2
votes

If I understand correctly, when we run Terraform commands, traffic is sent somewhere on the public Internet, such as to a cloud-based Terraform server or to the cloud provider, to make a plan and deploy resources.

For the management plan, is it possible for me to configure Terraform traffic to create resources within an Azure subnet directly, without sending traffic through the Internet? I would like to restrict a specific Terraform VM when deploying resources, or force Terraform deployment messages through a private path.

Thanks.

1
Terraform talks to cloud APIs via HTTP over TLS. There are no "Terraform servers". You can't avoid sending traffic through the Internet to do something on somebody else's machine. - l0b0
I also guessed so. Thanks a lot for your quick response. - Dark Night

1 Answer

0
votes

For Azure, Terraform uses the azurerm provider, which talks to Azure via REST APIs at https://management.azure.com/.

To be sure traffic doesn't go through the Internet, you could set up an HTTP proxy and ensure that Terraform uses the proxy (see docs). Then you could host the proxy on a VM running in Azure, and connect to the VM via a VPN or an ExpressRoute.
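
An added example, not part of the answer above or of Terraform's documentation: a fail-closed preflight check to run before Terraform when using the proxy approach, assuming the proxy is supplied through the `HTTPS_PROXY` and `NO_PROXY` environment variables. The `login.microsoftonline.com` host and the `NO_PROXY` matching rules (a conservative approximation) are assumptions.

```shell
#!/bin/sh
# Hosts the run must reach through the proxy. management.azure.com is from the
# answer; login.microsoftonline.com is an assumption (Azure public-cloud sign-in).
REQUIRED_HOSTS="management.azure.com login.microsoftonline.com"

# would_bypass HOST NO_PROXY_VALUE -> returns 0 if a NO_PROXY entry covers HOST.
# Conservative approximation: "*" matches everything, and an entry (with or
# without a leading dot) matches that name and all of its subdomains.
would_bypass() {
    host=$1
    old_ifs=$IFS; IFS=','
    set -f                          # keep a literal "*" entry from globbing
    for entry in $2; do
        entry=$(printf '%s' "$entry" | tr -d ' ' | tr 'A-Z' 'a-z')
        entry=${entry#.}
        [ -z "$entry" ] && continue
        [ "$entry" = "*" ] && { IFS=$old_ifs; set +f; return 0; }
        case "$host" in
            "$entry"|*."$entry") IFS=$old_ifs; set +f; return 0 ;;
        esac
    done
    IFS=$old_ifs; set +f
    return 1
}

# proxy_preflight PROXY_URL NO_PROXY_VALUE -> returns 0 only if a proxy URL is
# configured and every required host would be sent to it.
proxy_preflight() {
    case "$1" in
        http://?*|https://?*) ;;
        *) echo "HTTPS_PROXY is not set to an http(s) URL" >&2; return 1 ;;
    esac
    for h in $REQUIRED_HOSTS; do
        if would_bypass "$h" "$2"; then
            echo "NO_PROXY would send $h direct, bypassing the proxy" >&2
            return 1
        fi
    done
    return 0
}

# Usage (not run here): refuse to start Terraform unless the check passes.
# proxy_preflight "${HTTPS_PROXY:-$https_proxy}" "${NO_PROXY:-$no_proxy}" \
#     && terraform plan
```

The check covers only the environment configuration; denying direct outbound traffic from the Terraform host at the network layer is what makes a bypass fail instead of silently succeeding.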