Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server

Ensure TLS version on MySQL flexible servers is set to the default value

Risk Level: High
Cloud Entity: My SQL DB Flexible Server
CloudGuard Rule ID: D9.AZU.CRY.33
Covered by Spectral: Yes
Category: Database


MySQLDBFlexibleServer should have parameters with [ name='tls_version' and value='TLSv1.2' ]


From Portal

  1. Login to Azure Portal using https://portal.azure.com
  2. Go to Azure Database for MySQL flexible servers
  3. For each database, click on Server parameters under Settings
  4. In the search box, type in tls_version
  5. Click on the VALUE dropdown, and ensure only TLSV1.2 is selected for tls_version

From TF
Set the 'ssl_enforcement_enabled' to 'true':

resource 'azurerm_mysql_server' 'example' {
	ssl_minimal_tls_version_enforced  = "TLS1_2"

From Command Line

az mysql flexible-server parameter set --name tls_version --resource-group RESOURCEGROUPNAME --server-name SERVERNAME --value TLSV1.2


  1. https://docs.microsoft.com/en-us/azure/mysql/concepts-ssl-connection-security
  2. https://docs.microsoft.com/en-us/cli/azure/mysql/flexible-server/parameter?view=azure-cli-latest#az-mysql-flexible-server-parameter-set
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_server#ssl_minimal_tls_version_enforced

My SQL DB Flexible Server

Azure Database for MySQL Flexible Server is a fully managed production-ready database service designed for more granular control and flexibility over database management functions and configuration settings. The flexible server architecture allows users to opt for high availability within single availability zone and across multiple availability zones.

Compliance Frameworks

  • AZU PCI-DSS 4.0
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset