The "network is unreachable" error in Terraform occurs when the system cannot reach a network destination, typically due to missing network routes, incorrect IP configuration, firewall blocking, or VPC/network connectivity issues. This error prevents Terraform from communicating with cloud providers or remote resources.
The "network is unreachable" error is a system-level network error that means the operating system cannot find a valid network route to reach the destination. This commonly happens during Terraform operations when:

1. **Provider communication fails**: Terraform cannot reach cloud provider API endpoints
2. **Resource provisioning blocked**: Cannot connect to instances being provisioned
3. **Module dependencies fail**: Cannot reach remote Terraform modules or artifacts
4. **SSH/RDP connections fail**: Cannot establish provisioner connections to instances

Unlike "connection refused" (which means the network is reachable but the service isn't listening), "network is unreachable" means the entire network path is broken or blocked.
First, confirm that your system has basic network connectivity and can reach external networks:
```bash
# Test ping to public IP (may be blocked, but tests routing)
ping 8.8.8.8
# Test HTTP connectivity
curl -v https://google.com
# Check if you have a default route
ip route show    # Linux
netstat -rn      # macOS
route print      # Windows
```
If even basic internet connectivity fails, the issue is system-wide network configuration, not Terraform-specific.
Ensure your system has a default route configured:
On Linux:
```bash
# View current routes
ip route show
# Add default gateway if missing
sudo ip route add default via 192.168.1.1
# Make persistent (edit /etc/netplan config or /etc/network/interfaces)
# Example netplan (YAML indentation is significant; newer netplan releases
# deprecate gateway4 in favour of a routes: entry):
echo "network:
  version: 2
  ethernets:
    eth0:
      dhcp4: true
      gateway4: 192.168.1.1" | sudo tee /etc/netplan/01-netcfg.yaml
sudo netplan apply
```
On macOS:
```bash
# View current routes
netstat -rn
# Add default route if missing
sudo route add default 192.168.1.1
```
On Windows:
```powershell
# View current routes
route print
# Add default route if missing
route add 0.0.0.0 mask 0.0.0.0 192.168.1.1
```
Check that your IP address is correctly configured:
```bash
# Linux - check IP configuration
ip addr show
ifconfig         # Alternative
# macOS
ifconfig
# Windows
ipconfig /all
```
Look for:
- Valid IP address in correct subnet range
- Netmask/prefix length matching your network
- Gateway address reachable from your subnet
If IP is statically set, verify:
- IP is not in a different subnet than gateway
- Subnet mask allows communication to gateway
- IP is not a broadcast or network address
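The three static-IP checks above can be automated. The following is an added example, not part of the original article; the function name `check_static_config` is hypothetical, and the /24 netmask used for the broken case is an assumption, since the article's broken example gives no netmask.

```python
import ipaddress

def check_static_config(ip, netmask, gateway):
    """Return the problems that would leave the gateway unreachable ([] = OK)."""
    problems = []
    iface = ipaddress.ip_interface(f"{ip}/{netmask}")  # accepts 24 or 255.255.255.0
    net = iface.network
    gw = ipaddress.ip_address(gateway)

    # Checks 1 and 2: the gateway must be on-link, i.e. inside the subnet that
    # the host's own IP and netmask define.
    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}")
    elif gw == iface.ip:
        problems.append(f"gateway {gw} is the host's own address")

    # Check 3: the host must not sit on the network or broadcast address.
    # (/31 and /32 IPv4 prefixes have no such reserved addresses.)
    if net.version == 4 and net.prefixlen < 31:
        if iface.ip == net.network_address:
            problems.append(f"{iface.ip} is the network address of {net}")
        elif iface.ip == net.broadcast_address:
            problems.append(f"{iface.ip} is the broadcast address of {net}")
    return problems

if __name__ == "__main__":
    # Constructed inputs; the first two mirror the article's own examples,
    # the third shows a netmask that cuts the gateway out of the subnet.
    for cfg in [("192.168.1.100", "255.255.255.0", "192.168.1.1"),
                ("192.168.1.100", "255.255.255.0", "10.0.0.1"),
                ("192.168.1.200", "255.255.255.128", "192.168.1.1")]:
        print(cfg, "->", check_static_config(*cfg) or "OK")
```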
Example correct configuration:
```text
IP: 192.168.1.100
Netmask: 255.255.255.0 (/24)
Gateway: 192.168.1.1
(All in same /24 network - 192.168.1.0/24)
```
Example broken configuration:
```text
IP: 192.168.1.100
Gateway: 10.0.0.1
(Different subnets - route impossible without extra routing)
```
If Terraform is running on a cloud instance, ensure proper VPC routing:
AWS EC2:
1. Go to EC2 console > Instances > Select your instance
2. Note the VPC and Subnet
3. Go to VPC > Route Tables > Select the subnet's route table
4. Verify it has:
- Destination: 0.0.0.0/0
- Target: Internet Gateway (igw-xxx)
If missing, add the route:
```bash
aws ec2 create-route \
  --route-table-id rtb-12345 \
  --destination-cidr-block 0.0.0.0/0 \
  --gateway-id igw-12345
```
Azure VMs:
1. Go to Virtual Machines > Select instance > Networking
2. Check Network interfaces > Network security group
3. Verify outbound rules allow traffic:
- Destination: Any or specific required IP
- Action: Allow
GCP Compute Engine:
1. Go to Compute Engine > VM instances > Select instance
2. Click on Network interface
3. Go to VPC network > Firewall rules
4. Verify egress rules allow required traffic
Verify firewall rules are not blocking all outbound traffic:
AWS Security Groups (stateful: return traffic for an allowed outbound connection is permitted automatically):
```bash
# View current egress rules
aws ec2 describe-security-groups \
  --group-ids sg-12345 \
  --query 'SecurityGroups[0].IpPermissionsEgress'
# Add explicit allow rule if missing
aws ec2 authorize-security-group-egress \
  --group-id sg-12345 \
  --protocol tcp \
  --port 443 \
  --cidr 0.0.0.0/0
```
Linux iptables/firewalld:
```bash
# Check if firewall blocks outbound
sudo iptables -L OUTPUT -v
# Allow all outbound traffic (temporary)
sudo iptables -P OUTPUT ACCEPT
# FORWARD only matters if this host routes traffic for other machines
sudo iptables -P FORWARD ACCEPT
# Or allow specific ports
# (-A appends: a DROP/REJECT rule earlier in the chain still matches first)
sudo iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
```
Windows Defender Firewall:
- Settings > Privacy & Security > Windows Defender Firewall
- Click "Allow an app through firewall"
- Verify terraform.exe is allowed for outbound connections
Enable debug logging to see which network path Terraform is trying to reach:
```bash
# Enable Terraform debug logging
# (debug logs can contain sensitive values; delete the file when done)
export TF_LOG=DEBUG
export TF_LOG_PATH=terraform-debug.log
# Run your command
terraform init
# Search for network errors in the log (-E so that | means "or")
grep -iE "network|unreachable|route|dial" terraform-debug.log
# Also check system network logs
sudo journalctl -u systemd-networkd -n 50                    # Linux
log stream --predicate 'eventMessage contains[c] "network"'  # macOS
```
Debug logs will reveal:
- Exact destination IP and port being contacted
- Which provider/component triggered the error
- Network interfaces being used
- Any routing information from the OS
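The following added example (not part of the original article) pulls failed connection attempts out of a debug log and separates "network is unreachable" from "connection refused", the distinction drawn at the top of this page, while flagging IPv6 destinations. It relies on the way Go's `net` package words a failed connect (`dial tcp <host>:<port>: connect: <reason>`); the log lines, the `triage` function and the hint texts are constructed for illustration.

```python
import ipaddress
import re

# Go's net package reports a failed connect as:
#   dial tcp <host>:<port>: connect: <reason>
DIAL_RE = re.compile(
    r"dial tcp[46]? (\[[0-9A-Fa-f:.]+\]|[^\s:\[\]]+):(\d+): connect: "
    r"(network is unreachable|connection refused)"
)
HINTS = {
    "network is unreachable": "no route: check default route / VPC route table",
    "connection refused": "path works, nothing listening: check service and port",
}

# Constructed sample log lines (documentation address ranges)
SAMPLE_LOG = """\
2024-05-01T10:00:01.120Z [DEBUG] example: dial tcp 203.0.113.10:443: connect: network is unreachable
2024-05-01T10:00:02.480Z [DEBUG] example: dial tcp 203.0.113.10:443: connect: network is unreachable
2024-05-01T10:00:03.900Z [DEBUG] example: dial tcp [2001:db8::10]:443: connect: network is unreachable
2024-05-01T10:00:05.015Z [DEBUG] example: dial tcp 198.51.100.7:22: connect: connection refused
"""

def triage(log_text):
    """Return one finding per distinct (host, port, reason), in first-seen order."""
    findings = {}
    for m in DIAL_RE.finditer(log_text):
        host, port, reason = m.group(1).strip("[]"), int(m.group(2)), m.group(3)
        try:
            family = "IPv%d" % ipaddress.ip_address(host).version
        except ValueError:
            family = "hostname"
        hint = HINTS[reason]
        if reason == "network is unreachable" and family == "IPv6":
            hint = "no IPv6 route: host has an IPv6 address but no IPv6 connectivity"
        entry = findings.setdefault((host, port, reason), {
            "host": host, "port": port, "family": family,
            "reason": reason, "hint": hint, "count": 0})
        entry["count"] += 1  # repeated retries collapse into one finding
    return list(findings.values())

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("{host}:{port} ({family}) x{count}: {reason} -> {hint}".format(**f))
```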
Network Namespaces in Containers: If running Terraform in Docker or Kubernetes, the container's network namespace may be isolated. Verify:
- Container has correct network mode (bridge, host, custom)
- DNS is configured for the container network
- Network policies aren't blocking egress
```bash
# Docker: check network mode
docker inspect <container> | grep -A 5 NetworkMode
# Kubernetes: check pod network
kubectl exec <pod> -- ip route show
```
IPv6 vs IPv4 Issues: If your system has IPv6 configured but the network doesn't support it, routing may fail:
- Check if IPv6 addresses are present but unreachable
- Try disabling IPv6 temporarily: `sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1`
- Or explicitly use IPv4 in Terraform configuration
CI/CD Pipeline Specific: If running Terraform in CI/CD (GitHub Actions, GitLab CI, Jenkins):
- Check runner/agent network connectivity to cloud provider APIs
- Self-hosted runners may have network restrictions
- Add explicit outbound firewall rules for runner IP addresses
- Some CI services block outbound connections by default