Merge pull request #288988 from seligj95/ciphersuite

add tls 1.3 ciphers

Author: prmerger-automator[bot]

articles/app-service/environment/app-service-app-service-environment-custom-settings.md

@@ -13,11 +13,12 @@ ms.custom: mvc, devx-track-arm-template
 # Custom configuration settings for App Service Environments
 
 ## Overview
+
 Because App Service Environments are isolated to a single customer, there are certain configuration settings that can be applied exclusively to App Service Environments. This article documents the various specific customizations that are available for App Service Environments.
 
 > [!NOTE]
 > This article covers the features, benefits, and use cases of App Service Environment v3, which is used with App Service Isolated v2 plans.
-> 
+>
 
 If you do not have an App Service Environment, see [How to Create an App Service Environment v3](./creation.md).
 
@@ -48,6 +49,7 @@ The following abbreviated Resource Manager template snippet shows the **clusterS
 The **clusterSettings** attribute can be included in a Resource Manager template to update the App Service Environment.
 
 ## Use Azure Resource Explorer to update an App Service Environment
+
 Alternatively, you can update the App Service Environment by using [Azure Resource Explorer](https://resources.azure.com).
 
 1. In Resource Explorer, go to the node for the App Service Environment (**subscriptions** > **{your Subscription}** > **resourceGroups** > **{your Resource Group}** > **providers** > **Microsoft.Web** > **hostingEnvironments**). Then click the specific App Service Environment that you want to update.
@@ -71,12 +73,12 @@ The App Service Environment operates as a black box system where you cannot see
     }
 ],
 ```
-Setting InternalEncryption to true encrypts internal network traffic in your App Service Environment between the front ends and workers, encrypts the pagefile and also encrypts the worker disks. After the InternalEncryption clusterSetting is enabled, there can be an impact to your system performance. When you make the change to enable InternalEncryption, your App Service Environment will be in an unstable state until the change is fully propagated. Complete propagation of the change can take a few hours to complete, depending on how many instances you have in your App Service Environment. We highly recommend that you do not enable InternalEncryption on an App Service Environment while it is in use. If you need to enable InternalEncryption on an actively used App Service Environment, we highly recommend that you divert traffic to a backup environment until the operation completes. 
 
+Setting InternalEncryption to true encrypts internal network traffic in your App Service Environment between the front ends and workers, encrypts the pagefile and also encrypts the worker disks. After the InternalEncryption clusterSetting is enabled, there can be an impact to your system performance. When you make the change to enable InternalEncryption, your App Service Environment will be in an unstable state until the change is fully propagated. Complete propagation of the change can take a few hours to complete, depending on how many instances you have in your App Service Environment. We highly recommend that you do not enable InternalEncryption on an App Service Environment while it is in use. If you need to enable InternalEncryption on an actively used App Service Environment, we highly recommend that you divert traffic to a backup environment until the operation completes.
 
 ## Disable TLS 1.0 and TLS 1.1
 
-If you want to manage TLS settings on an app by app basis, then you can use the guidance provided with the [Enforce TLS settings](../configure-ssl-bindings.md#enforce-tls-versions) documentation. 
+If you want to manage TLS settings on an app by app basis, then you can use the guidance provided with the [Enforce TLS settings](../configure-ssl-bindings.md#enforce-tls-versions) documentation.
 
 If you want to disable all inbound TLS 1.0 and TLS 1.1 traffic for all of the apps in an App Service Environment, you can set the following **clusterSettings** entry:
 
@@ -92,19 +94,23 @@ If you want to disable all inbound TLS 1.0 and TLS 1.1 traffic for all of the ap
 The name of the setting says 1.0 but when configured, it disables both TLS 1.0 and TLS 1.1.
 
 ## Change TLS cipher suite order
-The App Service Environment supports changing the cipher suite from the default. The default set of ciphers is the same set that is used in the multi-tenant service. Changing the cipher suites affects an entire App Service deployment making this only possible in the single-tenant App Service Environment. There are two cipher suites required for an App Service Environment; TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. If you wish to operate your App Service Environment with the strongest and most minimal set of cipher suites, then use just the two required ciphers. To configure your App Service Environment to use just the ciphers that it requires, modify the **clusterSettings** as shown below. 
+
+App Service Environment supports changing the cipher suite from the default. The default set of ciphers is the same set that is used in the multi-tenant App Service. Changing the cipher suite is only possible with App Service Environment, the single-tenant offering, not the multi-tenant offering, because changing it affects the entire App Service deployment. There are two cipher suites that are required for an App Service Environment: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. Additionally, you should include the following cipher suites, which are required for TLS 1.3: TLS_AES_256_GCM_SHA384 and TLS_AES_128_GCM_SHA256.
+
+To configure your App Service Environment to use just the ciphers that it requires, modify the **clusterSettings** as shown in the following sample. **Ensure that the TLS 1.3 ciphers are included at the beginning of the list**.
 
 ```json
 "clusterSettings": [
     {
         "name": "FrontEndSSLCipherSuiteOrder",
-        "value": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+        "value": "TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
     }
 ],
 ```
 
 > [!WARNING]
-> If incorrect values are set for the cipher suite that SChannel cannot understand, all TLS communication to your server might stop functioning. In such a case, you will need to remove the *FrontEndSSLCipherSuiteOrder* entry from **clusterSettings** and submit the updated Resource Manager template to revert back to the default cipher suite settings.  Please use this functionality with caution.
+> If incorrect values are set for the cipher suite that SChannel cannot understand, all TLS communication to your server might stop functioning. In such a case, you will need to remove the *FrontEndSSLCipherSuiteOrder* entry from **clusterSettings** and submit the updated Resource Manager template to revert back to the default cipher suite settings. Please use this functionality with caution.
 
 ## Get started
+
 The Azure Quickstart Resource Manager template site includes a template with the base definition for [creating an App Service Environment](https://azure.microsoft.com/resources/templates/web-app-asp-app-on-asev3-create/).