Before any data is exchanged, the client and the server perform a handshake: they agree on the protocol version and the cipher suite, the server presents its certificate, and the two sides settle on a shared key. In its very first message the client states which domain it needs — that is the job of the SNI extension, which makes it possible to host many sites on a single IP address.
The protocol solves three security problems at once:
Together with a reverse proxy, TLS is often "terminated" at the edge, offloading the encryption work from the application.