edits

Author: gitName

articles/api-management/api-management-howto-manage-protocols-ciphers.md

@@ -6,7 +6,7 @@ author: dlepow
 
 ms.service: azure-api-management
 ms.topic: how-to
-ms.date: 08/01/2025
+ms.date: 08/04/2025
 ms.author: danlep
 ---
 
@@ -15,12 +15,13 @@ ms.author: danlep
 [!INCLUDE [api-management-availability-all-tiers](../../includes/api-management-availability-all-tiers.md)]
 
 Azure API Management supports multiple versions of Transport Layer Security (TLS) protocol to secure API traffic for:
+
 * Client side (client to API Management gateway)
 * Backend side (API Management gateway to backend)
 
 API Management also supports multiple cipher suites used by the API gateway.
 
-Depending on the service tier, API Management supports TLS 1.2 or TLS 1.3 by default for client and backend connectivity and several supported cipher suites. This guide shows you how to manage protocols and ciphers configuration for an Azure API Management instance.
+Depending on the service tier, API Management supports TLS versions up to 1.2 or TLS 1.3 for client and backend connectivity and several supported cipher suites. This guide shows you how to manage protocols and ciphers configuration for an Azure API Management instance.
 
 :::image type="content" source="media/api-management-howto-manage-protocols-ciphers/api-management-protocols-ciphers.png" alt-text="Screenshot of managing protocols and ciphers in the Azure portal.":::
 
@@ -41,7 +42,7 @@ Depending on the service tier, API Management supports TLS 1.2 or TLS 1.3 by def
 1. Enable or disable desired protocols or ciphers.
 1. Select **Save**.
 
-Changes can take some time to apply. An instance in the Developer service tier has downtime during the process. Instances in the Basic and higher tiers don't have downtime during the process.  
+Changes can take 15 to 45 minutes or longer to apply. An instance in the Developer service tier has downtime during the process. Instances in the Basic and higher tiers don't have downtime during the process.  
 
 > [!NOTE]
 > Some protocols or cipher suites (such as backend-side TLS 1.2) can't be enabled or disabled from the Azure portal. Instead, you'll need to apply the REST API call. Use the `properties.customProperties` structure in the [Create/Update API Management Service](/rest/api/apimanagement/current-ga/api-management-service/create-or-update) REST API.
@@ -53,19 +54,20 @@ Changes can take some time to apply. An instance in the Developer service tier h
 
 1. In v1/Consumption tiers, is TLS 1.2 also enabled by default, or is it only TLS 1.3?
 2. Is TLS 1.3 supported in v2 tiers for client-side and backend-side connections?
-3. What ciphers are supported in TLS 1.3?
+3. What ciphers are supported in TLS 1.3? Any user configuration possible?
 4. Can TLS 1.3 be enabled/disabled via REST API 
-5. On backend side, is TLS 1.2 also enabled by default? -->
+5. On backend side, is TLS 1.2 also enabled by default? 
+6. Is TLS 1.3 also supported in workspace gateways?     -->
 
-TLS 1.3 support is available in the API Management **Consumption**, **Developer**, **Basic**, **Standard**, and **Premium** service tiers. TLS 1.3 is enabled by default for client-side connections in most instances created in these service tiers. Enabling backend-side TLS 1.3 is optional.
+TLS 1.3 support is available in the API Management **Consumption**, **Developer**, **Basic**, **Standard**, and **Premium** service tiers. In most instances created in those service tiers, TLS 1.3 is enabled by default for client-side connections. Enabling backend-side TLS 1.3 is optional.
 
 TLS 1.3 is a major revision of the TLS protocol that provides improved security and performance. It includes features such as reduced handshake latency and improved security against certain types of attacks.
 
 ### Optionally enable TLS 1.3 when clients require certificate renegotiation
 
-TLS-compliant clients that require certificate renegotiation are not compatible with TLS 1.3. If your API Management service is detected to have received TLS connections that require certificate renegotiation, enabling client-side TLS 1.3 in your instance is *optional*. 
+If your API Management service is detected to have received TLS connections that require certificate renegotiation, enabling client-side TLS 1.3 in your instance is *optional*. TLS-compliant clients that require certificate renegotiation are not compatible with TLS 1.3. 
 
-You can review the recent connections that required certificate renegotiation in the **Protocols + ciphers** page and decide whether to enable TLS 1.3 for client-side connections:
+You can review the recent connections that required certificate renegotiation page and choose whether to enable TLS 1.3 for client-side connections:
 
 1. On the **Protocols + ciphers** page, in the **Client protocol** section, next to **TLS 1.3**, select **View and manage configuration**.
 1. Review the list of **Recent client certificate renegotiations**. The list shows API operations where clients recently used client certificate renegotiation.
@@ -74,8 +76,8 @@ You can review the recent connections that required certificate renegotiation in
 
 > [!WARNING]
 > * If your APIs are accessed by TLS-compliant clients that rely on certificate renegotiation, enabling TLS 1.3 for client-side connections will cause those clients to fail to connect. 
-> * We recommend carefully monitoring the **Recent client certificate renegotiations** list before enabling TLS 1.3 for client-side connections.
-> * After enabling TLS 1.3, review gateway request metrics or TLS-related exceptions in Application Insights. If necessary, you can disable TLS 1.3 for client-side connections and downgrade to TLS 1.2
+> * We recommend carefully monitoring the **Recent client certificate renegotiations** list both before and after enabling TLS 1.3 for client-side connections.
+> * After enabling TLS 1.3, review gateway request metrics or TLS-related exceptions in Application Insights that indicate TLS connection failures. If necessary, disable TLS 1.3 for client-side connections and downgrade to TLS 1.2.
 
 ### Optionally disable TLS 1.3