pass this rule:

  • Use the -MinimumTlsVersion parameter.

For example:

Azure PowerShell snippet
Set-AzRedisCache -Name '<name>' -MinimumTlsVersion '1.2'

Comments