Use secure TLS versions for API Management
Security · API Management · Rule · 2020_06 · Critical
API Management should only accept a minimum of TLS 1.2 for client and backend communication.
Description
API Management provides support for older TLS/SSL protocols, which are disabled by default. These older versions are provided for compatibility but are not considered secure: SSL 3.0 and the CBC cipher suites of TLS 1.0 are subject to known padding and downgrade attacks, and TLS 1.0 and 1.1 were formally deprecated by RFC 8996.
The following protocols are considered weak or deprecated:
- SSL 3.0
- TLS 1.0
- TLS 1.1
Recommendation
Consider configuring TLS 1.2 as the minimum supported protocol version for both client (front-end) and backend connections. Also consider disabling weak or deprecated cipher suites, since a modern protocol version alone does not remove a weak cipher from the negotiation.
Examples
Configure with Azure template
To deploy API Management Services that pass this rule:
- Set the following keys to "False" (as a string) within the properties.customProperties property:
  - Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10
  - Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11
  - Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30
  - Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10
  - Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11
  - Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30
For example:

```json
{
  "type": "Microsoft.ApiManagement/service",
  "apiVersion": "2021-08-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Premium",
    "capacity": 1
  },
  "identity": {
    "type": "SystemAssigned"
  },
  "properties": {
    "publisherEmail": "[parameters('publisherEmail')]",
    "publisherName": "[parameters('publisherName')]",
    "customProperties": {
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10": "False",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11": "False",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30": "False",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10": "False",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11": "False",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30": "False",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2": "True",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168": "False",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA": "False",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA": "False",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256": "False",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": "False",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256": "False",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": "False",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256": "False"
    },
    "apiVersionConstraint": {
      "minApiVersion": "2021-08-01"
    }
  }
}
```
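The template above shows the hardened state. The checker below is an added example, not part of this rule page or of PSRule: it lints the customProperties block of every Microsoft.ApiManagement/service resource in an ARM template and reports legacy protocol keys that are not set to the string "False" plus weak cipher keys that are not explicitly disabled, so a template can be rejected in a pipeline before it reaches Azure. Two choices are this checker's own assumptions rather than statements from the page: a protocol key that is missing altogether is reported as a failure (the legacy protocols must be disabled explicitly instead of being left to service defaults), and the cipher keys produce warnings rather than failures because the rule text only mandates the protocol keys. Both sample templates are constructed for the example.

```python
"""Pre-deployment lint for API Management TLS protocol and cipher settings.

Added example, not the rule page's or PSRule's own code. Parses an ARM
template, finds Microsoft.ApiManagement/service resources and checks the
customProperties keys the rule above requires to be the string "False".
"""
import json

PREFIX = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security."

# The six keys the rule requires to be "False": client (front-end) and backend.
LEGACY_PROTOCOL_KEYS = [
    PREFIX + "Protocols.Tls10",
    PREFIX + "Protocols.Tls11",
    PREFIX + "Protocols.Ssl30",
    PREFIX + "Backend.Protocols.Tls10",
    PREFIX + "Backend.Protocols.Tls11",
    PREFIX + "Backend.Protocols.Ssl30",
]

# Cipher keys the hardened template above sets to "False". Reported as warnings
# only (assumption of this checker; the rule text mandates the protocol keys).
WEAK_CIPHER_KEYS = [
    PREFIX + "Ciphers.TripleDes168",
    PREFIX + "Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA",
    PREFIX + "Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA",
    PREFIX + "Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256",
    PREFIX + "Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256",
    PREFIX + "Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    PREFIX + "Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    PREFIX + "Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256",
]


def is_disabled(value):
    """Azure stores these flags as strings; accept "False"/"false" and a bare bool."""
    if isinstance(value, bool):
        return value is False
    return isinstance(value, str) and value.strip().lower() == "false"


def check_apim_resource(resource):
    """Return (failures, warnings) for one Microsoft.ApiManagement/service resource.

    A missing protocol key is a failure: this checker requires the legacy
    protocols to be disabled explicitly (assumption of the example).
    """
    props = resource.get("properties", {}).get("customProperties", {}) or {}
    failures = []
    for key in LEGACY_PROTOCOL_KEYS:
        if key not in props:
            failures.append(f"{key}: not set; disable explicitly")
        elif not is_disabled(props[key]):
            failures.append(f"{key}: {props[key]!r}; must be the string \"False\"")
    warnings = [
        f"{key}: not explicitly disabled"
        for key in WEAK_CIPHER_KEYS
        if not is_disabled(props.get(key))
    ]
    return failures, warnings


def check_template(template_text):
    """Map each API Management service name in an ARM template to its (failures, warnings)."""
    template = json.loads(template_text)
    results = {}
    for resource in template.get("resources", []):
        if resource.get("type", "").lower() == "microsoft.apimanagement/service":
            results[resource.get("name", "<unnamed>")] = check_apim_resource(resource)
    return results


# Constructed sample: leaves TLS 1.0 on for clients, omits the backend SSL 3.0
# key entirely and says nothing about ciphers.
WEAK_TEMPLATE = json.dumps({"resources": [{
    "type": "Microsoft.ApiManagement/service",
    "apiVersion": "2021-08-01",
    "name": "apim-weak",
    "properties": {"customProperties": {
        PREFIX + "Protocols.Tls10": "True",
        PREFIX + "Protocols.Tls11": "False",
        PREFIX + "Protocols.Ssl30": "False",
        PREFIX + "Backend.Protocols.Tls10": "False",
        PREFIX + "Backend.Protocols.Tls11": "False",
    }},
}]})

# Constructed sample mirroring the hardened customProperties block above.
HARDENED_TEMPLATE = json.dumps({"resources": [{
    "type": "Microsoft.ApiManagement/service",
    "apiVersion": "2021-08-01",
    "name": "apim-hardened",
    "properties": {"customProperties": {
        **{key: "False" for key in LEGACY_PROTOCOL_KEYS},
        **{key: "False" for key in WEAK_CIPHER_KEYS},
        "Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2": "True",
    }},
}]})

if __name__ == "__main__":
    for label, text in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        for name, (failures, warnings) in check_template(text).items():
            status = "FAIL" if failures else "PASS"
            print(f"[{status}] {label}/{name}: {len(failures)} failure(s), {len(warnings)} warning(s)")
            for line in failures + warnings:
                print("   ", line)
```

Run it against a template in CI before deployment; the weak sample fails on the client TLS 1.0 key and the missing backend SSL 3.0 key and warns on every cipher, while the hardened sample is clean. After deployment, confirm the live gateway independently, for instance with openssl s_client -tls1_1 -connect against the gateway hostname on port 443, which should fail to negotiate a session once TLS 1.2 is the minimum.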
Configure with Bicep
To deploy API Management Services that pass this rule:
- Set the following keys to 'False' (as a string) within the properties.customProperties property:
  - Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10
  - Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11
  - Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30
  - Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10
  - Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11
  - Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30
For example:

```bicep
resource service 'Microsoft.ApiManagement/service@2021-08-01' = {
  name: name
  location: location
  sku: {
    name: 'Premium'
    capacity: 1
  }
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    publisherEmail: publisherEmail
    publisherName: publisherName
    customProperties: {
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10': 'False'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11': 'False'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30': 'False'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10': 'False'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11': 'False'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30': 'False'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2': 'True'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168': 'False'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA': 'False'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA': 'False'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256': 'False'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA': 'False'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256': 'False'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA': 'False'
      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256': 'False'
    }
    apiVersionConstraint: {
      minApiVersion: '2021-08-01'
    }
  }
}
```
Configure with Azure Verified Modules
A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:
To use the latest version:
Links
- Data encryption in Azure
- Manage protocols and ciphers in Azure API Management
- Cryptographic Recommendations
- Azure deployment reference