Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,172 questions
Update Azure Application Gateway to TLS 1.2 or later before 31 August 2025
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 61%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFE%3C/text%3E%3C/svg%3E)
FPI Erick Aspiras(Erick Aspiras)
20
Reputation points
Need help on this. Currently, I do not have any SSL profile configured in my application gateway.
Do I need to do anything about it? I'm concerned about the Azure notice on - Update Azure Application Gateway to TLS 1.2 or later before 31 August 2025
To align with security best practices, we'll require all connections to Application Gateway to be secured using Transport Layer Security (TLS) 1.2 or later beginning 31 August 2025, when support for TLS 1.0 and 1.1 will end.
If your frontend or backend connections aren't using TLS 1.2 or later, you may need to update your TLS policy, ensure backend compatibility, or take both actions before 31 August 2025.
TLS 1.2 and later provide improved security features, including perfect forward secrecy and stronger cipher suites.
If your frontend and backend connections are already using TLS 1.2 or later, no further action is required.
Required action
To avoid service disruptions, you may need to take one or both of the following actions before 31 August 2025:
- For frontend connections, update your TLS policy to the predefined AppGwSslPolicy20220101S or AppGwSslPolicy20220101, or configure a custom policy with minimum TLS version 1.2. If you're using the CustomV2 policy, no action is required.
- For backend connections, ensure your servers in the backend pools are compatible with TLS 1.2. This will prevent any issues with backend TLS/HTTPS connection.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 75%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESG%3C/text%3E%3C/svg%3E)
Shikha Ghildiyal 4,865 Reputation points Microsoft Employee2025-04-24T11:50:20.9933333+00:00 Hi FPI Erick Aspiras(Erick Aspiras)
Thanks for reaching out to Microsoft Q&A.
Starting August 31, 2025, all clients and backend servers interacting with Azure Application Gateway must use Transport Layer Security (TLS) 1.2 or higher, as support for TLS 1.0 and 1.1 will be discontinued.
Kindly follow this document for steps that needs to be followed to enable TLS- https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-policy-overview
Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 45%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESA%3C/text%3E%3C/svg%3E)
Shravan Addagatla 540 Reputation points Microsoft External Staff2025-04-24T11:57:40.84+00:00 Hi FPI Erick Aspiras(Erick Aspiras)
I understand your concern about the upcoming requirement to use TLS 1.2 or later with your Azure Application Gateway by August 31, 2025.
Since you mentioned that you don’t have SSL (HTTPS) connections configured on your Application Gateway, it means you're likely handling traffic over HTTP. In this case, the upcoming TLS 1.2 enforcement won't impact your connectivity, unless you decide to introduce SSL/TLS in the future. Also, if you're not using SSL/TLS, your traffic isn't encrypted, and the TLS policy changes won't affect your current setup.
However, if you enable SSL/TLS on the Application Gateway, you'll need to configure it to use TLS 1.2 or later to comply with Azure’s security requirements.
Here’s what you can do:
- Frontend TLS Connections: Since you don’t have an SSL profile configured, update the TLS policy for your frontend connections by either:
- Switching to one of the predefined policies, such as AppGwSslPolicy20220101S or AppGwSslPolicy20220101, which enforce a minimum TLS version of 1.2.
- Ensuring your custom policy specifies TLS 1.2 or later.
- Backend Connections: Check your backend servers to confirm they support TLS 1.2 or later, as Azure Application Gateway does not control the backend server's TLS versions.
Refer the below articles.
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-policy-overview
Please let me know if you have any further questions, so we can address them.
- Frontend TLS Connections: Since you don’t have an SSL profile configured, update the TLS policy for your frontend connections by either:
-
Shravan Addagatla 540 Reputation points Microsoft External Staff
2025-04-25T09:54:21.68+00:00 Hi FPI Erick Aspiras(Erick Aspiras)
Just checking in to see if above information was helpful. If you have any further updates on this issue, please let me know. Thank you
Sign in to comment
Sign in to answer