Hi @FunMum ,
Updating TLS certificates for an API Management “gateway” can mean a couple of different things in APIM (the built-in gateway vs. a self-hosted gateway running your own containers). The “best practice with least disruption” depends on which one you’re using, but here are the APIM-specific angles we can cover from the provided docs.
If you’re using an APIM Self-hosted Gateway
With a self-hosted gateway, Microsoft’s guidance (from the self-hosted gateway overview/support guidance) is that the gateway continuously checks Azure for configuration updates:
- It sends heartbeat/status every minute.
- It checks for and applies configuration updates every 10 seconds (via its management plane connection).
- It requires outbound connectivity to Azure on TCP 443 so it can receive those updates and report status/metrics.
What this implies for “least disruption”:
- Keep the gateway’s outbound connectivity to Azure healthy (TCP 443), because the gateway relies on contacting Azure to pick up configuration changes.
- When you update the TLS material/certificates in the relevant APIM configuration, the self-hosted gateway should fetch/apply the change shortly after (on the order of seconds, per the 10-second config check).
Also note the operational boundary: you (the customer) are responsible for hosting, uptime, diagnostics, and infrastructure for the self-hosted gateway. Microsoft maintains the container image and provides patches, but you handle the runtime environment.
Automation/control plane update mechanism (why disruption can be minimized)
Since the gateway automatically checks for updates every 10 seconds and applies configuration updates whenever they’re available, the practical “best practice” is to:
- Update the certificate configuration in APIM (control plane).
- Ensure the self-hosted gateway still has outbound access to Azure (TCP 443), so it can pull the new config quickly.
If you’re using APIM behind an internal Application Gateway
If your TLS termination/proxy is happening at Application Gateway (common in VNet/internal patterns), the docs emphasize that Application Gateway is configured with:
- Certificates used to decrypt and re-encrypt traffic
- Trusted root configuration for backend certificates
- Backend settings and routing
In that setup, the “least disruption” approach is usually to treat certificate updates as part of the Application Gateway configuration workflow (since that’s what is terminating TLS on the path), rather than relying only on changes inside APIM.
References:
- APIM Self-Hosted Gateway Configuration and Troubleshooting Guidance (includes heartbeat + 10-second config update behavior, and outbound 443 connectivity requirement)
- Self-hosted gateway overview / FQDN dependencies
- Update-AzApiManagementGateway (PowerShell cmdlet reference)
- Integrate API Management in an internal virtual network with Application Gateway (certificate prerequisites and App Gateway TLS/certificate configuration context)
Hope this helps!
If the resolution was helpful, kindly take a moment to click on Yes for “Was this answer helpful?”. And if you have any further query, do let us know.
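The self-hosted gateway rotation described in the answer above, written out as an added PowerShell example (not code from the original answer or from Microsoft's documentation). It follows the least-disruption order the answer implies: upload the new certificate next to the old one, repoint the gateway hostname configuration, wait for the gateway to pull the change over its 10-second control-plane poll, and retire the old certificate only after the gateway is observed serving the new thumbprint. Resource group, service name, gateway id, hostname configuration id, hostname, certificate ids and PFX path are assumed placeholders; it assumes the Az.ApiManagement module is installed, that the hostname configuration already exists (so the New- cmdlet acts as create-or-update), and that the machine running it can reach the gateway's hostname on TCP 443.

```powershell
# Added example: rotate the TLS certificate on an APIM self-hosted gateway hostname
# with the old certificate kept in place until the new one is confirmed in use.
# All values below are assumed placeholders, not taken from the original answer.

$ResourceGroup    = 'rg-apim-prod'                          # assumed
$ServiceName      = 'apim-contoso'                          # assumed
$GatewayId        = 'shgw-onprem-01'                        # assumed self-hosted gateway id
$HostnameConfigId = 'api-contoso-example'                   # assumed existing hostname config id
$HostName         = 'api.contoso.example'                   # assumed custom domain on the gateway
$PfxPath          = 'C:\secure\api.contoso.example.pfx'     # assumed path to the new PFX
$OldCertId        = 'gw-tls-2024'                           # assumed id of the certificate being replaced
$NewCertId        = "gw-tls-$(Get-Date -Format yyyyMMdd)"   # new certificate id in APIM
$PfxPassword      = Read-Host -Prompt 'PFX password' -AsSecureString
$PlainPassword    = [System.Net.NetworkCredential]::new('', $PfxPassword).Password

function Get-ServedThumbprint {
    # Open a TLS connection and return the thumbprint of the leaf certificate the
    # gateway presents. Chain validation is skipped on purpose: the goal is only to
    # observe which certificate is being served, not to decide whether to trust it.
    param([string]$TargetHost, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($TargetHost, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($TargetHost)
        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        return $leaf.Thumbprint
    } finally {
        $tcp.Dispose()
    }
}

# 0. Pre-flight on the new PFX: refuse to roll out a certificate that is about to
#    expire or that does not cover the hostname the gateway answers on.
$pfx = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $PlainPassword)
if ($pfx.NotAfter -lt (Get-Date).AddDays(30)) {
    throw "New certificate expires too soon ($($pfx.NotAfter)); rotation aborted."
}
if (-not ($pfx.DnsNameList.Unicode -contains $HostName)) {
    throw "New certificate does not list $HostName in its subject alternative names."
}

$ctx = New-AzApiManagementContext -ResourceGroupName $ResourceGroup -ServiceName $ServiceName

# 1. Upload the new certificate alongside the old one. Nothing is served from it yet,
#    so this step has no traffic impact.
$newCert = New-AzApiManagementCertificate -Context $ctx -CertificateId $NewCertId `
               -PfxFilePath $PfxPath -PfxPassword $PlainPassword

# 2. Repoint the gateway hostname configuration at the new certificate (control plane).
#    The self-hosted gateway checks for configuration changes every 10 seconds over its
#    outbound TCP 443 connection to Azure, so it should pick this up shortly.
New-AzApiManagementGatewayHostnameConfiguration -Context $ctx -GatewayId $GatewayId `
    -GatewayHostnameConfigurationId $HostnameConfigId -Hostname $HostName `
    -CertificateResourceId $newCert.Id | Out-Null

# 3. Poll the gateway until it serves the new thumbprint. Keep polling past the first
#    match so a single lucky connection does not end the check early.
$deadline = (Get-Date).AddSeconds(90)
$consecutiveMatches = 0
do {
    try   { $served = Get-ServedThumbprint -TargetHost $HostName }
    catch { $served = "unreachable ($($_.Exception.Message))" }

    if ($served -eq $newCert.Thumbprint) { $consecutiveMatches++ } else { $consecutiveMatches = 0 }
    if ($consecutiveMatches -ge 3) { break }

    Write-Host "Gateway currently serving $served; waiting for $($newCert.Thumbprint)..."
    Start-Sleep -Seconds 5
} while ((Get-Date) -lt $deadline)

if ($consecutiveMatches -lt 3) {
    # Leaving the old certificate in APIM here is what keeps this failure non-disruptive.
    throw "Gateway did not start serving $NewCertId within 90s. Check outbound TCP 443 from the gateway to Azure before retiring $OldCertId."
}

# 4. Only now retire the old certificate.
Remove-AzApiManagementCertificate -Context $ctx -CertificateId $OldCertId
Write-Host "Rotation complete: $HostName is serving $NewCertId."
```

Run this from a host that reaches the gateway's hostname on 443. If the self-hosted gateway runs as several replicas behind a load balancer, each replica pulls the configuration on its own 10-second cycle, so the three consecutive matches in step 3 are a sanity check rather than proof that every replica has switched; raise the count, or probe each replica's address directly, when that matters. The PFX password is read as a SecureString and only unwrapped for the two .NET and cmdlet calls that need the plain value.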