Azure Database for MariaDB
An Azure managed MariaDB database service for app development and deployment.
48 questions
Azure Policy to validate if TLS field is not selected
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(160, 46%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAK%3C/text%3E%3C/svg%3E)
Aadil Karolia
1
Reputation point
I am trying to implement a Deny Policy for "Azure Database for MySQL" -> "Connection Security" in Azure Portal which validates that once the "Enforce SSL Connection" is set to "Enabled" (handled in a separate policy), only a minimum of TLS 1.2 will be allowed.
The challenge I have is a non-selection of a TLS version should not be allowed. However when "Enabled" is selected, there is no default TLS selected, so the default version is blank if a user does not select it. My policy will only allow TLS 1.2, so that portion is working correctly, but I am having challenges dealing with a non-selection. "Save" should not be allowed if this is the case, however based on my current definition "Save" is still allowed. A snippet from my existing definition:
`
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.DBforMySQL/servers"
},
{
"anyOf": [
{
"field": "Microsoft.DBforMySQL/servers/minimalTlsVersion",
"notEquals": "TLS1_2"
},
{
"field": "Microsoft.DBforMySQL/servers/minimalTlsVersion",
"Equals": "TLSEnforcementDisabled"
}
]
}
]
},
"then": {
"effect": "deny"
}
}
`
Please advise as to what I would need to change in my policy definition? Thank you
A similar policy would be implemented for Azure MariaDB and PostgreSQL after I get this right.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 97%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)
Anurag Sharma 17,571 Reputation points2021-09-29T07:41:44.09+00:00 Hi @Aadil Karolia , welcome to Microsoft Q&A forum.
I tried using the same policy mentioned by you and below are my findings:
- If we try to Disable 'Enforce SSL connection', deny policy kicks in and would not allow us to change it
- If we try to enable 'Enforce SSL connection' and do not select anything in Minimum TLS Version or select anything apart from 1.2, then also deny policy kicks in. Below is the screenshot:
However when we enable 'Enforce SSL connection' and select 1.2 TLS version, deny policy does not kick in and we are able to make the changes,
Could you please let us know if this is the requirement and you are experiencing some different situation?
-
Aadil Karolia 1 Reputation point
2021-09-29T09:17:28.28+00:00 Hi @AnuragSharma-MSFT , thank you.
So for example if I make a change to "Allow Access to Azure Resources" and then click Save, even without a TLS version selected below, it still allows me to save.
Please see below:
-
Anurag Sharma 17,571 Reputation points
2021-09-30T08:24:56.513+00:00 Thanks for responding back. I am checking on this and will get back at the earliest.
Sign in to comment