Question asked by AadilKarolia-0724 (AnuragSharma-MSFT commented)

Azure Policy to validate if TLS field is not selected

I am trying to implement a Deny Policy for "Azure Database for MySQL" -> "Connection Security" in Azure Portal which validates that once the "Enforce SSL Connection" is set to "Enabled" (handled in a separate policy), only a minimum of TLS 1.2 will be allowed.

[screenshot attached]

The challenge I have is that a non-selection of a TLS version should not be allowed. However, when "Enabled" is selected, there is no default TLS selected, so the default version is blank if a user does not select it. My policy will only allow TLS 1.2, so that portion is working correctly, but I am having challenges dealing with a non-selection. "Save" should not be allowed if this is the case; however, based on my current definition, "Save" is still allowed. A snippet from my existing definition:

```json
{
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.DBforMySQL/servers"
        },
        {
          "anyOf": [
            {
              "field": "Microsoft.DBforMySQL/servers/minimalTlsVersion",
              "notEquals": "TLS1_2"
            },
            {
              "field": "Microsoft.DBforMySQL/servers/minimalTlsVersion",
              "equals": "TLSEnforcementDisabled"
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  }
}
```

Please advise as to what I would need to change in my policy definition. Thank you.
A similar policy would be implemented for Azure MariaDB and PostgreSQL after I get this right.
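An added example, not from the thread: the same deny rule written as a complete policy definition, with an explicit `exists: false` clause so the "no TLS version selected" case is matched by name instead of relying only on `notEquals` behaving that way for an absent field. The `TLSEnforcementDisabled` branch is dropped because any value other than `TLS1_2` already fails `notEquals`; the `properties` wrapper, `displayName`, and `mode` are assumed from the standard Azure Policy definition layout.

```json
{
  "properties": {
    "displayName": "Deny MySQL servers whose minimum TLS version is unset or below 1.2",
    "mode": "Indexed",
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DBforMySQL/servers"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.DBforMySQL/servers/minimalTlsVersion",
                "exists": "false"
              },
              {
                "field": "Microsoft.DBforMySQL/servers/minimalTlsVersion",
                "notEquals": "TLS1_2"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

Assigning this with `"effect": "audit"` first shows in the compliance view whether a save that leaves the TLS field blank actually reaches the evaluator with the field absent, which is the case the thread is trying to pin down.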


Hi @AadilKarolia-0724, welcome to Microsoft Q&A forum.

I tried using the same policy mentioned by you and below are my findings:

  1. If we try to Disable 'Enforce SSL connection', deny policy kicks in and would not allow us to change it

  2. If we try to enable 'Enforce SSL connection' and do not select anything in Minimum TLS Version or select anything apart from 1.2, then also deny policy kicks in. Below is the screenshot:

[screenshot attached]

However, when we enable 'Enforce SSL connection' and select TLS version 1.2, the deny policy does not kick in and we are able to make the changes.

Could you please let us know if this is the requirement and you are experiencing some different situation?


Hi @AnuragSharma-MSFT , thank you.

So for example if I make a change to "Allow Access to Azure Resources" and then click Save, even without a TLS version selected below, it still allows me to save.
Please see below:

[screenshot attached]

Thanks for responding back. I am checking on this and will get back at the earliest.


0 Answers