TLS Endpoints
Most endpoints in the platform already support TLS or mTLS. Notably, all application traffic is now encrypted from the routing tier to the application container on Linux. As of TAS 2.5, the following resources are still sent unencrypted:
- Route registrations (HTTP and TCP)
- Various component load balancer health checks
- Compiled application droplets
- Container-to-container networking policies
- Viewed application logs
- Traffic to internal MySQL
- Application traffic to Windows applications
- Miscellaneous service traffic
- Miscellaneous partner tile traffic
We are actively working to remediate all of these endpoints and will update the list of unencrypted resources in this KB article with each minor TAS release (e.g. TAS 2.6). In the meantime, please let your account team know if you have any questions.
IPsec
Knowing that this rollout would take a significant amount of time and effort, our original answer to this concern was the IPsec add-on. We believe that we can provide a better experience by using TLS between all components and deprecating the IPsec add-on. Regrettably, IPsec must be deployed on all machines if it is to be used at all, so we will need to convert every platform component to TLS, including external service tiles and partner tiles, before the IPsec add-on can be deprecated.