Plan and implement Transport Layer Security (TLS) to applications, including Azure App Service and API Management

  • 7 minutes

Transport Layer Security (TLS) is a cryptographic protocol designed to secure communications over networks by providing encryption, authentication, and data integrity. It works by establishing a secure handshake between a client and a server, negotiating cipher suites, and validating certificates issued by trusted Certificate Authorities. This process ensures that sensitive information, such as credentials and application data, is transmitted in an encrypted form, protecting it from interception or tampering during transit. TLS evolved through multiple versions, with TLS 1.2 and TLS 1.3 offering stronger encryption, faster handshakes, and enhanced privacy compared to earlier iterations.

In the context of Azure, TLS plays a critical role in safeguarding data across services like App Service, API Management, Azure Storage, and SQL Database. Azure enforces TLS for all connections to ensure encryption in transit, mitigating risks such as man-in-the-middle attacks. Modern TLS versions (1.2 or higher) are required, Azure aligns with industry security standards and provides features like Perfect Forward Secrecy and authenticated encryption, which enhance resilience against evolving threats. Newer versions of TLS not only protect customer data but also ensures compliance with regulatory requirements, making TLS a foundational component of Azure’s security posture.

What Transport Layer Security does for your applications

Transport Layer Security (TLS) encrypts data traveling between clients and servers, preventing eavesdropping and tampering. When a user connects to your web application or API, TLS creates an encrypted tunnel that protects sensitive information—like authentication tokens, personal data, and business transactions—from interception.

Modern organizations rely on TLS to:

  • Meet regulatory requirements: Standards like PCI DSS, HIPAA, and other stadandars mandate encryption for data in transit.
  • Build customer trust: Browser security indicators and certificate warnings directly change user confidence.
  • Prevent data breaches: Unencrypted connections expose credentials, session tokens, and business data to network attackers.

TLS replaces the deprecated Secure Sockets Layer (SSL) protocol. Always configure services to use TLS 1.2 or TLS 1.3—older versions contain known vulnerabilities.

Why TLS matters in Azure

Azure services handle millions of customer requests daily across global regions. TLS provides three critical protections:

  • Authentication: Certificates prove your service identity, preventing man-in-the-middle attacks where attackers impersonate your endpoints.
  • Confidentiality: Encryption ensures only authorized parties can read transmitted data, even when traffic crosses untrusted networks.
  • Integrity: Cryptographic signatures detect any tampering with data during transmission.

Without TLS, an attacker on the same network as your users could capture sign in credentials, API keys, or customer records. Azure includes built-in TLS support across platform services, but you must configure minimum versions and certificate policies to align with your security requirements.

Important

TLS only protects data in transit. You must separately encrypt data at rest using Azure Storage encryption, database transparent data encryption, or Azure Disk Encryption.

Configure TLS for Azure App Service

In your application code, you can access the public or private certificates that you add to Azure App Service. Your app code might act as a client and access an external service that requires certificate authentication. It might also need to perform cryptographic tasks.

This approach to using certificates in your code makes use of the Transport Layer Security (TLS) functionality in App Service, which requires your app to be in the Basic tier or higher. If your app is in the Free or Shared tier, you can include the certificate file in your app repository.

When you let App Service manage your TLS/Secure Sockets Layer (SSL) certificates, you can maintain the certificates and your application code separately and safeguard your sensitive data.

Azure App Service provides managed TLS termination with automatic certificate renewal. You control the minimum TLS version and can enforce HTTPS for all connections.

Enforce minimum TLS version

  1. In the Azure portal, navigate to your App Service resource.
  2. Under Settings, select Configuration.
  3. Select the General settings tab.
  4. Set Minimum TLS version to 1.2 or 1.3.
  5. Select Save to apply the change.

Clients attempting to connect with older TLS versions receive a connection error, preventing legacy systems from using weak cryptography.

Require HTTPS connections

  1. In your App Service resource, select Configuration under Settings.
  2. Select the General settings tab.
  3. Set HTTPS Only to On.
  4. Select Save.

Azure automatically redirects HTTP requests to HTTPS, ensuring all traffic uses encrypted connections. Encrypted connections eliminate mixed-content warnings in browsers and simplify compliance audits.

Add a custom domain certificate

App Service apps receive a free *.azurewebsites.net certificate. For production workloads using custom domains:

  1. Purchase or import a certificate that matches your domain name.
  2. In your App Service, select Certificates under Settings.
  3. Select Add certificate and follow the wizard to upload your certificate or create an App Service managed certificate.
  4. Bind the certificate to your custom domain under Custom domains.

Managed certificates automatically renew before expiration. Private certificates require manual renewal and reupload.

Configure TLS for Azure API Management

Azure API Management sits between clients and backend APIs, handling authentication, rate limiting, and transformation. You configure TLS at both the gateway (client-facing) and backend (service-to-service) layers.

Set minimum TLS version for the gateway

  1. In the Azure portal, open your API Management instance.
  2. Under Security, select Protocols + ciphers.
  3. Clear the checkboxes for SSL 3.0, TLS 1.0, and TLS 1.1.
  4. Ensure TLS 1.2 is enabled (TLS 1.3 support depends on your service tier).
  5. Select Save.

Preventing clients from negotiating weak protocol versions. Test with your API consumers before disabling TLS 1.1 if you support older mobile apps or legacy systems.

Enforce HTTPS for API endpoints

  1. Navigate to APIs in your API Management instance.
  2. Select the API you want to secure.
  3. Under Settings, locate the URL scheme option.
  4. Select HTTPS only.
  5. Select Save.

API Management rejects HTTP requests with a 403 Forbidden response, protecting against accidental exposure of unencrypted endpoints.

Configure backend TLS validation

When API Management calls backend services, verify those connections also use TLS:

  1. In your API, select Design and choose an operation.
  2. In the Backend section, select the pencil icon to edit.
  3. Enable Validate certificate chain and Validate certificate name.
  4. Upload trusted root certificates if your backend uses private or self-signed certificates.

Verify backed connections to prevent API Management from accepting invalid or expired certificates from backend services, maintaining end-to-end encryption.

Tip

Use Azure Key Vault to store and rotate certificates for both App Service and API Management. You build centralized certificate lifecycle management and simplify compliance reporting.

Plan your TLS configuration

Before deploying TLS changes to production:

  • Audit existing clients: Identify any systems using TLS 1.0 or 1.1 and plan their upgrades.
  • Test certificate renewals: Verify automated renewal works for managed certificates and document manual renewal procedures for private certificates.
  • Configure monitoring: Set up Azure Monitor alerts for TLS handshake failures and certificate expiration warnings.
  • Document compliance mappings: Record which TLS settings satisfy specific regulatory requirements for audit trails.

Disabling older TLS versions can break compatibility with legacy clients. Coordinate with application owners and plan a phased rollout with clear communication to API consumers.

Key Takeaways

  • Configure minimum TLS version to 1.2 or higher on all Azure services to prevent weak cryptography vulnerabilities.
  • Enforce HTTPS-only connections on App Service and API Management to eliminate unencrypted traffic.
  • Enable backend certificate validation in API Management to maintain end-to-end encryption across service boundaries.
  • Use Azure Key Vault for centralized certificate management and automated renewal workflows.
  • Test TLS configuration changes in staging environments before production rollout to identify client compatibility issues.
  • Audit your existing Azure App Service and API Management instances to identify services still allowing TLS 1.0 or 1.1.
  • Create an Azure Key Vault and migrate certificate storage from manual uploads to centralized vault-based management.
  • Configure Azure Monitor alerts for certificate expiration (30 days before expiry) and TLS handshake failures to prevent service disruptions.