AWS EC2 with subnet routes

Recent versions of Tailscale work fine even when nodes are placed behind an Amazon Managed NAT Gateway. However, because of the way the Managed NAT Gateway works, it blocks Tailscale's direct UDP connections, which slows Tailscale down and adds latency.

To avoid this issue, you can install one Tailscale node on your AWS network and have it route traffic on behalf of your whole VPC (Virtual Private Cloud) subnet. This maximizes performance and minimizes bandwidth costs.

In the steps below, we’ll set up a fresh Amazon EC2 VPC with Amazon Managed NAT Gateway, then configure a Tailscale relay to offer secure access to that VPC. We’ll create a new VPC from scratch, but once you’re comfortable, you can adapt these instructions to set up Tailscale on an existing VPC too.
