• Overview
    • Enforce Policy as Code
    • Infrastructure as Code
    • Inject Secrets into Terraform
    • Integrate with Existing Workflows
    • Manage Kubernetes
    • Manage Virtual Machine Images
    • Multi-Cloud Deployment
    • Network Infrastructure Automation
    • Terraform CLI
    • Terraform Cloud
    • Terraform Enterprise
  • Registry
  • Tutorials
    • About the Docs
    • Intro to Terraform
    • Configuration Language
    • Terraform CLI
    • Terraform Cloud
    • Terraform Enterprise
    • Provider Use
    • Plugin Development
    • Registry Publishing
    • Integration Program
    • Terraform Tools
    • CDK for Terraform
    • Glossary
  • Community
GitHubTerraform Cloud
Download

    Terraform Enterprise Admin

  • Overview
    • Credentials
    • Hardware
      • Supported OS
      • RedHat Linux
      • CentOS Linux
      • Operational Mode
      • PostgreSQL
      • Minio Setup Guide
      • External Vault
    • Network
    • Docker Engine
  • Operational Modes
    • Overview
    • AWS Reference Architecture
    • Azure Reference Architecture
    • GCP Reference Architecture
    • VMware Reference Architecture
    • Pre-Install Checklist
      • 1. Run Installer
      • 2. Configure in Browser
      • Automated Installation
      • Active/Active
      • Initial User Automation
      • Encryption Password
    • Uninstall
    • Configuration
    • Team Membership
    • Attributes
    • Login
      • Sample Auth Request
      • ADFS
      • Azure Active Directory
      • Okta
      • OneLogin
    • Troubleshooting
    • Overview
      • Automated Recovery
      • Upgrades
      • Log Forwarding
      • Monitoring
      • Backups and Restores
      • Admin CLI Commands
      • Terraform Cloud Agents on TFE
      • Demo to Mounted Disk Migration
    • Terraform Cloud Agents on TFE
      • Accessing the Admin Interface
      • General Settings
      • Customization
      • Integration Settings
      • Managing Accounts & Resources
      • Module Sharing
      • Admin API
      • Updating Terraform Enterprise License
    • Terraform Enterprise Logs
    • Overview
    • Architecture Summary
    • Reliability & Availability
    • Capacity & Performance
    • Security Model
    • Overview
      • Overview
      • v202206-1
      • v202205-1
      • v202204-2
      • v202204-1
      • v202203-1
      • v202202-1
      • v202201-2
      • v202201-1
      • Overview
      • v202112-2
      • v202112-1
      • v202111-1
      • v202110-1
      • v202109-2
      • v202109-1
      • v202108-1
      • v202107-1
      • v202106-1
      • v202105-1
      • v202104-1
      • v202103-3
      • v202103-2
      • v202103-1
      • v202102-2
      • v202102-1
      • v202101-1
      • Overview
      • Overview
      • Overview
  • Support
  • Application Usage

