
Commit a7dcca7

author
gitName
committed
draft complete
1 parent a7a0803 commit a7dcca7

1 file changed

+19
-21
lines changed

articles/api-management/api-management-howto-manage-protocols-ciphers.md

Lines changed: 19 additions & 21 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ author: dlepow
66

77
ms.service: azure-api-management
88
ms.topic: how-to
9-
ms.date: 08/04/2025
9+
ms.date: 08/05/2025
1010
ms.author: danlep
1111
---
1212

@@ -30,6 +30,10 @@ Depending on the service tier, API Management supports TLS versions up to 1.2 or
3030
> * The following tiers don't support changes to the default cipher configuration: **Consumption**, **Basic v2**, **Standard v2**, **Premium v2**.
3131
> * In [workspaces](workspaces-overview.md), the managed gateway doesn't support changes to the default protocol and cipher configuration.
3232
33+
> [!NOTE]
34+
> Depending on the API Management service tier, changes can take 15 to 45 minutes or longer to apply. An instance in the Developer service tier has downtime during the process. Instances in the Basic and higher tiers don't have downtime during the process.
35+
36+
3337
## Prerequisites
3438

3539
* An API Management instance. [Create one if you haven't already](get-started-create-service-instance.md).
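Review bot: lines 35+ and 36+ add two consecutive blank lines ahead of `## Prerequisites`, leaving a double blank line in the rendered file; drop one so the spacing matches the surrounding sections. Placing the timing note beside the tier restrictions works well, since the Developer tier downtime is now called out before the reader starts the procedure rather than after the **Save** step.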
@@ -42,42 +46,33 @@ Depending on the service tier, API Management supports TLS versions up to 1.2 or
4246
1. Enable or disable desired protocols or ciphers.
4347
1. Select **Save**.
4448

45-
Changes can take 15 to 45 minutes or longer to apply. An instance in the Developer service tier has downtime during the process. Instances in the Basic and higher tiers don't have downtime during the process.
46-
4749
> [!NOTE]
4850
> Some protocols or cipher suites (such as backend-side TLS 1.2) can't be enabled or disabled from the Azure portal. Instead, you'll need to apply the REST API call. Use the `properties.customProperties` structure in the [Create/Update API Management Service](/rest/api/apimanagement/current-ga/api-management-service/create-or-update) REST API.
4951
50-
## TLS 1.3 support
51-
52-
53-
<!-- Questions:
52+
## TLS 1.3 support in Consumption and classic tiers
5453

55-
1. In v1/Consumption tiers, is TLS 1.2 also enabled by default, or is it only TLS 1.3?
56-
2. Is TLS 1.3 supported in v2 tiers for client-side and backend-side connections?
57-
3. What ciphers are supported in TLS 1.3? Any user configuration possible?
58-
4. Can TLS 1.3 be enabled/disabled via REST API
59-
5. On backend side, is TLS 1.2 also enabled by default?
60-
6. Is TLS 1.3 also supported in workspace gateways? -->
61-
62-
TLS 1.3 support is available in the API Management **Consumption**, **Developer**, **Basic**, **Standard**, and **Premium** service tiers. In most instances created in those service tiers, TLS 1.3 is enabled by default for client-side connections. Enabling backend-side TLS 1.3 is optional.
54+
TLS 1.3 support is available in the API Management **Consumption** and classic **Developer**, **Basic**, **Standard**, and **Premium** service tiers. In most instances created in those service tiers, TLS 1.3 is enabled by default for client-side connections. Enabling backend-side TLS 1.3 is optional. TLS 1.2 is also enabled by default on both client and backend sides.
6355

6456
TLS 1.3 is a major revision of the TLS protocol that provides improved security and performance. It includes features such as reduced handshake latency and improved security against certain types of attacks.
6557

58+
> [!NOTE]
59+
> The [v2 tiers](v2-service-tiers-overview.md) of API Management and [workspace gateways](workspaces-overview.md) support TLS 1.2 by default for client-side and backend-side connections. They don't currently support TLS 1.3.
60+
6661
### Optionally enable TLS 1.3 when clients require certificate renegotiation
6762

68-
If your API Management service is detected to have received TLS connections that require certificate renegotiation, enabling client-side TLS 1.3 in your instance is *optional*. TLS-compliant clients that require certificate renegotiation are not compatible with TLS 1.3.
63+
Client-side TLS 1.3 is disabled by default in **Consumption** and classic tier instances that recently received TLS connections that require certificate renegotiation. Certificate renegotiation in TLS allows client and server to renegotiate connection parameters mid-session for authentication without terminating the connection. TLS-compliant clients that rely on certificate renegotiation are not compatible with TLS 1.3.
6964

70-
You can review the recent connections that required certificate renegotiation page and choose whether to enable TLS 1.3 for client-side connections:
65+
After reviewing recent client connections that used certificate renegotiation, you can choose whether to enable TLS 1.3 for client-side connections:
7166

7267
1. On the **Protocols + ciphers** page, in the **Client protocol** section, next to **TLS 1.3**, select **View and manage configuration**.
7368
1. Review the list of **Recent client certificate renegotiations**. The list shows API operations where clients recently used client certificate renegotiation.
7469
1. If you choose to enable TLS 1.3 for client-side connections, select **Enable**.
7570
1. Select **Close**.
7671

72+
After enabling TLS 1.3, review gateway request metrics or TLS-related exceptions in Application Insights that indicate TLS connection failures. If necessary, disable TLS 1.3 for client-side connections and downgrade to TLS 1.2.
73+
7774
> [!WARNING]
78-
> * If your APIs are accessed by TLS-compliant clients that rely on certificate renegotiation, enabling TLS 1.3 for client-side connections will cause those clients to fail to connect.
79-
> * We recommend carefully monitoring the **Recent client certificate renegotiations** list both before and after enabling TLS 1.3 for client-side connections.
80-
> * After enabling TLS 1.3, review gateway request metrics or TLS-related exceptions in Application Insights that indicate TLS connection failures. If necessary, disable TLS 1.3 for client-side connections and downgrade to TLS 1.2.
75+
> If your APIs are accessed by TLS-compliant clients that rely on certificate renegotiation, enabling TLS 1.3 for client-side connections will cause those clients to fail to connect.
8176
8277
### Optionally disable TLS 1.3
8378

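Review bot: the rewritten warning at line 75+ drops the earlier recommendation (removed at 79-) to monitor the **Recent client certificate renegotiations** list both before and after enabling client-side TLS 1.3. The Application Insights follow-up survives at line 72+, but the before-and-after check of that list is the signal an operator uses to decide whether enabling is safe for their clients, so consider keeping it, either as a second sentence in the paragraph at 72+ or as a bullet in the warning. Minor: the removed `<!-- Questions: -->` block asked which ciphers TLS 1.3 uses and whether they are user-configurable (question 3); the new text answers the default-protocol questions but not that one, so either add a sentence or track the open question elsewhere before the comment is deleted.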
@@ -89,7 +84,10 @@ If you need to disable TLS 1.3 for client-side connections, you can do so from t
8984

9085
### Backend-side TLS 1.3
9186

92-
Enabling backend-side TLS 1.3 is optional. If you enable it, API Management will use TLS 1.3 for connections to your backend services that support it.
87+
Enabling backend-side TLS 1.3 is optional. If you enable it, API Management uses TLS 1.3 for connections to your backend services.
88+
89+
> [!WARNING]
90+
> Enabling TLS 1.3 for backend-side connections will cause connection failures with backend services that rely on client certificate renegotiation between API Management and the backends.
9391
9492
You can enable backend-side TLS 1.3 from the **Protocols + ciphers** page:
9593

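Review bot: line 87+ removes the qualifier "that support it", so the sentence now reads as if API Management uses TLS 1.3 for every backend connection once the setting is on; combined with line 54+ in the previous hunk ("TLS 1.2 is also enabled by default on both client and backend sides"), a reader cannot tell whether a TLS 1.2-only backend still negotiates TLS 1.2 or fails. State the fallback behavior explicitly, for example "uses TLS 1.3 for connections to backend services that support it and otherwise negotiates TLS 1.2", or, if enabling the option forces TLS 1.3, say so and fold that failure mode into the warning at 90+ alongside the certificate renegotiation case.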