Cosmos DB account minimum TLS version
March 21, 2025
SYNOPSIS
Cosmos DB accounts should reject TLS versions older than 1.2.
DESCRIPTION
The minimum version of TLS that Azure Cosmos DB accepts for client communication is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.
Azure Cosmos DB lets you disable outdated protocols and enforce TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 are all accepted.
RECOMMENDATION
Consider configuring the minimum supported TLS version to be 1.2. Also consider enforcing this setting using Azure Policy.
EXAMPLES
Configure with Azure template
To deploy database accounts that pass this rule:
- Set the properties.minimalTlsVersion property to Tls12.
For example:
{
  "type": "Microsoft.DocumentDB/databaseAccounts",
  "apiVersion": "2023-11-15",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "enableFreeTier": false,
    "consistencyPolicy": {
      "defaultConsistencyLevel": "Session"
    },
    "databaseAccountOfferType": "Standard",
    "locations": [
      {
        "locationName": "[parameters('location')]",
        "failoverPriority": 0,
        "isZoneRedundant": true
      }
    ],
    "disableKeyBasedMetadataWriteAccess": true,
    "minimalTlsVersion": "Tls12"
  }
}
Configure with Bicep
To deploy database accounts that pass this rule:
- Set the properties.minimalTlsVersion property to Tls12.
For example:
resource account 'Microsoft.DocumentDB/databaseAccounts@2023-11-15' = {
  name: name
  location: location
  properties: {
    enableFreeTier: false
    consistencyPolicy: {
      defaultConsistencyLevel: 'Session'
    }
    databaseAccountOfferType: 'Standard'
    locations: [
      {
        locationName: location
        failoverPriority: 0
        isZoneRedundant: true
      }
    ]
    disableKeyBasedMetadataWriteAccess: true
    minimalTlsVersion: 'Tls12'
  }
}
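To check existing deployments against this rule before they reach Azure Policy, the following added example (not part of the rule's own implementation) evaluates an exported ARM resource list the way the rule does, treating a missing minimalTlsVersion as a failure because the service default still accepts TLS 1.0 and 1.1. The account names and the list of resources are constructed sample input; Tls11 is one of the API's other allowed values for the property.

```python
import json

# Only this value of properties.minimalTlsVersion passes the rule.
COMPLIANT_MIN_TLS = "Tls12"
COSMOS_TYPE = "microsoft.documentdb/databaseaccounts"


def evaluate_min_tls(resource: dict) -> tuple:
    """Return (passes, reason) for one Microsoft.DocumentDB/databaseAccounts resource.

    A missing property fails: by default Cosmos DB still accepts TLS 1.0 and 1.1.
    The comparison is case-insensitive because ARM accepts enum values that way.
    """
    if resource.get("type", "").lower() != COSMOS_TYPE:
        raise ValueError("not a Cosmos DB account resource")
    props = resource.get("properties") or {}
    value = props.get("minimalTlsVersion")
    if value is None:
        return False, "minimalTlsVersion not set; service default allows TLS 1.0 and 1.1"
    if str(value).lower() == COMPLIANT_MIN_TLS.lower():
        return True, "minimalTlsVersion is Tls12"
    return False, f"minimalTlsVersion is {value!r}, expected {COMPLIANT_MIN_TLS!r}"


def audit_accounts(resources: list) -> list:
    """Return (name, reason) for every Cosmos DB account in the list that fails."""
    failing = []
    for res in resources:
        if res.get("type", "").lower() != COSMOS_TYPE:
            continue  # other resource types are out of scope for this rule
        passes, reason = evaluate_min_tls(res)
        if not passes:
            failing.append((res.get("name", "<unnamed>"), reason))
    return failing


# Constructed sample: resources as they might appear in an exported template.
SAMPLE_RESOURCES = json.loads("""[
  {"type": "Microsoft.DocumentDB/databaseAccounts", "name": "cosmos-good",
   "properties": {"minimalTlsVersion": "Tls12"}},
  {"type": "Microsoft.DocumentDB/databaseAccounts", "name": "cosmos-legacy",
   "properties": {"minimalTlsVersion": "Tls11"}},
  {"type": "Microsoft.DocumentDB/databaseAccounts", "name": "cosmos-default",
   "properties": {}},
  {"type": "Microsoft.Storage/storageAccounts", "name": "stg1", "properties": {}}
]""")

if __name__ == "__main__":
    for name, reason in audit_accounts(SAMPLE_RESOURCES):
        print(f"FAIL {name}: {reason}")
```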