I’m a lazy dude. When developing cloud solutions for cheap in AWS clouds, it’s very easy to obtain Let’s Encrypt free ACME certificates.
In AWS GovCloud, it can be a little harder when building to scale. For my use case, a customer requires internal TLS connections at all endpoints, free, and use a wildcard. With AWS ACM certificates, the private key data cannot be exposed to services.
Apps should probably terminate TLS a the LB