The OpenConfig gRPC tunnel specification requires TLS encryption at the tunnel and gRPC server level.
TLS encryption at tunnel level is configured by assigning the TLS client profile at the destination group level. It operates similarly to dial-out telemetry, as described in Dial-out telemetry.
When an external gRPC client connects to an SR OS gRPC server through a tunnel (rather than through direct TCP connection), the source address of the tunnel is used as the IP address to generate certificates. The TLS server profile assigned to the gRPC server must point to certificates that were generated using this IP address.