  • Overview
  • Plans and Features
  • Getting Started
    • API Docs template
    • Overview
    • Account
    • Agent Pools
    • Agent Tokens
    • Applies
    • Audit Trails
    • Comments
    • Configuration Versions
    • Cost Estimates
    • Feature Sets
    • Invoices
    • IP Ranges
    • Notification Configurations
    • OAuth Clients
    • OAuth Tokens
    • Organizations
    • Organization Memberships
    • Organization Tags
    • Organization Tokens
    • Plan Exports
    • Plans
    • Policies
    • Policy Checks
    • Policy Sets
    • Policy Set Parameters
      • Modules
      • Providers
      • Private Provider Versions and Platforms
      • GPG Keys
    • Runs
      • Run Tasks
      • Stages and Results
      • Custom Integration
    • Run Triggers
    • SSH Keys
    • State Versions
    • State Version Outputs
    • Subscriptions
    • Team Access
    • Team Membership
    • Team Tokens
    • Teams
    • User Tokens
    • Users
    • Variables
    • VCS Events
    • Workspaces
    • Workspace-Specific Variables
    • Workspace Resources
    • Variable Sets
      • Overview
      • Module Sharing
      • Organizations
      • Runs
      • Settings
      • Terraform Versions
      • Users
      • Workspaces
    • Changelog
    • Stability Policy
    • Overview
    • Creating Workspaces
    • Naming
    • Terraform Configurations
      • Overview
      • Managing Variables
      • Overview
      • VCS Connections
      • Access
      • Drift Detection
      • Notifications
      • SSH Keys for Modules
      • Run Triggers
      • Run Tasks
    • Terraform State
    • JSON Filtering
    • Remote Operations
    • Viewing and Managing Runs
    • Run States and Stages
    • Run Modes and Options
    • UI/VCS-driven Runs
    • API-driven Runs
    • CLI-driven Runs
    • The Run Environment
    • Installing Software
    • Users
    • Teams
    • Organizations
    • Permissions
    • Two-factor Authentication
    • API Tokens
      • Overview
      • Microsoft Azure AD
      • Okta
      • SAML
      • Linking a User Account
      • Testing
    • Overview
    • GitHub.com
    • GitHub.com (OAuth)
    • GitHub Enterprise
    • GitLab.com
    • GitLab EE and CE
    • Bitbucket Cloud
    • Bitbucket Server and Data Center
    • Azure DevOps Services
    • Azure DevOps Server
    • Troubleshooting
    • Overview
    • Adding Public Providers and Modules
    • Publishing Private Providers
    • Publishing Private Modules
    • Using Providers and Modules
    • Configuration Designer
  • Migrating to Terraform Cloud
    • Overview
    • Using Sentinel with Terraform 0.12
    • Manage Policies
    • Enforce and Override Policies
    • Mocking Terraform Sentinel Data
    • Working With JSON Result Data
      • Overview
      • tfconfig
      • tfconfig/v2
      • tfplan
      • tfplan/v2
      • tfstate
      • tfstate/v2
      • tfrun
    • Example Policies
    • Overview
    • AWS
    • GCP
    • Azure
      • Overview
      • Service Catalog
      • Admin Guide
      • Developer Reference
      • Example Customizations
      • V1 Setup Instructions
    • Splunk Integration
    • Kubernetes Integration
    • Run Tasks Integration
    • Overview
    • IP Ranges
    • Data Security
    • Security Model
    • Overview
    • Part 1: Overview of Our Recommended Workflow
    • Part 2: Evaluating Your Current Provisioning Practices
    • Part 3: How to Evolve Your Provisioning Practices
    • Part 3.1: From Manual Changes to Semi-Automation
    • Part 3.2: From Semi-Automation to Infrastructure as Code
    • Part 3.3: From Infrastructure as Code to Collaborative Infrastructure as Code
    • Part 3.4: Advanced Workflow Improvements

  • Terraform Cloud Agents

  • Other Docs

  • Intro to Terraform
  • Configuration Language
  • Terraform CLI
  • Terraform Cloud
  • Terraform Enterprise
  • Provider Use
  • Plugin Development
  • Registry Publishing
  • Integration Program
  • Terraform Tools
  • CDK for Terraform
  • Glossary
Type '/' to Search

»Network Requirements for Terraform Enterprise

The Linux instance that runs Terraform Enterprise must allow several kinds of incoming network access. Terraform Enterprise also needs to access several external services to handle updates and resource downloads.

»Ingress

»Source — User/Client/VCS

  • 80: Terraform Enterprise application access (HTTP; redirects to HTTPS)
  • 443: Terraform Enterprise application access (HTTPS)

Important: Integration with a SaaS VCS provider (GitHub.com, GitLab.com, Bitbucket Cloud, or Azure DevOps Services) requires ingress from the public internet. This lets the inbound web hooks reach Terraform Enterprise. You should also configure appropriate security controls, such as a Web Application Firewall (WAF).

