TLS Termination: Where and Why
TLS termination is a security + performance choice. The right answer depends on threat model and operational maturity.
Four termination points
Every request path terminates TLS somewhere, and in the re-encrypt model it terminates twice. Where the termination sits dictates the threat model and the operational load.
- Edge. CDN or LB terminates; backend traffic is plain HTTP inside a VPC the design treats as trusted.
- App. Load balancer passes through; the application terminates TLS itself.
- Re-encrypt. Edge terminates and the LB re-encrypts to the app over a separate TLS hop.
- End-to-end. mTLS from client to service all the way; zero-trust posture, no implicit network trust.
Four deciding criteria
- 1. Performance budget. How much latency and CPU you can spend on extra handshakes and re-encryption.
- 2. Threat model. Who you assume can get onto the internal network, and what they can do from there.
- 3. Compliance regime. Whether an auditor or regulator requires encryption in transit on every hop.
- 4. Operational team capability. Whether the team can run certificate issuance and rotation at the scale the chosen model demands.
Security implications
Each termination point implies a trust boundary. The boundary you accept is the one you have to defend with other controls.
- Edge. Simplest; relies on the assumption that the VPC is a trusted boundary.
- App. Stronger; TLS protects traffic from LB to app even within the VPC.
- End-to-end. Zero-trust; no implicit trust at any hop, but cert ops and identity must scale to every service.
- Insider risk. Edge termination concedes that anyone with a foothold on the internal network (a compromised host, a misconfigured peering, a malicious insider) can read and modify backend traffic; size your other controls accordingly.
Operational reality
Most teams ship the simplest model that meets their threat model. Operational maturity, not paranoia, decides the upgrade path.
- Default. Edge termination plus private VPC; works for the majority of customer-facing apps.
- Higher stakes. Edge plus re-encrypt to the app; the cost of one extra TLS hop is small compared to the audit benefit.
- Zero-trust. End-to-end mTLS via a service mesh (Istio, Linkerd); operationalised cert rotation is mandatory.
- Cert automation. ACME, cert-manager, or AWS ACM; manual cert rotation does not survive past a handful of services.
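The end-to-end model described under Security implications and Operational reality, as an added example that is not code from the original page: a Go program that stands up a private CA, issues certificates to two services, runs an mTLS-only service, and then shows that a caller on the same loopback network with no certificate is refused while a caller holding a CA-issued certificate is identified by the CN in that certificate. The names (internal-ca, checkout-svc, cart-svc), the one-hour certificate lifetime and the loopback addressing are assumptions for the demo; a real deployment gets its certificates from the issuers named above (cert-manager, ACM, a mesh CA) rather than minting them in-process.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// mustIssue mints a short-lived P-256 certificate signed by parent/parentKey; with
// parent == nil it returns a self-signed CA. Panicking is fine for demo setup only.
func mustIssue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo serial; real CAs use random serials
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour), // short-lived: only workable with automated rotation
		BasicConstraintsValid: true,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1)} // loopback SAN for the demo service
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// DemoResult records what the mTLS service observed from two callers.
type DemoResult struct {
	Identity       string // CN of the client certificate the service verified
	AnonymousError error  // non-nil when the caller that sent no certificate was refused
}

// RunMTLSDemo starts an mTLS-only HTTP service on loopback, calls it with a
// client certificate issued by the private CA, then calls it with none.
func RunMTLSDemo() (DemoResult, error) {
	var res DemoResult
	ca, caKey := mustIssue("internal-ca", nil, nil)
	srvCert, srvKey := mustIssue("checkout-svc", ca, caKey)
	cliCert, cliKey := mustIssue("cart-svc", ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	// Service side: present checkout-svc's cert and refuse any peer whose cert does not
	// chain to the private CA. Identity comes from the certificate, not from the network.
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// RequireAndVerifyClientCert guarantees a verified peer certificate here.
		fmt.Fprint(w, r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		MinVersion:   tls.VersionTLS12,
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientCAs:    pool,
		ClientAuth:   tls.RequireAndVerifyClientCert,
	}
	srv.StartTLS()
	defer srv.Close()
	// Caller 1: trusts the private CA and presents cart-svc's certificate.
	authed := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
		RootCAs:      pool,
		Certificates: []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}},
	}}}
	resp, err := authed.Get(srv.URL)
	if err != nil { return res, err }
	body, err := io.ReadAll(resp.Body)
	resp.Body.Close()
	if err != nil { return res, err }
	res.Identity = string(body)
	// Caller 2: same network, same trust in the CA, no certificate of its own. The
	// handshake is refused; being "inside" the network buys it nothing.
	anon := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}}
	if resp, err := anon.Get(srv.URL); err != nil {
		res.AnonymousError = err
	} else {
		resp.Body.Close()
	}
	return res, nil
}

func main() { fmt.Println(RunMTLSDemo()) } // prints the DemoResult and any setup error
```

Running it prints the identity the service verified (cart-svc) and the handshake error the anonymous caller received. The point to carry over: with RequireAndVerifyClientCert the trust boundary is the private CA, not the VPC, which is exactly the assumption the edge model makes and the end-to-end model removes. In the re-encrypt model the same server configuration sits between the load balancer and the app, with the LB holding the client certificate.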
Antipatterns
- Edge termination on an internal network you do not actually trust (shared VPC, flat network, third-party appliances inside the perimeter). The threat model and the architecture contradict each other.
- End-to-end mTLS without the automation to run it. Expired certificates become the outage, and cert ops eat the team.
- App termination without an HSM or equivalent central key custody. Every app host holds a long-lived private key, nobody knows where all the copies are, and rotation never happens: key sprawl.
What to do this week
Three moves. (1) Pick the termination model above that matches your threat model and apply it to your highest-risk network path. (2) Measure TLS handshake and certificate failure rates before and after the change. (3) Document the change, including where keys and certificates now live, so the next incident responder inherits the knowledge.