Redis Cache minimum TLS version
March 21, 2025
SYNOPSIS
Redis Cache should reject TLS versions older than 1.2.
DESCRIPTION
The minimum version of TLS that Redis Cache accepts was previously configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.
Depending on when your cache was deployed, you may be using a default that specifies an older version of TLS. New deployments do not allow TLS 1.0 or 1.1 to be specified; however, existing cache deployments may require updating.
Support for TLS 1.0 and TLS 1.1 will be removed on 1 November 2024.
RECOMMENDATION
Consider configuring the minimum supported TLS version to be 1.2. No action is required for new cache deployments from March 2024, which only support a minimum of TLS 1.2.
EXAMPLES
Configure with Azure template
To deploy caches that pass this rule:
- Set the properties.minimumTlsVersion property to a minimum of 1.2 for existing caches with an old version of TLS configured. It is not possible to set the properties.minimumTlsVersion on new cache deployments from March 2024. New cache deployments only support a minimum TLS version of 1.2.
For example:
{
  "type": "Microsoft.Cache/redis",
  "apiVersion": "2024-03-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "minimumTlsVersion": "1.2",
    "redisVersion": "latest",
    "sku": {
      "name": "Premium",
      "family": "P",
      "capacity": 1
    },
    "redisConfiguration": {
      "maxmemory-reserved": "615"
    },
    "enableNonSslPort": false,
    "publicNetworkAccess": "Disabled"
  },
  "zones": [
    "1",
    "2",
    "3"
  ]
}
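One way to check a template for this setting before deployment, as an added example that is not part of the original page or the rule's own implementation. The function names and the sample template are constructed here, and treating an unset minimumTlsVersion as a finding is an assumption made because the page notes older deployments may default to an older TLS version.

```python
import json

# Constructed sample template (not from the page): three caches with
# different minimumTlsVersion settings, plus an unrelated resource type.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {"type": "Microsoft.Cache/redis", "name": "cache-ok",
     "properties": {"minimumTlsVersion": "1.2"}},
    {"type": "Microsoft.Cache/redis", "name": "cache-old",
     "properties": {"minimumTlsVersion": "1.0"}},
    {"type": "Microsoft.Cache/redis", "name": "cache-unset",
     "properties": {"enableNonSslPort": false}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stor",
     "properties": {"minimumTlsVersion": "TLS1_0"}}
  ]
}
""")

REQUIRED = (1, 2)  # minimum TLS version recommended by the page


def parse_version(value):
    """Turn '1.2' into (1, 2); return None for anything unparseable."""
    try:
        return tuple(int(p) for p in str(value).strip().split("."))
    except ValueError:
        return None


def audit_redis_min_tls(template):
    """Return [(name, reason)] for Redis caches that do not pin TLS >= 1.2."""
    findings = []
    queue = list(template.get("resources", []))
    while queue:
        res = queue.pop(0)
        queue.extend(res.get("resources", []))  # include nested child resources
        if res.get("type", "").lower() != "microsoft.cache/redis":
            continue  # only Redis caches are in scope for this check
        value = res.get("properties", {}).get("minimumTlsVersion")
        if value is None:
            # Assumption: an unset value is reported for review, not passed.
            findings.append((res.get("name"), "minimumTlsVersion not set"))
        elif (parse_version(value) or (0,)) < REQUIRED:
            # Unparseable values (e.g. template expressions) are also flagged.
            findings.append((res.get("name"), f"minimumTlsVersion={value}"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_redis_min_tls(SAMPLE_TEMPLATE):
        print(f"FAIL {name}: {reason}")
```

The check assumes the template's resources section is an array; a value given as a template expression is flagged because it cannot be compared without resolving parameters first.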
Configure with Bicep
To deploy caches that pass this rule:
- Set the properties.minimumTlsVersion property to a minimum of 1.2 for existing caches with an old version of TLS configured. It is not possible to set the properties.minimumTlsVersion on new cache deployments from March 2024. New cache deployments only support a minimum TLS version of 1.2.
For example:
resource cache 'Microsoft.Cache/redis@2024-03-01' = {
  name: name
  location: location
  properties: {
    minimumTlsVersion: '1.2'
    redisVersion: 'latest'
    sku: {
      name: 'Premium'
      family: 'P'
      capacity: 1
    }
    redisConfiguration: {
      'maxmemory-reserved': '615'
    }
    enableNonSslPort: false
    publicNetworkAccess: 'Disabled'
  }
  zones: [
    '1'
    '2'
    '3'
  ]
}
Configure with Azure CLI
To deploy caches that pass this rule:
- Use the --set parameter. This parameter only applies to old cache deployments using TLS 1.0 or TLS 1.1.
For example:
az redis update -n '<name>' -g '<resource_group>' --set minimumTlsVersion=1.2
Configure with Azure PowerShell
To deploy caches that pass this rule:
- Use the -MinimumTlsVersion parameter. This parameter only applies to old cache deployments using TLS 1.0 or TLS 1.1.
For example:
Set-AzRedisCache -Name '<name>' -MinimumTlsVersion '1.2'