|
| 1 | +--- |
| 2 | +title: Secure your Azure Managed Redis deployment |
| 3 | +description: Learn how to secure Azure Managed Redis, with best practices for protecting your data, authentication, and infrastructure. |
| 4 | +ms.author: danlep |
| 5 | +author: dlepow |
| 6 | +ms.service: azure-managed-redis |
| 7 | +ms.topic: concept-article |
| 8 | +ms.custom: horz-security |
| 9 | +ms.date: 03/30/2026 |
| 10 | +ai-usage: ai-assisted |
| 11 | +--- |
| 12 | + |
| 13 | +# Secure your Azure Managed Redis deployment |
| 14 | + |
| 15 | +Azure Managed Redis provides a fully managed in-memory data store based on Redis Enterprise software. When deploying this service, it's important to follow security best practices to protect your cached data, configurations, and infrastructure. |
| 16 | + |
| 17 | +[!INCLUDE [Security horizontal Zero Trust statement](~/reusable-content/ce-skilling/azure/includes/security/zero-trust-security-horizontal.md)] |
| 18 | + |
| 19 | +This article provides security recommendations to help protect your Azure Managed Redis deployment. |
| 20 | + |
| 21 | +## Data protection |
| 22 | + |
| 23 | +Protecting data at rest and in transit is crucial for maintaining the confidentiality and integrity of your cache. |
| 24 | + |
| 25 | +- **Keep non-TLS access disabled**: Azure Managed Redis requires TLS 1.2 or 1.3 for all connections by default, ensuring data in transit is encrypted. Keep non-TLS access disabled to prevent unencrypted communication. If you enable non-TLS access for legacy applications, plan to migrate those applications to TLS-enabled clients. See [TLS configuration for Azure Managed Redis](/azure/redis/tls-configuration). |
| 26 | + |
| 27 | +- **Use customer-managed keys for disk encryption**: Azure Managed Redis encrypts persistence data and OS disks using Microsoft-managed keys (MMK) by default. For additional control, configure customer-managed keys (CMK) to wrap the encryption keys using Azure Key Vault. CMK requires a user-assigned managed identity and an Azure Key Vault instance with purge protection and soft delete enabled. See [Configure disk encryption for Azure Managed Redis instances using customer managed keys](/azure/redis/how-to-encryption). |
| 28 | + |
| 29 | +- **Enable data persistence for recovery**: Configure RDB or AOF persistence to protect against data loss from unexpected failures. Persistence writes data to managed disks that are encrypted at rest. Data persistence isn't a backup or point-in-time recovery (PITR) feature—if corrupted data is written to Redis, it's also persisted. For true backups, use the export feature. See [Configure data persistence for an Azure Managed Redis instance](/azure/redis/how-to-persistence). |
| 30 | + |
| 31 | +- **Use export for data backups**: Create periodic backups of your Redis data using the Export feature to Azure Storage accounts. Export provides point-in-time data copies that can be imported to new cache instances for disaster recovery. See [Import and Export data in Azure Managed Redis](/azure/redis/how-to-import-export-data). |
| 32 | + |
| 33 | +## Network security |
| 34 | + |
| 35 | +Isolate your Azure Managed Redis instance from the public internet and control network access. |
| 36 | + |
| 37 | +- **Use private endpoints**: Deploy Azure Private Link to connect to your Azure Managed Redis instance through a private IP address in your virtual network. Private endpoints eliminate exposure to the public internet and keep traffic on the Microsoft backbone network. Private endpoints are the recommended solution for securing your Azure Managed Redis resource at the networking layer. See [Azure Managed Redis with Azure Private Link](/azure/redis/private-link). |
| 38 | + |
| 39 | +- **Disable public network access**: When using private endpoints, disable public network access using the `publicNetworkAccess` property to ensure all traffic flows through your virtual network. This configuration prevents unauthorized access from the internet. Disabling `publicNetworkAccess` and protecting your cache using a VNet along with Private Endpoint and Private Links is the most secure option. See [Enabling public network access](/azure/redis/private-link#enabling-public-network-access). |
| 40 | + |
| 41 | +## Identity and access management |
| 42 | + |
| 43 | +Properly configure authentication and authorization to control access to your Azure Managed Redis instance. |
| 44 | + |
