Alexliard, the way it works is that when e2e TLS is enabled, traffic is encrypted whenever it's "on the wire" between VMs. To give you a high level, traditionally TLS is negotiated only between the client and App Service load balancers. Then the load balancers proxy plain-text traffic to the backend workers. With e2e TLS, the load balancer => worker traffic is encrypted with TLS. However, when the request arrives on your worker, it does not go directly to your app but rather to another reverse proxy which forwards to your app (hosted on the same VM). This final hop is still plain text because it is no longer going off the box. The benefit is you get all the benefits of e2e TLS but still do not need to manage certificates, etc. Makes sense?