Ensure Application Gateway is using the latest version of TLS encryption

Application Gateway allows to set TLS versions 1.0, 1.1 and 1.2. It is highly recommended to use the latest TLS 1.2 version for secure connections.

Risk Level: High
Cloud Entity: Azure Application Gateway
CloudGuard Rule ID: D9.AZU.NET.35
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

ApplicationGateway should have sslPolicy.minProtocolVersion='1.2'

REMEDIATION

From Portal

  1. Navigate to the Azure portal (https://portal.azure.com).
  2. Search for Application Gateway in portal, select Application gateways, and click on your existing Application Gateway.
  3. Select SSL settings from the left-side menu.
  4. Click on the plus sign next to SSL Profiles at the top to create a new SSL profile.
  5. Enter a name under 'SSL Profile Name'.
  6. Go to the SSL Policy tab and check the Enable listener-specific SSL Policy box.
  7. Set up 'Min protocol version' to TLSv1_2.
  8. Select Add to save.

From TF

resource "azurerm_application_gateway" "example" {
	ssl_profile {
		min_protocol_version = "TLSv1_2"
	}
}

From Command Line
Use the below command to set Min protocol version of Application Gateway
Run

az network application-gateway ssl-policy set --gateway-name GATEWAYNAME --resource-group RESOURCEGROUP --policy-type Predefined --policy-name POLICYNAME --min-protocol-version TLSv1_2

References

  1. https://docs.microsoft.com/en-us/cli/azure/network/application-gateway/ssl-policy?view=azure-cli-latest#az_network_application_gateway_ssl_policy_set
  2. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/application_gateway#min_protocol_version
  3. https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-configure-listener-specific-ssl-policy

Azure Application Gateway

Azure Application Gateway gives you application-level routing and load balancing services that let you build a scalable and highly-available web front end in Azure. You control the size of the gateway and scale your deployment based on your needs.

Compliance Frameworks

  • AZU PCI-DSS 4.0
  • Azure CSA CCM v.4.0.1
  • Azure CloudGuard Best Practices
  • Azure HITRUST v9.5.0
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset