Disable Non-TLS Access for Redis Enterprise Cache Servers

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Enterprise Redis cache clusters are configured to accept TLS connections only in order to meet Microsoft Azure cloud security and compliance requirements. Enforcing TLS-only communication helps prevent unauthorized users from reading sensitive data that is intercepted as it travels through the network, between clients and cache clusters, known as data in transit.

Security

The use of secure TLS connections ensures authentication between the client and the Redis cache cluster and protects data in transit against network layer attacks such as Man-In-The-Middle (MITM) attacks, eavesdropping, and session hijacking. When working with production data, it is strongly recommended to implement encryption to protect it from unauthorized access and to fulfill compliance requirements for data encryption within your organization. For example, a compliance requirement is to protect sensitive data that could potentially identify a specific individual, such as Personally Identifiable Information (PII), which is commonly used in the Financial Services, Healthcare, and Telecommunications sectors.


Audit

To determine if your Enterprise Redis cache clusters are configured to allow non-TLS access, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Redis Enterprise cluster for Value, then choose Apply to list the Enterprise Redis cache clusters available in the selected subscription.

05 Click on the name (link) of the Redis cache cluster that you want to examine.

06 In the resource navigation panel, under Settings, select Advanced settings to access the advanced configuration settings available for the selected cluster.

07 Verify the Non-TLS access only setting checkbox to determine if your cache cluster is configured to allow non-TLS access. If the Non-TLS access only setting checkbox is checked next to Enable, the selected Enterprise Redis cache cluster is configured to accept non-TLS connections. As a result, the communication between the client and the Redis cache cluster is not encrypted.

08 Repeat steps no. 5 – 7 for each Enterprise Redis cache cluster deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run redisenterprise list command (Windows/macOS/Linux) with custom output filters to list the identifier (ID) of each Enterprise Redis cache cluster available in the selected Azure subscription:

az redisenterprise list \
	--query '[*].id'

05 The command output should return the requested cache cluster IDs:

[
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Cache/redisEnterprise/cc-project5-redis-enterprise",
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Cache/redisEnterprise/cc-redis-cluster-enterprise"
]

06 Run redisenterprise show command (Windows/macOS/Linux) with the ID of the Enterprise Redis cache cluster that you want to examine as the identifier parameter and custom output filters to determine if the selected cache cluster is configured to allow non-TLS access:

az redisenterprise show \
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Cache/redisEnterprise/cc-project5-redis-enterprise" \
	--query 'databases[].clientProtocol'

07 The command output should return the type of the client protocol configured for the selected cluster ("Plaintext" for non-TLS, "Encrypted" for TLS-only):

[
	"Plaintext"
]

If the redisenterprise show command output returns "Plaintext", as shown in the example above, the selected Enterprise Redis cache cluster is configured to accept non-TLS connections. As a result, the communication between the client and the Redis cache cluster is not encrypted.

08 Repeat steps no. 6 and 7 for each Enterprise Redis cache cluster available within the current Azure subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.
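The Azure CLI audit above, automated across all subscriptions and clusters, as an added example that is not part of the original knowledge base article. It assumes a logged-in `az` with the redisenterprise extension available; the evaluation logic is kept in pure functions so it can be exercised on the constructed sample below without calling Azure.

```python
"""Flag Redis Enterprise clusters that accept non-TLS (Plaintext) connections.

Wraps the `az account list`, `az account set`, `az redisenterprise list` and
`az redisenterprise show` calls from the audit steps and inspects each
cluster's databases[].clientProtocol value ("Plaintext" = non-TLS allowed,
"Encrypted" = TLS-only).
"""
import json
import subprocess


def az(*args):
    """Run an Azure CLI command and return its parsed JSON output (None if empty)."""
    proc = subprocess.run(["az", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else None


def has_plaintext_access(cluster):
    """True if any database on this cluster (from `az redisenterprise show`)
    reports clientProtocol == "Plaintext"; a cluster without databases is
    treated as compliant because nothing is listening."""
    databases = cluster.get("databases") or []
    return any(db.get("clientProtocol") == "Plaintext" for db in databases)


def plaintext_cluster_ids(clusters):
    """Return the IDs of the non-compliant clusters from a list of show outputs."""
    return [c["id"] for c in clusters if has_plaintext_access(c)]


def audit_all_subscriptions():
    """Audit steps 1-8 for every subscription: {subscription_id: [cluster ids]}."""
    findings = {}
    for sub_id in az("account", "list", "--query", "[*].id"):
        az("account", "set", "--subscription", sub_id)
        cluster_ids = az("redisenterprise", "list", "--query", "[*].id") or []
        clusters = [az("redisenterprise", "show", "--ids", cid) for cid in cluster_ids]
        findings[sub_id] = plaintext_cluster_ids(clusters)
    return findings


# Constructed sample shaped like the page's `az redisenterprise show` output.
SAMPLE_CLUSTERS = [
    {"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Cache/redisEnterprise/cc-project5-redis-enterprise",
     "databases": [{"clientProtocol": "Plaintext"}]},
    {"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Cache/redisEnterprise/cc-redis-cluster-enterprise",
     "databases": [{"clientProtocol": "Encrypted"}]},
]

if __name__ == "__main__":
    for cluster_id in plaintext_cluster_ids(SAMPLE_CLUSTERS):
        print("non-TLS access enabled:", cluster_id)
```

Run `audit_all_subscriptions()` against a real tenant; the printed sample run only exercises the offline evaluation.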

Remediation / Resolution

To disable non-TLS, non-encrypted communication and enable TLS-only access for your Enterprise Redis cache clusters, perform the following operations:

Modifying existing TLS protocol configuration for Enterprise Redis cache clusters using Azure Command Line Interface (Azure CLI) is not currently supported.

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Redis Enterprise cluster for Value, then choose Apply to list the Enterprise Redis cache clusters available in the selected subscription.

05 Click on the name (link) of the Redis cache cluster that you want to configure.

06 In the resource navigation panel, under Settings, select Advanced settings to access the advanced configuration settings available for the selected cluster.

07 Uncheck the Non-TLS access only setting checkbox next to Enable and choose Save to apply the configuration changes. This configuration enforces the selected cluster to accept only TLS connections and encrypts the communication between the client and the cache cluster.

08 Repeat steps no. 5 – 7 for each Enterprise Redis cache cluster available within the selected subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Publication date May 12, 2025