| 45 | +- **Use Microsoft Entra ID authentication**: Configure Microsoft Entra ID for password-free authentication instead of access keys. Microsoft Entra authentication provides enhanced security, centralized identity management, and automatic token refresh. Azure Managed Redis enables managed identity by default when you create a new cache. Microsoft Entra groups aren't supported, so add individual users or service principals to the Redis users list. See [Use Microsoft Entra ID for cache authentication with Azure Managed Redis](/azure/redis/entra-for-authentication). |
| 46 | + |
| 47 | +- **Disable access key authentication**: After configuring Microsoft Entra ID authentication, disable access key authentication to eliminate the risk of credential exposure. Access keys are static credentials that can be compromised if leaked. When you change this setting, all existing client connections are terminated regardless of authentication method, so implement proper retry mechanisms for reconnecting. See [Disable access key authentication on your cache](/azure/redis/entra-for-authentication#disable-access-key-authentication-on-your-cache). |
| 48 | + |
| 49 | +- **Add authorized users or service principals**: Configure which Microsoft Entra users or service principals can access your cache by adding them to the Redis users list in the Azure portal. Follow the principle of least privilege by granting access only to identities that require it. See [Add users or service principal to your cache](/azure/redis/entra-for-authentication#add-users-or-system-principal-to-your-cache). |
| 50 | + |
| 51 | +- **Apply least privilege access with RBAC**: Use Azure role-based access control (RBAC) to manage who can administer your Azure Managed Redis resources in the Azure portal and through APIs. Assign roles at the appropriate scope to limit permissions to only what's necessary. See [Access control (IAM)](/azure/redis/configure#access-control-iam). |
| 52 | + |
| 53 | +- **Use managed identities for Azure resource access**: When your Azure Managed Redis instance needs to access other Azure resources such as Azure Key Vault for customer-managed keys, use managed identities. Managed identities eliminate the need to manage credentials. See [Configure disk encryption](/azure/redis/how-to-encryption#prerequisites-and-limitations). |
| 54 | + |
| 55 | +- **Regenerate access keys regularly**: If you must use access keys, regenerate them regularly to limit the impact of potential key exposure. Azure Managed Redis supports two access keys so you can rotate keys without downtime. See [Authentication](/azure/redis/configure#authentication). |
| 56 | + |
| 57 | +## Logging and monitoring |
| 58 | + |
| 59 | +Implement comprehensive logging and monitoring to detect security threats and troubleshoot issues. |
| 60 | + |
| 61 | +- **Enable connection logs**: Configure Azure diagnostic settings to log client connections to your cache. Connection logs record who is connecting and the timestamp of those connections, enabling you to identify the scope of security breaches and perform security auditing. See [Azure Monitor diagnostic settings](/azure/redis/monitor-diagnostic-settings). |
| 62 | + |
| 63 | +- **Monitor the Activity log**: Review the Azure Activity log to track management operations performed on your Azure Managed Redis resources. Activity logs help you determine what operations were performed, who initiated them, and when they occurred for security auditing purposes. See [Activity log](/azure/redis/configure#activity-log). |
| 64 | + |
| 65 | +- **Create security alerts**: Set up Azure Monitor alerts to notify you of abnormal usage patterns, connection anomalies, or potential security breaches affecting your cache. Configure alerts based on connection count spikes, authentication failures, or unusual data transfer patterns. See [Alerts](/azure/redis/configure#alerts). |
| 66 | + |
| 67 | +- **Integrate with Azure Monitor**: Configure Azure Monitor to collect and analyze logs and metrics from your Azure Managed Redis instance. Use Log Analytics workspaces to run queries on connection logs and identify security patterns. See [Monitoring](/azure/redis/configure#monitoring). |
| 68 | + |
| 69 | +## Compliance and governance |
| 70 | + |
| 71 | +Implement governance controls to ensure your Azure Managed Redis deployments meet organizational and regulatory requirements. |
| 72 | + |
| 73 | +- **Use Azure Policy for compliance**: Deploy Azure Policy to enforce organizational standards and assess compliance at scale. Use built-in policy definitions to audit and enforce security configurations. |
