Manage protocols and ciphers in Azure API Management

Azure API Management supports multiple versions of Transport Layer Security (TLS) protocol to secure API traffic for:

• Client side
• Backend side

API Management also supports multiple cipher suites used by the API gateway.

By default, API Management enables TLS 1.2 for client and backend connectivity and several supported cipher suites. This guide shows you how to manage protocols and ciphers configuration for an Azure API Management instance.

Note

• If you're using the self-hosted gateway, see self-hosted gateway security to manage TLS protocols and cipher suites.
• Currently, API Management doesn't support TLS 1.3.
• The Consumption tier doesn't support changes to the default cipher configuration.

Prerequisites

• An API Management instance. Create one if you haven't already.

Go to your API Management instance

1. In the Azure portal, search for and select API Management services.

   

2. On the API Management services page, select your API Management instance.

   

How to manage TLS protocols cipher suites

1. In the left navigation of your API Management instance, under Security, select Protocols + ciphers.
2. Enable or disable desired protocols or ciphers.
3. Select Save. Changes are applied within an hour.

Note

Some protocols or cipher suites (such as backend-side TLS 1.2) can't be enabled or disabled from the Azure portal. Instead, you'll need to apply the REST API call. Use the properties.customProperties structure in the Create/Update API Management Service REST API.

Next steps

• For recommendations on securing your API Management instance, see Azure security baseline for API Management.
• Learn about security considerations in the API Management landing zone accelerator.
• Learn more about TLS.