Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Enable Transport Encryption for MySQL Flexible Servers

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that the databases provisioned with Azure Database for MySQL have the Transport Encryption feature enabled in order to meet security and compliance requirements. Transport Encryption is the security feature that forces all connections to your database servers to use TLS/SSL. Once enabled, the data transport encryption and decryption is handled transparently and does not require any additional action from you or your application.

Security

According to PCI DSS requirements, all connections made to Azure Database for MySQL servers that process, store, and transmit cardholder data must use encryption provided by the Transport Encryption feature. In Azure cloud, Transport Encryption implements encryption in transit using the require_secure_transport server parameter for MySQL databases. Enforcing TLS/SSL connections between PostgreSQL database server and client applications also helps protect against Man-in-The-Middle (MITM) attacks by encrypting the data stream between the server and applications.

Audit

To determine if the Transport Encryption feature is enabled for your Azure MySQL flexible database servers, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.

04 From the Type equalls all filter box, choose Equals, select Azure Database for MySQL flexible server, and choose Apply to list only the Azure MySQL flexible servers available in the selected subscription.

05 Click on the name (link) of the MySQL flexible server that you want to examine.

06 In the resource navigation panel, under Settings, select Server parameters to access the configuration parameters available for the selected MySQL server.

07 On the Server parameters page, select the All tab, and find the require_secure_transport configuration parameter using the Search to filter items in All Tab search box. Check the require_secure_transport parameter value, listed in the Value column to determine the encryption feature status. If the parameter value is set to OFF, the Transport Encryption feature is not enabled for the selected Azure MySQL flexible database server.

08 Repeat steps no. 5 - 7 for each MySQL flexible server deployed within the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run mysql flexible-server list command (Windows/macOS/Linux) with custom output filters to list the name of each MySQL flexible server (and the name of the associated resource group) available in the selected Azure subscription: 

az mysql flexible-server list
	--output table
	--query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return a table with requested MySQL server information: 

Name                  ResourceGroup
--------------------  ------------------------------
cc-mysql-flexible-db  cloud-shell-storage-westeurope
cc-project9-mysql-db  cloud-shell-storage-westeurope

06 Run mysql flexible-server parameter show command (Windows/macOS/Linux) with the name of the Azure MySQL flexible server that you want to examine and its associated resource group as the identifier parameters, to get the require_secure_transport parameter value for the selected MySQL server in order to determine the encryption feature status: 

az mysql flexible-server parameter show
	--server-name "cc-mysql-flexible-db"
	--resource-group "cloud-shell-storage-westeurope"
	--name require_secure_transport
	--query 'value'

07 The command output should return the requested configuration value ("ON" or "on" for enabled, "OFF" or "off" for disabled): 

"OFF"

If the mysql flexible-server parameter show command output returns "OFF", as shown in the example above, the Transport Encryption feature is not enabled for the selected Azure MySQL flexible database server.

08 Repeat steps no. 6 and 7 for each MySQL flexible server provisioned in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription available within your Microsoft Azure cloud account.

Remediation / Resolution

To enable the Transport Encryption feature for your Azure MySQL flexible database servers, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.

04 From the Type equalls all filter box, choose Equals, select Azure Database for MySQL flexible server, and choose Apply to list only the Azure MySQL flexible servers available in the selected subscription.

05 Click on the name (link) of the MySQL flexible server that you want to configure.

06 In the resource navigation panel, under Settings, select Server parameters to access the configuration parameters available for the selected MySQL server.

07 On the Server parameters page, perform the following actions:

  1. Select the All tab and find the require_secure_transport configuration parameter using the Search to filter items in All Tab search box.
  2. Once the require_secure_transport server parameter is found, enable the parameter by choosing ON from the configuration dropdown list available in the Value column.
  3. Choose Save to apply the configuration changes. This will enable Transport Encryption for the selected Azure MySQL flexible database server.

08 Repeat steps no. 5 - 7 for each MySQL flexible server deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run mysql flexible-server parameter set command (Windows/macOS/Linux) with the name of the MySQL flexible server that you want to configure as the identifier parameter, to enable the require_secure_transport server parameter for the selected database server. This will enable Transport Encryption for the selected Azure MySQL flexible server: 

az mysql flexible-server parameter set
	--server-name "cc-mysql-flexible-db"
	--resource-group "cloud-shell-storage-westeurope"
	--name require_secure_transport
	--value on

02 The command output should return the information available for the configured server parameter: 

{
	"allowedValues": "ON,OFF",
	"currentValue": "on",
	"dataType": "Enumeration",
	"defaultValue": "ON",
	"description": "Whether client connections to the server are required to use some form of secure transport. When this variable is enabled, the server permits only TCP/IP connections that use SSL, or connections that use a socket file (on Unix) or shared memory (on Windows). ",
	"documentationLink": "https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_require_secure_transport",
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DBforMySQL/flexibleServers/cc-mysql-flexible-db/configurations/require_secure_transport",
	"isConfigPendingRestart": "False",
	"isDynamicConfig": "True",
	"isReadOnly": "False",
	"name": "require_secure_transport",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"source": "user-override",
	"systemData": null,
	"type": "Microsoft.DBforMySQL/flexibleServers/configurations",
	"value": "on"
}

03 Repeat steps no. 1 and 2 for each MySQL flexible server provisioned in the selected Azure subscription.

04 Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.

References

Publication date Feb 12, 2025

Related Sql rules