Redis Cache minimum TLS version

March 21, 2025

SYNOPSIS

Redis Cache should reject TLS versions older than 1.2.

DESCRIPTION

The minimum version of TLS that Redis Cache accepts was previously configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

Depending on when your cache was deployed, you may be using a default that specifies an older version of TLS. New deployments do not allow TLS 1.0 or 1.1 to be specified; however, existing cache deployments may require updating.

Support for TLS 1.0 and TLS 1.1 will be removed on 1 November 2024.

RECOMMENDATION

Consider configuring the minimum supported TLS version to be 1.2. No action is required for new cache deployments from March 2024, which only support a minimum of TLS 1.2.

EXAMPLES

Configure with Azure template

To deploy caches that pass this rule:

  • Set the properties.minimumTlsVersion property to a minimum of 1.2 for existing caches with an old version of TLS configured. It is not possible to set the properties.minimumTlsVersion on new cache deployments from March 2024. New cache deployments only support a minimum TLS version of 1.2.

For example:

{
  "type": "Microsoft.Cache/redis",
  "apiVersion": "2024-03-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "minimumTlsVersion": "1.2",
    "redisVersion": "latest",
    "sku": {
      "name": "Premium",
      "family": "P",
      "capacity": 1
    },
    "redisConfiguration": {
      "maxmemory-reserved": "615"
    },
    "enableNonSslPort": false,
    "publicNetworkAccess": "Disabled"
  },
  "zones": [
    "1",
    "2",
    "3"
  ]
}
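
A pre-deployment check for the template requirement above, added here as an illustration; it is not the rule's own implementation. It assumes an ARM template already loaded as a Python dict, and the function names, the "review" status for unset or unevaluable values, and the sample resource names are constructed for this example.

```python
import re

REDIS_TYPE = "microsoft.cache/redis"
MIN_TLS = (1, 2)  # rule threshold: TLS 1.2
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")
# Constructed sample template (resource and parameter names are made up).
SAMPLE_TEMPLATE = {
    "parameters": {"tls": {"type": "string", "defaultValue": "1.2"}},
    "resources": [
        {"type": "Microsoft.Cache/redis", "name": "cache-legacy",
         "properties": {"minimumTlsVersion": "1.0"}},
        {"type": "Microsoft.Cache/redis", "name": "cache-param",
         "properties": {"minimumTlsVersion": "[parameters('tls')]"}},
        {"type": "Microsoft.Cache/redis", "name": "cache-unset", "properties": {}},
    ],
}

def _walk(resources):
    """Yield every resource, descending into nested child resources."""
    if isinstance(resources, dict):  # symbolic-name templates use an object
        resources = resources.values()
    for res in resources or []:
        yield res
        yield from _walk(res.get("resources"))

def _resolve(value, params):
    """Map a simple [parameters('x')] reference to that parameter's defaultValue."""
    m = PARAM_REF.match(value) if isinstance(value, str) else None
    return params.get(m.group(1), {}).get("defaultValue") if m else value

def check_template(template):
    """Return (name, status, configured value) per Microsoft.Cache/redis resource."""
    params = template.get("parameters", {})
    findings = []
    for res in _walk(template.get("resources")):
        if str(res.get("type", "")).lower() != REDIS_TYPE:
            continue
        raw = res.get("properties", {}).get("minimumTlsVersion")
        try:
            ver = tuple(int(p) for p in str(_resolve(raw, params)).split("."))
            status = "pass" if ver >= MIN_TLS else "fail"
        except ValueError:  # unset, or an expression that cannot be evaluated here
            status = "review"
        findings.append((res.get("name"), status, raw))
    return findings

if __name__ == "__main__":
    for name, status, raw in check_template(SAMPLE_TEMPLATE):
        print(f"{status:6} {name}: minimumTlsVersion={raw!r}")
```

A "review" result means the template leaves the value to the service default or to a deployment-time expression, so the effective setting has to be confirmed on the deployed cache.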

Configure with Bicep

To deploy caches that pass this rule:

  • Set the properties.minimumTlsVersion property to a minimum of 1.2 for existing caches with an old version of TLS configured. It is not possible to set the properties.minimumTlsVersion on new cache deployments from March 2024. New cache deployments only support a minimum TLS version of 1.2.

For example:

resource cache 'Microsoft.Cache/redis@2024-03-01' = {
  name: name
  location: location
  properties: {
    minimumTlsVersion: '1.2'
    redisVersion: 'latest'
    sku: {
      name: 'Premium'
      family: 'P'
      capacity: 1
    }
    redisConfiguration: {
      'maxmemory-reserved': '615'
    }
    enableNonSslPort: false
    publicNetworkAccess: 'Disabled'
  }
  zones: [
    '1'
    '2'
    '3'
  ]
}

Configure with Azure CLI

To deploy caches that pass this rule:

  • Use the --set parameter. This parameter only applies to old cache deployments using TLS 1.0 or TLS 1.1.

For example:

az redis update -n '<name>' -g '<resource_group>' --set minimumTlsVersion=1.2

Configure with Azure PowerShell

To deploy caches that pass this rule:

  • Use the -MinimumTlsVersion parameter. This parameter only applies to old cache deployments using TLS 1.0 or TLS 1.1.

For example:

Set-AzRedisCache -Name '<name>' -MinimumTlsVersion '1.2'