Required Network Endpoints for Terraform Enterprise Behind a Proxy

Avatar
Tarun Bansal
  • Updated

Overview

When running Terraform Enterprise (TFE) behind a corporate proxy in Flexible Deployment Option (FDO) with Docker Compose, outbound network requests may fail if required endpoints are not whitelisted. This can cause Terraform runs to hang or fail when downloading providers, modules, or verifying licenses.

 

This article lists the required network endpoints that must be accessible for Terraform Enterprise to function correctly behind a proxy.

 

Problem

  • Terraform runs remain in a stuck or failed state.
  • Provider or module downloads fail with errors like:
Error: Failed to install provider
could not query provider registry for registry.terraform.io

 

Cause

 

Terraform Enterprise relies on several external services to:

  • Download Terraform CLI binaries.
  • Download providers and modules.
  • Access VCS (GitHub, GitLab, Bitbucket, Azure DevOps).
  • Validate licenses and perform telemetry (if enabled).

If these endpoints are not whitelisted, TFE cannot complete Terraform runs.

 

 

Solution:

 

Whitelist Required Endpoints

Ensure the following domains are allowed through the proxy/firewall:

 

Purpose Endpoint(s)
Terraform CLI & Provider Downloads https://releases.hashicorp.com/
Terraform Provider Registry https://registry.terraform.io/
GitHub Release Assets (for community providers) https://github.com/ and https://objects.githubusercontent.com/
Terraform Cloud/Enterprise Communication https://app.terraform.io/
AWS Provider Dependencies https://sts.amazonaws.com/ and region-specific endpoints (e.g., https://sts.us-east-1.amazonaws.com/)
GCP Provider Dependencies https://www.googleapis.com/
Azure Provider Dependencies https://management.azure.com/ and https://login.microsoftonline.com/
VCS Integration (if applicable) Your org’s VCS provider endpoints (e.g., https://dev.azure.com/, https://gitlab.com/, https://bitbucket.org/)

 

Validate Connectivity

Run a test curl from inside a TFE container:

docker exec -it <tfe_worker_container> curl -I https://registry.terraform.io

 Expected: HTTP/2 200

 

Reference:

TFE Network Requirements

 

 

 

 

Articles in this section

Related articles