How to use the automatic option to enable TLS encapsulation for container-to-container traffic



Article ID: 298445


Products

VMware Tanzu Application Service for VMs

Issue/Introduction

TLS encapsulation for container-to-container traffic is disabled by default.

To secure communication between the source and destination containers on the overlay network, you can enable TLS encapsulation using either of the following options. This article shows an example of using the Automatic option to enable TLS. Note that this feature is only available since TAS v2.13, although the same description also appears in earlier versions of the documentation.

  • Automatic: Use the automatic option when you only care that traffic between the containers cannot be sniffed on the overlay network.
  • Manual: Use the manual option when your app also needs to use TLS capabilities for its operation. For example, the destination app can examine the client certificate and reject service for those that are not permitted.


Environment

Product Version: Other

Resolution

The following procedure can be used as a demo in TAS v2.13 or above.
1.) Assume we have two apps, david-index-front and david-index-backend. Their roles are self-explanatory from their names.

2.) Create an internal route for each of the two apps.
(screenshot omitted)

3.) Map these two routes to the two apps.
(screenshot omitted)

4.) Create a network policy that allows david-index-front to talk to david-index-backend on port 61443, which is the port that enables Automatic TLS.
(screenshot omitted)

5.) Use "cf ssh" to get into the david-index-front container and test the TLS connection by accessing david-index-backend.
(screenshot omitted)
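The five steps above scripted with the cf CLI (v7+ syntax), as an added example that is not part of the KB article. It assumes the internal domain is apps.internal (the TAS default), that both apps already exist, and that the CA signing the sidecar certificate on port 61443 is trusted inside the container, so curl can verify the connection without disabling certificate checks.

```shell
#!/usr/bin/env bash
# Added example, not from the KB article. Assumes cf CLI v7+ and the
# apps.internal internal domain (TAS default). Set CF=echo for a dry run
# that only prints the commands instead of executing them.
set -eu

CF="${CF:-cf}"
TLS_PORT=61443   # sidecar listener that gives "Automatic" TLS encapsulation

# Steps 2 and 3: create an internal route for an app and map it to the app.
map_internal_route() {
  local app="$1" domain="$2"
  "$CF" create-route "$domain" --hostname "$app"
  "$CF" map-route "$app" "$domain" --hostname "$app"
}

# Step 4: allow source -> destination only on the TLS port. Because no policy
# is added for the app's plaintext port, the overlay only carries TLS traffic.
allow_tls_only() {
  local src="$1" dst="$2"
  "$CF" add-network-policy "$src" "$dst" --protocol tcp --port "$TLS_PORT"
}

# Step 5: from inside the source container, check that the backend answers
# over HTTPS on 61443. --fail makes curl exit non-zero on an HTTP error, and
# certificate verification stays on (assumes the sidecar CA is trusted).
probe_backend_tls() {
  local src="$1" dst="$2" domain="$3"
  "$CF" ssh "$src" -c "curl -sS --fail https://${dst}.${domain}:${TLS_PORT}/"
}

# Runs the whole procedure for one source/destination pair.
enable_c2c_tls() {
  local src="$1" dst="$2" domain="${3:-apps.internal}"
  map_internal_route "$src" "$domain"
  map_internal_route "$dst" "$domain"
  allow_tls_only "$src" "$dst"
  probe_backend_tls "$src" "$dst" "$domain"
}

# Usage (against a real foundation, after cf login and cf target):
#   enable_c2c_tls david-index-front david-index-backend
```

Running the same call with CF=echo prints the exact cf commands so you can review the policy before it is applied.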