Azure API Management

Inside scoop from the API Management team

Upcoming changes to TLS defaults in API Management required to maintain compliance

We would like to let you know about upcoming security improvements we’re making for PCI compliance.

The PCI Security Standards Council announced that PCI-compliant web applications must transition from TLS version 1.0 to TLS 1.1 or higher by June 30, 2018.

At present:

  • API Management service instances are created with TLS 1.0/1.1/1.2 enabled by default
  • 3DES cipher is enabled by default
  • Customers have an option of disabling TLS 1.0/1.1 and 3DES cipher either in the Azure Portal or programmatically

Starting on April 1, 2018:

  • All new API Management service instances will be created with TLS 1.0/1.1 and 3DES cipher disabled by default. TLS 1.2 will be the only TLS version enabled by default.
  • TLS configuration of API Management service instances created before April 1, 2018, will remain unchanged
  • Customers will have an option to enable TLS 1.0/1.1 and 3DES cipher either in the Azure Portal or programmatically

We encourage all existing customers, if possible, to discontinue using TLS 1.0/1.1.
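To find instances that still accept TLS 1.0/1.1 or 3DES, the creation-date default described above has to be combined with any explicit setting on the instance. The following is an added example, not code from the API Management team: it assumes each service is available as ARM resource JSON with `properties.createdAtUtc` and `properties.customProperties`, and the `customProperties` key names are taken from the ARM resource schema rather than from this post.

```python
import json
from datetime import datetime, timezone

PREFIX = "Microsoft.WindowsAzure.ApiManagement.Gateway.Security."
# customProperties keys (assumed from the ARM resource schema, not from this post).
SETTINGS = {
    "TLS 1.0": PREFIX + "Protocols.Tls10",
    "TLS 1.1": PREFIX + "Protocols.Tls11",
    "3DES": PREFIX + "Ciphers.TripleDes168",
}
CUTOVER = datetime(2018, 4, 1, tzinfo=timezone.utc)  # date given in the announcement

# Constructed sample resources, trimmed to the fields the audit reads.
SAMPLES = json.loads("""
[
  {"name": "apim-legacy-untouched",
   "properties": {"createdAtUtc": "2017-11-02T10:15:00Z"}},
  {"name": "apim-legacy-hardened",
   "properties": {"createdAtUtc": "2017-11-02T10:15:00Z", "customProperties": {
     "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10": "False",
     "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11": "false",
     "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168": "False"}}},
  {"name": "apim-new-reenabled",
   "properties": {"createdAtUtc": "2018-05-10T08:00:00Z", "customProperties": {
     "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10": "True"}}}
]
""")

def effective_settings(resource):
    """Return {label: enabled} after applying the creation-date default."""
    props = resource["properties"]
    created = datetime.fromisoformat(props["createdAtUtc"].replace("Z", "+00:00"))
    enabled_by_default = created < CUTOVER  # pre-cutover instances keep legacy defaults
    custom = props.get("customProperties") or {}
    result = {}
    for label, key in SETTINGS.items():
        raw = custom.get(key)  # an explicit value always overrides the default
        result[label] = enabled_by_default if raw is None else str(raw).strip().lower() == "true"
    return result

def legacy_enabled(resource):
    """Sorted labels of legacy protocols/ciphers still enabled on the gateway."""
    return sorted(k for k, on in effective_settings(resource).items() if on)

if __name__ == "__main__":
    for res in SAMPLES:
        found = legacy_enabled(res)
        print(f"{res['name']}: {', '.join(found) if found else 'no legacy settings enabled'}")
```

An instance created before the cut-over with no explicit settings is reported with all three legacy options enabled, which is the case the recommendation above is aimed at.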

Questions or concerns? Please contact us on the API Management forum or Stack Overflow.