Azure
Security
Tutorials
How to Find Azure Resources Affected by TLS 1.0/1.1 Deprecation
Azure is ending support for TLS 1.0 and TLS 1.1 and requiring TLS 1.2 and above for all HTTPS connections. This is a good move to ensure the security of the data. However, this represents a large operational lift to identify all resources that will be impacted.
Using CloudQuery, you can quickly identify all resources that have a minimum TLS property set to 1.0 or 1.1 in order to prioritize upgrading these resources.
How to Sync Your AWS Cloud Data with CloudQuery #
Follow these simple steps to set up CloudQuery and sync your Azure data:
Sign Up for CloudQuery #
Start by creating a CloudQuery account to get started.
Set Up Your Data Sync #
Configure a new sync using the Azure Source Integration. You will need to make sure that you have synced the following tables:
azure_appservice_web_app_configurationsazure_cosmos_database_accountsazure_eventhub_namespacesazure_hdinsight_clustersazure_mariadb_serversazure_mysql_serversazure_postgresql_serversazure_redis_cachesazure_sql_managed_instancesazure_sql_serversazure_storage_accounts
You can find the full list of Azure tables in the CloudQuery Azure Source Integration documentation.
Run Your Data Sync #
Click the “Run Sync” button to pull your AWS data into CloudQuery.
Querying Azure Resources for Deprecated TLS Versions #
This query provides a list of Azure resources that are currently using outdated TLS versions (below 1.2):
SELECT *
FROM (
-- Extract and normalize the minimum TLS version from various Azure services
SELECT
'azure_appservice_web_app_configurations' AS table, -- Label the source table
JSONExtractString(properties, 'minTlsVersion') AS properties__min_tls_version, -- Extract min TLS version
id -- Preserve the ID for reference
FROM azure_appservice_web_app_configurations
UNION ALL -- Use UNION ALL for performance (avoids deduplication)
SELECT 'azure_cosmos_database_accounts', JSONExtractString(properties, 'minimalTlsVersion'), id
FROM azure_cosmos_database_accounts
UNION ALL
SELECT 'azure_eventhub_namespaces', JSONExtractString(properties, 'minimumTlsVersion'), id
FROM azure_eventhub_namespaces
UNION ALL
SELECT 'azure_hdinsight_clusters', JSONExtractString(properties, 'minSupportedTlsVersion'), id
FROM azure_hdinsight_clusters
UNION ALL
SELECT 'azure_mariadb_servers', JSONExtractString(properties, 'minimalTlsVersion'), id
FROM azure_mariadb_servers
UNION ALL
SELECT 'azure_mysql_servers', JSONExtractString(properties, 'minimalTlsVersion'), id
FROM azure_mysql_servers
UNION ALL
SELECT 'azure_postgresql_servers', JSONExtractString(properties, 'minimalTlsVersion'), id
FROM azure_postgresql_servers
UNION ALL
SELECT 'azure_redis_caches', JSONExtractString(properties, 'minimumTlsVersion'), id
FROM azure_redis_caches
UNION ALL
SELECT 'azure_sql_managed_instances', JSONExtractString(properties, 'minimalTlsVersion'), id
FROM azure_sql_managed_instances
UNION ALL
SELECT 'azure_sql_servers', JSONExtractString(properties, 'minimalTlsVersion'), id
FROM azure_sql_servers
UNION ALL
SELECT 'azure_storage_accounts', JSONExtractString(properties, 'minimumTlsVersion'), id
FROM azure_storage_accounts
) AS min_tls -- Alias the subquery for readability
WHERE
-- Convert the extracted TLS version string into a numeric value for comparison
(
toFloat32(
replaceAll(
regexpReplace(
replaceAll(properties__min_tls_version, '_', '.'),
'^tls', '', 'i'
),
'-', '.'
)
) < 1.2
OR properties__min_tls_version = 'TLSEnforcementDisabled' -- Explicitly filter out disabled TLS enforcement
OR NOT regexpLike(properties__min_tls_version, '.*1.*') -- Exclude values without '1'
);When you run the query, you’ll get a list of Azure services along with their current minimum TLS version. The key columns to focus on are:
- table: The type of Azure resource (SQL Server, Redis, Storage Account, etc.).
properties__min_tls_version: The TLS version currently enforced.- id: The unique identifier of the resource.
For example:
For each affected resource, be sure that you update its minimum TLS version to 1.2 or higher. Each Azure service has a similar update method via Azure CLI, API, or the Azure Portal. If you’re managing multiple subscriptions, consider using Azure Policy to enforce TLS 1.2 across your environment.
This problem isn’t a one-time fix. New resources could be created with outdated TLS settings, or configurations could be accidentally changed. To continuously monitor for non-compliant resources, you can:
- Schedule CloudQuery scans to catch issues before they become critical.
- Set up Azure Policy to enforce TLS 1.2 across all services.
- Use Azure Security Center to get alerts for insecure configurations.
Wrap Up #
We walked through how to identify Azure resources impacted by the upcoming deprecation of TLS 1.0 and 1.1 using CloudQuery. By syncing your Azure cloud data, running simple SQL queries, and leveraging CloudQuery’s flexible data transformation capabilities, you can quickly pinpoint resources that require upgrades before the deprecation deadline.
CloudQuery simplifies cloud asset discovery and governance, making it easy to audit, monitor, and manage cloud environments at scale. If you haven’t already, get started with CloudQuery today to enhance your cloud visibility.
Have questions or need help? Join the CloudQuery Developer Community to connect with other users, share insights, and get support. Let us know how your team is tackling cloud security by engaging with us on LinkedIn, X, or in our Community Forum.
Written by Ben Bernays
Ben is a Senior Software Engineer at CloudQuery with experience in Go, AWS, C++ and data analytics among many other things.