»Source — Administrators

  • 22: SSH access (administration and debugging)
  • 8800: Replicated (TFE setup dashboard, HTTPS)

»Source — TFE Server(s)

  • 8201: Vault HA request forwarding (only necessary when operating in Active/Active mode)

Additionally, the following ports are used by various application components internally. This list serves as a point of reference; it is not necessary to expose these ports for accessibility in a firewall:

  • 2003: Graphite (Carbon) feeding port (monitoring, metrics)
  • 2004: Graphite (Carbon) feeding port (monitoring, metrics)
  • 3121: TFE private registry
  • 4150-4151, 4160-4161, 4170-4171: Replicated NSQD (messaging platform daemon for internal communication)
  • 5432: PostgreSQL
  • 5672: RabbitMQ TFE worker coordination
  • 6379: Redis (application-level caching and coordination)
  • 7586: TFE ingress (pulls in version control system data for application, stores it via Archivist)
  • 7588: TFE state parser
  • 7675: TFE Archivist (stores data in object storage, encrypts it via Vault)
  • 8086: InfluxDB default UDP Service (monitoring, metrics)
  • 8125: StatsD (monitoring, metrics)
  • 8200: Vault (encryption service)
  • 9292: Atlas engine (old name of TFE engine)
  • 9870-9880 (inclusive): host and subnet traffic only; not publicly accessible
    • 9873: Replicated Retraced engine API (Replicated audit subcomponent)
    • 9874-9879: Replicated entry point span
  • 23000-23100 (inclusive): host and subnet traffic only; not publicly accessible
    • 23005: TFE health check point
    • 23020: Nomad (scheduler for Sentinel runs)
  • 32774-32776: Replicated internal Graphite and StatsD ports (mapped to external ports 2003, 2004, and 8125)

»Egress

»Destination - Online Installations

If Terraform Enterprise is installed in online mode, it accesses the following hostnames to get software updates:

  • api.replicated.com
  • get.replicated.com
  • registry-data.replicated.com
  • registry.replicated.com
  • *.quay.io
  • cdn.quay.io
  • quay-registry.s3.amazonaws.com
  • *.cloudfront.net
  • hub.docker.com
  • index.docker.io
  • auth.docker.io
  • registry-1.docker.io
  • download.docker.com
  • production.cloudflare.docker.com
  • install.terraform.io

Additionally, the following hostnames are accessed unless a custom Terraform bundle is supplied:

  • registry.terraform.io (when using Terraform 0.12 and later)
  • releases.hashicorp.com
  • https://yy0ffni7mf-dsn.algolia.net/ (for public provider and module curation)

Note: Airgapped installs do not check for updates over the network.

»Destination - Additional Outbound Network Targets

Terraform Enterprise also needs egress access to:

  • any VCS servers/services that will be utilized
  • login/authentication servers if SAML will be configured (ADFS, Okta, etc)
  • the various cloud API endpoints that will be managed with Terraform
  • any other third party services that will either be integrated with the Terraform Enteprise server or managed with it.

»Destination - Cost Estimation APIs

When Cost Estimation is enabled, it uses the respective cloud provider's APIs to get up-to-date pricing info.

  • api.pricing.us-east-1.amazonaws.com
  • cloudbilling.googleapis.com
  • prices.azure.com

Note: Versions of Terraform Enterprise earlier than v202105-1 used management.azure.com and ratecard.azure-api.net rather than prices.azure.com.

»Other Configuration

  1. If a firewall is configured on the instance, run one of the following to allow traffic to flow out of the docker0 interface to the instance's primary address. We recommend doing this before you install Docker.

    • To use UFW, run: ufw allow in on docker0
    • To use firewalld, run: firewall-cmd --permanent --zone=trusted --change-interface=docker0
  2. Get a domain name for the instance. Using an IP address to access the product is not supported as many systems use TLS and need to verify that the certificate is correct, which can only be done with a hostname at present.

  3. For GCP only: Configure Docker to use an MTU (maximum transmission unit) of 1460, as required by Google (GCP Cloud VPN Documentation: MTU Considerations).

    To configure Docker's MTU, create an /etc/docker/daemon.json file with the following content:

    {
      "mtu": 1460
    }
    
    {
      "mtu": 1460
    }
    
  4. Ensure the Docker bridge network address is not in use elsewhere on the network. If it is, please refer to the Docker documentation for information on how to change it.

Note: Beginning in version v202004-1, non-default Docker networks named tfe_services and tfe_terraform_isolation were added for the Terraform Enterprise component Docker containers as part of a network segmentation update. Custom configuration may be required for MTU settings.

  • Overview
  • Docs
  • Extend
  • Privacy
  • Security
  • Press Kit
  • Consent Manager