Module 4 · Edge: DNS, CDN, Load Balancers · Day 038 · 25 min

TLS Termination and mTLS

Encrypt the wire, identify the parties.

Memory hook

TLS Termination and mTLS: encrypt the wire, identify the parties

Mental model

Move the first decision closer to the user.

Design lens

Cert rotation is the long-term operational task.

Recall anchors

Termination · mTLS

Why it matters

TLS encrypts traffic between client and server and authenticates the server (and optionally the client). Termination at the edge keeps backends simple; mTLS at internal hops authenticates services without sharing tokens.

Deep dive

TLS 1.3 handshake: 1-RTT is typical; 0-RTT is optional and comes with replay caveats.

Cert management: ACME (Let's Encrypt) automates the public side; private CAs serve internal mTLS.

Service mesh (Envoy + sidecar) often handles mTLS so application code stays simple.

Demo / scenario

Adding mTLS between two internal services.

  1. Stand up internal CA.
  2. Issue per-service certs via SPIFFE/SPIRE.
  3. Sidecars terminate mTLS; apps unchanged.
  4. Audit identities in logs.
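
Worked example, added here and not code from the original page, Envoy or SPIRE: the four steps above carried out end to end in Go. An in-memory CA stands in for the internal CA of step 1, a small issuer stands in for SPIRE in step 2 (the cert shape is SPIRE's: the SPIFFE ID sits in the URI SAN), a tls.Config built in-process stands in for the sidecar of step 3, and the identity the server extracts from the verified certificate is what the audit log of step 4 would record. Assumptions: Go 1.18 or newer, a usable loopback TCP port, and the constructed SPIFFE IDs spiffe://example.internal/service-a and spiffe://example.internal/service-b; the names NewCA, Issue, spiffeVerifier, SidecarConfig and Handshake are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"time"
)

const svcA, svcB = "spiffe://example.internal/service-a", "spiffe://example.internal/service-b" // constructed IDs for the scenario
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewCA is Step 1: an internal issuer. Demo keys live in memory; a real CA keeps its signing key in SPIRE's upstream authority or an HSM.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)))), key
}

// Issue is Step 2: a short-lived per-service cert whose identity is a SPIFFE ID in the URI SAN, the shape SPIRE produces. A negative ttl yields an already-expired cert.
func Issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, spiffeID string, ttl time.Duration) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))), URIs: []*url.URL{must(url.Parse(spiffeID))},
		Subject: pkix.Name{CommonName: spiffeID}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(ttl),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	return tls.Certificate{Certificate: [][]byte{must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))}, PrivateKey: key}
}

// spiffeVerifier is the sidecar policy: chain-validate the peer against the internal CA for the given usage, then require its SPIFFE ID to be on the allowlist.
func spiffeVerifier(pool *x509.CertPool, usage x509.ExtKeyUsage, allowed ...string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error { // Go hands this at least one cert for the modes used below
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err == nil { // single-tier CA in this demo, so no Intermediates pool is needed
			_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{usage}})
		}
		if err != nil {
			return fmt.Errorf("chain: %w", err)
		}
		for _, id := range allowed {
			if len(leaf.URIs) > 0 && leaf.URIs[0].String() == id {
				return nil
			}
		}
		return fmt.Errorf("peer identity %v not in allowlist", leaf.URIs)
	}
}

// SidecarConfig is Step 3, the same policy at either end. SPIFFE certs carry no DNS name, so Go's hostname check is replaced (not skipped) by spiffeVerifier.
func SidecarConfig(ca *x509.Certificate, own tls.Certificate, asServer bool, peers ...string) *tls.Config {
	pool := x509.NewCertPool() // the trust bundle every sidecar receives
	pool.AddCert(ca)
	usage, auth := x509.ExtKeyUsageServerAuth, tls.NoClientCert
	if asServer { // a client cert becomes mandatory, and spiffeVerifier rather than hostname rules validates it
		usage, auth = x509.ExtKeyUsageClientAuth, tls.RequireAnyClientCert
	}
	return &tls.Config{MinVersion: tls.VersionTLS13, Certificates: []tls.Certificate{own}, ClientAuth: auth,
		InsecureSkipVerify: true, SessionTicketsDisabled: true, // no resumption tickets: every connection is a full 1-RTT handshake
		VerifyPeerCertificate: spiffeVerifier(pool, usage, peers...)}
}

// Handshake runs one mTLS handshake over loopback and returns the client identity the server saw, which is what the Step 4 audit log records.
func Handshake(server, client *tls.Config) (id string, err error) {
	ln := must(net.Listen("tcp", "127.0.0.1:0")) // loopback stands in for the pod network
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		conn := tls.Server(must(ln.Accept()), server)
		defer conn.Close()
		herr := conn.Handshake()
		if herr == nil { // Step 4: log this identity; it comes from the verified certificate, never from a header
			id = conn.ConnectionState().PeerCertificates[0].URIs[0].String()
		}
		done <- herr
	}()
	raw := must(net.Dial("tcp", ln.Addr().String()))
	defer raw.Close()
	cerr := tls.Client(raw, client).Handshake()
	if err = <-done; err != nil { // the server's verdict decides, and the socket stays open until it is in
		return "", fmt.Errorf("server rejected: %w", err)
	}
	return id, cerr
}

func main() { // Service A calls Service B; B accepts only A's identity and A expects only B's
	ca, caKey := NewCA("example internal CA")
	fmt.Println(Handshake(SidecarConfig(ca, Issue(ca, caKey, svcB, time.Hour), true, svcA), SidecarConfig(ca, Issue(ca, caKey, svcA, time.Hour), false, svcB)))
}
```

Running it prints the identity Service B accepted (spiffe://example.internal/service-a) and a nil error. The same Handshake call returns an error when the client presents a cert that has expired (Issue with a negative ttl), one signed by a different CA, or one whose SPIFFE ID is absent from the server's allowlist, and when the client is told to expect a different server identity; the first of those is the failure mode that makes cert rotation the long-term operational task.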

Tradeoffs

  • Cert rotation is the long-term operational task.
  • Mesh adds latency (~1 ms per sidecar).
  • Strong identity foundation pays off for zero-trust.

Diagram

Client --TLS--> Edge LB --mTLS--> Service A --mTLS--> Service B
Edge TLS, mesh mTLS.
