diff --git a/templates/service-redirect.j2 b/templates/service-redirect.j2
index 7a32c9c..b389989 100644
--- a/templates/service-redirect.j2
+++ b/templates/service-redirect.j2
@@ -1,93 +1,99 @@
-{% set haproxy_http_front_port = haproxy_backend_port + 10000 %}
-{% set haproxy_https_front_port = haproxy_backend_port + 20000 %}
+{% set haproxy_http_front_port = (haproxy_backend_port | int) + 10000 %}
+{% set haproxy_https_front_port = (haproxy_backend_port | int) + 20000 %}
-# Redirect to direct request to HTTP or HTTPS frontend
-frontend {{ item.service.haproxy_service_name }}-tcp-redirect-front-{{ loop.index }}
+# Redirect request to HTTP or HTTPS frontend based on used protocol
+frontend {{ service.haproxy_service_name }}-tcp-redirect-front-{{ loop.index }}
 mode tcp
- bind {{ vip_bind }}:{{ item.service.haproxy_port }}
+ bind {{ vip_address }}:{{ service.haproxy_port }}{{ (vip_interface is truthy) | ternary(' interface ' ~ vip_interface, '') }}
 tcp-request inspect-delay 2s
 tcp-request content accept if HTTP
 tcp-request content accept if { req.ssl_hello_type 1 }
- use_backend {{ value.backend_name | default(item.service.haproxy_service_name) }}-redirect-http-back-{{ loop.index }} if HTTP
- default_backend {{ value.backend_name | default(item.service.haproxy_service_name) }}-redirect-https-back-{{ loop.index }}
+ use_backend {{ value.backend_name | default(service.haproxy_service_name) }}-redirect-http-back-{{ loop.index }} if HTTP
+ default_backend {{ value.backend_name | default(service.haproxy_service_name) }}-redirect-https-back-{{ loop.index }}
-backend {{ value.backend_name | default(item.service.haproxy_service_name) }}-redirect-http-back-{{ loop.index }}
+backend {{ value.backend_name | default(service.haproxy_service_name) }}-redirect-http-back-{{ loop.index }}
 mode tcp
- server {{ value.backend_name | default(item.service.haproxy_service_name) }}-http {{ vip_bind }}:{{ haproxy_http_front_port }}
+ server {{ value.backend_name | default(service.haproxy_service_name) }}-http {{ vip_address }}:{{ haproxy_http_front_port }}
-backend {{ value.backend_name | default(item.service.haproxy_service_name) }}-redirect-https-back-{{ 
loop.index }}
+backend {{ value.backend_name | default(service.haproxy_service_name) }}-redirect-https-back-{{ loop.index }}
 mode tcp
- server {{ value.backend_name | default(item.service.haproxy_service_name) }}-https {{ vip_bind }}:{{ haproxy_https_front_port }}
+ server {{ value.backend_name | default(service.haproxy_service_name) }}-https {{ vip_address }}:{{ haproxy_https_front_port }}
-frontend {{ item.service.haproxy_service_name }}-http-front-{{ loop.index }}
- bind {{ vip_bind }}:{{ haproxy_http_front_port }}
+frontend {{ service.haproxy_service_name }}-http-front-{{ loop.index }}
+ bind {{ vip_address }}:{{ haproxy_http_front_port }}{{ (vip_interface is truthy) | ternary(' interface ' ~ vip_interface, '') }}
 {% if request_option == "http" %}
 option httplog
 option forwardfor except 127.0.0.0/8
-{% if item.service.haproxy_http_keepalive_mode is defined %}
- option {{ item.service.haproxy_http_keepalive_mode }}
+{% if service.haproxy_http_keepalive_mode is defined %}
+ option {{ service.haproxy_http_keepalive_mode }}
 {% endif %}
 {% elif request_option == "tcp" %}
 option tcplog
 {% endif %}
-{% if item.service.haproxy_timeout_client is defined %}
- timeout client {{ item.service.haproxy_timeout_client }}
+{% if service.haproxy_timeout_client is defined %}
+ timeout client {{ service.haproxy_timeout_client }}
 {% endif %}
-{% if item.service.haproxy_allowlist_networks is defined %}
- acl allow_list src 127.0.0.1/8 {{ item.service.haproxy_allowlist_networks | join(' ') }}
+{% if service.haproxy_allowlist_networks is defined %}
+ acl allow_list src 127.0.0.1/8 {{ service.haproxy_allowlist_networks | join(' ') }}
 tcp-request content accept if allow_list
 tcp-request content reject
 {% endif %}
-{% if item.service.haproxy_acls is defined %}
-{% for key, value in item.service.haproxy_acls.items() %}
+{% if service.haproxy_acls is defined %}
+{% for key, value in service.haproxy_acls.items() %}
 acl {{ key }} {{ value.rule }}
-{% if not item.service.haproxy_frontend_only 
| default(false) %}
- use_backend {{ value.backend_name | default(item.service.haproxy_service_name) }}-back if {{ key }}
+{% if not service.haproxy_frontend_only | default(false) %}
+ use_backend {{ value.backend_name | default(service.haproxy_service_name) }}-back if {{ key }}
 {% endif %}
 {% endfor %}
 {% endif %}
- mode {{ item.service.haproxy_balance_type }}
-{% if not item.service.haproxy_frontend_only | default(false) %}
- default_backend {{ item.service.haproxy_service_name }}-back
+{% for entry in service.haproxy_maps | default([]) %}
+ {{ entry }}
+{% endfor %}
+ mode {{ service.haproxy_balance_type }}
+{% if (not service.haproxy_frontend_only | default(false)) or ((service.haproxy_default_backend is defined) and (service.haproxy_default_backend | length > 0)) %}
+ default_backend {{ service.haproxy_default_backend | default(service.haproxy_service_name) }}-back
 {% endif %}
-{% for entry in item.service.haproxy_frontend_raw|default([]) %}
+{% for entry in (service.haproxy_frontend_raw|default([])) + haproxy_frontend_extra_raw %}
 {{ entry }}
 {% endfor %}
-frontend {{ item.service.haproxy_service_name }}-https-front-{{ loop.index }}
- bind {{ vip_bind }}:{{ haproxy_https_front_port }} ssl crt {{ haproxy_ssl_cert_path }}/haproxy_{{ ansible_facts['hostname'] }}-{{ vip_bind }}.pem
+frontend {{ service.haproxy_service_name }}-https-front-{{ loop.index }}
+ bind {{ vip_address }}:{{ haproxy_https_front_port }}{{ (vip_interface is truthy) | ternary(' interface ' ~ vip_interface, '') }} ssl crt {{ haproxy_ssl_cert_path }}/haproxy_{{ ansible_facts['hostname'] }}-{{ vip_address }}.pem
 {% if request_option == "http" %}
 option httplog
 option forwardfor except 127.0.0.0/8
-{% if item.service.haproxy_http_keepalive_mode is defined %}
- option {{ item.service.haproxy_http_keepalive_mode }}
+{% if service.haproxy_http_keepalive_mode is defined %}
+ option {{ service.haproxy_http_keepalive_mode }}
 {% endif %}
 {% elif request_option == "tcp" %}
 option tcplog
 {% endif %}
-{% 
if item.service.haproxy_timeout_client is defined %}
- timeout client {{ item.service.haproxy_timeout_client }}
+{% if service.haproxy_timeout_client is defined %}
+ timeout client {{ service.haproxy_timeout_client }}
 {% endif %}
-{% if item.service.haproxy_allowlist_networks is defined %}
- acl allow_list src 127.0.0.1/8 {{ item.service.haproxy_allowlist_networks | join(' ') }}
+{% if service.haproxy_allowlist_networks is defined %}
+ acl allow_list src 127.0.0.1/8 {{ service.haproxy_allowlist_networks | join(' ') }}
 tcp-request content accept if allow_list
 tcp-request content reject
 {% endif %}
-{% if item.service.haproxy_acls is defined %}
-{% for key, value in item.service.haproxy_acls.items() %}
+{% if service.haproxy_acls is defined %}
+{% for key, value in service.haproxy_acls.items() %}
 acl {{ key }} {{ value.rule }}
-{% if not item.service.haproxy_frontend_only | default(false) %}
- use_backend {{ value.backend_name | default(item.service.haproxy_service_name) }}-back if {{ key }}
+{% if not service.haproxy_frontend_only | default(false) %}
+ use_backend {{ value.backend_name | default(service.haproxy_service_name) }}-back if {{ key }}
 {% endif %}
 {% endfor %}
 {% endif %}
-{% if (item.service.haproxy_ssl | default(false) | bool) and request_option == 'http' and (loop.index == 1 or vip_bind in extra_lb_tls_vip_addresses or (item.service.haproxy_ssl_all_vips | default(false) | bool and vip_bind not in extra_lb_vip_addresses)) %}
+{% for entry in service.haproxy_maps | default([]) %}
+ {{ entry }}
+{% endfor %}
+{% if (service.haproxy_ssl | default(false) | bool) and request_option == 'http' and (loop.index == 1 or vip_address in extra_lb_tls_vip_addresses or (service.haproxy_ssl_all_vips | default(false) | bool and vip_address not in extra_lb_vip_addresses)) %}
 http-request add-header X-Forwarded-Proto https
 {% endif %}
- mode {{ item.service.haproxy_balance_type }}
-{% if not item.service.haproxy_frontend_only | default(false) %}
- default_backend {{ 
item.service.haproxy_service_name }}-back
+ mode {{ service.haproxy_balance_type }}
+{% if (not service.haproxy_frontend_only | default(false)) or ((service.haproxy_default_backend is defined) and (service.haproxy_default_backend | length > 0)) %}
+ default_backend {{ service.haproxy_default_backend | default(service.haproxy_service_name) }}-back
 {% endif %}
-{% for entry in item.service.haproxy_frontend_raw|default([]) %}
+{% for entry in (service.haproxy_frontend_raw|default([])) + haproxy_frontend_extra_raw %}
 {{ entry }}
 {% endfor %}
diff --git a/templates/service.j2 b/templates/service.j2
index 441e97b..aa43f00 100644
--- a/templates/service.j2
+++ b/templates/service.j2
@@ -46,9 +46,9 @@ bind {{ vip_address }}:{{ service.haproxy_redirect_http_port }}{{ (vip_interface
 {% endif %}
 {% endif %}
-{# TODO: remove if and section inside if after HTTPS upgrade #}
-{# During an upgrade of internal frontends from HTTP to HTTPS, need to accept both HTTP and HTTPS until client config has been changed #}
-{% if (service.haproxy_tcp_upgrade_frontend | default(false)) and (service.haproxy_ssl_all_vips | default(false)) %}
+{# service-redirect.j2 allows frontend to handle both HTTP and HTTPS connections. #}
+{# This is especially useful during HTTP->HTTPS service endpoint transition. #}
+{% if service.haproxy_accept_both_protocols | default(false) %}
 {% include 'service-redirect.j2' %}
 {% else %}
 frontend {{ service.haproxy_service_name }}-front-{{ loop.index }}
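Review bot: The new `default_backend` guard in the http-front block (and its twin in the https-front block of this hunk) lets an explicitly empty `service.haproxy_default_backend` through: when `haproxy_frontend_only` is false the first clause is already true, and `'' | default(...)` keeps the empty string because Jinja's `default` only replaces undefined values, so the rendered line becomes `default_backend -back`, pointing at a backend that does not exist. Making the override win only when non-empty closes that gap, `default_backend {{ service.haproxy_default_backend | default(service.haproxy_service_name, true) }}-back`, or alternatively drop the `length > 0` clause and document that the variable must be unset rather than empty. Separately, `(service.haproxy_frontend_raw|default([])) + haproxy_frontend_extra_raw` guards only the service-level list; unless `haproxy_frontend_extra_raw` is a role default, rendering fails wherever it is undefined, so `| default([])` on that operand too would be safer. Both patterns occur twice in this hunk, once per frontend.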
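Review bot: `service.haproxy_accept_both_protocols | default(false)` is evaluated without a `| bool` cast, so a value supplied from inventory or extra-vars as the string `"false"` is truthy in Jinja and would pull `service-redirect.j2` in for that service; sibling flags in this repository, for example `service.haproxy_ssl | default(false) | bool` in service-redirect.j2, cast explicitly. Suggested: `{% if service.haproxy_accept_both_protocols | default(false) | bool %}`. Note also that the replaced condition additionally required `haproxy_ssl_all_vips`, whereas the new flag alone selects the redirect template, which binds an `ssl crt` https frontend on every VIP; if certificates are only provisioned for all VIPs when `haproxy_ssl_all_vips` is set, the comment above this `if` should state that the new flag implies that requirement.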
@@ -165,32 +165,6 @@ backend {{ service.haproxy_service_name }}-back
 {% set _ = entry.append(option) %}
 {% endfor %}
 {{ entry | join(' ') }}
-{# TODO: remove if and section inside if after HTTPS upgrade #}
-{# During an upgrade of backends from HTTP to HTTPS, need to uses both HTTP and HTTPS backends until backends have been changed #}
-{% if service.haproxy_tcp_upgrade_backend | default(false) and service.haproxy_backend_ssl | default(false) %}
-{% set entry = [] %}
-{% set _ = entry.append("server") %}
-{% set _ = entry.append((host_name.name | default(host_name)) + "-http" | string) %}
-{% set _ = entry.append((host_name.ip_addr | default(ip_addr)) + ":" + haproxy_backend_port | string) %}
-{% set _ = entry.append("check") %}
-{% set _ = entry.append("port") %}
-{% set _ = entry.append(haproxy_check_port | string) %}
-{% set _ = entry.append("inter") %}
-{% set _ = entry.append(service.interval|default(haproxy_interval) | string) %}
-{% set _ = entry.append("rise") %}
-{% set _ = entry.append(service.backend_rise|default(haproxy_rise | string)) %}
-{% set _ = entry.append("fall") %}
-{% set _ = entry.append(service.backend_fall|default(haproxy_fall | string)) %}
-{% set backend_server_options = service.haproxy_backend_server_options|default([]) %}
-{% for option in backend_server_options %}
-{% set _ = entry.append(option) %}
-{% endfor %}
-{% set backend_per_server_options = host_name.backend_server_options|default([]) %}
-{% for option in backend_per_server_options %}
-{% set _ = entry.append(option) %}
-{% endfor %}
- {{ entry | join(' ') }}
-{% endif %}
 {% endfor %}
 {% for host_name in service.haproxy_backup_nodes|default([]) %}