Manage protocols and ciphers in Azure API Management

Azure API Management supports multiple versions of Transport Layer Security (TLS) protocol to secure API traffic for:

  • Client side
  • Backend side

API Management also supports multiple cipher suites used by the API gateway.

By default, API Management enables TLS 1.2 for client and backend connectivity and several supported cipher suites. This guide shows you how to manage protocols and ciphers configuration for an Azure API Management instance.

Screenshot of managing protocols and ciphers in the Azure portal.

Note

  • If you're using the self-hosted gateway, see self-hosted gateway security to manage TLS protocols and cipher suites.
  • The Consumption tier doesn't support changes to the default cipher configuration.

Prerequisites

Go to your API Management instance

  1. In the Azure portal, search for and select API Management services.

    Select API Management services

  2. On the API Management services page, select your API Management instance.

    Select your API Management instance

How to manage TLS protocols cipher suites

  1. In the left navigation of your API Management instance, under Security, select Protocols + ciphers.
  2. Enable or disable desired protocols or ciphers.
  3. Select Save. Changes are applied within an hour.

Note

Some protocols or cipher suites (such as backend-side TLS 1.2) can't be enabled or disabled from the Azure portal. Instead, you'll need to apply the REST API call. Use the properties.customProperties structure in the Create/Update API Management Service REST API.

Next steps