Ensure Azure Cache for Redis disables non-SSL port and enforces TLS 1.2+

Redis often stores sensitive session and cache data. Non-SSL access and weak TLS versions increase interception risk.

Category

Controls

High

Applies to

Microsoft Azure

Coverage

1 query

Asset types

1 covered

Remediation guidance

Azure Remediation

Service-wide fix (recommended): make encrypted transport mandatory for all Redis deployments and treat non-TLS access as an exception-only compatibility setting.

When to use service-wide remediation

Use the service-wide path when multiple caches still allow plaintext access or when application teams are unsure whether their clients are already TLS-capable.

Azure portal

  1. Open the Redis cache.
  2. Go to Advanced settings.
  3. Ensure Allow access only via SSL is enabled so the non-SSL port is disabled.
  4. Set Minimum TLS version to 1.2 or higher.
  5. Save and test the client connection path.

Azure CLI / API

For existing caches, use the Azure management API through az rest to disable the non-SSL port and require TLS 1.2:

az rest \
  --method patch \
  --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Cache/Redis/<redis-name>?api-version=2024-11-01" \
  --body '{"properties":{"enableNonSslPort":false,"minimumTlsVersion":"1.2"}}'

PowerShell is also supported for setting the minimum TLS version:

Set-AzRedisCache -Name <redis-name> -MinimumTlsVersion "1.2"

Validate the live settings:

az redis show \
  --name <redis-name> \
  --resource-group <resource-group> \
  --query '{enableNonSslPort:enableNonSslPort,minimumTlsVersion:minimumTlsVersion}'
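
For the service-wide path, the same two properties can be checked across every cache in a subscription. The script below is an added example, not code from this page or from Microsoft: it applies the control's stored check (non-SSL port enabled, or minimum TLS version 1.0 or 1.1) to the JSON produced by `az redis list --output json`. The sample data, the cache names and the separate listing of caches with no explicit minimum are assumptions of the example.

```python
import json
import sys

WEAK_TLS = {"1.0", "1.1"}  # the versions the stored check matches

# Constructed sample in the shape of `az redis list --output json` (trimmed to the fields used).
SAMPLE = """[
  {"name": "cache-a", "resourceGroup": "rg-demo", "enableNonSslPort": true,  "minimumTlsVersion": "1.2"},
  {"name": "cache-b", "resourceGroup": "rg-demo", "enableNonSslPort": false, "minimumTlsVersion": "1.0"},
  {"name": "cache-c", "resourceGroup": "rg-demo", "enableNonSslPort": false, "minimumTlsVersion": "1.2"},
  {"name": "cache-d", "resourceGroup": "rg-demo", "enableNonSslPort": false, "minimumTlsVersion": null}
]"""

def audit(az_json):
    """Return (failing, unset): caches matching the stored check, and caches with no explicit minimum."""
    failing, unset = {}, []
    for cache in json.loads(az_json):
        key = f"{cache['resourceGroup']}/{cache['name']}"
        reasons = []
        if cache.get("enableNonSslPort") is True:
            reasons.append("enableNonSslPort=true")
        tls = cache.get("minimumTlsVersion")
        if tls in WEAK_TLS:
            reasons.append(f"minimumTlsVersion={tls}")
        elif tls is None:
            # Assumption: a cache with no explicit minimum reports null here. The stored
            # check does not match it, so it is listed separately for an explicit "1.2".
            unset.append(key)
        if reasons:
            failing[key] = reasons
    return failing, unset

if __name__ == "__main__":
    # Pipe real CLI output in, or run with no pipe to use the constructed sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    failing, unset = audit(data)
    for key, reasons in failing.items():
        print(f"FAIL   {key}: {', '.join(reasons)}")
    for key in unset:
        print(f"REVIEW {key}: minimumTlsVersion not set")
    sys.exit(1 if failing else 0)
```

Run it as `az redis list --output json | python3 audit_redis_tls.py` (the file name is hypothetical); a non-zero exit status means at least one cache matches the check.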

Operational notes

  • Microsoft retired TLS 1.0 and 1.1 for Azure Cache for Redis on April 1, 2025. If your applications still need those versions, fix the client libraries instead of preserving weak transport.
  • New long-term deployments should be planned with Azure Managed Redis in mind because Azure Cache for Redis is being retired.

References

  • https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-tls-configuration
  • https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-remove-tls-10-11
  • https://learn.microsoft.com/en-us/rest/api/redis/redis/update?view=rest-redis-2024-11-01

Query logic

These are the stored checks tied to this control.

Redis instances with insecure transport settings

Connectors

Microsoft Azure

Covered asset types

RedisInstance

Expected check: eq []

{
  redisInstances(
    where: {
      OR: [
        { enableNonSslPort: true },
        { minimumTlsVersion_IN: ["1.0", "1.1"] }
      ]
    }
  ) {
    ...AssetFragment
  }
}