aws-ec2-autoscaling-relay-to-private-subnet

ℹ️ This example is intended for users who have an AWS NAT Gateway that they need to route Internet-bound traffic through. A typical use case is having static IP addresses (usually Elastic IPs) that must be used for Internet-bound traffic, for example to restrict access to GitHub or Snowflake to a custom allow-list of IP addresses. AWS NAT Gateway is a hard NAT, which forces connections through DERP. This example deploys a Peer Relay in a public subnet to relay traffic to an App Connector in a private subnet.

diagram for aws-ec2-autoscaling-relay-to-private-subnet

This module creates the following:

  • a VPC and related resources including a NAT Gateway, a public subnet, and a private subnet
  • an EC2 Launch Template and Autoscaling Group for a Tailscale Peer Relay in the public subnet
  • an EC2 Launch Template and Autoscaling Group for a Tailscale App Connector in the private subnet

Policy File Example

{
    "grants": [
        //////////////
        // Peer relays
        //////////////
        {
            "src": ["tag:example-infra"],
            "dst": ["tag:example-relay"],
            "app": {
                "tailscale.com/cap/relay": [],
            },
        },
    ]
}
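
The grant above is written in HuJSON (JSON with comments and trailing commas), so any automated check of the policy has to strip those before parsing. The following Python is an added example, not part of this module: it parses such a policy and lists which src selectors are granted the relay capability for tag:example-relay. The sample policy below and the tag:example-connector grant in it are constructed for the example.

```python
import json
import re

# Added example (not module code). Tags match the README's policy snippet.
RELAY_CAP = "tailscale.com/cap/relay"

# Constructed sample: the README's relay grant plus an unrelated grant, written
# with the HuJSON line comments and trailing commas that json.loads rejects.
SAMPLE_POLICY = """{
    "grants": [
        // Peer relays
        {"src": ["tag:example-infra"], "dst": ["tag:example-relay"],
         "app": {"tailscale.com/cap/relay": []},},
        // App connector reachability (no relay capability here)
        {"src": ["tag:example-infra"], "dst": ["tag:example-connector"], "ip": ["*"],},
    ],
}"""


def hujson_to_json(text):
    """Strip // comments outside string literals, then trailing commas."""
    out, i, in_str = [], 0, False
    while i < len(text):
        c = text[i]
        if in_str or c == '"':              # copy string literals verbatim
            out.append(c)
            if c == "\\" and in_str:        # escaped char, e.g. \" inside a string
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = not in_str
        elif text.startswith("//", i):      # drop comment up to end of line
            nl = text.find("\n", i)
            i = len(text) if nl < 0 else nl
            continue
        else:
            out.append(c)
        i += 1
    return re.sub(r",(\s*[\]}])", r"\1", "".join(out))


def relay_sources(policy_text, relay_tag):
    """Selectors allowed to relay through relay_tag (grants carrying the relay cap)."""
    policy = json.loads(hujson_to_json(policy_text))
    sources = set()
    for grant in policy.get("grants", []):
        if relay_tag in grant.get("dst", []) and RELAY_CAP in grant.get("app", {}):
            sources.update(grant.get("src", []))
    return sources
```

An empty result for the relay tag means no grant carries the relay capability, so nodes fall back to DERP despite the relay being deployed.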

Considerations

  • Any routes advertised by the App Connector must still be approved in the Tailscale Admin Console. The code can be updated to use Auto Approvers for routes if these are configured in your ACLs.

To use

Follow the documentation to configure the Terraform providers:

Deploy

terraform init
terraform apply

To destroy

terraform destroy