You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/application-gateway/application-gateway-tls-version-retirement.md
+34-1Lines changed: 34 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -5,7 +5,7 @@ services: application gateway
5
5
author: jaesoni
6
6
ms.service: azure-application-gateway
7
7
ms.topic: concept-article
8
-
ms.date: 07/29/2025
8
+
ms.date: 07/31/2025
9
9
ms.author: mbender
10
10
ms.custom:
11
11
- build-2025
@@ -107,6 +107,39 @@ You can also check the [Application Gateway Access logs](monitor-application-gat
107
107
### Error information
108
108
Once support for TLS versions 1.0 and 1.1 is discontinued, clients may encounter errors such as `curl: (35) error:0A000410:SSL routines::sslv3 alert handshake failure`. Depending on the browser being used, various messages indicating TLS handshake failures may be displayed.
109
109
110
+
## FAQs
111
+
112
+
### What does a default TLS policy mean?
113
+
A default TLS policy for Application Gateway is a packaged set of supported TLS versions and cipher suites. This allows customers to begin using secured traffic by only configuring HTTPS or TLS listeners and backend settings, without any additional configuration for TLS version or ciphers. Application Gateway uses one of its predefined policies as the default.
114
+
115
+
### How will the default TLS policies be impacted after legacy TLS versions 1.0 and 1.1 retirement?
116
+
Until September 2025, V2 SKUs utilize two [default TLS policies](application-gateway-ssl-policy-overview.md#default-tls-policy) based on the API version specified during resource deployment. Deployments using API version **2023-02-01 or later** apply `AppGwSslPolicy20220101` by default, while earlier API versions use `AppGwSslPolicy20150501`. With the deprecation of TLS 1.0 and 1.1, the older `AppGwSslPolicy20150501` policy, will be discontinued. Consequently, `AppGwSslPolicy20220101` will become the default policy for all V2 gateways.
117
+
118
+
The default policy for the V1 SKU will remain unchanged since `AppGwSslPolicy20220101` will not be introduced for this retiring SKU.
119
+
120
+
> [!NOTE]
121
+
> A default TLS policy is applied only when the "Default" option is selected in the Portal or when no TLS policy is specified within the resource configuration by means such as REST, PowerShell, or AzCLI.
122
+
>
123
+
> Accordingly, using a default policy in configuration is not same as explicitly selecting `AppGwSslPolicy20150501` policy, even if `AppGwSslPolicy20150501` is the default policy for your API version.
124
+
125
+
### Which TLS policies in Application Gateway are getting deprecated?
126
+
The predefined policies `AppGwSslPolicy20150501` and `AppGwSslPolicy20170401` that support TLS versions 1.0 and 1.1 will be removed from the Azure Resource Manager configuration. Similarly, the Custom policy will stop supporting TLS versions 1.0 and 1.1 along with their associated cipher suites. This applies to both V1 and V2 SKUs.
127
+
128
+
### Will Application Gateway product team automatically update the configuration to a supported TLS policy?
129
+
Application Gateway will not modify any resource having customer-defined TLS configurations. Only the default TLS policy for gateways that have not explicitly set a TLS policy or lack any TLS-related settings (such as HTTPS or TLS listeners) will be automatically updated to use `AppGwSslPolicy20220101`.
130
+
131
+
### Will my gateway go in a Failed state?
132
+
If you have chosen any to-be-discounted TLS policy in the configuration of your gateway and don’t update it to one of the supported policies by August 2025, your gateway will enter a Failed state when performing a configuration update.
133
+
134
+
A non-functional TLS configuration, such an SSLProfile not linked to any listener, will not have any impact on the control plane of the gateway.
135
+
136
+
### How is the release for this change planned?
137
+
Given the scale of our fleet, after 30 August 2025, the deprecation of TLS versions will be implemented separately for the Data and Control Planes (in that order). Any region-specific details will not be available; therefore, we strongly advise you to take all necessary actions before this retirement date.
138
+
139
+
### Is there any potential impact if I haven’t selected any TLS policy and my gateway uses only HTTP/TCP configurations?
140
+
If your gateway does not use any TLS configuration — either through SSLPolicy or SSLProfile — there will be no impact after August 2025.
0 commit comments