Skip to content

terraform/aws: update dual-subnet example to use peer relay #41

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
clstokes merged 3 commits into from
Nov 16, 2025
Merged

terraform/aws: update dual-subnet example to use peer relay #41

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
43e9d49
terraform/aws: update dual-subnet example to use peer relay
clstokes Nov 16, 2025
11f3d70
update aws-ec2-autoscaling example for updated asg internal module
clstokes Nov 16, 2025
db486b5
update aws-ec2-autoscaling-sessoin-recorder example for updated asg i…
clstokes Nov 16, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
43 changes: 0 additions & 43 deletions terraform/aws/aws-ec2-autoscaling-dual-subnet/README.md
View file
Open in desktop

This file was deleted.

Binary file removed ...-ec2-autoscaling-dual-subnet/assets/diagram-aws-ec2-autoscaling-dual-subnet.png
View file
Open in desktop
Binary file not shown.
25 changes: 0 additions & 25 deletions terraform/aws/aws-ec2-autoscaling-dual-subnet/outputs.tf
View file
Open in desktop

This file was deleted.

54 changes: 54 additions & 0 deletions terraform/aws/aws-ec2-autoscaling-relay-to-private-subnet/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
# aws-ec2-autoscaling-relay-to-private-subnet

> :information_source: This example is intended for users that have a AWS NAT Gateway that they need to route Internet-bound traffic through. A use case for this is if you have _static IP addresses_ (typically Elastic IPs) that need to use for Internet-bound traffic such as restricting access to GitHub or Snowflake to a custom allow-list of IP addrresses. AWS NAT Gateway is a Hard NAT which forces [DERP connections](https://tailscale.com/kb/1257/connection-types#derp-connections). This example deploys a [Peer Relay](https://tailscale.com/kb/1591/peer-relays) to a Public Subnet to relay traffic to an App Connector in a Private Subnet.

![diagram for aws-ec2-autoscaling-relay-to-private-subnet](./assets/aws-ec2-autoscaling-relay-to-private-subnet.png)

This module creates the following:

- a VPC and related resources including a NAT Gateway, a public subnet, and a private subnet
- an EC2 Launch Template and Autoscaling Group for a Tailscale Peer Relay in the **_public_** subnet
- an EC2 Launch Template and Autoscaling Group for a Tailscale App Connector in the **_private_** subnet

## Policy File Example

```json
{
"grants": [
//////////////
// Peer relays
//////////////
{
"src": ["tag:example-infra"],
"dst": ["tag:example-relay"],
"app": {
"tailscale.com/cap/relay": [],
},
},
]
}
```

## Considerations

- Any advertised routes for the App Connector must still be approved in the Tailscale Admin Console. The code can be updated to use [Auto Approvers for routes](https://tailscale.com/kb/1018/acls/#auto-approvers-for-routes-and-exit-nodes) if this is configured in your ACLs.

## To use

Follow the documentation to configure the Terraform providers:

- [Tailscale](https://registry.terraform.io/providers/tailscale/tailscale/latest/docs)
- [AWS](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)

### Deploy

```shell
terraform init
terraform apply
```

## To destroy

```shell
terraform destroy
```
Loading