Clarification on TLS 1.0/1.1 Deprecation Notification | Azure application gateway

$@chin 150 Reputation points
2025-04-22T19:03:12.77+00:00

Hi,

I received a Health Advisor alert regarding the recommendation to update Azure Application Gateway to TLS 1.2 or later. Upon reviewing the listener settings, I can confirm that the current SSL policy is already configured to use TLS 1.2, which is the latest supported version.

However, under Azure Service Retirement, a few Application Gateways are still flagged for the TLS update, while others are not—even though all of them are configured with the same settings. Additionally, although the predefined SSL policy lists TLS 1.0, we are not using that policy. We are using the default policy that supports only TLS 1.2.

Given that all our Application Gateways are using the same SSL policy with TLS 1.2, I’m trying to understand why the Health Advisor alert is being triggered and why only a subset of gateways appear under the service retirement notice. Could this be a false positive, or is there another configuration aspect that needs to be addressed?


1 answer

  1. Silvia Wibowo 5,706 Reputation points Microsoft Employee
    2025-04-23T02:50:25.73+00:00

    Hi @$@chin, I understand that you're receiving a Health Advisor alert about App Gateways on TLS Policy.

    According to documentation: when no specific SSL Policy is specified in the application gateway resource configuration, a default TLS policy gets applied. The selection of this default policy is based on the API version used to create that gateway.

    • For API versions 2023-02-01 or higher, the minimum protocol version is set to 1.2 (version up to 1.3 is supported). The gateways created with these API versions will see a read-only property defaultPredefinedSslPolicy:AppGwSslPolicy20220101 in the resource configuration. This property defines the default TLS policy to use.
    • For older API versions < 2023-02-01, the minimum protocol version is set to 1.0 (versions up to 1.2 are supported) as they use the predefined policy AppGwSslPolicy20150501 as default.

    It could be that some of your App Gateways were created before Feb-2023, so with default policy, the minimum protocol is set to TLS 1.0.

    You can change TLS policy for the App Gateways mentioned in the Health Advisor alert:

    # You have to change these parameters to match your environment.
    $AppGWname = "YourAppGwName"
    $RG = "YourResourceGroupName"
    $AppGW = Get-AzApplicationGateway -Name $AppGWname -ResourceGroupName $RG
    # TLS Predefined Policy (minimum TLS 1.2)
    Set-AzApplicationGatewaySslPolicy -PolicyType Predefined -PolicyName "AppGwSslPolicy20220101" -ApplicationGateway $AppGW
    # Update AppGW
    # The TLS policy options are not validated or updated on the Application Gateway until this cmdlet is executed.
    $SetGW = Set-AzApplicationGateway -ApplicationGateway $AppGW
    
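To find out which gateways actually fall back to the older default before changing anything, the following added audit script (not part of the answer above or of Microsoft's documentation) lists every Application Gateway in the current subscription with its effective minimum TLS version. It assumes Az.Network is installed, Connect-AzAccount has been run, and that a gateway with no explicit SslPolicy exposes DefaultPredefinedSslPolicy only when created with API 2023-02-01 or later, as the answer describes.

```powershell
# Added example: audit the effective minimum TLS version of all Application Gateways.
# Assumption: Az.Network is loaded and Connect-AzAccount has already been run.
# With no -Name/-ResourceGroupName, Get-AzApplicationGateway returns every gateway in the subscription.
$gateways = Get-AzApplicationGateway

$report = foreach ($gw in $gateways) {
    $policy = $gw.SslPolicy
    if ($null -eq $policy -or [string]::IsNullOrEmpty($policy.PolicyType)) {
        # No explicit policy: the default depends on the API version the gateway was created with.
        # Gateways created with API 2023-02-01 or later expose the read-only DefaultPredefinedSslPolicy
        # (AppGwSslPolicy20220101); older ones silently use AppGwSslPolicy20150501, which allows TLS 1.0.
        $effectiveName = if ($gw.DefaultPredefinedSslPolicy) { $gw.DefaultPredefinedSslPolicy } else { 'AppGwSslPolicy20150501' }
        $source = 'default (not set explicitly)'
    }
    elseif ($policy.PolicyType -eq 'Predefined') {
        $effectiveName = $policy.PolicyName
        $source = 'predefined'
    }
    else {
        # Custom / CustomV2 policies carry their own MinProtocolVersion.
        $effectiveName = $null
        $source = $policy.PolicyType
    }

    # Resolve a predefined policy name to its minimum protocol version (TLSv1_0 ... TLSv1_3).
    $minVersion = if ($effectiveName) {
        (Get-AzApplicationGatewaySslPredefinedPolicy -Name $effectiveName).MinProtocolVersion
    }
    else {
        $policy.MinProtocolVersion
    }

    [pscustomobject]@{
        Name               = $gw.Name
        ResourceGroup      = $gw.ResourceGroupName
        PolicySource       = $source
        Policy             = $effectiveName
        MinProtocolVersion = $minVersion
        # Anything below TLS 1.2 is what the Health Advisor / retirement notice is flagging.
        NeedsUpdate        = ($minVersion -in 'TLSv1_0', 'TLSv1_1')
    }
}

$report | Sort-Object NeedsUpdate -Descending | Format-Table -AutoSize
```

Gateways reported with NeedsUpdate = True are the ones to move to AppGwSslPolicy20220101 with the commands in the answer; gateways whose portal listener shows TLS 1.2 but whose resource has no explicit SslPolicy will still appear here if they were created with an older API version.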
