New Web App SSL Settings (Government and Commercial)

It is well known that NIST recommends disabling TLS 1.0, and for many Government organizations it is a requirement to do so. In the past, it was not easy to disable TLS 1.0 in Azure Web Apps, and I have spent some considerable effort describing how one could control the TLS settings using an App Gateway. Very recently, a new feature in Azure Web Apps lets you control the minimum TLS version directly in the portal. The feature is rolling out across both Azure Commercial and Azure Government. You can read more about it in this blog post.

I don't normally spend time on reporting every new feature of various services, but since I have suggested other solutions in the past I wanted to make sure that it is clear that if the main goal is to control the TLS version, you can simply use the settings in the portal. I will be demonstrating it here with a web app in usgovarizona. Make sure you validate in your region. If the update has not been rolled out yet, it will be soon.

If you create a new Azure Web App and scan it with SSLLabs' excellent tool, you will see that TLS 1.0 is enabled:

In the portal you can change the minimum TLS version for your app:

And if you repeat the SSLLabs test (give it a few minutes before you try and remember to clear the cache):

Notice that only TLS 1.2 is on.

And that's it. If you have been using app gateways in front of your web apps with the sole purpose of turning off TLS 1.0, you can remove them and use the feature built into web apps. There are of course many other uses of app gateway that you may be utilizing. You may for instance be using the WAF version of the app gateway, in which case you should keep the gateway and you can continue leveraging those features.
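Before removing a gateway that was only there to turn off TLS 1.0, it is worth confirming that every web app behind it actually has the minimum TLS version set. The following is an added example, not part of the original post: it audits a list of app configurations, assumed to be collected per app from `az webapp config show` output, and the app names, resource groups and field shape shown are constructed for illustration.

```python
import json

REQUIRED_MIN_TLS = "1.2"  # the post's goal: TLS 1.0 off, only TLS 1.2 left after the change

# Constructed sample: one object per app, shaped like `az webapp config show` output
# (assumed fields: name, resourceGroup, minTlsVersion).
SAMPLE_CONFIGS = json.loads("""
[
  {"name": "portal-gov", "resourceGroup": "rg-az", "minTlsVersion": "1.2"},
  {"name": "legacy-api", "resourceGroup": "rg-az", "minTlsVersion": "1.0"},
  {"name": "reports", "resourceGroup": "rg-va", "minTlsVersion": "1.1"},
  {"name": "old-export", "resourceGroup": "rg-va", "minTlsVersion": null},
  {"name": "intake", "resourceGroup": "rg-va"}
]
""")

def parse_version(value):
    """Turn '1.2' into (1, 2); return None for missing or malformed values."""
    if not isinstance(value, str):
        return None
    parts = value.strip().split(".")
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        return None
    return (int(parts[0]), int(parts[1]))

def audit_min_tls(configs, required=REQUIRED_MIN_TLS):
    """Return (resourceGroup, name, reason) for every app below the required minimum."""
    floor = parse_version(required)
    findings = []
    for cfg in configs:
        raw = cfg.get("minTlsVersion")
        version = parse_version(raw)
        if version is None:
            # Fail closed: an absent or unreadable value is not proof of enforcement.
            reason = "minTlsVersion missing or unreadable; treat as not enforced"
        elif version < floor:
            reason = f"minimum TLS {raw} allows protocols older than {required}"
        else:
            continue
        findings.append((cfg.get("resourceGroup", "?"), cfg.get("name", "?"), reason))
    return findings

if __name__ == "__main__":
    for group, name, reason in audit_min_tls(SAMPLE_CONFIGS):
        print(f"{group}/{name}: {reason}")
```

A clean audit only shows what is configured; the SSLLabs scan described above is still the check of what the endpoint actually negotiates.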

Let me know if you have questions/comments/suggestions.