sakshigupta
Ensuring Secure Connectivity by Transitioning to Modern Protocols
As we work on improving our systems' security, it's essential to update our server configurations to support only modern and strong protocols. Starting October 31st, the minimum supported version for TLS (Transport Layer Security) will be TLS 1.2. Here is a comprehensive plan to ensure a smooth transition.
Azure support for TLS 1.0 and TLS 1.1 will end by October 31, 2024 - Microsoft Lifecycle | Microsoft Learn
Overview
From November 1st, any Azure SQL server left with the "Select an option" or "NONE" setting (where "NONE" means no enforced minimum TLS version) will only allow connections using TLS 1.2 and TLS 1.3. Connections using TLS 1.0 or TLS 1.1 will be rejected. It is critical for all customers to configure their servers correctly and ensure that their client applications can operate with TLS 1.2 or higher.
Required Actions for Customers
Develop plans to migrate any server whose minimum TLS version is unset ("NONE") or below 1.2 so that it enforces TLS 1.2 or TLS 1.3.
Effect on Applications
Applications currently using TLS 1.0 or TLS 1.1 will face connectivity issues if the server (such as Azure SQL Database or Managed Instance) is configured with "NONE" after October 31st, because "NONE" will then behave as a minimum of TLS 1.2. Therefore, servers and client applications should both support a common protocol version of TLS 1.2 or higher to avoid disruptions.
How to Identify the Encryption Settings?
- You can use the sample Azure Resource Graph queries below to validate the server-side setting (run each query separately in Resource Graph Explorer):
```kusto
// Logical servers: a minimalTlsVersion of "None" means no enforced minimum
resources
| where type == 'microsoft.sql/servers'
| project subscriptionId, resourceGroup, name, properties.minimalTlsVersion
```
```kusto
// Managed instances
resources
| where type == "microsoft.sql/managedinstances"
| project subscriptionId, resourceGroup, name, properties.minimalTlsVersion
```
- Another way to check the server-level setting:
Log in to the Azure Portal -> open the SQL server or single database -> Networking (under Security) -> Encryption in transit -> ensure a Minimum TLS version is set.
Impact of TLS Settings
Until the cutover, a server set to "NONE" for its TLS setting allows clients and servers to negotiate any mutually supported protocol version, and the handshake defaults to the strongest version both sides support. After the cutover, "NONE" no longer permits TLS 1.0 or TLS 1.1.
Recommendations
Our goal is to ensure customers use TLS 1.2 or TLS 1.3 for their workloads. Here’s how customers can identify which client drivers use protocols below TLS 1.2:
Conduct a Thorough Inventory
Review all client applications and libraries to determine their current TLS version usage.
Utilize resource graph queries for server-side settings.
Client-side protocol versions can be verified in the Azure Portal metrics by filtering the successful connections metric by TLS version, or by using extended events. See Connectivity settings for Azure SQL Database and Azure Synapse Analytics - Azure SQL Database and Azure Synapse Analytics | Microsoft Learn.
Update and Test:
Upgrade to supported versions and rigorously test to ensure compatibility and secure communication.
Upgrade Client Application:
Make sure client applications and their database drivers are upgraded to use TLS version 1.2 or higher.
Test Changes in Non-Production:
It's recommended to test these configurations in a non-production environment before moving to production to prevent issues.
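The following PowerShell script is an added example, not code from the original post. It carries out the server-side inventory from "How to Identify the Encryption Settings" and the migration step from "Required Actions for Customers" in one pass: it lists every Azure SQL logical server and managed instance in the current subscription whose minimum TLS version is unset or below 1.2 and, only when `-Remediate` is given, raises it. It assumes the Az.Accounts and Az.Sql modules are installed and `Connect-AzAccount` has been run; the `$Remediate`, `$TargetVersion` and `Get-EffectiveTls` names are chosen here, and treating a null `MinimalTlsVersion` as "None" is an assumption.

```powershell
# Added example (not from the original post). Assumes Az.Accounts and Az.Sql
# are installed and Connect-AzAccount / Set-AzContext have already been run
# for the subscription you want to audit.
param(
    [switch]$Remediate,             # report only unless this switch is given
    [string]$TargetVersion = '1.2'  # the minimum the post asks customers to enforce
)

# Settings that will reject TLS 1.0/1.1 clients after the cutover anyway,
# or still admit them today. A null value is treated as "None" (assumption).
$weak = @('None', '1.0', '1.1')
function Get-EffectiveTls([string]$v) { if ([string]::IsNullOrEmpty($v)) { 'None' } else { $v } }

$findings = @()

# Logical servers (Azure SQL Database)
foreach ($srv in Get-AzSqlServer) {
    $current = Get-EffectiveTls $srv.MinimalTlsVersion
    if ($weak -notcontains $current) { continue }
    $findings += [pscustomobject]@{
        Kind = 'Server'; ResourceGroup = $srv.ResourceGroupName
        Name = $srv.ServerName; MinimalTlsVersion = $current
    }
    if ($Remediate) {
        Set-AzSqlServer -ResourceGroupName $srv.ResourceGroupName `
            -ServerName $srv.ServerName -MinimalTlsVersion $TargetVersion | Out-Null
    }
}

# Managed instances
foreach ($mi in Get-AzSqlInstance) {
    $current = Get-EffectiveTls $mi.MinimalTlsVersion
    if ($weak -notcontains $current) { continue }
    $findings += [pscustomobject]@{
        Kind = 'ManagedInstance'; ResourceGroup = $mi.ResourceGroupName
        Name = $mi.ManagedInstanceName; MinimalTlsVersion = $current
    }
    if ($Remediate) {
        Set-AzSqlInstance -ResourceGroupName $mi.ResourceGroupName `
            -Name $mi.ManagedInstanceName -MinimalTlsVersion $TargetVersion -Force | Out-Null
    }
}

if ($findings.Count -eq 0) {
    Write-Host "All SQL servers and managed instances already enforce TLS $TargetVersion or higher."
} else {
    $findings | Sort-Object Kind, ResourceGroup, Name | Format-Table -AutoSize
    Write-Host ("{0} resource(s) below TLS {1}{2}" -f $findings.Count, $TargetVersion,
        $(if ($Remediate) { ' (now updated)' } else { ' (re-run with -Remediate to fix)' }))
}
```

Run it without `-Remediate` first and compare the list against the client TLS-version metrics, because raising the minimum immediately rejects any client still negotiating TLS 1.0 or 1.1.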
Conclusion
Enforcing TLS 1.2 as the minimum supported version is an important step in improving security. By following these guidelines and managing the transition proactively, customers can ensure continuous connectivity and robust security for their systems. Should you need any assistance, please reach out to our MSFT support team. We appreciate your cooperation in maintaining a secure environment.