Search code examples
azuretls1.2azure-log-analyticsazureportalazure-webapps

How to see TLS version with incoming API request in Azure portal?

In the Microsoft Azure portal, is there a way to see request URLs along with the TLS version negotiated?

Background

I have a web app that includes an API that used by several third parties. I would like to set the minimum TLS version to TLS 1.2 in my web app settings.

Before I update the minimum TLS version, I want to see what requests are being made using old TLS versions.

I know with my storage account I also have, I can include logs in the log analytics to detect TLS versions, so I was hoping there was something similar I could use for my web app.

So far, all I can find for my web app is the Minimum TLS Version Checker under Diagnose & Solve Problems. This isn't very helpful since it only gives me the number of requests with no further detail. Surely the detail has to be available somewhere? I am not an expert in the Azure portal, so I am hoping there is an easy way to find the request URL + TLS version. enter image description here

Solution

  • We can check TLS version with the incoming requests either in Application Insights or by using Diagnostic Setting.

    Using Application Insights:

    • I have configured Application Insights in my API Web App and deployed the app to Azure App service.

    enter image description here

    • Enable Application Insights for the deployed App service.

    enter image description here

    • We can send custom logs to Application Insights by retrieving the TLS version and URL of the app.
    • Logs can be seen in transaction search.

    enter image description here

    I know with my storage account I also have, I can include logs in the log analytics to detect TLS versions

    Another option is from Diagnostic Setting.

    • Using Diagnostic Setting we can send the logs to Storage Account or Log Analytics Workspace for the Azure App Service.

    enter image description here

    • As you have already mentioned that you know how to check logs in Log Analytics Workspace, same way you can send the WebApp logs to the selected workspace.

    enter image description here

    Update:

    The TLS Version which is set in the Configuration section can be seen in KUDU Console => Environment => HTTP headers and Server variables

    enter image description here

    enter image description here

    • Use the below code to retrieve the value in the controller.
    string ?tlsVersion= HttpContext.Request.Headers["X-Forwarded-TlsVersion"];
_logger.LogInformation($"TLS : {tlsVersion}" );