AWS ALB -> EC2 Subnet Router -> 100.100.123.83 Supported?

Hi, is it supported to have a private in-the-tunnel node as a backend target of an AWS Application Load Balancer?

The ALB needs to be able to initiate connections from its VPC source IP to the web server’s IP (100.100.123.83) inside the tunnel via the subnet router. From the testing I’ve done so far, I can successfully initiate connections from the inside-the-tunnel resource 100.100.123.83 to VPC resources (though I see it’s SNATed), but I can’t successfully initiate connections from the VPC to the resource inside the tunnel. I suspect I could easily target the subnet router directly from the ALB and then have it proxy requests to 100.100.123.83, but I’d prefer the lowest latency solution possible.

Thank you.

I think the --snat-subnet-routes=false option will help. The first answer in Is Subnet Routers one way? - #2 by DGentry describes this option (the rest of the thread becomes fairly specific to IP cameras).

Thanks for the reply. I had already tried “--snat-subnet-routes=false” and also configuring “more specific routes” so that the ALB would know that in order to initiate connections to 100.x.x.x it’d have to go through the subnet router, but with no success. Then I was thinking it’s strange that I can find a reference in the docs for accessing the VPC from inside the tunnel, but not the other way around, and so maybe it’s just fundamentally not supported. Sounds like it is supported and I just need to do some more troubleshooting / tcpdumping to determine where the misconfig is. Thanks again.

The part I was missing was I needed to disable source/destination checks on the EC2 Tailscale router instance. Now it’s working great. This allows me to put on-prem workloads behind ALB+WAF+Shield without any complicated VPN or having to expose additional ports/attack surface to the Internet. And preliminary tests show it only adds about 10ms of latency, which could probably be optimized a bit if I used a bigger instance for the Tailscale subnet router.

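The configuration the thread converges on (ALB IP target, a more specific route to the tunnel address, a router instance with source/destination check disabled, and `tailscale up` with `--snat-subnet-routes=false`), written up as a Terraform sketch added here; it is not from the thread or from Tailscale's own docs. The AMI, subnet, security group, route table and VPC ids are placeholders, the VPC CIDR 10.0.0.0/16 and the web server listening on TCP/80 are assumptions, and only 100.100.123.83 comes from the thread.

```hcl
variable "vpc_cidr"     { default = "10.0.0.0/16" }     # assumed VPC CIDR
variable "alb_rtb_id"   { default = "rtb-PLACEHOLDER" } # route table of the ALB subnets
variable "webserver_ip" { default = "100.100.123.83" }  # tunnel-side web server, from the thread

# Tailscale subnet router. source_dest_check = false is the step the thread was
# missing: EC2 otherwise drops packets whose destination is not the ENI's own
# address, which is exactly what ALB -> 100.100.123.83 traffic looks like.
resource "aws_instance" "subnet_router" {
  ami                    = "ami-PLACEHOLDER"
  instance_type          = "t3.small"
  subnet_id              = "subnet-PLACEHOLDER"
  vpc_security_group_ids = ["sg-PLACEHOLDER"] # allow TCP/80 from the ALB's SG only
  source_dest_check      = false
  user_data              = <<-EOT
    #!/bin/sh
    sysctl -w net.ipv4.ip_forward=1
    # Advertise the VPC to the tailnet; --snat-subnet-routes=false keeps the
    # ALB's VPC source IP intact so the tunnel node's replies route back here.
    tailscale up --auth-key=tskey-PLACEHOLDER \
      --advertise-routes=${var.vpc_cidr} --snat-subnet-routes=false
  EOT
}

# The "more specific route": the web server's tailnet address is reached via
# the router's ENI instead of following the VPC's default routing.
resource "aws_route" "to_tunnel_webserver" {
  route_table_id         = var.alb_rtb_id
  destination_cidr_block = "${var.webserver_ip}/32"
  network_interface_id   = aws_instance.subnet_router.primary_network_interface_id
}

# ALB target group with an IP target outside the VPC CIDR. 100.64.0.0/10 is one
# of the ranges ALB accepts for IP targets; such targets need availability_zone "all".
resource "aws_lb_target_group" "tunnel_web" {
  name        = "tunnel-web"
  port        = 80
  protocol    = "HTTP"
  target_type = "ip"
  vpc_id      = "vpc-PLACEHOLDER"
}

resource "aws_lb_target_group_attachment" "webserver" {
  target_group_arn  = aws_lb_target_group.tunnel_web.arn
  target_id         = var.webserver_ip
  port              = 80
  availability_zone = "all"
}
```

The router's security group is the choke point: keep its ingress limited to the ALB's security group on the listener port so the subnet router never becomes a path from the wider VPC into the tailnet.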