Does Azure App Service TLS/SSL settings Protocol Settings Minimum TLS Version apply to outbound requests made by the app?

Randall Breneman 41 Reputation points
2021-12-02T16:50:32.453+00:00

I have an Azure App Service web app that still allows inbound requests to use minimum TLS Version 1.0 because it's not sensitive data and it supports our Windows app on older systems. The app makes outbound requests to third party vendor API in response to inbound requests. The third party vendor requires minimum TLS 1.2. My Azure web app is using ASP.NET 4.8. In Global.asax.cs, Application_Start, it calls:

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls13;

My assumption has been that setting SecurityProtocol this way assures a minimum TLS 1.2 is used for making outbound requests, even when initiated by an inbound request using TLS 1.0.

Is this assumption correct? Or does the Protocol Settings Minimum TLS Version in Azure console override the SecurityProtocol setting in code? Or does the inbound request TLS version determine the TLS version used with outbound requests while handling the inbound request?

Clarification: what I meant by "The app makes outbound requests to third party vendor API in response to inbound requests."

  1. Client X makes a request to my web app.
  2. Web app code handling the request makes a separate request to the third party vendor API.
  3. After receiving a response from the third party vendor, web app code handling the request from Client X now returns a response to Client X.

So my question is what protocol is used in item 2? The TLS version used by Client X or the SecurityProtocol value? That's what my assumption was meant to imply. I hope this clarification helps.


Accepted answer
  1. ajkuma 26,136 Reputation points Microsoft Employee
    2021-12-03T20:37:45.277+00:00

    @Randall Breneman, adding more info:

    The setting in the Azure portal affects incoming requests. The response to those incoming requests will use the same version, as it’s the same connection.

    The outbound setting (ServicePointManager.SecurityProtocol) actually refers to outbound connections made independently (not in response to an incoming request).

    I'm afraid that assumption is not correct. The initial request decides the version; the only question is whether that request is considered incoming or outgoing from your service’s perspective.

    The SecurityProtocol setting chooses the TLS version for requests you initiate. Because you can’t override the version on the response to an incoming request, your only choice is to block incoming requests not using TLS 1.2. That’s what the Azure portal setting is for, and why this has to be specified in two places to begin with.

    If all of your requests start as inbound, only the Azure portal setting matters. If you’re calling out to a third-party service, from your service, then SecurityProtocol may matter.
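
Added example, not part of the original question or answer: a small .NET Framework 4.8 console probe that performs one client handshake offering the same protocol versions as the `ServicePointManager.SecurityProtocol` value from the question and reports what the remote side negotiated. The class name `OutboundTlsProbe` and the host `vendor-api.example` are hypothetical placeholders; substitute the vendor's real host name.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

public static class OutboundTlsProbe
{
    // SecurityProtocolType and SslProtocols share the same numeric flag values,
    // so the value configured for HttpWebRequest/HttpClient can be passed to
    // SslStream, which does not read ServicePointManager on its own.
    public static SslProtocols ConfiguredOutbound()
    {
        return (SslProtocols)(int)ServicePointManager.SecurityProtocol;
    }

    // One client handshake offering only `allowed`; returns the version selected.
    public static SslProtocols Negotiate(string host, int port, SslProtocols allowed)
    {
        using (var tcp = new TcpClient(host, port))
        using (var ssl = new SslStream(tcp.GetStream(), leaveInnerStreamOpen: false))
        {
            ssl.AuthenticateAsClient(host, null, allowed, checkCertificateRevocation: true);
            return ssl.SslProtocol;
        }
    }

    public static bool IsTls12OrLater(SslProtocols negotiated)
    {
        return negotiated >= SslProtocols.Tls12;
    }

    public static void Main()
    {
        // Same value the question sets in Application_Start.
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls13;
        const string vendorHost = "vendor-api.example"; // placeholder, not from the page
        try
        {
            SslProtocols negotiated = Negotiate(vendorHost, 443, ConfiguredOutbound());
            Console.WriteLine("{0}: negotiated {1}, TLS 1.2+ = {2}",
                vendorHost, negotiated, IsTls12OrLater(negotiated));
        }
        catch (Exception ex) when (ex is AuthenticationException || ex is SocketException || ex is System.IO.IOException)
        {
            // No protocol version in common, certificate rejected, or host unreachable.
            Console.WriteLine("{0}: handshake failed: {1}", vendorHost, ex.Message);
        }
    }
}
```

Running the same `Negotiate` call from inside a request handler, and logging its result, records the outbound protocol version alongside each inbound request.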

