Commit 7a3fabb

Create application-gateway-tls-version-retirement.md
1 parent 1f94860 commit 7a3fabb

1 file changed

+73
-0
lines changed

@@ -0,0 +1,73 @@
1+
---
2+
title: TLS 1.0 and 1.1 retirement on Application Gateway
3+
description: Guidance for managing your Application Gateway with the upcoming retirement of TLS 1.0 and 1.1
4+
services: application gateway
5+
author: jaesoni
6+
ms.service: azure-application-gateway
7+
ms.topic: concept-article
8+
ms.date: 03/04/2025
9+
ms.author: greglin
10+
---
11+
12+
# Managing your Application Gateway with TLS 1.0 and 1.1 retirement
13+
14+
Starting **31st August 2025**, Azure Application Gateway will no longer support **TLS versions 1.0 and 1.1**. This change aligns with the [Azure-wide retirement](https://azure.microsoft.com/updates?id=update-retirement-tls1-0-tls1-1-versions-azure-services) of these TLS versions to enhance the security. As the owner of an Application Gateway resource, you should review both the Frontend clients and Backend servers TLS connections that may be using these older versions.
15+
16+
## Frontend TLS connections
17+
18+
With deprecation of TLS versions 1.0 and 1.1, the **older Predefined TLS policies** and certain cipher suites from the **Custom TLS policy** will be removed.
19+
20+
### Predefined policies for V2 SKUs
21+
22+
The predefined policies 20150501 and 20170401 that support TLS v1.0 and 1.1 will be discontinued and can no longer be associated with an Application Gateway resource after August 2025. It is advised to transition to one of the recommended TLS policies, 20220101 or 20220101S. Alternatively, the 20170401S policy may be used if specific cipher suites are required.
23+
24+
![A diagram showing predefined policies that will be removed.](media/application-gateway-tls-version-retire/retiring-tls-policies.png)
25+
26+
### Custom policies for V2 SKUs
27+
28+
Azure Application Gateway V2 SKU offers two types of custom policies: Custom and CustomV2. The retirement of these TLS versions will affect only the “Custom” policy. The newer “CustomV2” policy comes with TLS v1.3. Beyond August 2025, the older Custom policy will support only TLS v1.2 and the following cipher suites will NOT be supported.
29+
30+
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
31+
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
32+
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
33+
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
34+
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
35+
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
36+
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
37+
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
38+
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
39+
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
40+
TLS_RSA_WITH_3DES_EDE_CBC_SHA
41+
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
42+
43+
### Predefined policies for V1 SKUs
44+
45+
The V1 SKU will only support the 20170401S policy after the older policies with TLS versions 1.0 and 1.1 are discontinued. The newer 20220101 or 20220101S policies will not be available for the soon-to-be-retired V1 SKU.
46+
47+
### Custom policies for V1 SKUs
48+
49+
Application Gateway V1 SKU only supports the older “Custom” policy. Beyond August 2025, this older Custom policy will support only TLS v1.2 and the following cipher suites will NOT be supported.
50+
51+
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
52+
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
53+
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
54+
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
55+
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
56+
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
57+
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
58+
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
59+
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
60+
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
61+
TLS_RSA_WITH_3DES_EDE_CBC_SHA
62+
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
63+
64+
## Backend TLS connections
65+
66+
You need not configure anything on your Application Gateway for the backend connection's TLS version as the selection of TLS policy has no control over the backend TLS connections. After retirement, the connections to backend servers will always be with preferred TLS v1.3 and up to TLS v1.2. Hence, you must ensure that your servers in the backend pools are compatible with these updated protocol versions. This will avoid any disruptions when establishing a TLS/HTTPS connection with those backend servers.
67+
68+
69+
70+
## Next steps
71+
72+
Learn about [TLS policy types and configurations](application-gateway-ssl-policy-overview.md)
73+
Visit Azure Updates for [retirement notice](https://azure.microsoft.com/updates?searchterms=application+gateway)
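
Review bot: The two cipher suite lists (new-file lines 30-41 and 51-62) are bare consecutive lines with no list markers or code fence, so Markdown will fold each one into a single run-on paragraph; make each suite a bullet item or put the list in a fenced block. The two lists are identical, so consider stating the list once and referring to it from the V1 section so the copies cannot drift. The same folding applies to the two "Next steps" links on lines 72-73. The image on line 24 points at media/application-gateway-tls-version-retire/retiring-tls-policies.png, but this commit changes only one file, so confirm the PNG already exists at that path (the folder name also differs from the article name, application-gateway-tls-version-retirement). On line 66, "with preferred TLS v1.3 and up to TLS v1.2" is ambiguous about the floor; say explicitly which version is preferred and which is the minimum, because backend owners will read this sentence to decide what their servers must support. Line 14 gives the cutoff as 31st August 2025 while lines 22, 28 and 49 say "after August 2025" or "Beyond August 2025"; use one phrasing throughout.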
