by revertts
2310 days ago
The problem isn't with terminating SSL, it's with keeping your keys safe on exposed infrastructure. A single domain name and DNS to route is uncommon because it doesn't give you fine-grained control of load - you need to be mindful of the rack's capacity, and you also need to make sure that most of that ISP's customers go to the rack/people who aren't that ISP's customers don't go to it. Anycasting isn't going to be great for traffic management or long-lived TCP conns, and if you can avoid the complexity of each rack needing a BGP session into the ISP's network you're going to be much better off. Typically this is going to be directly routed to the rack via a unique DNS name after some form of service call.