TLS Inspection

TLS Inspection lets you inspect encrypted TLS/HTTPS traffic entering cloud resources.

Overview

When TLS Inspection is enabled, the system decrypts incoming TLS/HTTPS traffic, inspects it using Intrusion Prevention System (IPS) policies, and then re-encrypts the traffic before forwarding it to the destination.

This helps detect threats hidden in encrypted traffic while maintaining encrypted forwarding to the workload.

How TLS Inspection Works

  1. Incoming TLS/HTTPS traffic reaches the firewall rule.
  2. Traffic is temporarily decrypted using the certificate you provide.
  3. IPS policies inspect the traffic.
  4. Traffic is re-encrypted.
  5. Traffic is forwarded to the VM or load balancer.

Inspection Method

TLS Inspection uses Intrusion Prevention System (IPS) policies to detect and prevent malicious traffic before it reaches the workload.

When TLS Inspection Can Be Enabled

TLS Inspection is available only for:

  • Incoming firewall rules.
  • Traffic originating from the internet or shared area.

Configuring TLS Inspection

Prerequisites

  • A valid certificate must exist in Certificate Manager.
  • The firewall rule must be an incoming rule for traffic from the internet or shared area.
  • You must have permission to modify firewall rules.

Enable TLS Inspection

TLS Inspection can be enabled from:

  • Virtual Machine > Firewall Rules
  • Load Balancer > Firewall Rules

Steps:

  1. Navigate to the firewall rules page.
  2. Locate the incoming rule to modify.
  3. Enable TLS Inspection.
  4. Select a certificate from Certificate Manager.
  5. Click Submit.

The certificate is associated with the firewall rule, and inspection becomes active immediately.

Certificate Associations

Certificate Manager shows where a certificate is used. The Associated To column displays usage such as:

  • 1 firewall rule in VM: <vm_name>
  • 8 firewall rules in LB: <lb_name>

Clicking the association redirects to the corresponding resource. The certificate overview also lists all associated firewall rules.

Logging and Visibility

Traffic inspected through TLS Inspection appears in Firewall Logs. No additional configuration is required.