Which all are the Azure resources which use TLS ?

Udhayakumar Sundaramurty 21 Reputation points
2023-11-20T11:27:52.8433333+00:00

TLS version needs to be updated to the latest in our subscription. So apart from storage accounts which all are the Azure resources which uses TLS which can be configured ?

Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,853 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Udhayakumar Sundaramurty 21 Reputation points
    2023-11-21T06:29:23.7533333+00:00

    Hello @AdamZachary . Thank you for the reply. I could see the tls configuration for storage accounts for configuring it. But I couldn't find the same for function app , key vault , aks , aad and logic apps. your assistance is required on this one. Thanks again.


  2. Adam Zachary 2,911 Reputation points
    2023-11-22T01:10:35.54+00:00

    Hi @Udhayakumar Sundaramurty

    Well, yes not all Azure resources have a straightforward dropdown list where you can choose the minimum TLS version.

    So, based on the latest information from Microsoft's documentation, here's an overview of how TLS can be configured for the following Azure resources:

    Azure Function App:

    TLS configuration for Function Apps is available through the Azure Portal. To configure the minimum TLS version, you need to select your Function App, go to Settings tab -> Configuration -> General Settings​​. then under Platform settings you'll find "Minimum Inbound TLS version"

    FX-TLS

    Azure Logic Apps: Go to Azure portal, Search your Logic App. Go to -> Settings -> Configurations -> General Settings tab -> Stack Settings -> Minimum Inbound TLS version.

    TLS 1.3 support for Logic Apps, as part of Azure App Service, began rolling out in October 2023 and is expected to continue into 2024. During the initial release phase, there might be intermittent issues with TLS 1.3, so it's advised not to set TLS 1.3 as the minimum version until January 2024 to avoid connection failures or denied requests​​.

    Logic App TLS

    Azure Key Vault: As for Azure Key Vault, the approach to managing TLS versions differs from other Azure services. Key Vault does not allow for the direct configuration of the minimum TLS version at the service level. Instead, the control of TLS versions is largely dependent on the client-side configuration.

    TLS Configuration on the Client Side:

    • TLS version restrictions for Azure Key Vault can be implemented through client-side configurations. This means the applications or services communicating with Azure Key Vault should enforce the desired TLS version, such as TLS 1.2​​.

    In short for Azure Key Vault, the emphasis is on ensuring that the client applications and services that interact with the Key Vault are configured to use the desired TLS version, as the service itself does not provide a direct mechanism to enforce a minimum TLS version.

    Azure Kubernetes Service (AKS):

    Configuring TLS/SSL settings for AKS primarily involves the use of an ingress controller.

    TLS can be used with an ingress controller to secure communication between applications. The NGINX ingress controller, for example, supports TLS termination. Certificates for HTTPS can be retrieved and configured in several ways, including automatic generation and management through cert-manager​​​​. In short, there is no option from the Azure portal to flip a switch and choose the minimum TLS version.

    Azure Active Directory (AAD):

    For configuring TLS/SSL settings in Azure Active Directory (Azure AD) or Microsoft Entra ID, the focus is primarily on ensuring that the client-side applications and systems interacting with Azure AD support the required TLS version. Based on the latest Microsoft documentation:

    1. Update Client Applications and Services:
      • Ensure that any applications communicating with or authenticating against Microsoft Entra ID can use TLS 1.2. This includes applications like Microsoft Entra Connect, Microsoft Graph PowerShell, and others​​.
    2. Update Operating Systems and .NET Framework:
      • Configure both client and server operating systems to support TLS 1.2 and contemporary cipher suites. This might involve updating the Windows OS and the default TLS for "WinHTTP".
        • Update and configure your .NET Framework installation to support TLS 1.2​​.
    3. Check and Update Web Browsers and Proxies:
      • Ensure that web browsers and web proxies used in your environment support TLS 1.2. This may include updating to the latest versions and checking the vendor's documentation for TLS support​​.

    If you find the provided information helpful and it resolves your query, please consider accepting the answer. Your feedback is valuable and helps ensure the quality and relevance of the responses.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.