Transport layer security in Azure HDInsight

Connections to the HDInsight cluster via the public cluster endpoint https://CLUSTERNAME.azurehdinsight.net are proxied through cluster gateway nodes. These connections are secured using a protocol called TLS. Enforcing higher versions of TLS on gateways improves the security for these connections. For more information on why you should use newer versions of TLS, see Solving the TLS 1.0 Problem.

By default, Azure HDInsight clusters accept TLS 1.2 connections on public HTTPS endpoints, and older versions for backward compatibility. You can control the minimum TLS version supported on the gateway nodes during cluster creation using either the Azure portal, or a Resource Manager template. For the portal, select the TLS version from the Security + networking tab during cluster creation. For a Resource Manager template at deployment time, use the minSupportedTlsVersion property. For a sample template, see HDInsight minimum TLS 1.2 Quickstart template. This property supports three values: "1.0", "1.1" and "1.2", which correspond to TLS 1.0+, TLS 1.1+ and TLS 1.2+ respectively.

Next steps