SSL and TLS termination
How the load balancer handles encrypted traffic depends on the layer and protocol you pick at creation. There are two TLS modes:
Terminate at the edge (L7 HTTPS)
Create an L7 load balancer with protocol HTTPS. The platform provisions and manages the certificate — there is nothing to upload or renew.
Traffic from the load balancer to your backends is plain HTTP by default. To re-encrypt the hop to a backend, enable the TLS checkbox on that backend row — the load balancer then connects to it over TLS.
Use termination when you want:
- Managed certificates with no renewal work
- L7 features that need to read the request — path/header rules, sticky sessions
Pass TLS through (L4)
Create an L4 load balancer with protocol tls_passthrough. The load balancer forwards encrypted bytes without decrypting, so:
- Your backends present their own certificate and terminate TLS themselves
- End-to-end encryption is preserved — the load balancer never sees plaintext
- L7 features (path rules, header matches, sticky sessions) are not available, since the traffic can’t be inspected
Use a tcp or tls_passthrough health check style accordingly — with passthrough, prefer a tcp check or an https check if the backend exposes one.
Custom domains
The detail page shows the load balancer’s endpoint host. If a custom domain is configured, it also shows the CNAME target — create a CNAME record at your DNS provider pointing your domain to that target.
