Manage protocols and ciphers in Azure API Management

APPLIES TO: All API Management tiers

Azure API Management supports multiple versions of Transport Layer Security (TLS) protocol to secure API traffic for:

• Client side
• Backend side

API Management also supports multiple cipher suites used by the API gateway.

By default, API Management enables TLS 1.2 for client and backend connectivity and several supported cipher suites. This guide shows you how to manage protocols and ciphers configuration for an Azure API Management instance.

Note

• If you're using the self-hosted gateway, see self-hosted gateway security to manage TLS protocols and cipher suites.
• The following tiers don't support changes to the default cipher configuration: Consumption, Basic v2, Standard v2.

Prerequisites

• An API Management instance. Create one if you haven't already.

Go to your API Management instance

1. In the Azure portal, search for and select API Management services.

   

2. On the API Management services page, select your API Management instance.

   

How to manage TLS protocols cipher suites

1. In the left navigation of your API Management instance, under Security, select Protocols + ciphers.
2. Enable or disable desired protocols or ciphers.
3. Select Save.

Changes can take 1 hour or longer to apply. An instance in the Developer service tier has downtime during the process. Instances in the Basic and higher tiers don't have downtime during the process.

Note

Some protocols or cipher suites (such as backend-side TLS 1.2) can't be enabled or disabled from the Azure portal. Instead, you'll need to apply the REST API call. Use the properties.customProperties structure in the Create/Update API Management Service REST API.

Next steps

• For recommendations on securing your API Management instance, see Azure security baseline for API Management.
• Learn about security considerations in the API Management landing zone accelerator.
• Learn more about TLS.