Securing data in transit with Azure
In our last post we covered the ins and outs of securing data at rest in Microsoft Azure. In this post we talk through the services and features in Microsoft Azure that let you secure your data in transit: the TLS minimums you can enforce server-side, and the settings that stop plain-text connections reaching your services at all.
Azure SQL Server
Out of the box, Azure SQL logical servers accept TLS 1.0, 1.1 and 1.2 connections, so your applications can already talk to your Azure SQL databases over an encrypted channel. The minimum TLS version the server will accept can be set with the Azure CLI or PowerShell. We recommend that our customers set that minimum to 1.2, which guarantees that no application connecting to your databases can negotiate TLS 1.0 or 1.1, both of which are deprecated and have known weaknesses. Enforcing the minimum on the server matters because it does not depend on every connection string being right; the trade-off is that a client whose driver or runtime cannot speak TLS 1.2 will fail to connect rather than quietly fall back, so check and update old drivers before you change the setting.
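The CLI route, as an added example that is not code from the original post: a small Azure CLI script that sets the server minimum, reads it back and audits it. The resource group rg-prod and server sql-prod are placeholder names, and setting AZ=echo previews the commands without a subscription.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): enforce a TLS 1.2 minimum on an
# Azure SQL logical server with the Azure CLI, read it back and audit it.
# rg-prod / sql-prod are placeholder names; nothing here is specific to them.
set -eu

# The CLI binary to call; set AZ=echo to print the commands instead of running them.
AZ="${AZ:-az}"

# Raise the server-wide minimum. Allowed values are 1.0, 1.1 and 1.2. Once set,
# a client that can only speak an older version fails the handshake instead of
# silently negotiating down.
set_sql_min_tls() {
  local rg="$1" server="$2" version="${3:-1.2}"
  "$AZ" sql server update --resource-group "$rg" --name "$server" \
    --minimal-tls-version "$version"
}

# Read the current setting back. Empty or "None" means no minimum is enforced
# and TLS 1.0/1.1 clients are still accepted.
get_sql_min_tls() {
  local rg="$1" server="$2"
  "$AZ" sql server show --resource-group "$rg" --name "$server" \
    --query minimalTlsVersion --output tsv
}

# Pure decision helper: returns 0 (true) only when the value enforces at least
# TLS 1.2. The comparison is numeric so a future 1.3 would also pass.
tls_min_is_acceptable() {
  case "$1" in
    ""|None|null) return 1 ;;
  esac
  awk -v v="$1" 'BEGIN { exit !(v + 0 >= 1.2) }'
}

# Audit one server and raise the minimum when it falls short.
audit_sql_min_tls() {
  local rg="$1" server="$2" current
  current="$(get_sql_min_tls "$rg" "$server")"
  if tls_min_is_acceptable "$current"; then
    echo "$server: minimum TLS is $current, nothing to do"
  else
    echo "$server: minimum TLS is '${current:-unset}', raising to 1.2"
    set_sql_min_tls "$rg" "$server" 1.2 >/dev/null
  fi
}

# Usage:
#   audit_sql_min_tls rg-prod sql-prod      # against a real subscription
#   AZ=echo; set_sql_min_tls rg-prod sql-prod   # dry run: prints the command
```

Run the audit across every server in a subscription by feeding it the output of `az sql server list --query "[].[resourceGroup, name]" --output tsv`; the decision helper is kept separate from the CLI calls so the same rule can be applied to exported inventory data without credentials.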
Azure App Services
One of the many benefits of Azure App Services is how easy Microsoft makes it to secure data in transit to and from your web applications.
Connections can be restricted to HTTPS by enabling the "HTTPS Only" option on an App Service, which means every client that connects to your app must communicate over HTTPS using TLS. Plain http:// requests are not served by the app; App Service answers them with a redirect to the https:// URL. That redirect itself travels over plain HTTP, so a browser that starts from a bare hostname still sends its first request unencrypted, where it can be read or tampered with on the way. We therefore still recommend sending an HSTS header (Strict-Transport-Security) on all responses, on top of Azure's built-in mechanism. The header is set by your application rather than by App Service, and it tells any connecting browser to remember, for the max-age you specify, to only ever connect over HTTPS in future, so the unencrypted first hop disappears on every visit after the first.
TLS version support
Azure App Services support TLS 1.0, 1.1 and 1.2. Unless you have a specific requirement to support older versions, we recommend always setting the minimum TLS version to 1.2. As with SQL, a client that can only negotiate 1.0 or 1.1 will then fail the handshake instead of connecting, so confirm that your own clients (older mobile apps, partner integrations, monitoring probes) support 1.2 before you raise the minimum.
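Both App Service settings above, "HTTPS Only" and the TLS minimum, together with the checks a practitioner runs afterwards, as an added example that is not code from the original post. It applies the settings with the Azure CLI and then verifies, from the outside, that http:// is redirected to https://, that an HSTS header with a one-year max-age is present, and that a TLS 1.1 handshake is refused. The resource group rg-prod, app web-prod and hostname are placeholders; the sample response headers are constructed for the offline checks, and the live checks assume curl and openssl are installed.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): enable "HTTPS Only" and a TLS 1.2
# minimum on an App Service with the Azure CLI, then verify from the outside
# what a client actually sees. Resource, app and host names are placeholders.
set -eu

AZ="${AZ:-az}"   # set AZ=echo to print the commands instead of running them

# "HTTPS Only" makes the front end answer http:// requests with a redirect to
# https://; the minimum TLS version makes it refuse 1.0/1.1 handshakes.
harden_webapp() {
  local rg="$1" app="$2"
  "$AZ" webapp update --resource-group "$rg" --name "$app" --https-only true
  "$AZ" webapp config set --resource-group "$rg" --name "$app" --min-tls-version 1.2
}

# ---- checks that read raw response headers (curl -sI output) from stdin ----

# True when the response is a 3xx redirect whose Location is an https:// URL,
# i.e. what "HTTPS Only" produces for a plain http:// request.
redirects_to_https() {
  local headers status location
  headers="$(tr -d '\r')"
  status="$(printf '%s\n' "$headers" | awk 'NR == 1 { print $2 }')"
  location="$(printf '%s\n' "$headers" | awk 'tolower($1) == "location:" { print $2; exit }')"
  case "$status" in 301|302|307|308) ;; *) return 1 ;; esac
  case "$location" in https://*) return 0 ;; *) return 1 ;; esac
}

# Print the max-age of the Strict-Transport-Security header, or nothing if the
# header is absent. Header names are case-insensitive, so any spelling matches.
hsts_max_age() {
  tr -d '\r' | awk -F': *' '
    tolower($1) == "strict-transport-security" {
      n = split($2, directive, /; */)
      for (i = 1; i <= n; i++) {
        split(directive[i], kv, "=")
        if (tolower(kv[1]) == "max-age") { print kv[2]; exit }
      }
    }'
}

# True when HSTS is present with a max-age of at least one year (31536000 s),
# the value browser preload lists expect. Pass a different minimum as $1.
hsts_is_strong() {
  local min="${1:-31536000}" age
  age="$(hsts_max_age)"
  [ -n "$age" ] && [ "$age" -ge "$min" ]
}

# Live checks against a deployed app; needs curl and openssl on the PATH.
check_live() {
  local host="$1"
  curl -sI "http://$host/"  | redirects_to_https || echo "FAIL: http:// is not redirected to https://"
  curl -sI "https://$host/" | hsts_is_strong     || echo "FAIL: no HSTS header with max-age >= 1 year"
  # A TLS 1.1 handshake must now be refused. SECLEVEL=0 is needed because
  # OpenSSL 3 itself will not offer TLS 1.1 at its default security level,
  # which would make this check pass for the wrong reason.
  if openssl s_client -connect "$host:443" -servername "$host" -tls1_1 \
       -cipher 'DEFAULT:@SECLEVEL=0' </dev/null >/dev/null 2>&1; then
    echo "FAIL: front end still accepts TLS 1.1"
  fi
}

# Constructed sample responses (not captured from a real app) that exercise the
# header checks offline; check_live does the same against a real hostname.
SAMPLE_REDIRECT='HTTP/1.1 301 Moved Permanently
Location: https://web-prod.azurewebsites.net/'
SAMPLE_HSTS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains'

demo() {
  printf '%s\n' "$SAMPLE_REDIRECT" | redirects_to_https && echo "redirect check: ok"
  printf '%s\n' "$SAMPLE_HSTS" | hsts_is_strong && echo "HSTS check: ok"
}

demo
# Usage against a real app:  harden_webapp rg-prod web-prod; check_live web-prod.azurewebsites.net
```

The openssl probe is the check most often got wrong: a modern OpenSSL refuses to speak TLS 1.1 on the client side, so without lowering its own security level the handshake fails locally and looks like a server rejection. Only add includeSubDomains to your HSTS header once every subdomain serves HTTPS, since browsers will then refuse plain HTTP to all of them.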
Azure App Services provide several options for installing and using TLS/SSL certificates:
- Free App Service managed certificates, created and managed from your App Service configuration. This option does not support root (apex) domains such as example.com, nor wildcard certificates.
- App Service Certificates: certificates that you purchase through Microsoft Azure, stored in a Key Vault and renewable automatically.
- Key Vault certificates: a PKCS#12 certificate held in Azure Key Vault and imported into the App Service, so rotation happens in one place.
- Private certificates: certificates issued by a different Certificate Authority (CA), uploaded as a PFX file containing the private key.
Azure Storage accounts
Azure Storage accounts can be configured to require secure transfer, which rejects any request to the blob, file, queue or table endpoints that arrives over plain HTTP, and they also let you specify the minimum TLS version clients may use. Again we recommend setting the minimum to TLS 1.2 so that clients cannot use older, less secure versions. Two things to check before turning these on: requiring secure transfer also refuses unencrypted SMB connections to Azure Files shares, so older SMB clients without SMB 3 encryption will stop mounting them, and the TLS minimum applies to every client of the account, including SDK-based applications and command-line tools, not just browsers.
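The storage settings as Azure CLI commands, plus a subscription-wide sweep for accounts that still allow plain HTTP or old TLS, as an added example that is not code from the original post. The resource group rg-prod and account stprod001 are placeholder names, and the compliance rule is kept in a pure function so it can be unit-tested and reused over exported inventory.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): require secure transfer and a
# TLS 1.2 minimum on an Azure Storage account with the Azure CLI, and report
# the accounts in the current subscription that still fall short.
# rg-prod / stprod001 are placeholder names.
set -eu

AZ="${AZ:-az}"   # set AZ=echo to print the commands instead of running them

# --https-only is "Secure transfer required": plain-HTTP REST calls and
# unencrypted SMB connections are refused. --min-tls-version refuses TLS 1.0
# and 1.1 handshakes; accepted values are TLS1_0, TLS1_1 and TLS1_2.
harden_storage_account() {
  local rg="$1" account="$2"
  "$AZ" storage account update --resource-group "$rg" --name "$account" \
    --https-only true --min-tls-version TLS1_2
}

# Pure decision helper: 0 (true) only when both settings are as they should be.
# tsv output spells booleans "True"/"False"; JSON spells them "true"/"false".
# Accounts created before the minimum-TLS setting existed report no version at
# all, which the service treats as TLS1_0, so an empty value is non-compliant.
storage_account_is_compliant() {
  local https_only="$1" min_tls="$2"
  case "$https_only" in
    true|True) ;;
    *) return 1 ;;
  esac
  case "$min_tls" in
    TLS1_2|TLS1_3) return 0 ;;
    *) return 1 ;;
  esac
}

# One row per account: name, enableHttpsTrafficOnly, minimumTlsVersion (tab
# separated). The same filter can be pushed into JMESPath for a one-liner:
#   --query "[?enableHttpsTrafficOnly==\`false\` || minimumTlsVersion!='TLS1_2'].name"
list_storage_accounts() {
  "$AZ" storage account list \
    --query "[].[name, enableHttpsTrafficOnly, minimumTlsVersion]" --output tsv
}

# Print the accounts that need attention, one per line.
report_noncompliant_storage() {
  list_storage_accounts | while IFS="$(printf '\t')" read -r name https_only min_tls; do
    if ! storage_account_is_compliant "$https_only" "$min_tls"; then
      echo "$name: httpsOnly=${https_only:-unset} minTls=${min_tls:-unset}"
    fi
  done
}

# Usage:
#   report_noncompliant_storage                 # find them
#   harden_storage_account rg-prod stprod001    # fix one
```

Run the report before the fix: an account that shows up with minTls=unset has never had a minimum applied and is accepting TLS 1.0 today, which is the case most audits miss because the portal shows the setting as a default rather than as missing.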
Finally, a reminder on Azure SQL Server: every connection to an Azure SQL server is encrypted with TLS regardless of what the client asks for, and the server can also be configured with the minimum TLS version it will accept, as described above. What the server cannot enforce is certificate validation on the client side, so keep Encrypt=True and TrustServerCertificate=False in your connection strings; a client that trusts any server certificate still gets an encrypted channel, but one that a man-in-the-middle presenting its own certificate can sit inside.
Securing your data in transit is a fundamental requirement for protecting your application data against interception and tampering on the network, and for protecting your users from the threats they may meet on the networks they connect from. Microsoft Azure provides the means to secure all of your data in transit, in most cases with just a few small configuration changes.
This post is part of our Azure series, which guides you through how best to configure your Azure environments to get the best possible score and ensure your assets are properly secured.