Introduction
This article outlines the required domains to allowlist for pulling Terraform Enterprise images from the HashiCorp Docker registry, particularly for environments with strict network egress policies.
Scenario
During a Terraform Enterprise installation using the Flexible Deployment Options (FDO), you must download the official Docker image. You can initiate the download with the following command.
$ docker pull images.releases.hashicorp.com/hashicorp/terraform-enterprise:<vYYYYMM-#>
While the initial request targets images.releases.hashicorp.com, the HashiCorp Docker registry uses a multi-region replication model for high availability. As a result, the actual image data may be served from various AWS S3 domains. Network monitoring tools like tcpdump may show traffic directed to domains such as s3-us-east-1-r-w.amazonaws.com.
Example tcpdump output:
Out IP ip-x.x.x.x.ec2.internal.55556 > s3-us-east-1-r-w.amazonaws.com.https: Flags [.], ack 133212217, win 725, length 0
If your firewall or network security policies restrict outbound HTTPS traffic, responses from these dynamically selected endpoints can be blocked, causing the installation to fail.
Recommendation
Because the HashiCorp image registry service is globally routable, a response may come from any of several AWS regions, with a preference for the region geographically nearest to the client.
If your environment uses strict network egress policies, you must add the following domains to your allowlist to ensure successful image downloads:
s3-r-w.us-east-1.amazonaws.com
s3-r-w.us-west-2.amazonaws.com
s3-r-w.eu-central-1.amazonaws.com
s3-r-w.eu-west-1.amazonaws.com
prod-us-east-1-starport-layer-bucket.s3.dualstack.us-east-1.amazonaws.com
prod-us-west-1-starport-layer-bucket.s3.dualstack.us-west-1.amazonaws.com
Note: These domains are managed by AWS, and their underlying IP addresses or infrastructure may change without notice. It is recommended to allowlist the domains rather than specific IP addresses.
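The following precheck script is an added example and not HashiCorp tooling: it opens an HTTPS connection to each domain listed above, plus images.releases.hashicorp.com that the pull command itself targets, and maps curl's exit status to the likely cause of a blocked path so the egress problem is found before the image pull stalls. It assumes curl is installed on the install host; the script name egress-check.sh is a placeholder.

```shell
#!/bin/sh
# Egress precheck for a Terraform Enterprise FDO install host: connect over
# HTTPS to every domain the article lists (plus the registry host the pull
# targets) and map curl's exit status to the likely cause of a blocked path.

REQUIRED_EGRESS="
images.releases.hashicorp.com
s3-r-w.us-east-1.amazonaws.com
s3-r-w.us-west-2.amazonaws.com
s3-r-w.eu-central-1.amazonaws.com
s3-r-w.eu-west-1.amazonaws.com
prod-us-east-1-starport-layer-bucket.s3.dualstack.us-east-1.amazonaws.com
prod-us-west-1-starport-layer-bucket.s3.dualstack.us-west-1.amazonaws.com
"

# Translate a curl exit status into the egress failure it usually indicates.
# Exit 0 means the TLS connection completed; the HTTP status does not matter
# here (S3 answers 403 on "/"), which is why check_domain does not pass -f.
explain_curl_exit() {
  case "$1" in
    0)  echo "ok: HTTPS connection established" ;;
    6)  echo "blocked: DNS resolution failed (resolver or DNS egress)" ;;
    7)  echo "blocked: connection refused or reset (firewall reject)" ;;
    28) echo "blocked: connect timed out (firewall silently dropping)" ;;
    35) echo "blocked: TLS handshake failed (intercepting proxy?)" ;;
    60) echo "blocked: server certificate not trusted (inspection CA missing?)" ;;
    *)  echo "unknown: curl exit status $1" ;;
  esac
}

# Connect to one domain over HTTPS and explain the outcome.
check_domain() {
  curl -s -o /dev/null --connect-timeout 5 --max-time 10 "https://$1/"
  explain_curl_exit "$?"
}

# Check every required domain; return non-zero if any path is blocked.
check_all() {
  rc=0
  for d in $REQUIRED_EGRESS; do
    result=$(check_domain "$d")
    printf '%-75s %s\n' "$d" "$result"
    case "$result" in ok:*) ;; *) rc=1 ;; esac
  done
  return "$rc"
}

# Network checks run only with --run, e.g. `sh egress-check.sh --run`.
if [ "${1:-}" = "--run" ]; then check_all; fi
```

Write firewall rules against the names the client requests (the entries above), not the host names tcpdump prints, since those come from reverse DNS of the peer address and can differ, as the s3-us-east-1-r-w.amazonaws.com capture shows.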