SSL and TLS termination

How the load balancer handles encrypted traffic depends on the layer and protocol you pick at creation. There are two TLS modes:

ModeWhere you get itBehavior
TerminateL7 with protocol HTTPSThe load balancer decrypts traffic with a managed certificate, then forwards to backends
PassthroughL4 with protocol tls_passthroughEncrypted traffic is forwarded as-is — your backend holds the certificate and terminates TLS

Terminate at the edge (L7 HTTPS)

Create an L7 load balancer with protocol HTTPS. The platform provisions and manages the certificate — there is nothing to upload or renew.

Traffic from the load balancer to your backends is plain HTTP by default. To re-encrypt the hop to a backend, enable the TLS checkbox on that backend row — the load balancer then connects to it over TLS.

Use termination when you want:

  • Managed certificates with no renewal work
  • L7 features that need to read the request — path/header rules, sticky sessions

Pass TLS through (L4)

Create an L4 load balancer with protocol tls_passthrough. The load balancer forwards encrypted bytes without decrypting, so:

  • Your backends present their own certificate and terminate TLS themselves
  • End-to-end encryption is preserved — the load balancer never sees plaintext
  • L7 features (path rules, header matches, sticky sessions) are not available, since the traffic can’t be inspected

Use a tcp or tls_passthrough health check style accordingly — with passthrough, prefer a tcp check or an https check if the backend exposes one.

Custom domains

The detail page shows the load balancer’s endpoint host. If a custom domain is configured, it also shows the CNAME target — create a CNAME record at your DNS provider pointing your domain to that target.