Azure: Enable TLS 1.2 in Application Gateway

Update: You can do it through the Azure portal by selecting the listener and then clicking on SSL Policy; you will see a small “Change” link, and clicking it takes you to the Change SSL Policy section.

(Screenshot: SSL Policy)

If you wish to continue doing it through PowerShell, follow the process below.

If you ever come across a requirement to enable TLS version 1.2 on an Azure Application Gateway, remember that for now it is limited to doing it through PowerShell; you cannot do it from the Azure Portal. As a matter of fact, as far as I have seen, you can't even go and see which version of TLS is enabled; you can only verify it through PowerShell.

So let's see how to verify which TLS version is enabled, how to set it if it's not there, and how to change to a higher TLS version.

As far as I have seen, when you set up a new application gateway and do not specify one explicitly, there is no TLS version set; you have to go and do it yourself.

Verify Current Settings:

To check the current status of the application gateway, run the following PowerShell command.

Get-AzApplicationGateway -ResourceGroupName "NAME OF RESOURCE GROUP" -Name "APPLICATION GATEWAY NAME"

You have to pay attention to two properties specifically.

a. SslPolicy

b. SslPolicyText

Like I said earlier, if there's no policy set then these two properties are expected to be blank.

Enable TLS Version:

Now you have options to enable different versions: Azure provides you with a predefined policy type or a custom policy type. I am not a TLS expert, nor do I have a great understanding of cipher suites; moreover, whatever Azure provides should cover your security requirements.

The Get-AzApplicationGatewayAvailableSslOptions cmdlet provides a listing of the available predefined policies, available cipher suites and protocol versions that can be configured.

Let's enable TLS version 1.2.

The first requirement is to get the context of the Application Gateway.

$gw = Get-AzApplicationGateway -ResourceGroupName "NAME OF RESOURCE GROUP" -Name "APPLICATION GATEWAY NAME"

Then set the Application Gateway Policy.

Set-AzApplicationGatewaySslPolicy -PolicyType Predefined -PolicyName AppGwSslPolicy20170401S -ApplicationGateway $gw

PolicyType: Predefined

PolicyName: AppGwSslPolicy20170401S (defined by Microsoft)

$gw = Context of Application gateway

Commit the Changes:

Once you have set the policy, it's time to commit the changes to the Application Gateway using the following PowerShell cmdlet.

Set-AzApplicationGateway -ApplicationGateway $gw
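The verify, set and commit steps above put together as one idempotent script. This is an added example, not code from the original post; it assumes the Az.Network module is loaded and Connect-AzAccount has been run, and the resource group and gateway names are placeholders. The helper Get-EffectiveMinProtocol is hypothetical and only resolves which minimum protocol a predefined policy name actually enforces, since a gateway that uses a predefined policy reports only the policy name, not the version.

```powershell
# Added example (not from the original post): check an Application Gateway's
# SSL policy and, unless it already pins AppGwSslPolicy20170401S, apply that
# predefined policy, commit it, and verify the resulting minimum TLS version.
# Assumes Az.Network is installed and Connect-AzAccount has already been run.
param(
    [string]$ResourceGroupName = "NAME OF RESOURCE GROUP",   # placeholder
    [string]$GatewayName       = "APPLICATION GATEWAY NAME", # placeholder
    [string]$PolicyName        = "AppGwSslPolicy20170401S"   # Microsoft predefined, TLS 1.2 minimum
)

# Hypothetical helper: a predefined policy on the gateway carries only PolicyName,
# so look the name up to find the MinProtocolVersion it enforces. Custom policies
# carry MinProtocolVersion directly. A blank policy means Azure's default applies.
function Get-EffectiveMinProtocol($sslPolicy) {
    if ($null -eq $sslPolicy) { return $null }
    if ($sslPolicy.PolicyType -eq 'Predefined' -and $sslPolicy.PolicyName) {
        return (Get-AzApplicationGatewaySslPredefinedPolicy -Name $sslPolicy.PolicyName).MinProtocolVersion
    }
    return $sslPolicy.MinProtocolVersion
}

# Step 1: verify current settings (the SslPolicy property the post tells you to inspect).
$gw = Get-AzApplicationGateway -ResourceGroupName $ResourceGroupName -Name $GatewayName
$current = $gw.SslPolicy
$before  = Get-EffectiveMinProtocol $current
if ([string]::IsNullOrEmpty($before)) {
    Write-Host "No SSL policy set on $GatewayName; Azure's default policy is in effect."
} else {
    Write-Host "Current policy: $($current.PolicyType) $($current.PolicyName) (min protocol $before)"
}

if ($current -and $current.PolicyType -eq 'Predefined' -and $current.PolicyName -eq $PolicyName) {
    Write-Host "Gateway already uses $PolicyName; nothing to change."
    return
}

# Step 2: stage the predefined policy on the local gateway object.
$gw = Set-AzApplicationGatewaySslPolicy -ApplicationGateway $gw -PolicyType Predefined -PolicyName $PolicyName

# Step 3: commit the change to Azure (this is the call that actually updates the gateway).
$gw = Set-AzApplicationGateway -ApplicationGateway $gw

# Step 4: re-read from Azure rather than trusting the local object, and confirm TLS 1.2.
$after = Get-EffectiveMinProtocol (Get-AzApplicationGateway -ResourceGroupName $ResourceGroupName -Name $GatewayName).SslPolicy
if ($after -eq 'TLSv1_2') {
    Write-Host "Verified: $GatewayName now enforces minimum protocol TLSv1_2 via $PolicyName."
} else {
    Write-Warning "Commit finished but effective minimum protocol is '$after', not TLSv1_2; check the gateway's provisioning state."
}
```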

Final Result:

That's about it. It doesn't take more than a few minutes to get the change done, and we shouldn't expect any downtime either. You can also restrict certain old versions, but that's for another blog.

