Need to identify which Azure services will be affected by TLS 1.0 & 1.1 support ending on 31st Oct 2024
Hi Team,
Microsoft has announced the end of support for TLS 1.0 and 1.1 on October 31, 2024. I've included the services that operate below TLS 1.2 in my production. Could you please assist me in determining which services must be upgraded to TLS 1.2 in order to avoid any impact, and provide a detailed explanation.
Services running below TLS 1.2 are as follows:
- Application Gateway ( Listener )
- Azure Database for PostgreSQL
- Event Hub
- Function App
- Service Bus
- SQL database
- SQL managed instance
- SQL server
- SQL Virtual machine
- Storage Account
- WebApp
- KeyVault (with or without certificates)
- NSG, VNet, Virtual network gateway, ExpressRoute
Also, please share the steps to identify traffic below TLS 1.2 on each service.
Thanks in advance
Azure Virtual Network
Azure Application Gateway
Azure App Service
-
Yasar Shaikh 65 Reputation points
2024-09-06T06:09:54.6866667+00:00
Hi Team,
I am still waiting for my answer on the above question. This is very urgent for me, please share your inputs.
-
Sai Prasanna Sinde 1,080 Reputation points • Microsoft Vendor
2024-09-06T11:21:54.3266667+00:00
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
1. Application Gateway (Listener)
Upgrade Requirement:
The Application Gateway supports TLS 1.0, 1.1, and 1.2. It is crucial to configure the gateway to enforce a minimum TLS version of 1.2 to ensure compliance and security.
Steps to Identify Traffic Below TLS 1.2:
- Navigate to the Azure portal.
- Locate the Application Gateway and select it.
- Under the "Protocols" tab, check the status of supported protocols (SSL 3.0, TLS 1.0, TLS 1.1).
- Review any incoming requests that continue to use older versions.
For your reference: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AppGw.SSLPolicy/
2. Azure Database for PostgreSQL
Upgrade Requirement:
Azure Database for PostgreSQL enforces TLS connections by default. Ensure that TLS 1.2 is set as the minimum TLS version for clients connecting to the database.
Steps to Identify Traffic Below TLS 1.2:
- In the Azure portal, go to your Azure Database for PostgreSQL server.
- Under "Connection security," check the "Enforce SSL connection" setting to confirm it's enabled.
- Use the SQL query:
```sql
-- Lists every current connection with its TLS version and cipher.
-- Rows with ssl = false, or version 'TLSv1' / 'TLSv1.1', are the clients to fix.
SELECT a.datname AS "Database name",
       a.usename AS "User name",
       s.ssl,
       s.version,          -- e.g. TLSv1, TLSv1.1, TLSv1.2
       s.cipher,
       a.client_addr,
       a.application_name
FROM pg_stat_ssl s
JOIN pg_stat_activity a ON s.pid = a.pid;
```
For your reference: https://learn.microsoft.com/en-us/azure/postgresql/single-server/how-to-tls-configurations
3. Event Hub
Upgrade Requirement:
Make sure that your Event Hub namespace is configured to accept only TLS 1.2 or newer versions.
Steps to Identify Traffic Below TLS 1.2:
- Configure your Event Hub namespace to require connections using a minimum TLS version of 1.2.
- Review logs and connections to identify requests made with older TLS versions; utilize Azure Monitor or Event Hubs' diagnostics tools.
For your reference: https://learn.microsoft.com/en-us/azure/event-hubs/transport-layer-security-configure-minimum-version
https://github.com/hashicorp/terraform-provider-azurerm/issues/25049
4. Function App
Upgrade Requirement:
Function Apps should be configured to enforce a minimum TLS version of 1.2.
Steps to Identify Traffic Below TLS 1.2:
- Go to the Azure portal and select your Function App.
- Under "TLS/SSL settings," ensure the Minimum TLS Version is set to 1.2.
- Monitor the app logs for any failed connections that may reference unsupported TLS versions.
- To configure the TLS: TLS configuration for Function Apps is available through the Azure portal. To configure the minimum TLS version, select your Function App, go to Settings -> Configuration -> General settings; under Platform settings you will find "Minimum Inbound TLS version".
5. Service Bus
Upgrade Requirement:
Make sure your Service Bus is set to enforce the use of TLS 1.2.
Steps to Identify Traffic Below TLS 1.2:
- Check the Service Bus namespace settings to configure the minimum TLS version as 1.2.
- Review service logs and metrics for any failed connections due to TLS version mismatches.
For your reference: https://learn.microsoft.com/en-us/azure/service-bus-messaging/transport-layer-security-configure-minimum-version
6. SQL Database
Upgrade Requirement:
Make sure that SQL databases are using TLS 1.2. SQL Server 2016, 2017, and 2019 support TLS 1.2 by default.
Steps to Identify Traffic Below TLS 1.2:
- Run queries to check the version of SQL Server and its support for TLS 1.2.
- Use Extended Events to capture the TLS version used for connections:
```sql
CREATE EVENT SESSION [tls] ON SERVER ADD EVENT sqlsni.trace( WHERE (([sqlserver].[like_i_sql_unicode_string] ...
```
7. SQL Managed Instance
Upgrade Requirement:
SQL Managed Instances should support and enforce TLS 1.2 connections.
Steps to Identify Traffic Below TLS 1.2:
- Verify instance settings to ensure TLS 1.2 is configured for connections.
- Use diagnostic logs to find instances where older versions are still in use.
8. SQL Server
Upgrade Requirement:
SQL Server needs to be updated to support TLS 1.2.
Steps to Identify Traffic Below TLS 1.2:
Use built-in SQL Server Extended Events or queries to monitor TLS versions in use:
```sql
-- Lists sessions whose connection is not encrypted at all (no TLS of any version);
-- encrypt_option only tells you whether the link is encrypted, not which TLS version it uses.
SELECT session_id, client_net_address, protocol_type, encrypt_option, auth_scheme
FROM sys.dm_exec_connections
WHERE encrypt_option = 'No';
```
For your reference: https://learn.microsoft.com/en-us/troubleshoot/sql/database-engine/connect/tls-1-2-support-microsoft-sql-server
9. SQL Virtual Machine
Upgrade Requirement:
Make sure SQL Server on Virtual Machines is configured to use TLS 1.2.
Steps to Identify Traffic Below TLS 1.2:
- Enable Extended Events to track the TLS version used:
```sql
-- Capture SNI (network interface) trace events, which include the negotiated TLS version.
CREATE EVENT SESSION [tls] ON SERVER ADD EVENT sqlsni.trace;
-- The session only collects data once it is started.
ALTER EVENT SESSION [tls] ON SERVER STATE = START;
```
- Analyze traffic using network monitoring tools like Wireshark.
10. Storage Account
Upgrade Requirement:
Make sure the storage account enforces connections that use TLS 1.2.
Steps to Identify Traffic Below TLS 1.2:
- In the Azure portal, navigate to the storage account configuration.
- Check and configure the "Minimum TLS version" setting to 1.2.
- Review logs to find requests using lower TLS versions.
For your reference: https://learn.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version?tabs=portal
11. WebApp
Upgrade Requirement
Web Apps should be updated to require TLS 1.2 or higher.
Steps to Identify Traffic Below TLS 1.2:
- Go to the WebApp’s settings in the Azure portal.
- Under “Configuration,” check the "Minimum TLS version" setting.
- Inspect application logs for requests that failed due to TLS issues.
For your reference: https://github.com/aquasecurity/cloud-security-remediation-guides/blob/master/en/azure/appservice/tls-version-check.md
12. Key Vault
Upgrade Requirement:
Make sure Key Vault is configured to enforce the use of TLS 1.2 or later.
Steps to Identify Traffic Below TLS 1.2:
- Monitor Key Vault logs for TLS versions used by incoming requests.
- Review logs using a sample query to check traffic for lower TLS versions.
- TLS configuration on Client side:
- TLS version restrictions for Azure Key Vault can be implemented through client-side configurations. This means the applications or services communicating with Azure Key Vault should enforce the desired TLS version, such as TLS 1.2.
- In short for Azure Key Vault, the emphasis is on ensuring that the client applications and services that interact with the Key Vault are configured to use the desired TLS version, as the service itself does not provide a direct mechanism to enforce a minimum TLS version.
For your reference: https://learn.microsoft.com/en-us/azure/key-vault/general/whats-new#june-2023
13. NSG, Vnet, Virtual Network Gateway, Express Route
Upgrade Requirement:
These services must be configured to enforce the use of TLS 1.2.
Steps to Identify Traffic Below TLS 1.2:
- Use Azure Network Watcher to monitor and analyze network traffic.
- Configure policies in Azure Policy to enforce compliance with TLS settings.
- Validate connection logs for any traffic below TLS 1.2 using Azure logs.
Kindly let us know if the above helps or you need further assistance on this issue.
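The answer above lists, service by service, the setting that pins each Azure resource to TLS 1.2 (Storage "Minimum TLS version", App Service/Function App "Minimum Inbound TLS version", Event Hubs and Service Bus minimum TLS, Azure SQL and PostgreSQL minimal TLS, Application Gateway SSL policy). The following script is an added example, not code from the thread or from Microsoft: it audits one JSON export of ARM resources for any of those settings that still admits TLS 1.0/1.1 and prints the matching remediation command. Assumptions: the input is a JSON array of resources with `type`, `name`, `resourceGroup` and `properties` as returned by `az graph query` or `az resource show`; the property names and value spellings in `CHECKS` are the ones used by each resource provider's API; for `Microsoft.Web/sites` the export must carry `properties.siteConfig.minTlsVersion` (an absent value is flagged so you verify it rather than assume the default); the `az` commands in `REMEDIATE` are assumed current CLI syntax. NSGs, VNets, gateways and ExpressRoute have no TLS setting and are skipped.

```python
import json

# Per ARM resource type (lower-cased): where the minimum-TLS setting lives under
# `properties`, and which values still admit TLS 1.0/1.1. Value spellings follow
# each resource provider's API (assumption: verify against your own export).
CHECKS = {
    "microsoft.storage/storageaccounts": ("minimumTlsVersion", {"TLS1_0", "TLS1_1"}),
    "microsoft.web/sites": ("siteConfig.minTlsVersion", {"1.0", "1.1"}),  # Web Apps and Function Apps
    "microsoft.eventhub/namespaces": ("minimumTlsVersion", {"1.0", "1.1"}),
    "microsoft.servicebus/namespaces": ("minimumTlsVersion", {"1.0", "1.1"}),
    "microsoft.sql/servers": ("minimalTlsVersion", {"1.0", "1.1", "None"}),
    "microsoft.sql/managedinstances": ("minimalTlsVersion", {"1.0", "1.1", "None"}),
    "microsoft.dbforpostgresql/servers": ("minimalTlsVersion", {"TLS1_0", "TLS1_1", "TLSEnforcementDisabled"}),
}
# Application Gateway: predefined policies whose minimum protocol is below TLS 1.2,
# and custom-policy minProtocolVersion values below TLS 1.2 (assumed names).
APPGW_WEAK_PREDEFINED = {"AppGwSslPolicy20150501", "AppGwSslPolicy20170401", "AppGwSslPolicy20170401S"}
APPGW_WEAK_CUSTOM_MIN = {"TLSv1_0", "TLSv1_1"}

# Remediation per type (az CLI, assumed current syntax; review before running).
REMEDIATE = {
    "microsoft.storage/storageaccounts": "az storage account update -g {rg} -n {name} --min-tls-version TLS1_2",
    "microsoft.web/sites": "az webapp config set -g {rg} -n {name} --min-tls-version 1.2",
    "microsoft.eventhub/namespaces": "az eventhubs namespace update -g {rg} -n {name} --minimum-tls-version 1.2",
    "microsoft.servicebus/namespaces": "az servicebus namespace update -g {rg} -n {name} --minimum-tls-version 1.2",
    "microsoft.sql/servers": "az sql server update -g {rg} -n {name} --minimal-tls-version 1.2",
    "microsoft.sql/managedinstances": "az sql mi update -g {rg} -n {name} --minimal-tls-version 1.2",
    "microsoft.dbforpostgresql/servers": "az postgres server update -g {rg} -n {name} --minimal-tls-version TLS1_2",
    "microsoft.network/applicationgateways": "az network application-gateway ssl-policy set -g {rg} --gateway-name {name} --policy-type Predefined --name AppGwSslPolicy20220101",
}


def load_export(path):
    """Load the JSON written by e.g. `az graph query -q "Resources" -o json > export.json`."""
    with open(path) as fh:
        data = json.load(fh)
    return data.get("data", data) if isinstance(data, dict) else data


def _lookup(props, dotted):
    """Walk a dotted path through nested dicts; None if any hop is missing."""
    cur = props
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def check_resource(res):
    """Return a finding dict if the resource still admits TLS < 1.2, else None.

    A missing setting is reported as well: the provider default then applies, and for
    older storage accounts, App Service apps and Application Gateways that default
    can be TLS 1.0.
    """
    rtype = res.get("type", "").lower()
    props = res.get("properties") or {}
    if rtype == "microsoft.network/applicationgateways":
        policy = props.get("sslPolicy") or {}
        if policy.get("policyType") == "Predefined":
            value = policy.get("policyName")
            weak = value in APPGW_WEAK_PREDEFINED
        else:  # Custom / CustomV2, or no policy at all (default = AppGwSslPolicy20150501)
            value = policy.get("minProtocolVersion")
            weak = value is None or value in APPGW_WEAK_CUSTOM_MIN
    elif rtype in CHECKS:
        path, weak_values = CHECKS[rtype]
        value = _lookup(props, path)
        weak = value is None or value in weak_values
    else:
        return None  # NSG, VNet, VPN gateway, ExpressRoute etc.: nothing TLS-related to audit
    if not weak:
        return None
    return {
        "name": res.get("name"), "type": rtype, "resourceGroup": res.get("resourceGroup"),
        "value": value if value is not None else "(not set: provider default applies)",
        "fix": REMEDIATE[rtype].format(rg=res.get("resourceGroup"), name=res.get("name")),
    }


def audit(resources):
    """Findings for every resource in the export that is not pinned to TLS >= 1.2."""
    return [f for f in (check_resource(r) for r in resources) if f]


SAMPLE_EXPORT = [  # constructed sample export, not real resources
    {"name": "stprodlogs", "type": "Microsoft.Storage/storageAccounts", "resourceGroup": "rg-prod",
     "properties": {"minimumTlsVersion": "TLS1_0"}},
    {"name": "stprodarchive", "type": "Microsoft.Storage/storageAccounts", "resourceGroup": "rg-prod",
     "properties": {"minimumTlsVersion": "TLS1_2"}},
    {"name": "func-orders", "type": "Microsoft.Web/sites", "resourceGroup": "rg-prod",
     "properties": {"siteConfig": {"minTlsVersion": "1.1"}}},
    {"name": "sql-prod", "type": "Microsoft.Sql/servers", "resourceGroup": "rg-prod",
     "properties": {"minimalTlsVersion": "None"}},
    {"name": "agw-public", "type": "Microsoft.Network/applicationGateways", "resourceGroup": "rg-net",
     "properties": {"sslPolicy": {"policyType": "Custom", "minProtocolVersion": "TLSv1_1"}}},
    {"name": "ehns-telemetry", "type": "Microsoft.EventHub/namespaces", "resourceGroup": "rg-prod",
     "properties": {"minimumTlsVersion": "1.2"}},
    {"name": "nsg-web", "type": "Microsoft.Network/networkSecurityGroups", "resourceGroup": "rg-net",
     "properties": {"securityRules": []}},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print(f"{f['type']:38} {f['name']:16} {f['value']!s:>8}  ->  {f['fix']}")
```

Run it against your own export with `audit(load_export("export.json"))`. Pinning the minimum version server-side is what stops a downgrade; the audit only tells you which resources still accept old clients, so pair it with the per-service traffic checks in the answer before flipping the setting, or a legacy client will start failing its handshake the moment the change lands.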
-
Yasar Shaikh 65 Reputation points
2024-09-06T12:57:16.95+00:00
I am not satisfied with your answer. Can you help me get clarity on the below points:
- An NSG doesn't inspect the traffic to make sure it is a certain version of TLS, so it doesn't trigger the need for an upgrade. So why did you mention a need to upgrade due to TLS enforcement?
- A Virtual Network has no knowledge of TLS (similar to an NSG), so it doesn't trigger the need for an upgrade. So why did you mention a need to upgrade due to TLS enforcement?
- SQL Server is inside the VM; it is not an Azure service, so it doesn't trigger the need for an upgrade. So why did you mention a need to upgrade due to TLS enforcement?
- The virtual network has a Virtual network gateway which uses Connections and Local network gateways to connect to our local site; it doesn't use TLS, so it doesn't trigger the need for an upgrade. So why did you mention a need to upgrade due to TLS enforcement?
- Similarly, please confirm whether Application Gateway and Key Vault are also impacted by the TLS enforcement if we don't upgrade.
Hope you got the questions. I just need to know which of the above services will be impacted after 31 October due to TLS enforcement on Azure services.
-
Sai Prasanna Sinde 1,080 Reputation points • Microsoft Vendor
2024-09-09T11:40:46.1566667+00:00
Hi @Yasar Shaikh,
- As per the Microsoft document: https://azure.microsoft.com/en-us/updates/azure-support-tls-will-end-by-31-october-2024-2/#:~:text=To%20enhance%20security%20and%20provide%20best-in-class%20encryption%20for,support%20for%20TLS%201.0%20and%201.1%20will%20end. the old TLS versions will be deprecated by 31st October 2024.
- TLS 1.2 offers enhanced security and improved speed compared to its predecessors. In an effort to bolster security and prevent potential protocol downgrade attacks, Azure Resource Manager will discontinue support for TLS 1.1 and earlier versions. Ensure that all client applications interfacing with Azure employ TLS 1.2 or a later version to maintain compatibility with Azure Resource Manager. For your information: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tls-support#why-migrate-to-tls-12
- As per the document: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tls-support#why-migrate-to-tls-12 Azure Resource Manager is set to discontinue support for protocols earlier than TLS 1.2 from September 30, 2024.
- According to the recent Microsoft update, upgrading the application gateway and Key Vault to TLS 1.2 is essential, as it provides enhanced security through features like perfect forward secrecy and more robust cipher suites.
- As per the Microsoft document: https://learn.microsoft.com/en-us/troubleshoot/sql/database-engine/connect/tls-1-2-support-microsoft-sql-server an update has been released for Microsoft SQL Server to enable TLS 1.2.
- We currently support TLS versions 1.0, 1.1, and 1.2. Establishing a minimum TLS version guarantees support for newer TLS versions. For instance, selecting TLS version 1.1 will accept only connections using TLS 1.1 or 1.2, while rejecting those using TLS 1.0. After verifying that your applications are compatible, it is advisable to set the minimum TLS version to 1.2, as it addresses vulnerabilities found in earlier versions and represents the most advanced version supported by Azure SQL Database. For more information: https://learn.microsoft.com/en-us/azure/azure-sql/database/connect-query-content-reference-guide?view=azuresql#tls-considerations-for-database-connectivity
- List of resources that need to be upgraded to TLS 1.2, as the older versions will not be supported after 30 Sept 2024:
- Application Gateway
- Key Vault
- Web Apps
- Storage Account
- Function app
- Service Bus
- Event Hub
- Azure Database for PostgreSQL
- SQL Server
- Azure SQL Database
- SQL Managed Instance
- Azure SQL VM
- And finally, I apologize for the confusion regarding NSG, Vnet and virtual network gateway. You are absolutely correct with the above points.
Kindly let us know if the above steps helps or you need further assistance on this issue.
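The first answer in this thread says, for Storage, Key Vault and PostgreSQL, to "review logs to find requests using lower TLS versions", and the list above names the resources to pin. The script below is an added example, not code from the thread or from Microsoft: it takes rows exported from the three sources (StorageBlobLogs, Key Vault AzureDiagnostics, and the `pg_stat_ssl` query), normalizes the different spellings Azure uses for a TLS version, and counts requests below TLS 1.2 per resource, caller IP and client string, which is the list you hand to application owners before enforcing 1.2. Assumptions: the column names in `SOURCES` (`TlsVersion`/`CallerIpAddress`/`UserAgentHeader`, `tlsVersion_s`/`CallerIPAddress`/`clientInfo_s`, and `version`/`client_addr`/`application_name`) are the Log Analytics and PostgreSQL field names as of 2024; the sample rows are constructed, not real tenant data.

```python
import re
from collections import Counter

# Matches 'TLS 1.0', 'TLS1_2', 'TLSv1.1', 'tls1.2' and OpenSSL's 'TLSv1' (= TLS 1.0).
TLS_RE = re.compile(r"(?i)tls\s*v?\s*(\d)(?:[._](\d))?")


def tls_version(raw):
    """Normalize a TLS version string to a (major, minor) tuple.

    Storage logs say 'TLS 1.0', ARM settings 'TLS1_2', pg_stat_ssl 'TLSv1.1',
    some clients just '1.2'. Returns None for empty or non-TLS values ('SSL 3.0',
    a blank field); callers must treat None as 'unknown', never as safe.
    """
    if raw is None:
        return None
    s = str(raw).strip()
    m = TLS_RE.search(s)
    if m:
        return (int(m.group(1)), int(m.group(2) or 0))
    m = re.fullmatch(r"(\d)\.(\d)", s)
    if m:
        return (int(m.group(1)), int(m.group(2)))
    return None


# Per log source: (TLS version column, caller IP column, client/agent column, resource column).
# Assumption: Log Analytics / PostgreSQL column names as of 2024.
SOURCES = {
    "StorageBlobLogs": ("TlsVersion", "CallerIpAddress", "UserAgentHeader", "AccountName"),
    "KeyVaultDiagnostics": ("tlsVersion_s", "CallerIPAddress", "clientInfo_s", "Resource"),
    "PgStatSsl": ("version", "client_addr", "application_name", "datname"),
}


def _ip_only(addr):
    """Storage logs append ':port' to the caller address; drop it so one client groups together."""
    return re.sub(r":\d+$", "", str(addr or ""))


def legacy_tls_clients(rows):
    """Count requests per (source, resource, caller IP, client, version) that used TLS < 1.2.

    Rows whose version cannot be parsed are counted under 'unknown' so they get
    investigated instead of silently passing the audit.
    """
    counts = Counter()
    for source, row in rows:
        ver_col, ip_col, agent_col, res_col = SOURCES[source]
        ver = tls_version(row.get(ver_col))
        if ver is not None and ver >= (1, 2):
            continue
        label = "unknown" if ver is None else f"TLS {ver[0]}.{ver[1]}"
        counts[(source, row.get(res_col), _ip_only(row.get(ip_col)), row.get(agent_col), label)] += 1
    return counts


SAMPLE_ROWS = [  # constructed sample log rows, not real tenant data
    ("StorageBlobLogs", {"AccountName": "stprodlogs", "TlsVersion": "TLS 1.0",
                         "CallerIpAddress": "10.1.4.22:51234", "UserAgentHeader": "Azure-Storage/8.6.0 (.NET Framework 4.6)"}),
    ("StorageBlobLogs", {"AccountName": "stprodlogs", "TlsVersion": "TLS 1.0",
                         "CallerIpAddress": "10.1.4.22:51240", "UserAgentHeader": "Azure-Storage/8.6.0 (.NET Framework 4.6)"}),
    ("StorageBlobLogs", {"AccountName": "stprodlogs", "TlsVersion": "TLS 1.2",
                         "CallerIpAddress": "10.1.4.30:44001", "UserAgentHeader": "azsdk-python-storage-blob/12.19.0"}),
    ("KeyVaultDiagnostics", {"Resource": "KV-PROD", "tlsVersion_s": "TLS1_1",
                             "CallerIPAddress": "10.1.4.22", "clientInfo_s": "FxVersion/4.6.1; Microsoft.Azure.KeyVault/2.3"}),
    ("KeyVaultDiagnostics", {"Resource": "KV-PROD", "tlsVersion_s": "",
                             "CallerIPAddress": "10.1.9.8", "clientInfo_s": "curl/7.68.0"}),
    ("PgStatSsl", {"datname": "orders", "version": "TLSv1",
                   "client_addr": "10.1.4.22", "application_name": "legacy-etl"}),
    ("PgStatSsl", {"datname": "orders", "version": "TLSv1.2",
                   "client_addr": "10.1.4.30", "application_name": "psql"}),
]

if __name__ == "__main__":
    for (source, resource, ip, client, label), n in sorted(legacy_tls_clients(SAMPLE_ROWS).items()):
        print(f"{source:20} {resource:12} {ip:12} {label:8} x{n:<3} {client}")
```

In the constructed data the same host (10.1.4.22) shows up against storage, Key Vault and PostgreSQL with a .NET Framework 4.6 era client string, which is the typical picture: one legacy runtime, several services. The same filter in KQL, for the Storage table, is `StorageBlobLogs | where TlsVersion !in ("TLS 1.2", "TLS 1.3") | summarize count() by AccountName, CallerIpAddress, UserAgentHeader, TlsVersion` (assumed column names as above).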
-
Sai Prasanna Sinde 1,080 Reputation points • Microsoft Vendor
2024-09-11T02:18:30.01+00:00
Following up to see if the above suggestion was helpful. And, if you have any further query, do let us know.
-
Sai Prasanna Sinde 1,080 Reputation points • Microsoft Vendor
2024-09-12T07:23:30.5066667+00:00
Hi @Yasar Shaikh,
We haven't heard from you on the last response and were just checking back to see if you have a resolution yet. In case you have a resolution, please do share it with the community as it can be helpful to others. Otherwise, please respond with more details and we will try to help.
Thanks.
-
Nikhil George 41 Reputation points
2024-10-21T13:15:26.0366667+00:00
Thank you for the question and the clarifications.