Application Gateways use a minimum TLS 1.2

March 21, 2025 · View on GitHub

SYNOPSIS

Application Gateway should only accept a minimum of TLS 1.2.

DESCRIPTION

The minimum version of TLS that Application Gateways accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.

Application Gateway should only accept a minimum of TLS 1.2 to ensure secure connections.

RECOMMENDATION

Consider configuring Application Gateways to accept a minimum of TLS 1.2.

Configure with Azure template

To deploy Application Gateways that pass this rule use a predefined or custom policy:

  • Custom — Set the properties.sslPolicy.policyType property to Custom.
    • Set the properties.sslPolicy.minProtocolVersion property to TLSv1_2.
    • Set the properties.sslPolicy.cipherSuites property to a list of supported ciphers. For example:
      • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • Predefined — Set the properties.sslPolicy.policyType property to Predefined.
    • Set the properties.sslPolicy.policyName property to a supported predefined policy such as AppGwSslPolicy20220101S.

For example:

{
  "type": "Microsoft.Network/applicationGateways",
  "apiVersion": "2023-09-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "zones": [
    "1",
    "2",
    "3"
  ],
  "properties": {
    "sku": {
      "name": "WAF_v2",
      "tier": "WAF_v2"
    },
    "sslPolicy": {
      "policyType": "Custom",
      "minProtocolVersion": "TLSv1_2",
      "cipherSuites": [
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
      ]
    }
  }
}

Configure with Bicep

To deploy Application Gateways that pass this rule use a predefined or custom policy:

  • Custom — Set the properties.sslPolicy.policyType property to Custom.
    • Set the properties.sslPolicy.minProtocolVersion property to TLSv1_2.
    • Set the properties.sslPolicy.cipherSuites property to a list of supported ciphers. For example:
      • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • Predefined — Set the properties.sslPolicy.policyType property to Predefined.
    • Set the properties.sslPolicy.policyName property to a supported predefined policy such as AppGwSslPolicy20220101S.

For example:

resource app_gw 'Microsoft.Network/applicationGateways@2023-09-01' = {
  name: name
  location: location
  zones: [
    '1'
    '2'
    '3'
  ]
  properties: {
    sku: {
      name: 'WAF_v2'
      tier: 'WAF_v2'
    }
    sslPolicy: {
      policyType: 'Custom'
      minProtocolVersion: 'TLSv1_2'
      cipherSuites: [
        'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'
        'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256'
        'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
        'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
      ]
    }
  }
}

Configure with Azure PowerShell

$gw = Get-AzApplicationGateway -Name '<name>' -ResourceGroupName '<resource_group>'
Set-AzApplicationGatewaySslPolicy -ApplicationGateway $gw -PolicyType Custom -MinProtocolVersion TLSv1_2 -CipherSuite 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'