Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Configure Update Channel

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Microsoft Azure Cache for Redis servers are using the "Stable" update channel for your production workloads. The "Stable" update channel minimizes the risk of unexpected behavior and downtime by providing thoroughly tested updates.

Security

For non-production environments, the "Preview" update channel offers early access to the latest Redis features and improvements, allowing for testing and experimentation. However, for your most critical, production workloads, selecting the "Stable" update channel is crucial. This ensures that your Redis cache benefits from updates that have undergone rigorous testing and are deemed production-ready, thereby minimizing the potential for disruptions and ensuring the reliability of your applications.

Audit

To determine whether public network access to your Azure Cache for Redis servers is disabled, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure Cache for Redis for Value, then choose Apply to list the Azure Cache for Redis servers available in the selected subscription.

05 Click on the name (link) of the Azure Cache for Redis server that you want to examine.

06 In the resource navigation panel, under Settings, select Schedule updates.

07 In the Update Channel section, check the name of the update channel configured for the selected cache server. If the Update Channel is set to Preview, the selected Azure Cache for Redis server is not using the Stable update channel to receive system updates.

08 Repeat steps no. 5 - 7 for each Azure Cache for Redis server deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run redis list command (Windows/macOS/Linux) with custom output filters to list the identifier (ID) of each Azure Cache for Redis server available in the selected subscription: 

az redis list
	--query '[*].id'

05 The command output should return the requested cache server IDs: 

[
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Cache/Redis/cc-project5-redis-cache",
	"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Cache/Redis/cc-webapp-cache-server"
]

06 Run redis show command (Windows/macOS/Linux) with the ID of the Azure Cache for Redis server that you want to examine as the identifier parameter and custom output filters to describe the name of the update channel configured for the selected cache server: 

az redis show
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Cache/Redis/cc-project5-redis-cache"
	--query 'updateChannel'

07 The command output should return the state of the name of the update channel used for the selected server ("Preview" or "Stable"): 

"Preview"

If the redis show command output returns "Preview", as shown in the example above, the selected Azure Cache for Redis server is not using the Stable update channel to receive important system updates.

08 Repeat step no. 6 and 7 for each Azure Cache for Redis server available within the current Azure subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To ensure that your production Azure Cache for Redis servers are using the Stable update channel for system updates, perform the following operations:

Changing the update channel forces a patch event on your Redis cache server. To minimize disruption, it is highly recommended to perform this action during a maintenance window.

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure Cache for Redis for Value, then choose Apply to list the Azure Cache for Redis servers available in the selected subscription.

05 Click on the name (link) of the Azure Cache for Redis server that you want to configure.

06 In the resource navigation panel, under Settings, select Schedule updates.

07 For Update Channel select Stable, and choose Save to apply the configuration changes. This will enforce the Stable update channel for the selected Azure Cache for Redis server.

08 Repeat steps no. 5 – 7 for each Azure Cache for Redis server that you want to configure, available within the selected subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run redis update command (Windows/macOS/Linux) to enforce the Stable update channel for the specified Microsoft Azure Cache for Redis server: 

az redis update
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Cache/Redis/cc-project5-redis-cache"
	--set "updateChannel=Preview"

05 The command output should return the configuration information available for the modified Redis cache server: 

{
	"accessKeys": null,
	"disableAccessKeyAuthentication": false,
	"enableNonSslPort": true,
	"hostName": "cc-project5-redis-cache.redis.cache.windows.net",
	"identity": null,
	"instances": [
		{
			"isMaster": true,
			"isPrimary": true,
			"nonSslPort": 13000,
			"shardId": null,
			"sslPort": 15000,
			"zone": null
		},
		{
			"isMaster": false,
			"isPrimary": false,
			"nonSslPort": 13001,
			"shardId": null,
			"sslPort": 15001,
			"zone": null
		}
	],
	"linkedServers": [],
	"location": "West Europe",
	"minimumTlsVersion": "1.2",
	"name": "cc-project5-redis-cache",
	"port": 6379,
	"privateEndpointConnections": null,
	"provisioningState": "Succeeded",
	"publicNetworkAccess": "Disabled",
	"redisConfiguration": {
		"aadEnabled": "False",
		"additionalProperties": null,
		"aofBackupEnabled": null,
		"aofStorageConnectionString0": null,
		"aofStorageConnectionString1": null,
		"authnotrequired": null,
		"maxclients": "7500",
		"maxfragmentationmemoryReserved": "642",
		"maxmemoryDelta": "642",
		"maxmemoryPolicy": null,
		"maxmemoryReserved": "642",
		"notifyKeyspaceEvents": null,
		"preferredDataArchiveAuthMethod": null,
		"preferredDataPersistenceAuthMethod": null,
		"rdbBackupEnabled": null,
		"rdbBackupFrequency": null,
		"rdbBackupMaxSnapshotCount": null,
		"rdbStorageConnectionString": null,
		"storageSubscriptionId": null,
		"zonalConfiguration": null
	},
	"redisVersion": "6.0",
	"replicasPerMaster": null,
	"replicasPerPrimary": null,
	"resourceGroup": "cloud-shell-storage-westeurope",
	"shardCount": null,
	"sku": {
		"capacity": 1,
		"family": "P",
		"name": "Premium"
	},
	"sslPort": 6380,
	"staticIp": null,
	"subnetId": null,
	"tags": {},
	"tenantSettings": null,
	"type": "Microsoft.Cache/Redis",
	"updateChannel": "Stable",
	"zones": null
}

06 Repeat steps no. 4 and 5 for each Azure Cache for Redis server that you want to configure, available in the selected subscription.

07 Repeat steps no. 3 – 6 for each Azure subscription created in your Microsoft Azure cloud account.

References

Publication date May 12, 2025

Related RedisCache rules