Skip to content

Enforce namespaces to minimum use TLS 1.2 version#

Security · Service Bus · Rule · 2022_12 · Important

Service Bus namespaces should reject TLS versions older than 1.2.

Description#

Clients connect to Azure Service Bus to send and receive messages over a Transport Layer Security (TLS) encrypted connection. The minimum version of TLS that Service Bus accepts is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS. Additionally, support for TLS 1.0 and 1.1 are on a deprecation path across Azure services.

Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 are accepted.

When clients connect using an older version of TLS that is disabled, the connection will fail.

Recommendation#

Consider configuring the minimum supported TLS version for Service Bus clients to be 1.2. Also consider enforcing this setting using Azure Policy.

Examples#

Configure with Azure template#

To deploy namespaces that pass this rule:

  • Set the properties.minimumTlsVersion property to 1.2.

For example:

Azure Template snippet
{
  "type": "Microsoft.ServiceBus/namespaces",
  "apiVersion": "2022-10-01-preview",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned"
  },
  "sku": {
    "name": "Standard"
  },
  "properties": {
    "disableLocalAuth": true,
    "minimumTlsVersion": "1.2"
  }
}

Configure with Bicep#

To deploy namespaces that pass this rule:

  • Set the properties.minimumTlsVersion property to 1.2.

For example:

Azure Bicep snippet
resource ns 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' = {
  name: name
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  sku: {
    name: 'Standard'
  }
  properties: {
    disableLocalAuth: true
    minimumTlsVersion: '1.2'
  }
}

Configure with Azure Verified Modules

A pre-built module is avilable on the Azure Bicep public registry. To reference the module, please use the following syntax: br/public:avm/res/service-bus/namespace:<version>

Configure with Azure CLI#

Azure CLI snippet
az servicebus namespace update -n '<name>' -g '<resource_group>' --minimum-tls-version '1.2'

Configure with Azure PowerShell#

Azure PowerShell snippet
$ns = Get-AzServiceBusNamespace  -Name '<name>' -ResourceGroupName '<resource_group>'
Set-AzServiceBusNamespace -InputObject $ns -MinimumTlsVersion '1.2'

Comments