I feel like this is a weird question that might not even be an issue with my Tailscale setup but here goes. We have 2 RDS databases, a primary and a replica. The primary is not publicly accessible and is access controlled via security groups within our VPC. The replica is publicly available and that is controlled via IP restrictions in a security group. They are both in the same VPC but on different subnets. The private subnet that the primary is in has a route table with a local and a NAT gateway entry. The public subnet that the replica is in has a local and an internet gateway entry.
I’ve set up Tailscale with a subnet router according to the docs. I can access the private primary RDS instance but I cannot access the read-only replica. The connection times out as if it can’t resolve the host name or as if a security group is preventing access. I’ve triple checked everything (CAVEAT: I’m a networking neophyte) and the only difference I can see is the NAT gateway versus internet gateway in the route tables.
My main question is just to confirm that I should be able to set up access via Tailscale to the replica in the public subnet. I don’t see why it should matter whether it’s publicly accessible or not.
I’d welcome any tips for debugging why connections time out to the replica.
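A debugging helper added here as an example (not code from the original post or from Tailscale): given the replica endpoint, its port and the CIDRs the subnet router advertises (all assumed inputs, e.g. `10.0.0.0/16`), it resolves the endpoint as this client sees it, reports whether that address falls inside an advertised route (so the packets go through the subnet router) or not (so they leave the client directly and meet the replica's IP-restricted security group), and attempts a TCP connect. The distinction matters because a publicly accessible RDS endpoint resolves to its public IP from outside the VPC and to its private IP only from inside it; `getent` (glibc) and `nc` are assumed to be available.

```shell
#!/bin/sh
# Added debugging helper (not from the original post). Assumed inputs: the
# replica endpoint, its DB port and the CIDRs the Tailscale subnet router
# advertises, e.g. "10.0.0.0/16". Requires getent (glibc) and nc.

# Dotted-quad IPv4 -> 32-bit integer.
ip_to_int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit status 0 when $1 (an IPv4 address) lies inside $2 (a CIDR).
ip_in_cidr() {
  ip=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Print "tailscale" if the address is covered by any advertised route
# (space-separated list), otherwise "direct": the packets never reach the
# subnet router and hit the replica's IP-restricted security group instead.
path_for() {
  addr=$1
  for cidr in $2; do
    if ip_in_cidr "$addr" "$cidr"; then echo tailscale; return 0; fi
  done
  echo direct
}

# Resolve the endpoint the way this client does (a publicly accessible RDS
# endpoint resolves to its public IP outside the VPC, to the private IP inside
# it), report the path, then try a TCP connect with a 5 s timeout.
check_endpoint() {
  host=$1; port=$2; routes=$3
  addr=$(getent ahostsv4 "$host" | awk 'NR==1 {print $1}')
  [ -n "$addr" ] || { echo "DNS: $host did not resolve"; return 2; }
  echo "$host -> $addr (path: $(path_for "$addr" "$routes"))"
  if nc -z -w 5 "$addr" "$port"; then echo "TCP $port: open"; else echo "TCP $port: timed out/refused"; fi
}

# Usage: sh check.sh <replica-endpoint> <port> "<advertised CIDRs>"
if [ $# -ge 3 ]; then check_endpoint "$@"; fi
```

If the reported path is `direct`, the resolved address is not covered by the advertised routes, and the fix is on the routing/DNS side (resolve the private address or advertise the right range) rather than in the security group itself.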