We should have a TLS layer available for inbound connections to the tier-1 varnish backend caches. The clients are other varnish instances (cross-tier between backends). We could possibly expand this to cover local frontend->backend within a single datacenter later as well, but that case isn't as critical and can be looked at afterwards. Since we already have an nginx tlsproxy running on these hosts for inbound frontend traffic, the easiest path here is probably to configure it to support an additional, separate listening port which proxies into the varnish backend instead of the frontend.
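As an added illustration (not configuration from this task or from the hosts' existing tlsproxy setup), an nginx server block that adds a separate TLS listening port on the tlsproxy host and proxies into the local varnish backend instead of the frontend. The port number, certificate paths, client subnet and varnish backend address are placeholders to be replaced with per-cluster values.

```nginx
# Added example, not from the task: a second TLS listener on the existing
# nginx tlsproxy host for inbound cross-tier (varnish -> varnish) traffic.
# It lives alongside the existing frontend listener on 443 and proxies to
# the local varnish backend. All ports and paths below are placeholders.
server {
    # Separate, per-cluster listening port for backend-bound TLS
    listen 4443 ssl;
    listen [::]:4443 ssl;

    ssl_certificate     /etc/ssl/PLACEHOLDER/backend.crt;
    ssl_certificate_key /etc/ssl/PLACEHOLDER/backend.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Only other varnish instances should reach this port; restrict to the
    # backend cache networks (placeholder range, assumption not from the task).
    allow 10.0.0.0/8;
    deny  all;

    location / {
        # Local varnish backend instance (placeholder address and port)
        proxy_pass http://127.0.0.1:3128;
        proxy_http_version 1.1;
        # Preserve the Host header so varnish hashes and routes as before
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        # Empty Connection header keeps upstream keepalives usable
        proxy_set_header Connection "";
    }
}
```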
To avoid conflicts with future or as-yet-unknown plans, we should adopt per-cluster port numbers for this, and avoid colliding with the port-numbering plans in T107236.