This document provides a summarized overview of the network requirements for Terraform Enterprise (TFE) newer Flexible Deployment Option (FDO). It is based on the Terraform technical documentation.

1. Core Egress Requirements

Terraform Enterprise requires outbound network connectivity for a variety of purposes, including pulling container images, fetching providers and modules, interacting with version control systems (VCS), and reporting license/usage information. In Flexible Deployment Options (Docker Compose or Helm), the dependency on Replicated endpoints is removed, but additional egress requirements still apply.

The following core endpoints are typically required for outbound HTTPS (port 443):

Domain	Port	Comments
registry.terraform.io	443	Used by TFE to fetch providers and modules .
releases.hashicorp.com	443	For version metadata, binary releases Downloading Terraform CLI binaries.
images.releases.hashicorp.com	443	Pulling TFE Docker images from HashiCorp registry. This is backed by s3, https://developer.hashicorp.com/terraform/enterprise/deploy/configuration/network#domains-to-whitelist-for-airgapped-environments
helm.releases.hashicorp.com	443	Only if you’re using Helm / Kubernetes components
yy0ffni7mf-dsn.algolia.net	443	The Registry uses Algolia to power search and indexing
reporting.hashicorp.services	443	For usage / licensing use reporting to HashiCorp (unless disabled)

2. VCS Integrations

Terraform Enterprise integrates with SaaS and on-premises VCS providers. Outbound access is required to access a list of repositories, register webhooks with a VCS provider, get notified of a new commit, and download the contents of repository at specific commit.

The various VCS providers have egress port requirements. The common URL schemes for git repositories are: ssh:// - default port 22, git:// - default port 9418, http:// - default port 80, https:// - default port 443

VCS	URL (outbound access)
GitHub.com	github.com api.github.com codeload.github.com (used when fetching modules/providers via VCS) githubusercontent.com (general CDN) - sometimes pulled indirectly by module sources
GitHub Enterprise	Same pattern, but all traffic stays within your organization’s domain
GitLab.com	https://gitlab.com (Git clone, repos) https://gitlab.com/api/v4 (webhooks, Oauth, metadata) https://registry.gitlab.com (containers, if needed *)
GitLab EE and CE	Same pattern, but all traffic stays within your organization’s domain.
Bitbucket Cloud	https://bitbucket.org/
Bitbucket Data Center	Same pattern, but all traffic stays within your organization’s domain. https://<bitbucket-instance-hostname>/<context-path>
Azure DevOps Server	dev.azure.com *.visualstudio.com (older domain)
Azure DevOps Services (OAuth)	dev.azure.com
Azure DevOps Services (PAT)	dev.azure.com

Webhooks

Someone adds a new commit, corresponding TFE workspaces will begin a Terraform run
Someone submits a PR/Merge request to a branch, TFE workspaces will perform a speculative plan.

In Terraform Enterprise: integration with Saas VCS providers (Github.com, Gitlab.com, Bitbucket.com, BitBucket Cloud, or Azure DevOps) requires ingress from the public internet. This lets the inbound web hooks reach TFE.

Your TFE URL must be accessible by VCS Providers webhook service over port 443.

SSH

Terraform can do everything it needs with the provider's API and an OAuth token. The exceptions are Azure DevOps Server and Bitbucket Data Center, which require an SSH key for downloading repository contents.

SSH must be running on the standard port 22 on the VCS server.

3. Cloud Provider Endpoints

Cloud Provider Endpoints

AWS

<service>.<region>.amazonaws.com -OR- *.amazonaws.com

Global endpoints example:

https://ec2.amazonaws.com (EC2 API, global)
https://ec2.<region>.amazonaws.com (EC2 API, per-region)
https://sts.amazonaws.com (STS for assuming IAM roles)
https://iam.amazonaws.com (IAM API)
https://s3.amazonaws.com and https://s3.<region>.amazonaws.com (S3 storage, backends, remote state, module storage)
https://cloudwatch.<region>.amazonaws.com (monitoring/logging)
https://dynamodb.<region>.amazonaws.com (DynamoDB, often used for remote state locks)

See https://docs.aws.amazon.com/general/latest/gr/rande.html

Azure

Dev.azure.com

GCP

<resource>.googleapis.com -OR- *.googleapis.com.

