Event Hub Namespace accepts insecure TLS versions
March 28, 2025 ยท View on GitHub
SYNOPSIS
Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities.
DESCRIPTION
The minimum version of TLS that Event Hub namespaces accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.
Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.
When clients connect using an older version of TLS that is disabled, the connection will fail.
RECOMMENDATION
Configure the minimum supported TLS version to be 1.2. Also consider enforcing this setting using Azure Policy.
EXAMPLES
Configure with Azure template
To deploy Event Hub namespaces that pass this rule:
- Set the
properties.minimumTlsVersionproperty to1.2.
For example:
{
"type": "Microsoft.EventHub/namespaces",
"apiVersion": "2024-01-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"identity": {
"type": "SystemAssigned"
},
"sku": {
"name": "Standard"
},
"properties": {
"disableLocalAuth": true,
"minimumTlsVersion": "1.2",
"publicNetworkAccess": "Disabled",
"isAutoInflateEnabled": true,
"maximumThroughputUnits": 10,
"zoneRedundant": true
}
}
Configure with Bicep
To deploy Event Hub namespaces that pass this rule:
- Set the
properties.minimumTlsVersionproperty to1.2.
For example:
resource ns 'Microsoft.EventHub/namespaces@2024-01-01' = {
name: name
location: location
identity: {
type: 'SystemAssigned'
}
sku: {
name: 'Standard'
}
properties: {
disableLocalAuth: true
minimumTlsVersion: '1.2'
publicNetworkAccess: 'Disabled'
isAutoInflateEnabled: true
maximumThroughputUnits: 10
zoneRedundant: true
}
}