Sure! You can use https:// and it will just work assuming that the subgraphs themselves have valid TLS certificates! If you’re self-signing certificates for subgraphs, you’ll need to provide those to your Gateway via standard Node.js mechanisms (e.g., via the NODE_EXTRA_CA_CERTS env variable).
Of course, depending on your configuration, you might also employ sidecar infrastructure that handles this for you (e.g., oftentimes service meshes will handle the TLS encryption for you) which can offer a performance benefit since it’s handled out of process by a dedicated process. You’ll see functionality like this offered by Linkerd, Envoy Proxy, etc.
I would recommend using whatever your infrastructure’s equivalent of an appropriate load balancer is (round-robin, even!) in front of the subgraphs rather than expecting the gateway to handle this on its own. This wouldn’t be unlike a Kubernetes service configuration where the K8s controller takes care of monitoring the member pods within a service and routing accordingly (and rescheduling as necessary).
Tools like ELB and Kubernetes do a very good job with, and are purpose-built for, this job; replicating the functionality they offer would be somewhat futile. I wouldn’t necessarily be concerned about the “hop” this introduces when transposing that against the flexibility and reliability that load balancers (and their features) offer in this regard.
Hope this helps!
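
A preflight check for the setup described in this answer, added here as an example and not part of the original post or of Apollo's code: it flags subgraph URLs that are not https://, a disabled certificate check, and an unusable NODE_EXTRA_CA_CERTS bundle. Node.js reads that file once at startup and only emits a warning if it is missing or malformed, so checking it explicitly surfaces the problem before the gateway starts failing requests. The function name `auditSubgraphTls` and the `{ name, url }` list shape are assumptions.

```javascript
// Added example, not Apollo's code: preflight check for gateway-to-subgraph TLS settings.
const fs = require('node:fs');
const { X509Certificate } = require('node:crypto');

const PEM_BLOCK = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// subgraphs: [{ name, url }] (assumed shape); env: an object shaped like process.env.
function auditSubgraphTls(subgraphs, env = process.env) {
  const findings = [];
  for (const { name, url } of subgraphs) {
    let protocol;
    try {
      protocol = new URL(url).protocol;
    } catch {
      findings.push(`${name}: not a valid URL`);
      continue;
    }
    if (protocol !== 'https:') findings.push(`${name}: uses ${protocol}// instead of https://`);
  }
  // Turning verification off hides certificate problems instead of fixing them.
  if (env.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
    findings.push('NODE_TLS_REJECT_UNAUTHORIZED=0 disables certificate verification');
  }
  // Setting process.env.NODE_EXTRA_CA_CERTS after startup has no effect on the running process.
  const bundlePath = env.NODE_EXTRA_CA_CERTS;
  if (!bundlePath) return findings;
  let pem;
  try {
    pem = fs.readFileSync(bundlePath, 'utf8');
  } catch (err) {
    findings.push(`NODE_EXTRA_CA_CERTS: cannot read ${bundlePath} (${err.code})`);
    return findings;
  }
  const blocks = pem.match(PEM_BLOCK) || [];
  if (blocks.length === 0) findings.push('NODE_EXTRA_CA_CERTS: no PEM certificates found');
  blocks.forEach((block, i) => {
    try {
      const cert = new X509Certificate(block);
      if (new Date(cert.validTo) < new Date()) findings.push(`NODE_EXTRA_CA_CERTS: certificate #${i + 1} has expired`);
    } catch {
      findings.push(`NODE_EXTRA_CA_CERTS: certificate #${i + 1} is not parsable`);
    }
  });
  return findings;
}
```

Run it at gateway startup with the real subgraph list and `process.env`, and refuse to start if it returns any findings.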