Explain TLS Termination vs Passthrough.
TLS termination vs passthrough describes whether encrypted TLS traffic is decrypted at a proxy/load balancer (termination) or forwarded still encrypted directly to backend servers (passthrough).
When to Use
Use TLS termination when you want the proxy to inspect, route, or log traffic, or to offload CPU-intensive decryption from backend servers. Use TLS passthrough when you require true end-to-end encryption and don’t need the proxy to read traffic.
Example
If a load balancer sits before your app servers, with termination it decrypts traffic and forwards plain HTTP internally; with passthrough, it simply forwards encrypted traffic, and each server decrypts on its own.
Why Is It Important
The choice impacts security and performance: termination simplifies operations but breaks pure end-to-end encryption, while passthrough ensures stronger security but limits proxy features.
Interview Tips
In interviews, clearly define both terms, highlight when to use each, and explain the trade-off between control vs. end-to-end security. Use simple diagrams in whiteboard rounds if asked.
Trade-offs
Termination offers central control and reduces server load but sacrifices end-to-end encryption. Passthrough preserves strict encryption but prevents advanced routing, caching, or inspection at the proxy.
Pitfalls
Common mistakes include assuming a passthrough proxy can inspect the contents of the traffic (it cannot), or forgetting that termination exposes plaintext on the internal network, so internal network security is critical.
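To make the passthrough limit concrete, the added example below (not part of the original page) shows what a proxy without the private key can still read: the server name (SNI) in the unencrypted ClientHello, and nothing inside later application-data records. The ClientHello bytes, host names and backend address are constructed for illustration, and the sketch assumes the client sends SNI in the clear (no Encrypted Client Hello).

```python
import struct

def build_client_hello(hostname: str) -> bytes:
    """Constructed sample: minimal TLS ClientHello record carrying one SNI name."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
    sni_ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
    body = (b"\x03\x03" + bytes(32)      # legacy_version, random (all zeros, constructed)
            + b"\x00"                    # empty session_id
            + b"\x00\x02\x13\x01"        # one cipher suite
            + b"\x01\x00"                # null compression only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def peek_sni(first_bytes: bytes):
    """Return the SNI host name from a ClientHello record, or None.
    No key is needed: this part of the handshake is sent unencrypted."""
    if len(first_bytes) < 6 or first_bytes[0] != 0x16 or first_bytes[5] != 0x01:
        return None                      # not a handshake record holding a ClientHello
    rec_len = struct.unpack("!H", first_bytes[3:5])[0]
    buf = first_bytes[5:5 + rec_len]
    try:
        pos = 4 + 2 + 32                 # handshake header, version, random
        pos += 1 + buf[pos]              # session_id
        pos += 2 + struct.unpack("!H", buf[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + buf[pos]              # compression_methods
        end = pos + 2 + struct.unpack("!H", buf[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", buf[pos:pos + 4])
            if ext_type == 0:            # server_name extension
                name_len = struct.unpack("!H", buf[pos + 7:pos + 9])[0]
                name = buf[pos + 9:pos + 9 + name_len]
                return name.decode("ascii") if len(name) == name_len else None
            pos += 4 + ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                             # truncated or malformed: treat as unroutable
    return None

def route_passthrough(first_bytes: bytes, backends: dict, default=None):
    """The only routing decision available in passthrough mode: by SNI."""
    return backends.get(peek_sni(first_bytes), default)

BACKENDS = {"app.example.internal": "10.0.0.11:8443"}         # hypothetical backend
APP_DATA = b"\x17\x03\x03\x00\x04" + b"\x9c\x41\x07\xee"      # constructed opaque record
```

Routing on URL path, headers or cookies needs the decrypted request, which is why those features require termination.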