TLS Termination: Where and Why
TLS termination is a security + performance choice: the termination point is where the TLS session ends and the request first exists as plaintext. The right answer depends on threat model and operational maturity.
Three termination points
Edge: CDN or load balancer terminates; traffic to the backend is plain HTTP.
App: LB passes the TLS stream through untouched (it can route on SNI but never sees plaintext or holds a key); the application terminates.
End-to-end: every hop is TLS and each side authenticates the other with mTLS, all the way to the application and between services.
Four-criteria split
- 1. Performance budget: handshake CPU and latency, and whether you can offload them (and cache responses) at the edge.
- 2. Threat model: who can read or tamper with traffic on the internal network.
- 3. Compliance regime: whether encryption in transit is required inside your own network, not only on the public edge.
- 4. Operational team capability: whether the team can issue, rotate, revoke and monitor certificates at the scale the pattern needs.
Security implications
Edge: simplest, and the private key lives only at the edge; but it rests on the assumption that the internal network is trusted, because everything behind the edge can read the plaintext.
App: the LB never holds a private key or sees plaintext, since the TLS session runs from the client through the LB to the app; the cost is that the LB loses HTTP-level visibility (no WAF, no header-based routing, no request logging at the edge).
End-to-end: zero-trust, no hop is trusted by virtue of its network position; complex, because every workload needs an identity and a PKI that issues, rotates and revokes it.
Operational reality
Most teams: edge termination + private VPC, which is the trusted-network assumption made explicit.
Higher-stakes: edge terminates, then opens a new TLS session to the app (re-encryption). Verify the app's certificate on that second hop; with verification off, re-encryption stops passive sniffing but not an impostor backend.
Zero-trust: end-to-end mTLS, which in practice means automated certificate issuance and rotation for every workload.
Antipatterns
- Edge termination + untrusted internal network. Wrong combo: plaintext on the very path the threat model says is hostile.
- End-to-end without operational ability. Cert ops eat the team, and an expired certificate becomes an outage instead of a security event.
- App termination without an HSM or central key management. Key sprawl: the private key is copied onto every app host, and compromise of any one host is compromise of the key.
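The LB-to-app hop for the re-encrypt and mTLS patterns under Operational reality, and the re-encrypt-without-verification antipattern, as an added example that is not code from the original page: a Go program that builds a throwaway internal CA, a real app, a rogue backend and an mTLS-only app in-process with crypto/tls, then tries each hop shape. The CA, the names app.internal and lb.internal, the rogue backend and the Outcome type are all constructed for this demonstration.

```go
package main

// Added example, not from the original page: the LB-to-app hop under the re-encrypt and
// mTLS patterns, built in-process with crypto/tls. CA, names and rogue backend are constructed.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// issue creates a certificate for cn signed by parent; a nil parent means self-signed.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, isCA bool) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// pair packages a certificate and its key the way crypto/tls expects.
func pair(c *x509.Certificate, k *ecdsa.PrivateKey) tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{c.Raw}, PrivateKey: k}
}

// startApp runs an "app" that terminates TLS itself; with requireClient it also demands
// a client certificate chaining to caPool, which is the mTLS pattern.
func startApp(cert tls.Certificate, caPool *x509.CertPool, requireClient bool) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "ok") }))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	if requireClient {
		srv.TLS.ClientAuth, srv.TLS.ClientCAs = tls.RequireAndVerifyClientCert, caPool
	}
	srv.StartTLS()
	return srv
}

// hop makes one LB-to-app request with the given client TLS settings; nil means the app answered.
func hop(url string, cfg *tls.Config) error {
	tr := &http.Transport{TLSClientConfig: cfg}
	defer tr.CloseIdleConnections()
	resp, err := (&http.Client{Transport: tr, Timeout: 5 * time.Second}).Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// Outcome records, per hop shape, whether the LB reached the app (nil) or was refused.
type Outcome struct {
	VerifiedToApp     error // re-encrypt, backend cert checked against the internal CA
	VerifiedToRogue   error // same client against an impostor with a self-signed cert
	UnverifiedToRogue error // re-encrypt with verification off: the impostor is accepted
	MTLSNoClientCert  error // mTLS app, LB presents no identity
	MTLSClientCert    error // mTLS app, LB presents a CA-issued client cert
}

func runScenarios() Outcome {
	ca, caKey := issue("internal-ca", nil, nil, true)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	app := pair(issue("app.internal", ca, caKey, false))
	lb := pair(issue("lb.internal", ca, caKey, false))
	rogue := pair(issue("app.internal", nil, nil, false)) // right name, wrong issuer
	realApp, rogueApp, mtlsApp := startApp(app, pool, false), startApp(rogue, pool, false), startApp(app, pool, true)
	defer func() { realApp.Close(); rogueApp.Close(); mtlsApp.Close() }()
	verified := &tls.Config{RootCAs: pool, ServerName: "app.internal"}
	unverified := &tls.Config{InsecureSkipVerify: true} // the "re-encrypt but don't verify" antipattern
	withIdentity := &tls.Config{RootCAs: pool, ServerName: "app.internal", Certificates: []tls.Certificate{lb}}
	return Outcome{
		VerifiedToApp:     hop(realApp.URL, verified),
		VerifiedToRogue:   hop(rogueApp.URL, verified),
		UnverifiedToRogue: hop(rogueApp.URL, unverified),
		MTLSNoClientCert:  hop(mtlsApp.URL, verified),
		MTLSClientCert:    hop(mtlsApp.URL, withIdentity),
	}
}

func main() { fmt.Printf("%+v\n", runScenarios()) }
```

Run it with go run; a field is nil when that hop succeeded. Only VerifiedToApp, UnverifiedToRogue and MTLSClientCert come back nil, and the middle one is the point: with InsecureSkipVerify the "re-encrypted" hop accepts any backend that answers, so it buys protection against passive sniffing only. The mTLS app refuses the LB until it presents a certificate from the internal CA, which is the operational cost the Antipatterns list warns about: that identity has to be issued and rotated on every LB and app host.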
What to do this week
Three moves. (1) Pick the termination point for your highest-risk network path using the four criteria, and apply it. (2) Measure the rate of TLS failure modes (handshake errors, certificate expiries, verification failures) before and after. (3) Document where plaintext exists on the path and who holds which private keys, so the next incident responder inherits the knowledge.