diff --git a/service/files/defaults.yaml b/service/files/defaults.yaml
index 6f55216..395c89e 100644
--- a/service/files/defaults.yaml
+++ b/service/files/defaults.yaml
@@ -1,5 +1,7 @@
 configs:
   heat:
+    tls:
+      enabled: true
     api_port:
       cont: 8004
       ingress: orchestration
diff --git a/service/files/heat.conf.j2 b/service/files/heat.conf.j2
index 6ee7543..6eead48 100644
--- a/service/files/heat.conf.j2
+++ b/service/files/heat.conf.j2
@@ -30,18 +30,42 @@ auth_url = {{ address('keystone', keystone.admin_port, with_scheme=True) }}
 auth_plugin = password
 auth_type = password
 
+{% if heat.tls.enabled %}
+[oslo_middleware]
+enable_proxy_headers_parsing = true
+
+[ec2authtoken]
+ca_file = /opt/ccp/etc/tls/ca.pem
+{% endif %}
+
 [clients_keystone]
 auth_uri = {{ address('keystone', keystone.public_port, with_scheme=True) }}
+{% if security.tls.create_certificates %}
+# Add this option independently from all services components, because
+# Heat uses certificates only from Keystone section and then passes this
+# session as argument for other clients. So it's not possible to have separate
+# certificates for each client. There is a corresponding bug in upstream:
+# https://bugs.launchpad.net/heat/+bug/1669367
+ca_file = /opt/ccp/etc/tls/ca.pem
+{% endif %}
 
 [clients_heat]
 endpoint_type = {{ heat.heat_endpoint_type }}
 
 [heat_api]
+{% if heat.tls.enabled %}
+bind_host = 127.0.0.1
+{% else %}
 bind_host = {{ network_topology["private"]["address"] }}
+{% endif %}
 bind_port = {{ heat.api_port.cont }}
 
 [heat_api_cfn]
+{% if heat.tls.enabled %}
+bind_host = 127.0.0.1
+{% else %}
 bind_host = {{ network_topology["private"]["address"] }}
+{% endif %}
 bind_port = {{ heat.api_cfn_port.cont }}
 
 [cache]
diff --git a/service/files/nginx-api-cfn.conf.j2 b/service/files/nginx-api-cfn.conf.j2
new file mode 100644
index 0000000..5a4fbb6
--- /dev/null
+++ b/service/files/nginx-api-cfn.conf.j2
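Review bot: `enabled: true` under the new `tls:` key switches the nginx sidecar and the loopback `bind_host` on for every deployment by default, so any deployment that does not supply `security.tls.server_cert` and `security.tls.server_key` will render empty PEM files for nginx (assuming those keys have no default of their own — not visible here). The dependency is not stated anywhere in the defaults; a comment on the key would make it explicit, e.g. `# When true, heat-api/heat-api-cfn bind 127.0.0.1 behind an nginx TLS sidecar; requires security.tls.server_cert and security.tls.server_key to be set`. The rest of the `heat:` mapping continues outside the hunk.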
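Review bot: The `[ec2authtoken] ca_file` line is gated on `heat.tls.enabled`, while the otherwise identical `[clients_keystone] ca_file` a few lines below is gated on `security.tls.create_certificates`; the two knobs are independent, so with certificates created but `heat.tls.enabled` false the EC2 token path talks to Keystone without the CA file, and with the reverse combination it points at a CA file that may not exist. Gate both on the same condition: wrap `[ec2authtoken]` in its own `{% if security.tls.create_certificates %}` … `{% endif %}` and leave only `[oslo_middleware]` under `heat.tls.enabled`. `enable_proxy_headers_parsing = true` makes Heat honour X-Forwarded-* headers, which is only acceptable because `bind_host` is switched to `127.0.0.1` under the same condition so nothing but the local nginx can reach the API; a comment stating that coupling, e.g. `# Only safe while bind_host below is loopback: a client reaching the API directly could set forwarded headers itself`, would keep a later change from re-binding the private address with this still on. The section containing `auth_plugin`/`auth_type` begins before the hunk.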
@@ -0,0 +1,9 @@
+server {
+    listen {{ network_topology["private"]["address"] }}:{{ heat.api_cfn_port.cont }} ssl;
+    include common/ssl.conf;
+
+    location / {
+        proxy_pass http://heat_api_cfn;
+        include common/proxy-headers.conf;
+    }
+}
diff --git a/service/files/nginx-api.conf.j2 b/service/files/nginx-api.conf.j2
new file mode 100644
index 0000000..d3f8578
--- /dev/null
+++ b/service/files/nginx-api.conf.j2
@@ -0,0 +1,9 @@
+server {
+    listen {{ network_topology["private"]["address"] }}:{{ heat.api_port.cont }} ssl;
+    include common/ssl.conf;
+
+    location / {
+        proxy_pass http://heat_api;
+        include common/proxy-headers.conf;
+    }
+}
diff --git a/service/files/server-cert.pem.j2 b/service/files/server-cert.pem.j2
new file mode 100644
index 0000000..8abc152
--- /dev/null
+++ b/service/files/server-cert.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_cert }}
diff --git a/service/files/server-key.pem.j2 b/service/files/server-key.pem.j2
new file mode 100644
index 0000000..70cf751
--- /dev/null
+++ b/service/files/server-key.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_key }}
diff --git a/service/files/upstreams.conf.j2 b/service/files/upstreams.conf.j2
new file mode 100644
index 0000000..1fb274b
--- /dev/null
+++ b/service/files/upstreams.conf.j2
@@ -0,0 +1,6 @@
+upstream heat_api {
+    server 127.0.0.1:{{ heat.api_port.cont }};
+}
+upstream heat_api_cfn {
+    server 127.0.0.1:{{ heat.api_cfn_port.cont }};
+}
diff --git a/service/heat-api-cfn.yaml b/service/heat-api-cfn.yaml
index 37d1542..0d03a8d 100644
--- a/service/heat-api-cfn.yaml
+++ b/service/heat-api-cfn.yaml
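Review bot: The `listen` line reuses `heat.api_cfn_port.cont`, the same port number heat-api-cfn itself now binds on 127.0.0.1 (see upstreams.conf.j2 and the `[heat_api_cfn]` bind_host switch in heat.conf.j2), so nginx and Heat avoid colliding only because one binds the private address and the other loopback. That is not obvious from this file and deserves a comment above `listen`, e.g. `# Same port as the backend: nginx takes the private address, heat-api-cfn listens on 127.0.0.1 only (see upstreams.conf)`. nginx-api.conf.j2 in the next hunk is identical apart from the upstream name and port variable, so the same comment belongs there, and a single template parameterised on those two values would stop the pair from drifting. `common/ssl.conf` and `common/proxy-headers.conf` are included but not delivered by this change, so presumably come from the nginx image; naming that source in the same comment would help the next reader.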
@@ -39,8 +39,37 @@ service:
         files:
           - heat-conf
         command: heat-api-cfn --config-file /etc/heat/heat.conf
+    # {% if heat.tls.enabled %}
+    - name: nginx-heat-api-cfn
+      image: nginx
+      daemon:
+        files:
+          - upstreams
+          - servers
+          - server-cert
+          - server-key
+        command: nginx
+    # {% endif %}
 
 files:
   heat-conf:
     path: /etc/heat/heat.conf
     content: heat.conf.j2
+  # {% if heat.tls.enabled %}
+  servers:
+    path: /etc/nginx/conf.d/servers.conf
+    content: nginx-api-cfn.conf.j2
+    perm: "0400"
+  upstreams:
+    path: /etc/nginx/conf.d/upstreams.conf
+    content: upstreams.conf.j2
+    perm: "0400"
+  server-cert:
+    path: /opt/ccp/etc/tls/server-cert.pem
+    content: server-cert.pem.j2
+    perm: "0400"
+  server-key:
+    path: /opt/ccp/etc/tls/server-key.pem
+    content: server-key.pem.j2
+    perm: "0400"
+  # {% endif %}
diff --git a/service/heat-api.yaml b/service/heat-api.yaml
index f30c309..b891a52 100644
--- a/service/heat-api.yaml
+++ b/service/heat-api.yaml
@@ -100,8 +100,37 @@ service:
         files:
           - heat-conf
         command: heat-api --config-file /etc/heat/heat.conf
+    # {% if heat.tls.enabled %}
+    - name: nginx-heat-api
+      image: nginx
+      daemon:
+        files:
+          - upstreams
+          - servers
+          - server-cert
+          - server-key
+        command: nginx
+    # {% endif %}
 
 files:
   heat-conf:
     path: /etc/heat/heat.conf
     content: heat.conf.j2
+  # {% if heat.tls.enabled %}
+  servers:
+    path: /etc/nginx/conf.d/servers.conf
+    content: nginx-api.conf.j2
+    perm: "0400"
+  upstreams:
+    path: /etc/nginx/conf.d/upstreams.conf
+    content: upstreams.conf.j2
+    perm: "0400"
+  server-cert:
+    path: /opt/ccp/etc/tls/server-cert.pem
+    content: server-cert.pem.j2
+    perm: "0400"
+  server-key:
+    path: /opt/ccp/etc/tls/server-key.pem
+    content: server-key.pem.j2
+    perm: "0400"
+  # {% endif %}
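Review bot: The `servers` file rendered from nginx-api-cfn.conf.j2 includes `common/ssl.conf` and `common/proxy-headers.conf`, yet neither is among the four files handed to `nginx-heat-api-cfn`, so the sidecar depends on the image (or another service) providing them and on that `ssl.conf` referencing exactly the `/opt/ccp/etc/tls/server-cert.pem` and `/opt/ccp/etc/tls/server-key.pem` paths declared here; a comment above `servers:` naming that dependency, e.g. `# common/ssl.conf and common/proxy-headers.conf are expected from the nginx image and must point at the server-cert/server-key paths below`, would make the coupling visible. The `# {% if heat.tls.enabled %}` guards are Jinja in YAML comments, which nothing in the file explains; one comment at the first guard, e.g. `# Jinja guard: evaluated before YAML parsing, drops the sidecar and its files when TLS is off`, would help a reader who sees only the rendered YAML. `perm: "0400"` on the key file is correct, and the same value on `servers.conf`/`upstreams.conf` is harmless but reads as if they were secrets too. The heat-api.yaml hunk at line 100 mirrors this block exactly with `nginx-api.conf.j2`, so both comments apply there as well; the `service:` mapping and its container list begin before the hunk.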