TCP load balancers do support TLS termination, but they don't forward on the existing SNI information.
This means we have to create a load balancer and an origin pool pair per named endpoint.
Our use case is Kafka, where we need to target the correct broker that hosts the topic.
We currently use Kong, which supports SNI TCP routing. Using a load balancer without TLS termination does allow the traffic through and does pass on the SNI information. As we have configured F5 with ownership of our certificates, we can't have properly signed certs if we have to terminate the connection. If F5 doesn't terminate the connection, the traffic will be opaque and it won't see any potential attacks.
If we use F5 with TLS termination, it drops the SNI information and we must create both a load balancer and an origin pool per name, all of which add to the complexity and cost.