Commit 1e673bf

committed
draft
1 parent 1714317 commit 1e673bf

1 file changed

+24
-1
lines changed

articles/app-service/overview-tls.md

Lines changed: 24 additions & 1 deletion
@@ -3,7 +3,7 @@ title: Transport Layer Security (TLS) overview
33
description: Learn about Transport Layer Security (TLS) on App Service.
44
keywords: app service, azure app service, tls, transport layer security, support, web app, troubleshooting,
55
ms.topic: article
6-
ms.date: 11/06/2023
6+
ms.date: 07/24/2024
77
ms.author: msangapu
88
author: msangapu-msft
99
ms.custom: UpdateFrequency3
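Review bot: The front matter's `keywords` and `description` are left as they were while `ms.date` moves to 07/24/2024, even though this commit adds TLS 1.3, minimum cipher suite and end-to-end encryption sections further down. Consider adding those terms to `keywords` so search metadata matches the body, and drop the trailing comma after `troubleshooting,` while this block is being touched.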
@@ -32,5 +32,28 @@ To ensure backward compatibility for TLS 1.0 and TLS 1.1, App Service will conti
3232
> Incoming requests to web apps and incoming requests to Azure are treated differently. App Service will continue to support TLS 1.0 and 1.1 for incoming requests to the web apps. For incoming requests directly to Azure, for example through ARM or API, it's not recommended to use TLS 1.0 or 1.1.
3333
>
3434
35+
### TLS 1.3
36+
With TLS 1.3, a "Minimum TLS Cipher Suite" setting is now available. This includes two cipher suites at the top of the cipher suite order:
37+
- TLS_AES_256_GCM_SHA384
38+
- TLS_AES_128_GCM_SHA256
39+
40+
> [!NOTE]
41+
> Minimum TLS Cipher Suite is supported on Premium SKUs and higher on multi-tenant App Service.
42+
>
43+
44+
#### What are cipher suites and how do they work on App Service?
45+
46+
A cipher suite is a set of instructions that contains algorithms and protocols to help secure network connections between clients and servers. By default, the front-end's OS would pick the most secure cipher suite that is supported by both App Service and the client. However, if the client only supports weak cipher suites, then the front-end's OS would end up picking a weak cipher suite that is supported by them both. If your organization has restrictions on what cipher suites should not be allowed, you may update your web app’s minimum TLS cipher suite property to ensure that the weak cipher suites would be disabled for your web app.
47+
48+
#### App Service Environment (ASE) V3 with Cluster Setting "FrontEndSSLCipherSuiteOrder"
49+
50+
For App Service Environments with "FrontEndSSLCipherSuiteOrder" cluster setting, you need to update your settings to include two TLS 1.3 cipher suites (TLS_AES_256_GCM_SHA384 and TLS_AES_128_GCM_SHA256). Once updated, restart your front-end for the change to take effect. You must still include the two required cipher suites as mentioned in the docs.
51+
52+
## End-to-end TLS Encryption (preview)
53+
54+
End-to-end (E2E) TLS encryption is available in Standard App Service plans and higher. Front-end intra-cluster traffic between App Service front-ends and the workers running application workloads can now be encrypted. Below is a simple diagram to help you understand how it works.
55+
56+
INSERT-IMAGE-HERE
57+
3558
## Next steps
3659
* [Secure a custom DNS name with a TLS/SSL binding](configure-ssl-bindings.md)
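Review bot: The literal placeholder `INSERT-IMAGE-HERE` at added line 56 will publish as body text, directly after a sentence that promises a diagram; add the image reference or remove that sentence before this leaves draft. In the ASE paragraph at added line 50, "the two required cipher suites as mentioned in the docs" neither names the suites nor links the page, so someone editing `FrontEndSSLCipherSuiteOrder` cannot tell from this text which entries must stay in the list; name them or link the source. The cipher suite explanation at added line 46 tells readers to update the web app's minimum TLS cipher suite property but gives no pointer to where that property is set, which is the step a reader restricting weak suites needs. Minor: the NOTE block ends with an empty `>` line at added line 42, and "would pick" / "would end up picking" read more clearly in the present tense.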
