February 20th, 2025

Moving to TLS 1.2 for Azure Cosmos DB: Ensuring Secure Connections

Iria Osara
Program Manager

Security and reliability are at the core of modern cloud applications. To strengthen data protection and align with industry best practices, we encourage all Azure Cosmos DB customers to transition to TLS 1.2. This post explains why this change is important, how to make the transition, and the benefits it brings to your applications.

Why Move to TLS 1.2? 

Transport Layer Security (TLS) is a critical component in securing data transmitted over networks. TLS 1.2 offers enhanced security features compared to its predecessors, TLS 1.0 and 1.1. By moving to TLS 1.2 or later, you ensure that your data is protected with the latest encryption standards, including perfect forward secrecy and stronger cipher suites.  

Current Situation 

Currently, Azure Cosmos DB allows the use of TLS versions lower than 1.2. However, to enhance security, we recommend that all customers enforce TLS 1.2 on their Azure Cosmos DB accounts. This change is crucial as it aligns with industry best practices and ensures that your data remains secure.

Challenges

We understand that a significant number of Azure Cosmos DB customers still use TLS versions lower than 1.2. Sudden enforcement of TLS 1.2 could lead to disruptions in your applications. Therefore, we are implementing a phased approach to minimize any potential impact.

Proposed Solution

To address these challenges, you can use our self-serve feature. This allows you to set the minimum TLS version for your Azure Cosmos DB accounts through the Azure portal. By doing so, you can gradually transition to TLS 1.2 without disrupting your existing workflows.

Implementation 

Starting with the 2022-11-15 API version of the Azure Cosmos DB Resource Provider API, a new property called minimalTlsVersion is available for every Azure Cosmos DB database account.  

This property accepts values Tls12 and above, with the default value for new accounts set to Tls12. 
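
The check below is an added example, not code from the original post or from Microsoft: it audits account records for the minimalTlsVersion property described above and builds the Azure CLI command to raise any account that is below TLS 1.2. The account names, subscription ID and records are constructed; the values Tls and Tls11 (TLS 1.0 and 1.1) and reporting a missing property as "unknown" are assumptions not stated on this page.

```python
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed

def _id(rg, name):
    return f"{SUB}/resourceGroups/{rg}/providers/Microsoft.DocumentDB/databaseAccounts/{name}"

# Constructed sample records (not real accounts). The third uses a
# flattened shape, with the property at the top level of the record.
SAMPLE_ACCOUNTS = [
    {"id": _id("rg-app", "orders-prod"), "name": "orders-prod",
     "properties": {"minimalTlsVersion": "Tls12"}},
    {"id": _id("rg-legacy", "billing-old"), "name": "billing-old",
     "properties": {"minimalTlsVersion": "Tls"}},
    {"id": _id("rg-legacy", "reports"), "name": "reports",
     "minimalTlsVersion": "Tls11"},
    {"id": _id("rg-app", "cache"), "name": "cache", "properties": {}},
]

def tls_rank(value):
    """Map 'Tls' -> 10, 'Tls11' -> 11, 'Tls12' -> 12; None if unparseable."""
    if not isinstance(value, str) or not value.startswith("Tls"):
        return None
    suffix = value[3:]
    if suffix == "":
        return 10
    return int(suffix) if suffix.isdigit() else None

def audit(accounts, required="Tls12"):
    """Return one finding per account: compliant, below-minimum or unknown."""
    findings = []
    for acct in accounts:
        props = acct.get("properties") or {}
        value = props.get("minimalTlsVersion", acct.get("minimalTlsVersion"))
        rank = tls_rank(value)
        if rank is None:
            status = "unknown"  # assumption: property absent, cannot tell
        elif rank >= tls_rank(required):
            status = "compliant"
        else:
            status = "below-minimum"
        parts = acct["id"].split("/")
        rg = parts[[p.lower() for p in parts].index("resourcegroups") + 1]
        fix = None
        if status == "below-minimum":
            fix = (f"az cosmosdb update --name {acct['name']} "
                   f"--resource-group {rg} --minimal-tls-version {required}")
        findings.append({"name": acct["name"], "status": status,
                         "value": value, "fix": fix})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_ACCOUNTS):
        print(f["name"], f["status"], f["value"], f["fix"] or "")
```

An "unknown" result usually means the record was fetched with a Resource Provider API version earlier than 2022-11-15, so re-query before treating the account as compliant.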

Important Dates 

Mark your calendars! Starting August 31, 2025, all Azure Cosmos DB database accounts must use TLS 1.2 or higher. Support for TLS 1.0 and 1.1 will be discontinued, ensuring that all data transmissions are secured with the latest encryption standards. 

Steps to Set Minimal TLS Protocol 

Setting the minimum TLS protocol for your Azure Cosmos DB accounts is straightforward: 

  1. Navigate to the Azure portal: Go to your Azure Cosmos DB account settings.
  2. Select Connectivity from the Networking section.
  3. Select the desired TLS version: Choose 1.2 or higher.

    [Image: how to configure the TLS version]

  4. Save your changes: Ensure that your settings are updated and applied.

Conclusion

Transitioning to TLS 1.2 is a crucial step in securing your Azure Cosmos DB accounts. By following the steps outlined in this blog post, you can ensure that your data remains protected with the latest encryption standards. We are committed to supporting you through this transition and are here to help with any questions or concerns you may have. 

Author

Iria is a Program Manager within the Azure Cosmos DB team. Iria is passionate about cloud computing, big data and helping the developer/data community understand more about Cosmos DB.
