Ensure Application Gateway is using the latest version of TLS encryption

Risk Level: High
Cloud Entity: Azure Application Gateway
CloudGuard Rule ID: D9.AZU.NET.35
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

ApplicationGateway should have sslPolicy.minProtocolVersion='1.2'

REMEDIATION

From Portal

  1. Navigate to the Azure portal (https://portal.azure.com).
  2. Search for Application Gateway in the portal, select Application gateways, and click on your existing Application Gateway.
  3. Select SSL settings from the left-side menu.
  4. Click on the plus sign next to SSL Profiles at the top to create a new SSL profile.
  5. Enter a name under 'SSL Profile Name'.
  6. Go to the SSL Policy tab and check the Enable listener-specific SSL Policy box.
  7. Set 'Min protocol version' to TLSv1_2.
  8. Select Add to save.

From TF

resource "azurerm_application_gateway" "example" {
	# Other required blocks (sku, gateway_ip_configuration, listeners, ...) omitted.
	ssl_profile {
		name = "tls12-profile" # placeholder profile name
		ssl_policy {
			policy_type          = "Custom" # a Custom policy also carries a cipher_suites list (omitted here)
			min_protocol_version = "TLSv1_2"
		}
	}
}

From Command Line
Use the command below to set the minimum protocol version of the Application Gateway, replacing GATEWAYNAME, RESOURCEGROUP and POLICYNAME with your own values:

az network application-gateway ssl-policy set --gateway-name GATEWAYNAME --resource-group RESOURCEGROUP --policy-type Predefined --policy-name POLICYNAME --min-protocol-version TLSv1_2
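To verify the GSL logic above against a gateway's JSON (the shape returned by `az network application-gateway show`), here is an added audit example that is not CloudGuard's own engine or Azure tooling. It assumes the CLI's flattened field names (`sslPolicy`, `sslProfiles[].sslPolicy`), uses the minimum TLS version Azure documents for each predefined policy name, treats a missing or unrecognised policy as non-compliant, and runs on a constructed sample rather than a real subscription.

```python
"""Audit an Azure Application Gateway for a TLS 1.2+ minimum protocol version."""
import json

# Minimum TLS version implied by each Azure predefined TLS policy (per Azure docs).
PREDEFINED_MIN_TLS = {
    "AppGwSslPolicy20150501": "TLSv1_0",
    "AppGwSslPolicy20170401": "TLSv1_1",
    "AppGwSslPolicy20170401S": "TLSv1_2",
    "AppGwSslPolicy20220101": "TLSv1_2",
    "AppGwSslPolicy20220101S": "TLSv1_2",
}
TLS_ORDER = ["TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3"]


def effective_min_tls(ssl_policy):
    """Return the minimum TLS version a policy object allows, or None if unknown."""
    if not ssl_policy:
        return None  # no explicit policy: fail closed instead of guessing the default
    policy_type = ssl_policy.get("policyType", "Predefined")
    if policy_type == "Predefined":
        return PREDEFINED_MIN_TLS.get(ssl_policy.get("policyName"))
    return ssl_policy.get("minProtocolVersion")  # Custom / CustomV2 policies


def is_compliant(ssl_policy):
    """True only when the effective minimum is TLS 1.2 or newer."""
    version = effective_min_tls(ssl_policy)
    if version not in TLS_ORDER:
        return False  # missing or unexpected value is a finding, not a pass
    return TLS_ORDER.index(version) >= TLS_ORDER.index("TLSv1_2")


def check_gateway(gateway):
    """Evaluate the gateway-wide policy and every listener-specific SSL profile."""
    findings = {"gateway": is_compliant(gateway.get("sslPolicy"))}
    for profile in gateway.get("sslProfiles", []):
        findings[profile["name"]] = is_compliant(profile.get("sslPolicy"))
    return findings


# Constructed sample: weak gateway-wide policy, one hardened listener profile.
SAMPLE_GATEWAY = json.loads("""{
  "name": "appgw-web",
  "sslPolicy": {"policyType": "Predefined", "policyName": "AppGwSslPolicy20150501"},
  "sslProfiles": [{"name": "strict", "sslPolicy": {"policyType": "Custom",
    "minProtocolVersion": "TLSv1_2",
    "cipherSuites": ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]}}]
}""")

if __name__ == "__main__":
    print(check_gateway(SAMPLE_GATEWAY))  # {'gateway': False, 'strict': True}
```

A profile passing while the gateway-wide policy fails still leaves every listener that does not reference that profile on the weak default, so the gateway-level result is the one that matters for this rule.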

References

  1. https://docs.microsoft.com/en-us/cli/azure/network/application-gateway/ssl-policy?view=azure-cli-latest#az_network_application_gateway_ssl_policy_set
  2. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/application_gateway#min_protocol_version
  3. https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-configure-listener-specific-ssl-policy

Azure Application Gateway

Azure Application Gateway gives you application-level routing and load balancing services that let you build a scalable and highly available web front end in Azure. You control the size of the gateway and scale your deployment based on your needs.

Compliance Frameworks

  • AZU PCI-DSS 4.0
  • Azure CSA CCM v.4.0.1
  • Azure CloudGuard Best Practices
  • Azure HITRUST v9.5.0
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset