Network security for the on-premises Livepatch server encompasses various topics.
Connection between the on-prem server and the hosted server
The connection between the on-prem server and the hosted server allows TLS to ensure that communication is secure and the host is, in fact, Canonical’s server.
Method of patch download when a sync is triggered.
Patches are not downloaded with TLS. Instead when a sync is triggered, the on-premises server makes a request to the hosted server (over TLS) for any new patches, receiving patch locations and checksums for each patch.
The on-premise server proceeds to download all new patches (from a separate location without TLS) and verifies their contents using the aforementioned checksum, before inserting the patch into the patch store. This process is similar to how clients download patches and reduces load on the Livepatch file server.
Connection between clients and the on-prem server.
Connections between clients and the on-prem server can be secured with TLS, but this is up to the administrator managing the deployment and the network requirements. A how-to on this topic is available.