Introduction
Tailscale is a great mesh VPN that needs minimal setup to join a private network on top of the internet.
One of its great features is the relay[1], which forwards traffic from your laptop to your cloud infrastructure using only private IP addresses.
One drawback of this feature is that anyone on the mesh can access your infrastructure.
The good news is that we can set up ACLs[2] to restrict access to specific people.
Set up ACLs for user accounts
Use case
Let’s start with 3 teams:
- Developer folks
- Data Analysis folks
- Platform folks
The Platform folks need access to all parts of the infrastructure. The Developer folks only need to check the web application. The Data Analysis folks only need to read some data on the staging databases.
Let’s assume that the staging databases are located on a dedicated subnet: 10.0.42.0/24
Use tags and ACLs
The global access policy for Tailscale is defined in a single file, a big JSON file.
The simplest way to implement our scoped policy is to define 3 groups:
- platform
- developer
- datanalyst
  "groups": {
    "group:platform": [
      "jean@corp.com",
      "paulette@corp.com",
    ],
    "group:developer": [
      "pierre@corp.com",
      "rachel@corp.com",
    ],
    "group:datanalyst": [
      "quentin@corp.com",
      "david@corp.com",
    ],
  },
Define the proper ACLs
At this stage we have 3 user groups, so we need to define ACL blocks to restrict what each group can reach.
  "acls": [
    {"action": "accept", "src": ["group:platform"], "dst": ["*:*"]},
    {"action": "accept", "src": ["group:developer"], "dst": ["*:80"]},
    {"action": "accept", "src": ["group:datanalyst"], "dst": ["*:5432"]},
  ],
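Added here as an example (not code from the original post or from Tailscale): a small Python evaluator for the subset of ACL syntax used above, so you can check what each group can actually reach before pushing the policy. Note that "*:80" and "*:5432" mean that port on every host in the Tailnet, so the constructed policy below narrows the data-analyst rule to the staging subnet defined earlier; the identities, IPs and ports are constructed values.

```python
import ipaddress
# Constructed policy: this post's groups and rules, except that the data-analyst
# rule is narrowed from "*:5432" to the 10.0.42.0/24 staging subnet.
POLICY = {
    "groups": {
        "group:platform": ["jean@corp.com", "paulette@corp.com"],
        "group:developer": ["pierre@corp.com", "rachel@corp.com"],
        "group:datanalyst": ["quentin@corp.com", "david@corp.com"],
    },
    "acls": [
        {"action": "accept", "src": ["group:platform"], "dst": ["*:*"]},
        {"action": "accept", "src": ["group:developer"], "dst": ["*:80"]},
        {"action": "accept", "src": ["group:datanalyst"], "dst": ["10.0.42.0/24:5432"]},
    ],
}

def src_matches(entry, identity, groups):
    # identity is a user email or a "tag:name"; group:* entries are expanded
    if entry == "*":
        return True
    if entry.startswith("group:"):
        return identity in groups.get(entry, [])
    return entry == identity

def dst_matches(entry, ip, port):
    # entry is "host:port"; host is "*", an IPv4 address or a CIDR (no IPv6 here)
    host, _, port_spec = entry.rpartition(":")
    if port_spec != "*":
        lo, _, hi = port_spec.partition("-")
        if not int(lo) <= port <= int(hi or lo):
            return False
    return host == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(host, strict=False)

def is_allowed(policy, identity, ip, port):
    # default deny: True only if some accept rule matches both a src and a dst
    groups = policy.get("groups", {})
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        if any(src_matches(s, identity, groups) for s in rule["src"]) and any(
            dst_matches(d, ip, port) for d in rule["dst"]
        ):
            return True
    return False

if __name__ == "__main__":
    # "*:80" is every host, so developers still reach port 80 on the DB subnet
    print(is_allowed(POLICY, "pierre@corp.com", "10.0.42.7", 80))   # True
    print(is_allowed(POLICY, "quentin@corp.com", "10.0.7.7", 5432))  # False
```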
Set up ACLs for machine accounts
Use case
In a cloud world, it can be very useful to run an external CI/CD platform against our platform infrastructure.
Most of them either use runners managed by the CI/CD platform or self-hosted runners managed by in-house operators.
One benefit of self-hosted runners is that they can run inside the infrastructure without any public access.
One drawback is that self-hosted agents need to be managed by someone.
Why not use the runners provided by the CI/CD platform and reach the infrastructure over a private network?
Apply a tag on a runner
One cool feature of Tailscale is that a tag can be applied to a node based on the specific auth key used to connect to the Tailnet.
So during the CI/CD run (a GitHub Action in this example) the runner joins the Tailnet:
  - name: Connect Tailnet
    uses: tailscale/github-action@main
    with:
      authkey: ${{ secrets.TAILSCALE_AUTHKEY }}
      version: ${{ env.TAILSCALE_VERSION }}
At this stage the runner has joined the Tailnet and is tagged.
Define the proper ACL for a tag
The last step is to apply an ACL to the specific tag.
  "acls": [
    {"action": "accept", "src": ["tag:gh-runners"], "dst": ["*:ANY_CONTROL_PLANE_PORT"]},
  ],