Deny all with IP exception to webapp admin console

I have a publicly hosted webapp on GCP with a deny all rule on the frontend Nginx config admin url (eg: www.webapp.com/admin) with a single static IP as an exception.

I was looking at a traditional VPN provider to allow other members of my team access the admin console by changing the current static IP to the static IP that the VPN provides. That way other members of my team would have access when connected to VPN.

How would i do the above solution but with tailscale?

You can install tailscale on the machine, and the machines that you want to be able to connect to the service. Then bind the service to the tailscale address on the server.

Then from the clients, you can use the tailscale ip or MagicDNS name to access the service, and everything will route over the tailscale tunnels.