|
1 | 1 | ---
|
2 |
| -title: Overview of TLS/SSL |
| 2 | +title: Overview of TLS/SSL for Azure App Service |
3 | 3 | description: Get an overview of TLS/SSL certificates in Azure App Service and understand how they secure your custom domains.
|
4 | 4 | keywords: TLS/SSL certificates, Azure App Service security, HTTPS overview, domain encryption
|
5 |
| -ms.topic: article |
| 5 | +ms.topic: concept-article |
6 | 6 | ms.date: 02/18/2025
|
7 | 7 | ms.author: msangapu
|
8 | 8 | author: msangapu-msft
|
9 | 9 | ms.custom: UpdateFrequency3
|
10 | 10 | ms.collection: ce-skilling-ai-copilot
|
11 | 11 | ---
|
12 |
| -# TLS/SSL certificates for Azure App Service |
| 12 | +# TLS/SSL certificates for Azure App Service overview |
13 | 13 |
|
14 |
| -> [!NOTE] |
15 |
| -> The [retirement of TLS 1.1 and 1.0 on Azure services](https://azure.microsoft.com/updates/azure-support-tls-will-end-by-31-october-2024-2/) doesn't affect applications running on App Service, Azure Functions, or Logic Apps (Standard). Applications on either App Service, Azure Functions, or Logic Apps (Standard) configured to accept TLS 1.0 or TLS 1.1 for incoming requests **will continue to run unaffected**. |
| 14 | +Transport Layer Security (TLS) is a widely adopted security protocol that is designed to secure connections and communications between servers and clients. In Azure App Service, you can use TLS/Secure Sockets Layer (SSL) certificates to secure incoming requests to your web app. App Service currently supports different set of TLS features. |
16 | 15 |
|
17 |
| -Transport Layer Security (TLS) is a widely adopted security protocol designed to secure connections and communications between servers and clients. App Service allows customers to use TLS/SSL certificates to secure incoming requests to their web apps. App Service currently supports different set of TLS features for customers to secure their web apps. |
| 16 | +> [!NOTE] |
| 17 | +> The [retirement of TLS 1.1 and TLS 1.0 on Azure services](https://azure.microsoft.com/updates/azure-support-tls-will-end-by-31-october-2024-2/) doesn't affect applications running on App Service, Azure Functions, or Azure Logic Apps (Standard). Applications on these Azure services that are configured to accept TLS 1.1 or TLS 1.0 for incoming requests *continue to run unaffected*. |
18 | 18 |
|
19 | 19 | > [!TIP]
|
20 | 20 | >
|
21 |
| -> You can also ask Azure Copilot these questions: |
| 21 | +> Try asking Azure Copilot these questions: |
22 | 22 | >
|
23 | 23 | > - *What versions of TLS are supported in App Service?*
|
24 | 24 | > - *What are the benefits of using TLS 1.3 over previous versions?*
|
25 |
| -> - *How can I change the cipher suite order for my App Service Environment?* |
| 25 | +> - *How can I change the cipher suite order for my Azure App Service Environment deployment?* |
26 | 26 | >
|
27 |
| -> To find Azure Copilot, on the [Azure portal](https://portal.azure.com) toolbar, select **Copilot**. |
| 27 | +> To find Azure Copilot, in the [Azure portal](https://portal.azure.com) toolbar, select **Copilot**. |
| 28 | +
|
| 29 | +## App Service supported TLS versions |
| 30 | + |
| 31 | +For incoming requests to your web app, App Service supports TLS versions 1.3, TLS 1.2, TLS 1.1, and TLS 1.0. |
28 | 32 |
|
29 |
| -## Supported TLS Version on App Service? |
| 33 | +## Minimum TLS versions |
30 | 34 |
|
31 |
| -For incoming requests to your web app, App Service supports TLS versions 1.0, 1.1, 1.2, and 1.3. |
| 35 | +The following sections describe how to set the minimum TLS version in various scenarios. |
32 | 36 |
|
33 |
| -### Set Minimum TLS Version |
34 |
| -Follow these steps to change the Minimum TLS version of your App Service resource: |
35 |
| -1. Browse to your app in the [Azure portal](https://portal.azure.com/) |
36 |
| -1. In the left menu, select **configuration** and then select the **General settings** tab. |
37 |
| -1. On __Minimum Inbound TLS Version__, using the dropdown, select your desired version. |
38 |
| -1. Select **Save** to save the changes. |
| 37 | +### Set the minimum TLS version by using the Azure portal |
39 | 38 |
|
40 |
| -### Minimum TLS Version with Azure Policy |
| 39 | +To change the minimum TLS version of your App Service resource: |
41 | 40 |
|
42 |
| -You can use Azure Policy to help audit your resources when it comes to minimum TLS version. You can refer to [App Service apps should use the latest TLS version policy definition](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) and change the values to your desired minimum TLS version. For similar policy definitions for other App Service resources, refer to [List of built-in policy definitions - Azure Policy for App Service](../governance/policy/samples/built-in-policies.md#app-service). |
| 41 | +1. In the [Azure portal](https://portal.azure.com/), go to your app. |
| 42 | +1. On the resource menu, select **Configuration**, and then select the **General settings** tab. |
| 43 | +1. For **Minimum Inbound TLS Version**, select the version. |
| 44 | +1. Select **Save**. |
43 | 45 |
|
44 |
| -### Minimum TLS Version and SCM Minimum TLS Version |
| 46 | +### Set the minimum TLS version by using Azure Policy |
45 | 47 |
|
46 |
| -App Service also allows you to set minimum TLS version for incoming requests to your web app and to SCM site. By default, the minimum TLS version for incoming requests to your web app and to SCM is set to 1.2 on both portal and API. |
| 48 | +You can use Azure Policy to help you confirm that your resources to accept a minimum TLS version. To set the minimum TLS version for your app, go to [App Service apps should use the latest TLS version policy definition](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b). For similar policy definitions for other App Service resources, see [List of built-in policy definitions - Azure Policy for App Service](../governance/policy/samples/built-in-policies.md#app-service). |
47 | 49 |
|
48 |
| -### TLS 1.3 |
| 50 | +### Minimum TLS version and SCM minimum TLS version |
49 | 51 |
|
50 |
| -TLS 1.3 is the latest and most secure TLS version supported on Azure App Service. It introduces significant security and performance improvements over TLS 1.2 by simplifying cryptographic algorithms, reducing handshake latency, and enhancing encryption. |
| 52 | +You also can set your App Service apps to accept a minimum TLS version for incoming requests and a minimum TLS version for a Source Control Manager (SCM) site. By default, the minimum TLS version for incoming requests to your web app and to SCM site is set to TLS 1.2 in both the portal and the API. |
| 53 | + |
| 54 | +## TLS 1.3 |
| 55 | + |
| 56 | +TLS 1.3 is the latest and most secure TLS version that App Service supports. It introduces significant security and performance improvements over TLS 1.2 by simplifying cryptographic algorithms, reducing handshake latency, and enhancing encryption. |
51 | 57 |
|
52 | 58 | Key benefits include:
|
53 |
| -- **Stronger Security**: Removes outdated cipher suites, enforces Perfect Forward Secrecy (PFS), and encrypts more of the handshake process. |
54 |
| -- **Faster Handshake**: Reduces round trips, improving connection latency, especially for repeated sessions (0-RTT support). |
55 |
| -- **Better Performance**: Uses streamlined encryption algorithms that lower computational overhead and improve efficiency. |
56 |
| -- **Enhanced Privacy**: Encrypts handshake messages, reducing metadata exposure and mitigating downgrade attacks. |
57 | 59 |
|
58 |
| -#### Cipher Suites |
59 |
| -A [Minimum TLS Cipher Suite](#minimum-tls-cipher-suite) setting is available with TLS 1.3. This includes two cipher suites at the top of the cipher suite order: |
| 60 | +- **Stronger security**: Removes outdated cipher suites, enforces Perfect Forward Secrecy (PFS), and encrypts more of the handshake process. |
| 61 | +- **Faster handshake**: Reduces round trips, improving connection latency, especially for repeated sessions (0-RTT support). |
| 62 | +- **Better performance**: Uses streamlined encryption algorithms that lower computational overhead and improve efficiency. |
| 63 | +- **Enhanced privacy**: Encrypts handshake messages, reducing metadata exposure and mitigating downgrade attacks. |
| 64 | + |
| 65 | +### Cipher suites |
| 66 | + |
| 67 | +A [minimum TLS cipher suite](#minimum-tls-cipher-suite) setting is available with TLS 1.3. The setting includes two cipher suites at the top of the cipher suite order: |
| 68 | + |
60 | 69 | - TLS_AES_256_GCM_SHA384
|
61 |
| -- TLS_AES_128_GCM_SHA256 |
| 70 | +- TLS_AES_128_GCM_SHA256 |
62 | 71 |
|
63 |
| -Since TLS 1.3 removes legacy cryptographic algorithms, it's recommended for applications that require modern security standards, improved performance, and reduced latency. |
| 72 | +Because TLS 1.3 removes legacy cryptographic algorithms, we recommend that you use TLS 1.3 for applications that require modern security standards, improved performance, and reduced latency. |
64 | 73 |
|
65 |
| -### TLS 1.2 |
| 74 | +## TLS 1.2 |
66 | 75 |
|
67 |
| -TLS 1.2 is the default TLS version for Azure App Service. It provides strong encryption, improved security over older versions, and compliance with industry standards such as PCI DSS. Since TLS 1.2 is the default, no action is required unless you are migrating from an older TLS version. If your app currently uses TLS 1.0 or 1.1, updating to TLS 1.2 is recommended to maintain security, performance, and compliance. Azure App Service supports a predefined set of TLS 1.2 cipher suites to ensure secure communication between clients and your web app. |
| 76 | +TLS 1.2 is the default TLS version for Azure App Service. TLS 1.2 provides strong encryption, improved security over earlier versions, and compliance with industry standards like Payment Card Industry Data Security Standard (PCI DSS). Because TLS 1.2 is the default setting, no action is required unless you migrate from an earlier version of TLS. If your app currently uses TLS 1.1 or TLS 1.0, we recommend that you update to TLS 1.2 to maintain security, performance, and compliance. App Service supports a predefined set of TLS 1.2 cipher suites to ensure secure communication between clients and your web app. |
68 | 77 |
|
69 |
| -### TLS 1.0 and 1.1 |
| 78 | +## TLS 1.1 and TLS 1.0 |
70 | 79 |
|
71 |
| -TLS 1.0 and 1.1 are considered legacy protocols and are no longer considered secure. It's recommended for customers to use TLS 1.2 or above as the minimum TLS version. When creating a web app, the default minimum TLS version is TLS 1.2. |
| 80 | +TLS 1.1 and TLS 1.0 are considered legacy protocols and no longer secure. We recommend that you use TLS 1.2 as a minimum TLS version. When you create a web app, the setting for default minimum TLS version is TLS 1.2. |
72 | 81 |
|
73 |
| -To ensure backward compatibility for TLS 1.0 and TLS 1.1, App Service will continue to support TLS 1.0 and 1.1 for incoming requests to your web app. However, since the default minimum TLS version is set to TLS 1.2, you need to update the minimum TLS version configurations on your web app to either TLS 1.0 or 1.1 so the requests won't be rejected. |
| 82 | +To ensure backward compatibility for TLS 1.1 and TLS 1.0, App Service continues to support TLS 1.1 and TLS 1.0 for incoming requests to your web app. Because the default minimum TLS version is set to TLS 1.2, in this scenario, you must update the minimum TLS version setting on your web app to either TLS 1.1 or TLS 1.0 so that the requests aren't rejected. |
74 | 83 |
|
75 | 84 | > [!IMPORTANT]
|
76 |
| -> Incoming requests to web apps and incoming requests to Azure are treated differently. App Service will continue to support TLS 1.0 and 1.1 for incoming requests to the web apps. For incoming requests directly to the Azure control plane, for example through ARM or API calls, it's not recommended to use TLS 1.0 or 1.1. |
| 85 | +> Incoming requests to web apps and to Azure are handled differently. |
| 86 | +> |
| 87 | +> App Service continues to support TLS 1.1 and TLS 1.0 for incoming requests to *web apps*. |
| 88 | +> |
| 89 | +> For incoming requests to the *Azure control plane*, such as through Azure Resource Manager (ARM) or API calls, we recommend that you use TLS 1.2 at a minimum. |
77 | 90 | >
|
78 | 91 |
|
79 | 92 | ## Minimum TLS cipher suite
|
80 | 93 |
|
81 | 94 | > [!NOTE]
|
82 |
| -> Minimum TLS Cipher Suite is supported on Basic SKUs and higher on multitenant App Service. |
| 95 | +> A minimum TLS cipher suite is supported on Basic SKUs and later on multitenant App Service. |
| 96 | +
|
| 97 | +The minimum TLS cipher suite includes a fixed list of cipher suites that has an optimal priority order that you can't change. Reordering or reprioritizing the cipher suites might expose your web apps to weaker encryption. We recommend that you use the default, optimal priority order. |
| 98 | + |
| 99 | +You also can't add new or different cipher suites to this list. When you select a minimum cipher suite, the system automatically disables all cipher suites that are less secure for your web app. You can't selectively disable cipher suites. |
| 100 | + |
| 101 | +### What are cipher suites and how do they work on App Service? |
83 | 102 |
|
84 |
| -The minimum TLS cipher suite includes a fixed list of cipher suites with an optimal priority order that you cannot change. Reordering or reprioritizing the cipher suites isn't recommended as it could expose your web apps to weaker encryption. You also cannot add new or different cipher suites to this list. When you select a minimum cipher suite, the system automatically disables all less secure cipher suites for your web app, without allowing you to selectively disable only some weaker cipher suites. |
| 103 | +A cipher suite is a set of instructions that contains algorithms and protocols to help secure network connections between clients and servers. By default, the front-end operating system selects the most secure cipher suite that is supported by both App Service and the client. However, if the client supports only weak cipher suites, then the front-end operating system in that scenario would select a weak cipher suite that is supported by them both. |
85 | 104 |
|
86 |
| -### What are cipher suites and how do they work on App Service? |
| 105 | +If your organization has restrictions on what cipher suites should not be allowed, you can update your web app’s minimum TLS cipher suite setting to ensure that cipher suites that are less secure are disabled for your web app. |
87 | 106 |
|
88 |
| -A cipher suite is a set of instructions that contains algorithms and protocols to help secure network connections between clients and servers. By default, the front-end's OS would pick the most secure cipher suite that is supported by both App Service and the client. However, if the client only supports weak cipher suites, then the front-end's OS would end up picking a weak cipher suite that is supported by them both. If your organization has restrictions on what cipher suites should not be allowed, you may update your web app’s minimum TLS cipher suite property to ensure that the weak cipher suites would be disabled for your web app. |
| 107 | +### FrontEndSSLCipherSuiteOrder cluster setting |
89 | 108 |
|
90 |
| -### App Service Environment (ASE) V3 with cluster setting `FrontEndSSLCipherSuiteOrder` |
| 109 | +For App Service Environments that have the `FrontEndSSLCipherSuiteOrder` cluster setting, you must update your settings to include two TLS 1.3 cipher suites (TLS_AES_256_GCM_SHA384 and TLS_AES_128_GCM_SHA256). After you update, restart your front end for the change to take effect. You must still include the two required [cipher suites](#cipher-suites). |
91 | 110 |
|
92 |
| -For App Service Environments with `FrontEndSSLCipherSuiteOrder` cluster setting, you need to update your settings to include two TLS 1.3 cipher suites (TLS_AES_256_GCM_SHA384 and TLS_AES_128_GCM_SHA256). Once updated, restart your front-end for the change to take effect. You must still include the two required cipher suites as mentioned in the docs. |
| 111 | +## End-to-end TLS encryption |
93 | 112 |
|
94 |
| -## End-to-end TLS Encryption |
| 113 | +End-to-end TLS encryption is available in Premium App Service plans (and in legacy Standard App Service plans). Front-end intra-cluster traffic between App Service front ends and the workers running application workloads now can be encrypted. |
95 | 114 |
|
96 |
| -End-to-end (E2E) TLS encryption is available in Premium App Service plans (and legacy Standard App Service plans). Front-end intra-cluster traffic between App Service front-ends and the workers running application workloads can now be encrypted. |
| 115 | +## Related content |
97 | 116 |
|
98 |
| -## Next steps |
99 |
| -* [Secure a custom DNS name with a TLS/SSL binding](configure-ssl-bindings.md) |
| 117 | +- [Secure a custom DNS name by using a TLS/SSL binding](configure-ssl-bindings.md) |
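Review bot: New line 48 (the Azure Policy paragraph) is ungrammatical and overstates what the policy does: "help you confirm that your resources to accept a minimum TLS version" has no verb after "resources", and the new heading "Set the minimum TLS version by using Azure Policy" plus "To set the minimum TLS version for your app, go to ... policy definition" implies the built-in definition changes the app's setting, whereas the removed line 42 correctly framed it as an audit aid ("help audit your resources") and told the reader to "change the values to your desired minimum TLS version". Suggest keeping the audit framing, for example "You can use Azure Policy to audit whether your apps accept only a minimum TLS version", and restoring the sentence about adjusting the definition's value. Three smaller points in the same hunk: new line 97 states that the cipher suite order is one "that you can't change" and then warns that "Reordering or reprioritizing the cipher suites might expose your web apps to weaker encryption", which contradicts itself (removed line 84 said reordering "isn't recommended", a caution rather than an impossibility); new line 109 turns "as mentioned in the docs" into a link to #cipher-suites, but that anchor is the TLS 1.3 list earlier on this same page, i.e. the same two suites the sentence has just named, so the separately required cipher suites from the App Service Environment configuration docs are no longer referenced, and the heading on new line 107 also drops the "App Service Environment (ASE) V3" scope that removed line 90 carried; and new line 14 keeps the pre-existing grammar slip "supports different set of TLS features", which needs "a different set".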