What it is
An Azure Cache for Redis instance with enableNonSslPort set to true, which opens plaintext port 6379 alongside the TLS port 6380. Every command and every value sent over 6379 is unencrypted, and so is the access key a client presents during AUTH. One sniffed handshake hands over a credential with full read/write access to the entire cache.
Why it happens
Unlike most footguns in this database, the dangerous setting is not the Azure default. The non-SSL port ships disabled; someone turned it on. The usual story is a legacy client: redis-cli had no TLS support before Redis 6, and plenty of older client libraries and tutorials assumed plain 6379, so enabling the port was the quick unblock during initial integration or a debugging session.
Once both ports are open nothing ever breaks, so nothing ever prompts anyone to close it. The clients that needed it get upgraded eventually, but the port setting outlives them, and each new connection string is one config typo (6379 instead of 6380) away from silently downgrading to plaintext.
What it costs / blast radius
The blast radius is everything that transits the cache plus the cache itself. Anyone positioned on the network path, a compromised host in the VNet, a peered network, an on-premises segment behind a VPN or ExpressRoute, can read session tokens and cached data as they fly by. Worse, capturing a single AUTH exchange yields the access key, which converts passive eavesdropping into durable full access that persists until the key is rotated.
Combined with public network access (see AZF-0069) the plaintext port is reachable from the internet as well. (Authored assessment of Azure behavior.)
See it
resource cache 'Microsoft.Cache/redis@2024-03-01' = {
name: 'app-cache'
location: location
properties: {
sku: { name: 'Standard', family: 'C', capacity: 1 }
enableNonSslPort: true // opens cleartext port 6379
}
}resource cache 'Microsoft.Cache/redis@2024-03-01' = {
name: 'app-cache'
location: location
properties: {
sku: { name: 'Standard', family: 'C', capacity: 1 }
enableNonSslPort: false // clients connect only via TLS on 6380
minimumTlsVersion: '1.2'
}
}
// Then confirm every client connection string uses port 6380 with
// ssl=true before flipping the switch, so nothing breaks at cutover.How StratoLens helps
StratoLens flags every cache with the non-SSL port enabled, continuously and across every subscription, so a port someone opened for a long-gone legacy client can't sit unnoticed for years. It runs inside your own tenant, and you don't have to remember the check exists.