AzInitiativeAdvertizer

last sync: 2025-Jul-18 17:22:56 UTC

[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit

Azure Landing Zones (ALZ) Policy Initiative (PolicySet)

Source Repository Azure Landing Zones (ALZ) GitHub
JSON Enforce-EncryptTransit
Display name[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit
IdEnforce-EncryptTransit
Version2.1.0-deprecated
Details on versioning
CategoryEncryption
DescriptionChoose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html
Cloud environments AzureChinaCloud
AzureCloud
AzureUSGovernment
TypeCustom Azure Landing Zones (ALZ)
DeprecatedTrue
PreviewFalse
SupersededBy This ALZ PolicySet definition is superseded by [Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit (Enforce-EncryptTransit_20240509) Custom Azure Landing Zones (ALZ)
More information on Azure Landing Zones deprecated Policy and PolicySet definitions
Policy-used summary
Policy types Policy states Policy categories
Total Policies: 22
Builtin Policies: 4
Static Policies: 0
ALZ Policies: 18
Deprecated: 1
GA: 21
6 categories:
App Service: 7
Cache: 3
Container Apps: 1
Kubernetes: 1
SQL: 8
Storage: 2
Policy-used
Policy DisplayName Policy Id Category Effect Roles# Roles State Type policy in AzUSGov
[Deprecated] Storage Account set to minimum TLS and Secure transfer should be enabled Deny-Storage-minTLS Storage Default
Deny
Allowed
Audit, Deny, Disabled		 0 Deprecated ALZ
API App should only be accessible over HTTPS Deny-AppServiceApiApp-http App Service Default
Deny
Allowed
Audit, Disabled, Deny		 0 GA ALZ
App Service apps should use the latest TLS version f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA BuiltIn true
AppService append enable https only setting to enforce https setting. Append-AppService-httpsonly App Service Default
Append
Allowed
Append, Disabled		 0 GA ALZ
AppService append sites with minimum TLS version to enforce. Append-AppService-latestTLS App Service Default
Append
Allowed
Append, Disabled		 0 GA ALZ
Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS. Append-Redis-sslEnforcement Cache Default
Append
Allowed
Append, Disabled		 0 GA ALZ
Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. Append-Redis-disableNonSslPort Cache Default
Append
Allowed
Append, Disabled		 0 GA ALZ
Azure Cache for Redis only secure connections should be enabled Deny-Redis-http Cache Default
Deny
Allowed
Audit, Deny, Disabled		 0 GA ALZ
Azure Database for MySQL server deploy a specific min TLS version and enforce SSL. Deploy-MySQL-sslEnforcement SQL Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled		 1 Contributor GA ALZ
Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL Deploy-PostgreSQL-sslEnforcement SQL Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled		 1 Contributor GA ALZ
Azure SQL Database should have the minimal TLS version set to the highest version Deny-Sql-minTLS SQL Default
Audit
Allowed
Audit, Disabled, Deny		 0 GA ALZ
Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS Deploy-Storage-sslEnforcement Storage Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled		 1 Storage Account Contributor GA ALZ
Container Apps should only be accessible over HTTPS 0e80e269-43a4-4ae9-b5bc-178126b8a5cb Container Apps Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA BuiltIn unknown
Function App should only be accessible over HTTPS Deny-AppServiceFunctionApp-http App Service Default
Deny
Allowed
Audit, Disabled, Deny		 0 GA ALZ
Function apps should use the latest TLS version f9d614c5-c173-4d56-95a7-b4437057d193 App Service Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled		 0 GA BuiltIn true
Kubernetes clusters should be accessible only over HTTPS 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d Kubernetes Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled		 0 GA BuiltIn true
MySQL database servers enforce SSL connections. Deny-MySql-http SQL Default
Deny
Allowed
Audit, Disabled, Deny		 0 GA ALZ
PostgreSQL database servers enforce SSL connection. Deny-PostgreSql-http SQL Default
Deny
Allowed
Audit, Disabled, Deny		 0 GA ALZ
SQL Managed Instance should have the minimal TLS version set to the highest version Deny-SqlMi-minTLS SQL Default
Audit
Allowed
Audit, Disabled, Deny		 0 GA ALZ
SQL managed instances deploy a specific min TLS version requirement. Deploy-SqlMi-minTLS SQL Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled		 1 SQL Managed Instance Contributor GA ALZ
SQL servers deploys a specific min TLS version requirement. Deploy-SQL-minTLS SQL Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled		 1 SQL Server Contributor GA ALZ
Web Application should only be accessible over HTTPS Deny-AppServiceWebApp-http App Service Default
Deny
Allowed
Audit, Disabled, Deny		 0 GA ALZ
Roles used
History none
JSON compare
compare mode: version left: version right:
JSON
EPAC