01 Run the apim list command (Windows/macOS/Linux) with a custom query filter to list the name and the associated resource group of each Azure API Management service instance available in the current subscription:
az apim list --output table --query '[*].{name:name, resourceGroup:resourceGroup}'
02 The command output should return the requested Azure API Management service names:
Name                          ResourceGroup
----------------------------  ------------------------------
cc-main-api-service-instance  cloud-shell-storage-westeurope
cc-project5-service-instance  cloud-shell-storage-westeurope
03 Run the apim show command (Windows/macOS/Linux) using the name of the Azure API Management service instance that you want to examine and its associated resource group as the identifier parameters to describe the protocol and cipher configuration of the API gateway associated with the selected service:
az apim show --name cc-main-api-service-instance --resource-group cloud-shell-storage-westeurope --output yaml --query 'customProperties'
04 The command output should return the requested configuration details:
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30: 'true'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10: 'true'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11: 'true'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls13: 'false'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30: 'true'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10: 'true'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11: 'true'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls13: 'false'
Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2: 'false'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168: 'false'
Check the configuration information returned by the apim show command output and identify the outdated SSL/TLS protocols. The outdated protocols have the following suffixes: *.Ssl30, *.Tls10, and *.Tls11. If one or more of these protocols are enabled, i.e. their attribute value is set to 'true', as shown in the example above, the API gateway associated with the selected Azure API Management service is configured to use weak and deprecated SSL/TLS protocols.
05 Repeat steps no. 3 and 4 for each Azure API Management service available within the current Azure subscription.
06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.
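The check in steps 01 to 05 can be scripted. The following is an added example, not part of the original procedure: the function names weak_protocols, audit_subscription and sample_properties are hypothetical, the sample data is constructed, and matching 'true' case-insensitively and unquoted is a precaution assumed here rather than something the page states.

```shell
# Added example (not from the original page). Function names are hypothetical.

# Reads "key: value" YAML lines on stdin and prints every key ending in
# .Ssl30, .Tls10 or .Tls11 whose value is true (quoted or not, any case).
weak_protocols() {
  awk -F': *' '
    $1 ~ /\.(Ssl30|Tls10|Tls11)$/ {
      v = tolower($2)
      gsub(/[^a-z]/, "", v)        # drop quotes, spaces and a trailing CR
      if (v == "true") print $1
    }'
}

# Steps 01 to 05 for the current subscription. Needs a logged-in Azure CLI,
# so it is defined here but not called.
audit_subscription() {
  az apim list --output tsv --query '[*].[name, resourceGroup]' |
  while read -r name rg; do
    # </dev/null keeps az from consuming the loop's input
    az apim show --name "$name" --resource-group "$rg" \
      --output yaml --query 'customProperties' </dev/null |
    weak_protocols |
    while read -r key; do printf '%s/%s: %s\n' "$rg" "$name" "$key"; done
  done
}

# Constructed sample in the shape of the step 04 output.
sample_properties() {
  cat <<'EOF'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30: 'true'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11: 'false'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30: true
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10: 'True'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls13: 'false'
Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168: 'true'
EOF
}

# Offline demonstration on the constructed sample.
sample_properties | weak_protocols
```

For step 06, select each subscription in turn with az account set --subscription and call audit_subscription; an empty result means none of the three outdated protocols is enabled.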