Manage protocols and ciphers in Azure API Management

Azure API Management supports multiple versions of Transport Layer Security (TLS) protocol to secure API traffic for:

  • Client side
  • Backend side

API Management also supports multiple cipher suites used by the API gateway.

By default, API Management enables TLS 1.2 for client and backend connectivity and several supported cipher suites. This guide shows you how to manage protocols and ciphers configuration for an Azure API Management instance.

Screenshot of managing protocols and ciphers in the Azure portal.


This article applies to API Management instances created in the Consumption, Developer, Basic, Standard, and Premium tiers. It hasn't been updated to include information about instances created in the v2 pricing tiers (preview).


  • If you're using the self-hosted gateway, see self-hosted gateway security to manage TLS protocols and cipher suites.
  • Currently, API Management doesn't support TLS 1.3.
  • The Consumption tier doesn't support changes to the default cipher configuration.


Go to your API Management instance

  1. In the Azure portal, search for and select API Management services.

    Select API Management services

  2. On the API Management services page, select your API Management instance.

    Select your API Management instance

How to manage TLS protocols cipher suites

  1. In the left navigation of your API Management instance, under Security, select Protocols + ciphers.
  2. Enable or disable desired protocols or ciphers.
  3. Select Save.

Changes can take 1 hour or longer to apply. An instance in the Developer service tier has downtime during the process. Instances in the Basic and higher tiers don't have downtime during the process.


Some protocols or cipher suites (such as backend-side TLS 1.2) can't be enabled or disabled from the Azure portal. Instead, you'll need to apply the REST API call. Use the properties.customProperties structure in the Create/Update API Management Service REST API.

Next steps