Example:

https://www.googleapis.com/oauth2/v3/token (OAuth / IAM authentication)
https://iam.googleapis.com/ (IAM API)
https://compute.googleapis.com/ (Compute Engine)
https://storage.googleapis.com/ (Cloud Storage, backend state, artifacts)
https://bigquery.googleapis.com/ (BigQuery)
https://dns.googleapis.com/ (Cloud DNS)

4. Cost Estimate

AWS: https://api.pricing.us-east-1.amazonaws.com

It’s region-specific, but us-east-1 is the canonical region AWS uses for pricing queries.

Azure: https://prices.azure.com

GCP: https://cloudbilling.googleapis.com

5. Identity Providers/SSO (SAML)

For SAML-based single sign-on, outbound access may be required to fetch IdP metadata if a metadata URL is used. Manual metadata configuration eliminates this requirement.

IdP	Metadata Endpoint Example	Purpose/Notes
Okta	https://{your-okta-subdomain}.okta.com/app/{app-id}/sso/saml/metadata	Fetches SAML config XML. {your-okta-subdomain} is like dev-123456 or custom domain (e.g., idp.example.com). App ID from Okta app integration.
Microsoft Entra ID (Azure AD)	https://login.microsoftonline.com/{tenant-id}/federationmetadata/2007-06/federationmetadata.xml	Tenant ID from Azure portal (e.g., 12345678-1234-1234-1234-1234567890ab). Use for enterprise apps.
Active Directory Federation Services (ADFS)	https://{adfs-server-domain}/FederationMetadata/2007-06/FederationMetadata.xml https://adfs.company.com/adfs/ls/ https://adfs.company.com/FederationMetadata/2007-06/FederationMetadata.xml	{adfs-server-domain} is your ADFS server FQDN (e.g., adfs.contoso.com). Common for on-premises.
PingFederate / PingOne	https://{your-ping-domain}/idp/{connection-id}/metadata or dynamically generated from admin console	Varies by setup; download from Ping summary or use /sso/sp/metadata for SP-side, but IdP metadata is provided as XML URL in connection config. Check Ping docs for exact path.
Other (Generic SAML IdP)	https://{idp-domain}/saml/metadata or https://{idp-domain}/idp/metadata.xml	Custom IdPs (e.g., Keycloak, Auth0) follow SAML 2.0 standards. Provide the exact URL from IdP admin.

6. Notifications

Terraform Enterprise can send outbound notifications to external services (Slack, Teams, generic webhooks, etc.).

Notification

Example:

https://hooks.slack.com/

https://slack.com/api/

Microsoft Teams:

https://*.office.com/

https://*.office365.com/

https://outlook.office.com/webhook/*

(https://webhooks.company.com/tfe)

SMTP

Emails are sent via the configured SMTP relay.

Your SMTP server: smtp.gmail.com, smtp.office365.com:587

Port 587 (SMTPS), 465 (SMTPS)

7. Other Integrations

ServiceNow	Each ServiceNow instance has a unique subdomain like https://<instance>.service-now.com Example: https://dev12345.service-now.com https://companyname.service-now.com Optionally, if ServiceNow instance is not directly accessible then the customer would have an MID server https://www.servicenow.com/docs/bundle/zurich-servicenow-platform/page/product/mid-server/concept/mid-server-landing.html	ServiceNow -> TFE
Service Graph Connector	Same as above, but TFE contacts ServiceNow to import resources to the ServiceNow instance.	TFE-> ServiceNow Discovering and mapping relationships between the organization's infra, and the ServiceNow CI, then automatically updating the CMBDB
AWS Service catalog	See AWS inCloud Provider
RUN Tasks	You can view the most up-to-date list of run tasks in the Terraform Registry. Checkov (Bridgecrew by Prisma Cloud): https://www.bridgecrew.cloud/ Snyk: https://api.snyk.io/ TFSec / Aquasec Trivy integrations Infracost: https://dashboard.infracost.io/ Kubecost (for Kubernetes infra cost checks) Jira Run Task (via third-party integration): https://<company>.atlassian.net HCP Packer	When a run reaches the point in its lifecycle (usually post-plan, before apply), TFE makes an outbound HTTPS request to the external Run Task service you’ve registered.

Terraform Enterprise Ingress/Egress Requirements