Cloud Connections
Cloud Connections link your cloud accounts and on-premises infrastructure to Realm9. Once connected, you can create Terraform projects that deploy infrastructure into those accounts, and pull cost data into FinOps.
Path: /connections
Supported Providers
| Provider | Authentication |
|---|---|
| AWS | Cross-account IAM role with External ID |
| Azure | Federated identity via Service Principal |
| GCP | Service Account (basic support) |
| On-Premises (Proxmox) | API token + Site-to-Site VPN |
| On-Premises (VMware vCenter) | API credentials + Site-to-Site VPN |
Licence notes: A second provider type (multi-cloud) requires the Starter tier or above. On-premises connections and VMware vCenter support require the Enterprise tier.
Connections List
The connections page shows all configured connections as cards. Each card displays:
- Provider icon and name
- Connection name and status (Active, Inactive, Error)
- For AWS: Account ID and region
- For Azure: Subscription ID
- For On-Premises: subnet CIDR, hypervisor endpoint, and VPN status badge
- Number of connection roles and linked Terraform projects
Filters: Search by name, filter by provider, filter by status.
Creating a Connection
AWS
- Click Add Connection → AWS
- Enter a Connection Name
- Enter your AWS Account ID (12-digit)
- Select a Region (default: us-east-1)
- Copy the External ID that Realm9 generates — you'll need this when creating the IAM role in AWS
- In your AWS account, create an IAM role with a trust policy that allows Realm9's account to assume it, using the provided External ID to prevent confused deputy attacks
- Save the connection, then add the role ARN in the Connection Roles section
- Click Test Connection to verify
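As an added example (not Realm9's own code, and not its real account ID), the trust policy the IAM-role step above asks for, built and checked in Python; the Realm9 account ID and External ID below are constructed placeholders, to be replaced with the values shown in the Realm9 UI:

```python
import json

# Constructed placeholders: substitute the account ID Realm9 shows and the
# External ID it generates for this connection.
REALM9_ACCOUNT_ID = "111111111111"   # placeholder, not Realm9's real account
EXTERNAL_ID = "realm9-ext-example-0000"  # placeholder, not a real External ID


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy that lets only the trusted account assume the role, and only
    when the AssumeRole call presents the matching External ID (the
    confused-deputy guard the step above refers to)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_problems(policy: dict, trusted_account_id: str, external_id: str) -> list:
    """Check an existing trust policy against the expected pattern. Returns a
    list of findings; an empty list means every AssumeRole grant is scoped to the
    trusted account and requires the External ID."""
    problems = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be unwrapped
        statements = [statements]
    expected = {f"arn:aws:iam::{trusted_account_id}:root", trusted_account_id}
    for i, stmt in enumerate(statements):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue                        # only Allow-AssumeRole grants matter here
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else (aws or [])
        if not aws:
            problems.append(f"statement {i}: no AWS principal")
        for p in aws:                       # wildcard or foreign account = anyone can assume
            if p == "*" or p not in expected:
                problems.append(f"statement {i}: principal {p!r} is not the trusted account")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            problems.append(f"statement {i}: sts:ExternalId condition missing or wrong")
    return problems


if __name__ == "__main__":
    print(json.dumps(build_trust_policy(REALM9_ACCOUNT_ID, EXTERNAL_ID), indent=2))
```

Paste the printed document as the role's trust relationship in the AWS console, then run `trust_policy_problems` over the policy AWS stores to confirm nothing was widened during editing.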
Azure
- Click Add Connection → Azure
- Enter a Connection Name
- Select an Azure Region
- Realm9 uses federated identity — no client secrets are stored. Create a Service Principal in your Azure AD tenant and grant it the necessary permissions on your subscription
- Enter the Tenant ID and Subscription ID
- Save and test
GCP
- Click Add Connection → GCP
- Enter a Connection Name and your GCP Project ID
- Save and test
On-Premises (Proxmox or VMware vCenter)
On-premises connections provision a Site-to-Site VPN between Realm9's AWS infrastructure and your network, allowing Terraform to reach your hypervisors securely.
Required fields:
| Field | Description |
|---|---|
| Hypervisor Type | Proxmox or VMware vCenter |
| On-Prem Subnet | Your internal network CIDR (e.g. 192.168.50.0/24) |
| Public IP | Your router's WAN IP — must be publicly routable, not an RFC1918 address |
| Router Vendor | pfSense, OPNsense, OpenWrt, Mikrotik, Ubiquiti, Linux strongSwan, or Other |
Proxmox-specific:
- Proxmox API endpoint (e.g. https://192.168.50.10:8006)
- Node name (e.g. pve)
- SSH username and password for file operations
VMware vCenter-specific:
- vCenter hostname or IP
- Datacenter and cluster names
- Port (e.g. 443)
Multiple hypervisors sharing the same subnet and public IP (e.g. multiple Proxmox nodes on the same network) can reuse an existing VPN connection.
Connection Roles
Each connection has one or more Connection Roles — the IAM identities that Terraform assumes when executing runs.
- AWS: IAM role ARN with session duration (15 minutes to 12 hours)
- Azure: Service Principal client ID and object ID (no secrets stored)
Role Validation
Realm9 validates each role to check whether it can be assumed and whether its permissions match what your Terraform code requires:
| Status | Meaning |
|---|---|
| Pending | Not yet validated |
| Validating | Validation check in progress |
| Valid | Role can be assumed and permissions are correct |
| Invalid | AssumeRole failed — check trust policy |
| Drift | Role is assumable but permissions have changed since last validation |
| Expired | Role has been deleted in the cloud provider |
| Error | Validation error — check the error details |
Realm9 tracks:
- Granted permissions — what the role currently has
- Detected permissions — what your Terraform code actually needs
- Denied permissions — permissions explicitly denied to the role
Click Validate on any role to run a fresh check. Roles are also re-validated automatically before each Terraform run.
Testing a Connection
Click Test Connection on any connection to verify:
- AWS: Attempts to assume the linked IAM role via STS using the External ID
- Azure: Acquires an access token via federated identity
- GCP: Validates the project configuration
- On-Premises: Checks VPN tunnel status and hypervisor API reachability
The test result (success or failure with error details) is saved and displayed on the connection card.
On-Premises VPN
For on-premises connections, Realm9 provisions an AWS Site-to-Site VPN to create an encrypted tunnel between Realm9's infrastructure and your network.
Provisioning the VPN
From the connection detail page, click Provision VPN. Realm9 creates the AWS VPN Gateway, Customer Gateway, and tunnel configuration automatically.
VPN Statuses
| Status | Meaning |
|---|---|
| Provisioning | AWS resources being created |
| Active | Tunnels are up and operational |
| Tunnel Down | One or both tunnels are not passing traffic |
| Error | Configuration error |
| Destroying | VPN teardown in progress |
| Destroyed | VPN has been removed |
The VPN costs approximately $36 USD/month (AWS Site-to-Site VPN pricing).
Router Configuration
Once the VPN is provisioned, download the Router Configuration file for your specific router vendor (pfSense, Mikrotik, etc.). The file contains:
- Tunnel endpoint IP addresses
- Pre-shared keys (PSKs) for both tunnels
- IPSec phase 1 and phase 2 settings in vendor-specific syntax
- Step-by-step deployment instructions
VPN Health Check
Click Health Check to verify the current state of:
- AWS tunnel 1 and tunnel 2 status
- On-premises hypervisor reachability
- API credentials validity
Deleting a Connection
Before deleting, Realm9 shows a deletion preview that lists:
- Terraform projects using this connection (deletion is blocked if any exist — remove or reassign them first)
- Connection roles that will be deleted
- FinOps cost records and sync jobs that will be removed
Confirm the preview to proceed.
Relationship to Terraform Projects
Every Terraform project requires a cloud connection and a connection role:
- The connection determines which cloud account Terraform targets
- The role provides the credentials Terraform assumes during runs
One connection can serve multiple Terraform projects — for example, one AWS account connection with separate IAM roles for networking, compute, and database projects.
Role-Based Access
| Action | Viewer | User | Provisioner | Admin |
|---|---|---|---|---|
| View connections | — | — | ✓ | ✓ |
| Add / edit / delete connections | — | — | ✓ | ✓ |
| Add / validate connection roles | — | — | ✓ | ✓ |
| Test connections | — | — | ✓ | ✓ |
| Provision / destroy VPN | — | — | ✓ | ✓ |
| Download router configuration | — | — | ✓ | ✓ |
