diff --git a/service/files/ca-cert.pem.j2 b/service/files/ca-cert.pem.j2
new file mode 100644
index 0000000..d52069b
--- /dev/null
+++ b/service/files/ca-cert.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.ca_cert }}
diff --git a/service/files/defaults.yaml b/service/files/defaults.yaml
index d5e6349..af04eb5 100644
--- a/service/files/defaults.yaml
+++ b/service/files/defaults.yaml
@@ -1,5 +1,7 @@
 configs:
   neutron:
+    tls:
+      enabled: true
     db:
       password: password
       name: neutron
diff --git a/service/files/neutron.conf.j2 b/service/files/neutron.conf.j2
index 8353c2c..318e1e0 100644
--- a/service/files/neutron.conf.j2
+++ b/service/files/neutron.conf.j2
@@ -4,8 +4,12 @@ debug = {{ neutron.debug }}
 use_stderr = true
 use_syslog = false
-
+{% if neutron.tls.enabled %}
+bind_host = 127.0.0.1
+{% else %}
 bind_host = {{ network_topology["private"]["address"] }}
+{% endif %}
+
 bind_port = {{ neutron.server_port.cont }}
 api_paste_config = /usr/share/neutron/api-paste.ini
@@ -47,6 +51,9 @@ project_name = service
 username = {{ nova.db.username }}
 password = {{ nova.db.password }}
 endpoint_type = internal
+{% if nova.tls.enabled %}
+cafile = /opt/ccp/etc/tls/ca.pem
+{% endif %}
 
 [oslo_concurrency]
 lock_path = /var/lib/neutron/tmp
diff --git a/service/files/nginx-neutron-server.conf.j2 b/service/files/nginx-neutron-server.conf.j2
new file mode 100644
index 0000000..18ca7aa
--- /dev/null
+++ b/service/files/nginx-neutron-server.conf.j2
@@ -0,0 +1,9 @@
+server {
+    listen {{ network_topology["private"]["address"] }}:{{ neutron.server_port.cont }} ssl;
+    include common/ssl.conf;
+
+    location / {
+        proxy_pass http://neutron_server;
+        include common/proxy-headers.conf;
+    }
+}
diff --git a/service/files/server-cert.pem.j2 b/service/files/server-cert.pem.j2
new file mode 100644
index 0000000..8abc152
--- /dev/null
+++ b/service/files/server-cert.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_cert }}
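Review bot: In the second neutron.conf.j2 hunk the `cafile = /opt/ccp/etc/tls/ca.pem` line is guarded by `nova.tls.enabled`, but the ca-cert file it points to is only added to the neutron-server container's file list under `neutron.tls.enabled` in the neutron-server.yaml hunk, so a deployment with nova TLS on and neutron TLS off renders a cafile path that is never installed and neutron's calls to nova will fail certificate verification. Either guard the `- ca-cert` entry in neutron-server.yaml with the same flag, or ship the CA whenever either service has TLS enabled, e.g. `# {% if neutron.tls.enabled or nova.tls.enabled %}` around both the file-list entry and the `ca-cert:` definition. The [nova] section this hunk belongs to starts outside the hunk, so the same check is worth applying to any other section that gains a cafile.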
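Review bot: The new `server` block in nginx-neutron-server.conf.j2 uses `listen ... ssl;` but carries no `ssl_certificate`/`ssl_certificate_key` directives, so it relies entirely on `common/ssl.conf` (not part of this change) pointing at /opt/ccp/etc/tls/server-cert.pem and server-key.pem, the paths declared in neutron-server.yaml; a mismatch would only surface as an nginx startup failure. Worth confirming that the shared include also sets the protocol and cipher policy, since nothing in this file does. A comment above the include, `# cert/key paths and TLS policy come from common/ssl.conf; must match files: in neutron-server.yaml`, would make that coupling visible to the next editor.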
diff --git a/service/files/server-key.pem.j2 b/service/files/server-key.pem.j2
new file mode 100644
index 0000000..70cf751
--- /dev/null
+++ b/service/files/server-key.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_key }}
diff --git a/service/files/upstreams.conf.j2 b/service/files/upstreams.conf.j2
new file mode 100644
index 0000000..dd851f0
--- /dev/null
+++ b/service/files/upstreams.conf.j2
@@ -0,0 +1,3 @@
+upstream neutron_server {
+    server 127.0.0.1:{{ neutron.server_port.cont }};
+}
diff --git a/service/neutron-server.yaml b/service/neutron-server.yaml
index fd312ae..3c6e31a 100644
--- a/service/neutron-server.yaml
+++ b/service/neutron-server.yaml
@@ -67,10 +67,24 @@ service:
         files:
           - neutron.conf
           - ml2-conf.ini
+          # {% if neutron.tls.enabled %}
+          - ca-cert
+          # {% endif %}
       # {% if neutron.plugin_agent == "opendaylight" %}
       dependencies:
         - openvswitch-vswitchd
       # {% endif %}
+    # {% if neutron.tls.enabled %}
+    - name: nginx-neutron-server
+      image: nginx
+      daemon:
+        files:
+          - servers
+          - server-cert
+          - server-key
+          - upstreams
+        command: nginx
+    # {% endif %}
 
 files:
   neutron.conf:
@@ -81,3 +95,25 @@ files:
     path: /etc/neutron/plugins/ml2/ml2_conf.ini
     content: ml2_conf.ini.j2
     perm: "0600"
+  # {% if neutron.tls.enabled %}
+  servers:
+    path: /etc/nginx/conf.d/servers.conf
+    content: nginx-neutron-server.conf.j2
+    perm: "0400"
+  upstreams:
+    path: /etc/nginx/conf.d/upstreams.conf
+    content: upstreams.conf.j2
+    perm: "0400"
+  server-cert:
+    path: /opt/ccp/etc/tls/server-cert.pem
+    content: server-cert.pem.j2
+    perm: "0400"
+  server-key:
+    path: /opt/ccp/etc/tls/server-key.pem
+    content: server-key.pem.j2
+    perm: "0400"
+  ca-cert:
+    path: /opt/ccp/etc/tls/ca.pem
+    content: ca-cert.pem.j2
+    perm: "0400"
+  # {% endif %}
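Review bot: The new `server-key` entry in neutron-server.yaml sets `perm: "0400"`, which is the right mode for a private key, but the files block states no owner, so whether the nginx sidecar can read it depends on the user the rendered file is assigned to; if that is not the user nginx runs as, the container fails at start rather than degrading. The same applies to `ca-cert` at 0400 in the neutron-server container, which presumably runs unprivileged. Also worth confirming, since it is not visible here, that `security.tls.server_key` is populated from a secret store rather than the same plain config path as defaults.yaml, because server-key.pem.j2 now moves the key through the ordinary templating mechanism. A comment above the block, `# TLS material: key stays 0400 and must be owned by the nginx runtime user`, would record that expectation.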