How to disable TLS 1.0 on an Azure App Service Web App


Short answer is that you can’t. (see alternative solution below) The reason is that when you deploy an Azure App Service it goes into a multi-tenant scale unit.  A scale unit looks something like Figure 1, which I stole from here.  Also, have a look at this forums discussion here.

image

Figure 1, Azure App Service scale unit, image taken from here

This scale unit has multiple customers running on it (i.e. multi-tenant).  As SSL communication is offloaded on the Front Ends the only way to disable TLS 1.0 or TLS 1.1 (not supported) would be to make that configuration on the Front End, but then that would disable it for all other App Services running in that scale unit.  Some customer may want it enabled for legacy reasons.  NOTE:  When you run in Basic, Standard or Premium mode the Web Worker in Figure 1 represents a virtual machine which is dedicated to the App Services running in your App Service Plan see here for more.

Solution

The solution is to get a scale unit all for yourself which is called an App Service Environment (ASE), see here.  This gives you a scale unit and you can disable TLS 1.0, you cannot disable TLS 1.1 at the moment.  The ASE also allows you to setup NSG and have more control over the feature.

You will need to access the resource explorer here and modifying the clusterSettings entry for the ASE, similar to the following and also discussed here.

"clusterSettings": [
        {
            "name": "DisableTls1.0",
            "value": "1"
        }
    ],

UPDATE #1:  If you happen to get something like ” ‘Code’: ‘BadRequest’, ‘Message’: ‘An error occurred when updating the entry :” when trying disable TLS 1.0 on and App Service Environment, in resource explorer, in the same context as you where in when you received the error, look for an item named “dnsSuffix: <ASEName>.p.azurewebsites.net” and delete it.  Then retry.

UPDATE #2: Apparently you can also try to put an Application Gateway in front of the App Service, but what I know is this only possible in front of an ILB ASE, but if you are going to deploy an ASE you wouldn’t need the AG to disable TLS 1.0.  See more about that here.  Set-AzureRmApplicationGatewaySslPolicy -DisabledSslProtocols TLSv1_0, TLSv1_1 -ApplicationGateway $gw

UPDATE #3: I am not a PCI compliance officer and I am not clear on the date when the having TLS 1.0 enabled voids PCI compliance.  However, it is my understanding that Azure App Services is PCI compliance and the removal or the ability to remove TLS 1.0 will happen before the compliance is voided.  See here and here for some more information.

Comments (3)

  1. scott says:

    A service like Trustwave is failing you for having TLS 1.0 enabled. You can download a document on their website to request a waiver until 2018, the official deadline for compliance.

  2. DubaStep says:

    WAF is another option, which used in this case would be a fancy way of saying reverse proxy with SSL termination at the proxy, which is what the application gateway is doing as well. There are a few options available in Azure, not just from Microsoft, virtual LTMs from F5 for example.

  3. Shawn says:

    Having done this I found limitations and may not be for everyone. Some of the issues I ran into were Web Deploy did not work due to .net and had to create a group policy to modify some regkeys, also had to make sure that my Web App was set for .Net 4.6 when making out going connection or it would also try using TLS 1.0. Those I was able to fix. The one that I was not able to fix was that the Log Monitor, and Process Monitor require TLS 1.0 to be enabled or do not work, You can work around it by using Kudo, and maybe App Insights but If you are working on a new Branch/Slot you may not have(or want/need) App Insights enabled. In the end I felt that it there is still some kinks to work around before I could suggest using it, unless of course your compliance officer requires it.

Skip to main content