Manage protocols and ciphers in Azure API Management

APPLIES TO: All API Management tiers

Azure API Management supports multiple versions of Transport Layer Security (TLS) protocol to secure API traffic for:

  • Client side
  • Backend side

API Management also supports multiple cipher suites used by the API gateway.

By default, API Management enables TLS 1.2 for client and backend connectivity and several supported cipher suites. This guide shows you how to manage protocols and ciphers configuration for an Azure API Management instance.

Screenshot of managing protocols and ciphers in the Azure portal.

Note

  • If you're using the self-hosted gateway, see self-hosted gateway security to manage TLS protocols and cipher suites.
  • The following tiers don't support changes to the default cipher configuration: Consumption, Basic v2, Standard v2, Premium v2.
  • In workspaces, the managed gateway doesn't support changes to the default protocol and cipher configuration.

Prerequisites

Go to your API Management instance

  1. In the Azure portal, search for and select API Management services.

    Select API Management services

  2. On the API Management services page, select your API Management instance.

    Select your API Management instance

How to manage TLS protocols cipher suites

  1. In the left navigation of your API Management instance, under Security, select Protocols + ciphers.
  2. Enable or disable desired protocols or ciphers.
  3. Select Save.

Changes can take 1 hour or longer to apply. An instance in the Developer service tier has downtime during the process. Instances in the Basic and higher tiers don't have downtime during the process.

Note

Some protocols or cipher suites (such as backend-side TLS 1.2) can't be enabled or disabled from the Azure portal. Instead, you'll need to apply the REST API call. Use the properties.customProperties structure in the Create/Update API Management Service REST API.

Next steps