AWS ALB -> EC2 Subnet Router -> 100.100.123.83 Supported?

Hi, is it supported to have a private in-the-tunnel node as a backend target of an AWS Application Load Balancer?

The ALB needs to be able to initiate connections from its VPC source IP to the web server’s IP (100.100.123.83) inside the tunnel via the subnet router. From the testing I’ve done so far, I can successfully initiate connections from the inside-the-tunnel resource 100.100.123.83 to VPC resources (though I see it’s SNATed), but I can’t successfully initiate connections from the VPC to the resource inside the tunnel. I suspect I could easily target the subnet router directly from the ALB and then have it proxy requests to 100.100.123.83, but I’d prefer the lowest-latency solution possible.

Thank you.

I think the --snat-subnet-routes=false option will help. The first answer in Is Subnet Routers one way? - #2 by DGentry describes this option (the rest of the thread becomes fairly specific to IP cameras).

Thanks for the reply. I had already tried “--snat-subnet-routes=false” and also configuring “more specific routes” so that the ALB would know that in order to initiate connections to 100.x.x.x it’d have to go through the subnet router, but with no success. Then I was thinking it’s strange that I can find a reference in the docs for accessing the VPC from inside the tunnel, but not the other way around, and so maybe it’s just fundamentally not supported. Sounds like it is supported and I just need to do some more troubleshooting / tcpdumping to determine where the misconfig is. Thanks again.

The part I was missing was that I needed to disable source/destination checks on the EC2 Tailscale router instance. Now it’s working great. This allows me to put on-prem workloads behind ALB+WAF+Shield without any complicated VPN or having to expose additional ports/attack surface to the Internet. And preliminary tests show it only adds about 10ms of latency, which could probably be optimized a bit if I used a bigger instance for the Tailscale subnet router.


I know this is an old thread, but do you have any more details about how you got this to work?

I have successfully gotten a subnet router working the normal direction, in that I can connect to a private EC2 instance from a tailscale node at home.

But I can’t get the reverse to work, an EC2 instance on the same VPC as the subnet router can’t access an IP address on the tailscale network (100.*)

I have “stopped” source/destination checking on the subnet router instance, as well as adding 100.0.0.0/8 to the VPC route table with the subnet router instance as the target.

The reachability analyzer confirms that the private instance is routing the 100.* ip request back to the subnet router instance, so it seems the subnet router isn’t properly forwarding.

I’ve tried --snat-subnet-routes=false and --accept-dns=false and made sure ip forwarding is enabled.

Seems like it should be working, or I’m at least close, but I must be missing something. Not really sure what else to try or even how to troubleshoot from this point. Any advice would be much appreciated.

Aaand never mind, figured it out thanks to this Reddit comment!

you need tailscale up --accept-routes on the destination machines too
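The pieces the thread settles on (source/destination check off on the router instance, a VPC route for the tailnet range pointing at that instance, IP forwarding plus --snat-subnet-routes=false on the router, and --accept-routes on the tailnet host the ALB targets) collected into one Terraform sketch. This is an added example, not code posted by anyone in the thread and not Tailscale's or AWS's own documentation. The variable names, AMI, instance size, subnet/route-table IDs, the backend port (443/HTTPS) and the auth-key handling are assumptions; the target address 100.100.123.83 is the one from the thread. Note that it routes 100.64.0.0/10, the CGNAT block Tailscale actually allocates node addresses from, rather than all of 100.0.0.0/8, which also covers public address space.

```hcl
# Added example: ALB -> EC2 Tailscale subnet router -> tailnet host.
# All var.* values are assumptions; supply your own IDs and AMI.
variable "vpc_id" { type = string }
variable "vpc_cidr" { type = string } # e.g. "10.0.0.0/16", advertised to the tailnet
variable "private_subnet_id" { type = string }
variable "private_route_table_id" { type = string }
variable "router_ami" { type = string } # assumed: an Ubuntu AMI id
variable "tailscale_auth_key" {
  type      = string
  sensitive = true # assumed: a one-off, ephemeral key; user_data is readable
}                  # from the instance metadata service, so never reuse it

locals {
  tailnet_cidr = "100.64.0.0/10" # Tailscale's CGNAT range, not 100.0.0.0/8
}

# Security groups are evaluated on the router's ENI for forwarded packets too,
# so admit only what the ALB will send to the tailnet host.
resource "aws_security_group" "router" {
  name   = "tailscale-subnet-router"
  vpc_id = var.vpc_id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.vpc_cidr]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "tailscale_router" {
  ami                    = var.router_ami
  instance_type          = "t3.small"
  subnet_id              = var.private_subnet_id
  vpc_security_group_ids = [aws_security_group.router.id]

  # The fix from the thread: without this, EC2 drops packets whose source or
  # destination is not the instance itself, which is every forwarded packet.
  source_dest_check = false

  user_data = <<-EOF
    #!/bin/bash
    set -euo pipefail
    # Kernel forwarding, persisted across reboots.
    printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\n' \
      > /etc/sysctl.d/99-tailscale.conf
    sysctl -p /etc/sysctl.d/99-tailscale.conf
    curl -fsSL https://tailscale.com/install.sh | sh
    # Advertise the VPC and do not SNAT, so the tailnet host sees the real VPC
    # source address and the VPC side can initiate connections into the tailnet.
    tailscale up \
      --auth-key="${var.tailscale_auth_key}" \
      --advertise-routes="${var.vpc_cidr}" \
      --snat-subnet-routes=false
  EOF
}

# VPC side: send anything for the tailnet range to the router's ENI.
resource "aws_route" "to_tailnet" {
  route_table_id         = var.private_route_table_id
  destination_cidr_block = local.tailnet_cidr
  network_interface_id   = aws_instance.tailscale_router.primary_network_interface_id
}

# ALB side: an IP target group whose member is the tailnet host. Addresses
# outside the VPC CIDR must be registered with availability_zone = "all".
resource "aws_lb_target_group" "onprem_web" {
  name        = "onprem-web"
  port        = 443
  protocol    = "HTTPS"
  target_type = "ip"
  vpc_id      = var.vpc_id
}

resource "aws_lb_target_group_attachment" "onprem_web" {
  target_group_arn  = aws_lb_target_group.onprem_web.arn
  target_id         = "100.100.123.83" # the tailnet host from the thread
  port              = 443
  availability_zone = "all"
}
```

Two things this config cannot do for you: the advertised route still has to be approved in the Tailscale admin console (or covered by an autoApprovers rule), and the on-prem host at 100.100.123.83 needs `tailscale up --accept-routes` so that its replies to the ALB's VPC source address are sent back through the subnet router instead of out its default gateway, which is the missing step the last post identifies.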