Public IPv4 Address + Subnet Forwarding

Tailscale user:
Our customer support uses Postman to hit internal APIs, and we typically facilitate this through IP whitelisting at the Security Group level. One of our members has a satellite connection that reallocates her IP frequently, so I was hoping to Tailscale her in - seems like a great solution.

We have hundreds of these endpoints hardcoded to the public IP address of our API server. I followed the subnet routes guide, configuring it to use the instance’s public IP with a /32 CIDR range, but I can’t ping or resolve HTTP requests from my laptop. (The internal Tailscale-assigned IP does work).

Do you think this feature can work with the public IP?

Tailscale support:
If I understand correctly, you’ve installed Tailscale on your member’s device (the one using a satellite connection). Have you also installed it on your API server (or some server or virtual machine on the same subnet)?
Essentially, you’ll want to configure the IP whitelist to contain the (non-Tailscale) IP address of the endpoint where Tailscale traffic is emerging. If that’s the API server itself then that’s ideal, but it could be any device that has a public IP address that is in your whitelist.

This article is relevant: