AWS CloudFormation template for Tailscale VPC Subnet Router Demo.
This is an AWS CloudFormation template that deploys a Tailscale subnet router architecture in an AWS VPC.
With this architecture, any node on your Tailscale network (tailnet) can reach resources behind the router, including instances in private subnets that have no public IP.
The template builds the following resources:
- VPC (10.0.0.0/16)
- NAT Gateway
- 2 AZs * 2 subnets (public, private)
- EC2 (Amazon Linux 2)
  - subnet router (Tailscale client installed)
  - instance behind the router
Upload the template when you create a new stack.
Be warned that you have to specify an existing EC2 key pair; it is the only way to SSH into the instances.
On the subnet router EC2, the template installs Tailscale and enables IP forwarding (net.ipv4.ip_forward), but the node still has to be joined to your tailnet by hand.
To spin up a subnet router, run the following command.
$ sudo tailscale up \
--advertise-routes=10.0.0.0/16 \
--hostname=vpc-subnet-router
To authenticate, visit:
https://login.tailscale.com/a/abcde
This command advertises the subnet 10.0.0.0/16 (= the VPC CIDR) to the tailnet.
An advertised route is not used until it is approved: open the machine in the Tailscale admin console and approve the route (or approve it through an autoApprovers rule in the tailnet policy). Until then the route shows as advertised but traffic to 10.0.0.0/16 is not forwarded.
Note also that the router source-NATs forwarded traffic by default, so the instances behind it see connections coming from the router's VPC address; their security groups must allow that.
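A quick check to run on the router after `tailscale up` and route approval, as an added example that is not part of the template. It parses the output of `tailscale status --json` (the field names Self.TailscaleIPs and Self.AllowedIPs are taken from that output as I know it; treat them as an assumption and check against your client version) and confirms that the VPC CIDR is actually approved, not just advertised, and that the kernel is forwarding. The status document embedded below is a constructed sample so the script also runs where `tailscale` is not installed.

```python
"""Check the subnet router's state from `tailscale status --json`.

Added example (not part of the template). Field names are taken from the
JSON that `tailscale status --json` prints (Self.TailscaleIPs and
Self.AllowedIPs); treat them as an assumption and check against your
client version. Run it on the router after `tailscale up`.
"""
import ipaddress
import json
import subprocess
import sys

VPC_CIDR = "10.0.0.0/16"          # the route advertised above
IP_FORWARD_PATH = "/proc/sys/net/ipv4/ip_forward"

# Constructed sample of `tailscale status --json`, trimmed to the fields
# used here. AllowedIPs holds the node's own Tailscale addresses plus every
# subnet route that has been approved; an advertised but unapproved route
# is absent from it, which is exactly the failure this script catches.
SAMPLE_STATUS = json.dumps({
    "Self": {
        "HostName": "vpc-subnet-router",
        "TailscaleIPs": ["100.91.173.79", "fd7a:115c:a1e0::1"],
        "AllowedIPs": ["100.91.173.79/32", "fd7a:115c:a1e0::1/128",
                       "10.0.0.0/16"],
    }
})


def tailscale_ipv4(status_json: str):
    """Return the node's IPv4 Tailscale address (what `tailscale ip -4` prints)."""
    for addr in json.loads(status_json)["Self"].get("TailscaleIPs", []):
        if ipaddress.ip_address(addr).version == 4:
            return addr
    return None


def approved_routes(status_json: str):
    """Subnet routes the control plane has approved for this node."""
    node = json.loads(status_json)["Self"]
    own = {ipaddress.ip_address(a) for a in node.get("TailscaleIPs", [])}
    routes = []
    for prefix in node.get("AllowedIPs", []):
        net = ipaddress.ip_network(prefix, strict=False)
        # A /32 or /128 for the node's own address is not a subnet route.
        if net.num_addresses == 1 and net.network_address in own:
            continue
        routes.append(net)
    return routes


def route_approved(status_json: str, cidr: str) -> bool:
    """True if `cidr` is covered by an approved route of the same family."""
    want = ipaddress.ip_network(cidr, strict=False)
    return any(r.version == want.version and want.subnet_of(r)
               for r in approved_routes(status_json))


def parse_ip_forward(text: str) -> bool:
    """Interpret the contents of net.ipv4.ip_forward."""
    return text.strip() == "1"


def ip_forward_enabled(path: str = IP_FORWARD_PATH) -> bool:
    try:
        with open(path) as fh:
            return parse_ip_forward(fh.read())
    except OSError:           # not Linux, or the file is unreadable
        return False


def main() -> bool:
    try:
        out = subprocess.run(["tailscale", "status", "--json"], check=True,
                             capture_output=True, text=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print(f"tailscale status unavailable ({exc}); using the sample",
              file=sys.stderr)
        out = SAMPLE_STATUS
    ok_route = route_approved(out, VPC_CIDR)
    ok_fwd = ip_forward_enabled()
    print("tailscale ipv4 :", tailscale_ipv4(out))
    print("approved routes:", [str(r) for r in approved_routes(out)])
    print(f"{VPC_CIDR} approved: {ok_route}")
    print(f"ip_forward enabled: {ok_fwd}")
    return ok_route and ok_fwd


if __name__ == "__main__":
    sys.exit(0 if main() else 1)
```

A non-zero exit means either the route has not been approved yet or forwarding is off; in the second case `sudo sysctl -w net.ipv4.ip_forward=1` (and persisting it under /etc/sysctl.d) is the fix.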
You can confirm the IP address assigned by Tailscale:
Subnet-Router-Node $ tailscale ip -4
100.91.173.79
Use this IP to SSH into the router from any node on the tailnet (note the -i option for the key pair):
$ ssh -i /path/to/private.pem ec2-user@100.91.173.79
Now the fun part.
From a tailnet node you can traceroute and SSH to an instance (10.0.2.20) behind the subnet router (100.91.173.79). The first hop is the router's Tailscale address; the second is the private VPC address.
$ traceroute 10.0.2.20
traceroute to 10.0.2.20 (10.0.2.20), 64 hops max, 52 byte packets
1 100.91.173.79 (100.91.173.79) 27.135 ms 17.935 ms 18.342 ms
2 10.0.2.20 (10.0.2.20) 19.396 ms 18.852 ms 18.364 ms
$ ssh -i /path/to/private.pem ec2-user@10.0.2.20
If an RDS instance is created without public accessibility, its endpoint hostname still resolves to a private VPC address, even when queried from outside the VPC. That address lies inside the advertised route, so RDS instances are reachable from the tailnet in the same way:
$ dig +short database.xxx.eu-central-1.rds.amazonaws.com
10.0.3.176
$ mysqlsh --uri=admin@database.xxx.eu-central-1.rds.amazonaws.com:3306
...
MySQL database-1.c75dvgjlkohb.eu-central-1.rds.amazonaws.com:3306 ssl JS >
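Advertising 10.0.0.0/16 makes the whole VPC a destination for the tailnet, and a tailnet's default policy (accept from `*` to `*:*`) lets every member reach every address in it, RDS included. The following is an added example, not part of the template, of a least-privilege tailnet policy beside the permissive default, with a small evaluator so the two can be compared offline. The group, tag and user names are invented; the key names (acls, groups, tagOwners, autoApprovers) are those of the tailnet policy file. The evaluator is a deliberately simplified model of Tailscale's ACL semantics (users, groups and CIDR:port destinations only; no tags, autogroups or protocol field), not Tailscale's own code.

```python
"""Tailnet policy that limits what the advertised VPC route exposes.

Added example, not part of the template. Policy names below (group:vpc-admins,
tag:vpc-router, alice@example.com) are assumptions; the 10.0.3.0/24 subnet is
assumed to hold RDS, based on the 10.0.3.176 address above. The evaluator is a
simplified model of the ACL semantics, not Tailscale's implementation.
"""
import ipaddress
import json

# The permissive default every new tailnet starts with.
DEFAULT_OPEN_POLICY = {
    "acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}],
}

# Least-privilege replacement: only vpc-admins reach the VPC, and only on
# the ports they need. autoApprovers lets a router tagged tag:vpc-router
# (`tailscale up --advertise-tags=tag:vpc-router ...`) have its VPC route
# approved without a manual click in the admin console.
POLICY = {
    "groups": {"group:vpc-admins": ["alice@example.com"]},
    "tagOwners": {"tag:vpc-router": ["alice@example.com"]},
    "autoApprovers": {"routes": {"10.0.0.0/16": ["tag:vpc-router"]}},
    "acls": [
        # SSH to anything in the VPC, MySQL only to the subnet holding RDS.
        {"action": "accept", "src": ["group:vpc-admins"],
         "dst": ["10.0.0.0/16:22", "10.0.3.0/24:3306"]},
    ],
}


def _src_matches(policy, entry, user):
    if entry == "*":
        return True
    if entry.startswith("group:"):
        return user in policy.get("groups", {}).get(entry, [])
    return entry == user


def _port_matches(spec, port):
    if spec == "*":
        return True
    for part in spec.split(","):            # "22,3306" or "8000-8080"
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _dst_matches(entry, ip, port):
    host, _, ports = entry.rpartition(":")  # "10.0.0.0/16:22" -> host, ports
    if host != "*":
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(host, strict=False):
            return False
    return _port_matches(ports, port)


def allowed(policy, user, dst_ip, dst_port):
    """Does any accept rule let `user` reach dst_ip:dst_port? Default deny."""
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        if not any(_src_matches(policy, s, user) for s in rule["src"]):
            continue
        if any(_dst_matches(d, dst_ip, dst_port) for d in rule["dst"]):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for user, ip, port in [("alice@example.com", "10.0.2.20", 22),
                           ("alice@example.com", "10.0.3.176", 3306),
                           ("alice@example.com", "10.0.2.20", 3306),
                           ("bob@example.com", "10.0.2.20", 22)]:
        print(f"{user} -> {ip}:{port}: "
              f"open={allowed(DEFAULT_OPEN_POLICY, user, ip, port)} "
              f"restricted={allowed(POLICY, user, ip, port)}")
```

With the open policy every case is allowed; with the restricted one only alice's SSH to the VPC and her MySQL connection to the RDS subnet pass, and bob gets nothing. Paste the POLICY document into the tailnet policy file (it is HuJSON, so the JSON printed by the script is valid) and keep the rule set as narrow as the demo needs.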