Skip to main content
Back to the Azure Footguns Database
SecurityMediumOccasionalAZF-0070

Redis non-SSL port 6379 enabled: cache traffic and the access key cross the network in cleartext

Plaintext port 6379 is open alongside the TLS port. Every GET and SET, session tokens included, crosses the network unencrypted, and so does the access key during AUTH.

Footgun ID
AZF-0070 (Azure Footgun No. 70)
Azure service
Azure Cache for Redis
Resource type
Microsoft.Cache/redis
Updated
July 9, 2026

What it is

An Azure Cache for Redis instance with enableNonSslPort set to true, which opens plaintext port 6379 alongside the TLS port 6380. Every command and every value sent over 6379 is unencrypted, and so is the access key a client presents during AUTH. One sniffed handshake hands over a credential with full read/write access to the entire cache.

Impact (security)
Every command, every cached value, and the cache access key itself readable by anyone positioned on the network path
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

Unlike most footguns in this database, the dangerous setting is not the Azure default. The non-SSL port ships disabled; someone turned it on. The usual story is a legacy client: redis-cli had no TLS support before Redis 6, and plenty of older client libraries and tutorials assumed plain 6379, so enabling the port was the quick unblock during initial integration or a debugging session.

Once both ports are open nothing ever breaks, so nothing ever prompts anyone to close it. The clients that needed it get upgraded eventually, but the port setting outlives them, and each new connection string is one config typo (6379 instead of 6380) away from silently downgrading to plaintext.

What it costs / blast radius

The blast radius is everything that transits the cache plus the cache itself. Anyone positioned on the network path, a compromised host in the VNet, a peered network, an on-premises segment behind a VPN or ExpressRoute, can read session tokens and cached data as they fly by. Worse, capturing a single AUTH exchange yields the access key, which converts passive eavesdropping into durable full access that persists until the key is rotated.

Combined with public network access (see AZF-0069) the plaintext port is reachable from the internet as well. (Authored assessment of Azure behavior.)

See it

Footgun: plaintext 6379 open alongside the TLS port
resource cache 'Microsoft.Cache/redis@2024-03-01' = {
  name: 'app-cache'
  location: location
  properties: {
    sku: { name: 'Standard', family: 'C', capacity: 1 }
    enableNonSslPort: true   // opens cleartext port 6379
  }
}
Fix: TLS-only, and pin the minimum TLS version while you're there
resource cache 'Microsoft.Cache/redis@2024-03-01' = {
  name: 'app-cache'
  location: location
  properties: {
    sku: { name: 'Standard', family: 'C', capacity: 1 }
    enableNonSslPort: false   // clients connect only via TLS on 6380
    minimumTlsVersion: '1.2'
  }
}

// Then confirm every client connection string uses port 6380 with
// ssl=true before flipping the switch, so nothing breaks at cutover.

How StratoLens helps

StratoLens flags every cache with the non-SSL port enabled, continuously and across every subscription, so a port someone opened for a long-gone legacy client can't sit unnoticed for years. It runs inside your own tenant, and you don't have to remember the check exists.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Not ready to install anything? Browse the Azure Footguns Database: 55+ documented ways Azure quietly costs money or creates risk.

Request a demo

StratoLens catches the cost waste, access risk, and config drift across your whole Azure estate, from inside your own tenant, so your data never leaves it.