Introduction
When you deploy Terraform Enterprise behind a load balancer, network traffic that appears local to the instance may perform a "hairpin turn." In this configuration, the Fully Qualified Domain Name (FQDN) for Terraform Enterprise resolves to the load balancer's IP address. This causes traffic originating from the Terraform Enterprise instance to exit the instance, pass through the load balancer, and then return.
Problem
While network hairpinning is a common network design, it can cause unintended side effects for applications like Terraform Enterprise. These issues can include:
- Delays in module updates.
- Failed or delayed runs after you push commits to connected repositories.
- Lost webhook updates from version control systems.
The Hairpin Addressing feature, available in Terraform Enterprise v202010-1 and later, resolves these issues. It configures Terraform Enterprise services to redirect requests for the installation’s FQDN to the instance’s internal IP address.
Prerequisites
Before enabling Hairpin Addressing, you must determine where SSL/TLS connections terminate. In a load-balanced environment, TLS termination typically occurs at the load balancer. This means the load balancer holds the signed TLS certificate for the Terraform Enterprise FQDN, while Terraform Enterprise uses a self-signed certificate for internal communication.
Enabling Hairpin Addressing requires Terraform Enterprise to make internal API calls using a certificate signed by a known certificate authority. You must configure the instance with a signed certificate before enabling this feature.
If you use a private certificate authority (CA) to sign TLS certificates, you must also configure Terraform Enterprise with the CA Bundle from your private CA.
Procedure
After you configure the Terraform Enterprise instance with the required signed TLS certificates, you can enable Hairpin Addressing.
- Navigate to the Terraform Enterprise admin console at
https://$TFE_FQDN:8800and select Settings. - Select Advanced Configuration from the left-hand menu.
- Locate the Hairpin Addressing setting and select the checkbox to enable it.
- Select Save at the bottom of the page.
Outcome
A restart of the Terraform Enterprise application is required for the change to take effect. After the restart, internal traffic will be correctly routed within the instance, resolving issues related to network hairpinning.