PSRule for Azure - Azure.AppGw.SSLPolicy (2024)

Security · Application Gateway · Rule · 2020_06 · Critical

Application Gateway should only accept a minimum of TLS 1.2.

Description#

The minimum version of TLS that Application Gateways accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 are all accepted.

Application Gateway should only accept a minimum of TLS 1.2 to ensure secure connections.

Recommendation#

Consider configuring Application Gateways to accept a minimum of TLS 1.2.

Configure with Azure template#

To deploy Application Gateways that pass this rule, use a predefined or custom policy:

  • Custom — Set the properties.sslPolicy.policyType property to Custom.
    • Set the properties.sslPolicy.minProtocolVersion property to TLSv1_2.
    • Set the properties.sslPolicy.cipherSuites property to a list of supported ciphers. For example:
      • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • Predefined — Set the properties.sslPolicy.policyType property to Predefined.
    • Set the properties.sslPolicy.policyName property to a supported predefined policy such as AppGwSslPolicy20220101S.

For example:

Azure Template snippet

```json
{
  "type": "Microsoft.Network/applicationGateways",
  "apiVersion": "2023-09-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "zones": [
    "1",
    "2",
    "3"
  ],
  "properties": {
    "sku": {
      "name": "WAF_v2",
      "tier": "WAF_v2"
    },
    "sslPolicy": {
      "policyType": "Custom",
      "minProtocolVersion": "TLSv1_2",
      "cipherSuites": [
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
      ]
    }
  }
}
```
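To show how the rule separates the two compliant shapes described above (Custom with TLSv1_2, or a TLS 1.2 predefined policy) from a failing one, here is an added checker that evaluates the sslPolicy of every Application Gateway in an ARM template. It is not PSRule's own rule code; the predefined policy names other than AppGwSslPolicy20220101S and the TLSv1_3 value are assumptions taken from Azure's published policy list, and the sample template is constructed.

```python
import json

# Predefined policies whose minimum protocol version is TLS 1.2. The page names
# only AppGwSslPolicy20220101S; the other two are assumed from Azure's
# published list of predefined SSL policies.
TLS12_PREDEFINED = {"AppGwSslPolicy20170401S", "AppGwSslPolicy20220101", "AppGwSslPolicy20220101S"}
# minProtocolVersion values that satisfy "a minimum of TLS 1.2" (TLSv1_3 is assumed).
TLS12_MIN_VERSIONS = {"TLSv1_2", "TLSv1_3"}


def ssl_policy_passes(resource: dict) -> tuple[bool, str]:
    """Evaluate one applicationGateways resource; return (passed, reason)."""
    policy = (resource.get("properties") or {}).get("sslPolicy") or {}
    policy_type = policy.get("policyType")
    if policy_type == "Custom":
        version = policy.get("minProtocolVersion")
        if version in TLS12_MIN_VERSIONS:
            return True, f"custom policy with minProtocolVersion={version}"
        return False, f"custom policy allows minProtocolVersion={version!r}"
    if policy_type == "Predefined":
        name = policy.get("policyName")
        if name in TLS12_PREDEFINED:
            return True, f"predefined policy {name} enforces TLS 1.2"
        return False, f"predefined policy {name!r} permits TLS older than 1.2"
    # No sslPolicy block at all: the service default still accepts TLS 1.0 and 1.1.
    return False, "no sslPolicy configured; default accepts TLS 1.0/1.1"


def check_template(template_json: str) -> dict:
    """Map each Application Gateway in an ARM template to its (passed, reason)."""
    template = json.loads(template_json)
    results = {}
    for res in template.get("resources", []):
        if res.get("type", "").lower() == "microsoft.network/applicationgateways":
            results[res["name"]] = ssl_policy_passes(res)
    return results


# Constructed sample template: one compliant gateway, one on a legacy
# predefined policy (AppGwSslPolicy20150501 allows TLS 1.0), one with no sslPolicy.
SAMPLE_TEMPLATE = json.dumps({"resources": [
    {"type": "Microsoft.Network/applicationGateways", "name": "gw-custom",
     "properties": {"sslPolicy": {"policyType": "Custom", "minProtocolVersion": "TLSv1_2"}}},
    {"type": "Microsoft.Network/applicationGateways", "name": "gw-legacy",
     "properties": {"sslPolicy": {"policyType": "Predefined", "policyName": "AppGwSslPolicy20150501"}}},
    {"type": "Microsoft.Network/applicationGateways", "name": "gw-default",
     "properties": {"sku": {"name": "WAF_v2", "tier": "WAF_v2"}}},
]})
```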

Configure with Bicep#

To deploy Application Gateways that pass this rule, use a predefined or custom policy:

  • Custom — Set the properties.sslPolicy.policyType property to Custom.
    • Set the properties.sslPolicy.minProtocolVersion property to TLSv1_2.
    • Set the properties.sslPolicy.cipherSuites property to a list of supported ciphers. For example:
      • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • Predefined — Set the properties.sslPolicy.policyType property to Predefined.
    • Set the properties.sslPolicy.policyName property to a supported predefined policy such as AppGwSslPolicy20220101S.

For example:

Azure Bicep snippet

```bicep
resource app_gw 'Microsoft.Network/applicationGateways@2023-09-01' = {
  name: name
  location: location
  zones: [
    '1'
    '2'
    '3'
  ]
  properties: {
    sku: {
      name: 'WAF_v2'
      tier: 'WAF_v2'
    }
    sslPolicy: {
      policyType: 'Custom'
      minProtocolVersion: 'TLSv1_2'
      cipherSuites: [
        'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'
        'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256'
        'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
        'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
      ]
    }
  }
}
```

Configure with Azure PowerShell#

Azure PowerShell snippet

```powershell
$gw = Get-AzApplicationGateway -Name '<name>' -ResourceGroupName '<resource_group>'
# Updates the in-memory gateway object only; it is not written to Azure until Set-AzApplicationGateway runs.
Set-AzApplicationGatewaySslPolicy -ApplicationGateway $gw -PolicyType Custom -MinProtocolVersion TLSv1_2 -CipherSuite 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
# Persist the updated policy to the gateway (added step; not in the original snippet).
Set-AzApplicationGateway -ApplicationGateway $gw
```
