Ensure that Spring Cloud App has end-to-end TLS enabled

Enabling end-to-end TLS keeps the hop from the ingress controller to the application encrypted, for applications that serve HTTPS.

Risk Level: High
Cloud Entity: Spring Cloud
CloudGuard Rule ID: D9.AZU.CRY.30
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

SpringCloud should have apps contain-all [ properties.enableEndToEndTLS=true ]

REMEDIATION

From Portal

  1. Go to 'Azure Spring Cloud' and choose your Spring Cloud resource
  2. Under 'Settings', select 'Apps' on the navigation menu
  3. For each Spring Cloud app:
     4. Under 'Settings', select 'Ingress-to-app TLS' on the navigation menu
     5. Set 'Ingress-to-app TLS' to 'Yes'

From TF
Set the 'tls_enabled' argument to 'true':

resource "azurerm_spring_cloud_app" "example" {
	..
	tls_enabled = true
	..
}

From Command Line
To enable end-to-end TLS on an existing app, run the following once per app (the rule requires every app in the service to have it enabled):

az spring-cloud app update --enable-ingress-to-app-tls --name APP-NAME --resource-group RESOURCE-GROUP --service SPRING-CLOUD-SERVICE
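The following is an added example, not part of the CloudGuard rule page or Check Point's own code: it evaluates the GSL logic above (every app must satisfy properties.enableEndToEndTLS=true) over a list of apps and prints the page's remediation command for each app that fails. It assumes the app objects have the same shape as the output of az spring-cloud app list, with the flag at properties.enableEndToEndTLS; the sample JSON is constructed for the example, and RESOURCE-GROUP / SPRING-CLOUD-SERVICE are the same placeholders used on the page.

```python
import json

# Constructed sample of app objects in the assumed shape of
# `az spring-cloud app list` output. Only properties.enableEndToEndTLS is
# inspected by the rule; the other fields are illustrative.
SAMPLE_APPS_JSON = """
[
  {"name": "orders-api", "properties": {"enableEndToEndTLS": true,  "public": true}},
  {"name": "billing",    "properties": {"enableEndToEndTLS": false, "public": false}},
  {"name": "legacy-ui",  "properties": {"public": true}}
]
"""


def parse_apps(text: str) -> list:
    """Parse a JSON array of app objects (e.g. saved CLI output)."""
    apps = json.loads(text)
    if not isinstance(apps, list):
        raise ValueError("expected a JSON array of apps")
    return apps


def app_has_end_to_end_tls(app: dict) -> bool:
    """Mirror of the GSL predicate properties.enableEndToEndTLS=true.
    A missing or non-boolean property is treated as not enabled (fail closed)."""
    return app.get("properties", {}).get("enableEndToEndTLS") is True


def evaluate_rule(apps: list) -> dict:
    """Apply 'apps contain-all [ ... ]': the service is compliant only when
    every app satisfies the predicate. Returns the verdict and the names of
    the apps that fail it."""
    failing = [a.get("name", "<unnamed>") for a in apps if not app_has_end_to_end_tls(a)]
    return {"compliant": not failing, "failing_apps": failing}


def remediation_commands(failing_apps: list, resource_group: str, service: str) -> list:
    """Build the page's CLI remediation command for each non-compliant app."""
    return [
        "az spring-cloud app update --enable-ingress-to-app-tls "
        f"--name {name} --resource-group {resource_group} --service {service}"
        for name in failing_apps
    ]


def evaluate_sample() -> dict:
    """Run the check over the constructed sample (used by main and by tests)."""
    return evaluate_rule(parse_apps(SAMPLE_APPS_JSON))


def main():
    result = evaluate_sample()
    print(f"D9.AZU.CRY.30 compliant: {result['compliant']}")
    for cmd in remediation_commands(result["failing_apps"], "RESOURCE-GROUP", "SPRING-CLOUD-SERVICE"):
        print("  " + cmd)


if __name__ == "__main__":
    main()
```

Treating a missing enableEndToEndTLS property as a failure is deliberate: an app that never had the setting written is exactly the case the rule is meant to surface, and an evaluator that only flagged an explicit false would pass it silently.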

References

  1. https://docs.microsoft.com/en-us/azure/spring-cloud/how-to-enable-end-to-end-tls
  2. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/spring_cloud_app#tls_enabled

Spring Cloud

Azure Spring Cloud makes it easy to deploy Spring Boot applications to Azure without any code changes.

Compliance Frameworks

  • Azure CSA CCM v.4.0.1
  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset