Azure API Management throwing error in connecting to backend which requires minimum TLS1.3

Question

Azure API Management throwing error in connecting to backend which requires minimum TLS1.3

ZQadir 195

We have a scenario where we need to connect to a third party service which requires minimum TLS 1.3. We are using Azure API Management (Developer SKU at the moment on v1 tier in West Europe Azure Region) to connect to that third party service.

As per this article: https://techcommunity.microsoft.com/blog/integrationsonazureblog/announcing-the-availability-of-tls-1-3-in-azure-api-management-in-preview/4047586 Azure API Management on v1 tiers should be able to support TLS1.3 for outbound traffic from API Gateway to API backend, however it puts a caveat that it needs to be enabled manually. I am not able to find any documentation on how to enable TLS1.3 for communication with backend in Azure API Management.

I have tried to set up a PoC for this i.e., Azure API Management (on Developer SKU on v1 tier in West Europe) on top of Http Triggered Azure Function which requires Minimum TLS 1.3. However, it throws an HTTP 500 Internal Server Error. The underlying trace shows:

forward-request (30.829 ms) { "messages": [ "Error occured while calling backend service.", "The request was aborted: Could not create SSL/TLS secure channel." ] }

To isolate the issue i.e., it is specifically due to Minimum TLS version configured as 1.3 on HTTP Triggered Azure Function, I tried configuring the HTTP Triggered Azure Function to use Minimum TLS version 1.2, and then Azure API Management is able to communicate with that http triggered Azure function without any issue. So, the issue is specifically when Azure API Management needs to communicate with a backend that requires Minimum TLS version 1.3

Any reference / how to article on any specific configuration(s) required in Azure API Management to be able to communicate with backends requiring minimum TLS version 1.3 is highly appreciated.

ZQadir 195 Reputation points

2024-12-03T23:31:31.8466667+00:00

Just found the latest response on a similar question (https://learn.microsoft.com/en-us/answers/questions/2124159/when-will-azure-api-management-support-tls-1-3-bot) that states that even though the functionality for TLS1.3 for communication between Azure API Management gateway and its backends is technically in GA; but it can not be enabled in a self service fashion i.e., at the moment, it requires a support ticket for Microsoft team to enable it for a specific instance of Azure API Management service.

1 answer

Your answer

ZQadir 195 Reputation points

2024-12-03T23:31:31.8466667+00:00

Just found the latest response on a similar question (https://learn.microsoft.com/en-us/answers/questions/2124159/when-will-azure-api-management-support-tls-1-3-bot) that states that even though the functionality for TLS1.3 for communication between Azure API Management gateway and its backends is technically in GA; but it can not be enabled in a self service fashion i.e., at the moment, it requires a support ticket for Microsoft team to enable it for a specific instance of Azure API Management service.

Answer 1

JananiRamesh-MSFT 29,236

@ZQadir Thanks for reaching out. APIM outbound TLS 1.3 is off by default. Only inbound has TLS 1.3 enabled. Outbound can only be enabled by Product group team by raising support ticket but we don't recommend it for production scenarios as it is in preview currently. Plan is to make it available for customers around March-April 2025

do let me know incase of further queries, I would be happy to assist you.

Please accept as Yes if the answer provided is useful, so that you can help others in the community looking for remediation for similar issues.

ZQadir 195 Reputation points

2024-12-04T09:22:12.7433333+00:00
@JananiRamesh-MSFT thanks for the response.

However, as per your latest comment on the above referenced Q&A i.e., https://learn.microsoft.com/en-us/answers/questions/2124159/when-will-azure-api-management-support-tls-1-3-bot, you have mentioned that this functionality is technically already GA, but your answer above is reiterating the earlier position i.e., not to use it for production scenarios as it is in preview? Can you kindly clarify the situation i.e.,

If this functionality is in preview and must not be used for production scenarios OR

Its technically already GA and its just the self service enablement part of it which requires a support case for Microsoft Product Team to enable it for our specific instances of API Management service, and even that enablement will become self service around March-April 2025 timeline.

Please note that we are currently in design and development stage and our go live is expected around March-April 2025 timeframe.
JananiRamesh-MSFT 29,236 Reputation points

2024-12-05T15:21:36.8666667+00:00

ZQadir Thanks for getting back, (2) is correct Its technically already GA and it's just the self-service enablement part of it which requires a support case for Microsoft Product Team to enable it for customers specific instances of API Management service, and even that enablement will become self-service around March-April 2025 timeline. I had a discussion internally and confirmed that its ok to use in production.

Please accept as Yes if the answer provided is useful, so that you can help others in the community looking for remediation for similar issues.
Karlsen, David Johan Macdonald 0 Reputation points

2025-03-18T09:00:27.2533333+00:00

It's really odd. If you have minimum tls 1.2 on your webapps apim will actually handshake a 1.3 connection, but if you set min 1.3 in backends, the apim handshake will fail with:

{"elapsed":35,"source":"forward-request","path":"forward-request\forward-request","reason":"BackendConnectionFailure","message":"The request was aborted: Could not create SSL/TLS secure channel.","section":"backend"} elapsed 35 message The request was aborted: Could not create SSL/TLS secure channel. path forward-request\forward-request reason BackendConnectionFailure section backend source forward-request

Share via

Azure API Management throwing error in connecting to backend which requires minimum TLS1.3

1 answer

Your answer