| 74 | + |
| 75 | +- **Enable resource locks**: Apply resource locks to prevent accidental deletion or modification of critical Azure Managed Redis resources. Use CanNotDelete locks to prevent deletion while allowing modifications, or ReadOnly locks for complete protection. See [Locks](/azure/redis/configure#locks). |
| 76 | + |
| 77 | +- **Use tags for resource organization**: Apply tags to your Azure Managed Redis resources to support security governance, cost tracking, and compliance reporting. Tags help you organize resources by security classification, environment, or compliance requirements. See [Tags](/azure/redis/configure#tags). |
| 78 | + |
| 79 | +## Backup and recovery |
| 80 | + |
| 81 | +Implement backup and recovery mechanisms to ensure business continuity and data protection. |
| 82 | + |
| 83 | +- **Configure data persistence**: Enable RDB or AOF persistence to automatically recover data after unexpected failures. RDB persistence saves periodic snapshots with minimal performance impact and is suitable for most scenarios. AOF persistence logs every write operation for minimal data loss but can affect throughput. See [Configure data persistence for an Azure Managed Redis instance](/azure/redis/how-to-persistence). |
| 84 | + |
| 85 | +- **Use active geo-replication for disaster recovery**: For critical workloads, enable active geo-replication to replicate data across multiple Azure regions. Geo-replication provides business continuity if an entire region becomes unavailable. Active geo-replication isn't compatible with data persistence, so choose geo-replication for cross-region resiliency or persistence for single-region durability. See [Set up active geo-replication](/azure/redis/how-to-active-geo-replication). |
| 86 | + |
| 87 | +- **Implement export-based backup strategy**: Create automated scripts using PowerShell or Azure CLI to periodically export data for backup purposes. Exported data can be imported to a new cache instance for disaster recovery. See [Import and Export data in Azure Managed Redis](/azure/redis/how-to-import-export-data). |
| 88 | + |
| 89 | +## Service-specific security |
| 90 | + |
| 91 | +Azure Managed Redis has unique security considerations based on its in-memory architecture. |
| 92 | + |
| 93 | +### Azure Managed Redis architecture |
| 94 | + |
| 95 | +- **Select the appropriate tier for security requirements**: Different Azure Managed Redis tiers offer different capabilities. All tiers support private endpoints, TLS encryption, and Microsoft Entra authentication. Flash Optimized tier stores some data on NVMe disks encrypted with Microsoft-managed keys. Azure Managed Redis provides built-in high availability with primary and replica shards across two nodes; in regions with multiple availability zones, the service is zone redundant. See [Feature comparison](/azure/redis/overview#feature-comparison). |
| 96 | + |
| 97 | +### Appropriate use of Azure Managed Redis |
| 98 | + |
| 99 | +- **Do not store sensitive data without proper encryption**: While Azure Managed Redis encrypts data at rest on persistence disks, data in memory isn't encrypted by the service. Implement application-level encryption for highly sensitive data before writing it to the cache, or use the service only for non-sensitive cached data. See [Data protection](/azure/redis/how-to-encryption#encryption-coverage). |
| 100 | + |
| 101 | +- **Do not expose access keys in application code**: Store access keys in Azure Key Vault or use Microsoft Entra authentication instead of embedding access keys in application code or configuration files. Exposed access keys can lead to unauthorized cache access. See [Use Microsoft Entra ID for cache authentication](/azure/redis/entra-for-authentication). |
| 102 | + |
| 103 | +- **Do not use Azure Managed Redis as a primary data store**: Azure Managed Redis is designed as a cache and temporary data store, not a persistent primary database. Always maintain authoritative data in a persistent data store like Azure SQL Database or Azure Cosmos DB. See [Key scenarios](/azure/redis/overview#key-scenarios). |
| 104 | + |
| 105 | +## Next steps |
| 106 | + |
| 107 | +- [Reliability in Azure Managed Redis](/azure/reliability/reliability-managed-redis) |
| 108 | +- [Azure Managed Redis documentation](/azure/redis/) |
| 109 | +- [Zero Trust guidance center](/security/zero-trust/zero-trust-overview) |
| 110 | +- [Microsoft Cloud Security Benchmark v2 overview](/security/benchmark/azure/overview) |
0 commit comments