Does Microsoft support TLS 1 for Kubernetes?

Cam Hashi 40 Reputation points
2023-11-24T21:17:50.44+00:00

We're thinking about migrating an on-premises containerized application to Azure using AKS.

Some questions from our security team: what kind of encryption does Azure offer for AKS? Currently we're using TLS 1, and we're not sure if that's supported by Azure.


Accepted answer
Adam Zachary 2,936 Reputation points
2023-11-24T21:26:28.0133333+00:00

Hi Cam,

Microsoft does not support TLS 1.0 for Kubernetes in Azure Kubernetes Service (AKS).

In the context of Azure services, including AKS, Microsoft recommends using TLS version 1.2 or later for secure communication. It is advised that legacy versions such as SSL 3.0 and TLS 1.0 be disabled to maintain security standards.

As for AKS encryption and what Azure offers:

Azure offers host-based encryption for Azure Kubernetes Service (AKS). This type of encryption ensures that the data stored on the VM host of AKS agent nodes' VMs is encrypted at rest and remains encrypted as it flows to the Storage service.

By default, AKS uses server-side encryption with platform-managed keys for operating system (OS) and data disks, and the caches for these disks are also encrypted at rest with platform-managed keys.

Customers have the option to use their own managed keys for encrypting the cache of OS and data disks.

Host-based encryption in AKS is distinct from server-side encryption (SSE) used by Azure Storage, as it involves encrypting data on the host of the VM before it flows through Azure Storage.

Also, Azure Kubernetes Service (AKS) does not enable data in-transit encryption by default. According to the Azure security baseline for Azure Kubernetes Service (AKS), while the service supports data in-transit encryption for the data plane, it is not enabled by default. It is the customer's responsibility to enable secure transfer in services where there is a native data in-transit encryption feature built in. Customers are advised to enforce HTTPS on any web applications and services and ensure TLS v1.2 or later is used, while disabling legacy versions such as SSL 3.0 and TLS v1.0. For remote management of Virtual Machines, using SSH (for Linux) or RDP/TLS (for Windows) is recommended instead of unencrypted protocols.

Kindly review the following Microsoft Documentation:

https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/azure-kubernetes-service-aks-security-baseline

https://learn.microsoft.com/en-us/azure/aks/enable-host-encryption

If you find the provided information helpful and it resolves your query, please consider accepting the answer. Your feedback is valuable and helps ensure the quality and relevance of the responses.

1 person found this answer helpful.
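The answer's practical point is that the TLS floor is the customer's responsibility: the baseline asks for TLS 1.2 or later on anything you expose, with TLS 1.0 and 1.1 disabled. The Go program below is an added example, not code from the answer, from Microsoft or from any AKS component. It starts two in-process TLS listeners (one that still accepts TLS 1.0, one pinned to a TLS 1.2 floor), then audits each one the way you would verify your own ingress after migration: dial it once per protocol version with the client restricted to exactly that version and record which handshakes succeed. The host name `ingress.example.internal`, the self-signed certificate, the function names and the `meetsBaseline` rule are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// hostName is a hypothetical ingress name used only for the constructed test certificate.
const hostName = "ingress.example.internal"

// probeServer is an in-process TLS listener standing in for an endpoint under audit.
type probeServer struct {
	Addr  string         // host:port for the probe to dial
	Roots *x509.CertPool // trust anchor for the constructed self-signed certificate
	ln    net.Listener
}

func (s *probeServer) Close() { s.ln.Close() }

// selfSignedCert builds a throwaway ECDSA P-256 certificate in memory (constructed test data, not real PKI).
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: hostName},
		DNSNames:     []string{hostName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// startProbeServer listens on loopback. allowLegacy=true mirrors an endpoint that still accepts
// TLS 1.0/1.1; false pins the floor at TLS 1.2 as the security baseline recommends.
func startProbeServer(allowLegacy bool) (*probeServer, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return nil, err
	}
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	if allowLegacy {
		cfg.MinVersion = tls.VersionTLS10 // explicit opt-in to the legacy floor
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				_ = c.(*tls.Conn).Handshake() // complete or reject; the client observes the outcome
			}(conn)
		}
	}()
	return &probeServer{Addr: ln.Addr().String(), Roots: pool, ln: ln}, nil
}

// acceptsVersion reports whether addr completes a handshake when the client offers exactly one version.
func acceptsVersion(addr string, roots *x509.CertPool, version uint16) bool {
	cfg := &tls.Config{ServerName: hostName, RootCAs: roots, MinVersion: version, MaxVersion: version}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 3 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return false
	}
	conn.Close()
	return true
}

// auditTLSVersions probes every protocol version and returns which ones the endpoint accepts.
func auditTLSVersions(addr string, roots *x509.CertPool) map[string]bool {
	versions := map[string]uint16{
		"TLS1.0": tls.VersionTLS10, "TLS1.1": tls.VersionTLS11,
		"TLS1.2": tls.VersionTLS12, "TLS1.3": tls.VersionTLS13,
	}
	accepted := make(map[string]bool, len(versions))
	for name, id := range versions {
		accepted[name] = acceptsVersion(addr, roots, id)
	}
	return accepted
}

// meetsBaseline is true when nothing below TLS 1.2 is accepted (constructed rule from the baseline text).
func meetsBaseline(accepted map[string]bool) bool {
	return !accepted["TLS1.0"] && !accepted["TLS1.1"]
}

func main() {
	for _, legacy := range []bool{true, false} {
		srv, err := startProbeServer(legacy)
		if err != nil {
			panic(err)
		}
		accepted := auditTLSVersions(srv.Addr, srv.Roots)
		fmt.Printf("allowLegacy=%v accepted=%v meetsBaseline=%v\n", legacy, accepted, meetsBaseline(accepted))
		srv.Close()
	}
}
```

Against a real ingress you would replace the loopback listener with the public address and point `RootCAs` at the CA that issued its certificate; the per-version dial loop stays the same. Pinning both `MinVersion` and `MaxVersion` to one value is what makes the result unambiguous: a successful handshake means the server was willing to negotiate that exact version, not merely that some version worked.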
