Introduction
When Terraform Enterprise is deployed in a network that utilizes a load balancer, network traffic that would normally seem local to the Terraform Enterprise instance may actually do what is commonly referred to as hairpinning. In this configuration, the FQDN for the Terraform Enterprise instance resolves to the IP address of the load balancer. As a result, traffic that would otherwise stay internal to the Terraform Enterprise instance leaves the instance and comes back into it by first passing through the load balancer.
Use Case
Network hairpinning is normal in network design, but can cause unintended side effects for some applications including Terraform Enterprise. Some commonly seen side effects of network hairpinning can include, but are not limited to, modules not receiving updates in a timely manner, workspaces failing or delaying runs after commits are pushed to connected repositories, and lost webhook updates from version control systems.
To address deployments in this type of network environment, the Hairpin Addressing feature was added to Terraform Enterprise beginning with v202010-1. This feature is used to configure Terraform Enterprise services to redirect requests for the installation's FQDN to the instance's internal IP address.
Procedure
Before enabling the Hairpin Addressing feature, it is essential to determine where SSL connections are being terminated. When a load balancer is configured in the network, SSL connections are typically terminated there, so the signed SSL certificate for the Terraform Enterprise FQDN will be loaded into the load balancer and Terraform Enterprise will use a self-signed certificate to communicate with the load balancer. This can be problematic when enabling Hairpin Addressing, as Terraform Enterprise will require a certificate that is signed by a known certificate authority for internal API calls. This makes configuring the Terraform Enterprise instance with a signed certificate necessary before enabling Hairpin Addressing. When a private certificate authority is used to sign SSL certificates, Terraform Enterprise will also need to be configured with the CA Bundle from the private certificate authority.
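The certificate requirement above can be checked before the setting is changed. The following is an added example, not HashiCorp code: the function names, file names and the host name `tfe.example.test` are assumptions, and the certificates are constructed throwaway samples generated with the `openssl` CLI.

```shell
#!/usr/bin/env bash
# Added example: classify a certificate before enabling Hairpin Addressing.
# Prints one of: self-signed | trusted | untrusted
# Usage: classify_cert CERT_PEM [CA_BUNDLE_PEM]
classify_cert() {
  local cert="$1" bundle="${2:-}" subj iss
  # Subject equal to issuer means no certificate authority signed this certificate.
  subj=$(openssl x509 -in "$cert" -noout -subject_hash) || return 2
  iss=$(openssl x509 -in "$cert" -noout -issuer_hash) || return 2
  if [ "$subj" = "$iss" ]; then echo "self-signed"; return 0; fi
  # Private CA: verify against the supplied CA bundle; otherwise the system store.
  if [ -n "$bundle" ]; then
    if openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
      echo "trusted"; return 0
    fi
  elif openssl verify "$cert" >/dev/null 2>&1; then
    echo "trusted"; return 0
  fi
  echo "untrusted"
}

# Constructed sample data: a self-signed certificate, a private CA, and a
# certificate signed by that CA, all written to directory $1.
make_constructed_certs() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=tfe.example.test" \
    -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Private CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=tfe.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# Demo: run the script with --demo to classify the constructed samples.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_constructed_certs "$tmp"
  echo "self-signed cert, no bundle:   $(classify_cert "$tmp/self.pem")"
  echo "CA-signed cert, CA bundle:     $(classify_cert "$tmp/leaf.pem" "$tmp/ca.pem")"
  echo "CA-signed cert, wrong bundle:  $(classify_cert "$tmp/leaf.pem" "$tmp/self.pem")"
  rm -rf "$tmp"
fi
```

A result of `self-signed` or `untrusted` for the certificate installed on the instance means the certificate or CA Bundle configuration described above is still outstanding.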
Once the Terraform Enterprise instance has been configured with signed SSL certificates, Hairpin Addressing can be enabled by navigating to the Terraform Enterprise console at https://$TFE_FQDN:8800 and then going to Settings.
The Hairpin Addressing setting can be seen by clicking on Advanced Configuration in the menu on the left-hand side of the Settings page.
Simply check the box and click Save at the bottom of the page to enable Hairpin Addressing. Please note that this will require a restart of the Terraform Enterprise application in order for Hairpin Addressing to take effect.