Verify that 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server

Framework Reference: A.8.24
Integration: Azure – MySQL Flexible Server

Why this matters
TLS (Transport Layer Security) provides encrypted communication between client applications and the MySQL server. Requiring TLS 1.2 or higher ensures that weak cryptographic protocols like TLS 1.0 and 1.1 are not used, reducing susceptibility to downgrade attacks and ensuring compliance with modern security standards for protecting sensitive data in transit.


What this check does
This Auto Check verifies that the MySQL flexible server's tls_version parameter is set to TLSv1.2 or higher.

Check Logic:
Passes if:

tls_version = TLSv1.2 or higher

Fails if:

tls_version = TLSv1 or TLSv1.1

Applies to:

Azure Database for MySQL – Flexible Server


How to fix it

Azure Portal:

  1. Go to Azure Database for MySQL flexible servers
  2. Select the server
  3. Under Settings, click Server parameters
  4. Search for tls_version
  5. Set the value to TLSv1.2 or higher
  6. Click Save

Azure CLI:

az mysql flexible-server parameter set \
  --name tls_version \
  --resource-group <resourceGroupName> \
  --server-name <serverName> \
  --value TLSv1.2
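
To confirm the result after the change, the pass/fail rule under Check Logic can be applied to the value the CLI returns. This is an added example, not the Auto Check's own implementation; the function names are hypothetical, and it assumes the value may be a comma-separated list (as the MySQL tls_version variable allows), in which case a single weak entry fails the whole value.

```shell
#!/bin/sh
# Added example (not the product's check code): apply the page's
# pass/fail rule to a tls_version value.

# evaluate_tls_version <value>
# Prints PASS or FAIL; returns 0 on PASS, 1 on FAIL.
# Assumption: the value may be a comma-separated list. Every entry must be
# TLSv1.2 or TLSv1.3; TLSv1, TLSv1.1, unknown or empty values fail closed.
evaluate_tls_version() {
  # Normalise: drop whitespace ("TLSv1.2, TLSv1.3") and ignore letter case.
  rest=$(printf '%s' "$1" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')
  strong=0
  while [ -n "$rest" ]; do
    proto=${rest%%,*}                 # first entry of the list
    case "$rest" in
      *,*) rest=${rest#*,} ;;         # keep the remainder
      *)   rest="" ;;                 # that was the last entry
    esac
    case "$proto" in
      tlsv1.2|tlsv1.3) strong=1 ;;
      "")              ;;             # stray comma, ignore
      *)               echo "FAIL"; return 1 ;;  # TLSv1, TLSv1.1 or unknown
    esac
  done
  if [ "$strong" -eq 1 ]; then
    echo "PASS"
    return 0
  fi
  echo "FAIL"                         # empty value: nothing enforces TLSv1.2+
  return 1
}

# audit_server <resourceGroupName> <serverName>
# Reads the live parameter with the Azure CLI and evaluates it.
# Returns 2 if the CLI call itself fails (not logged in, wrong name, ...).
audit_server() {
  current=$(az mysql flexible-server parameter show \
              --resource-group "$1" --server-name "$2" \
              --name tls_version --query value --output tsv) || return 2
  printf '%s: tls_version=%s -> ' "$2" "$current"
  evaluate_tls_version "$current"
}
```

Run `audit_server <resourceGroupName> <serverName>` from a shell that is already logged in with `az login`; a non-zero exit status makes it usable as a pipeline gate.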

PowerShell:

TLS version configuration for MySQL Flexible Servers is not supported via PowerShell. Use Azure Portal or CLI.


Exceptions
No standard exceptions. TLSv1.2 or higher should always be enforced unless legacy application compatibility requires a downgrade, in which case compensating controls must be documented.

