Trouble with AWS subnet routes

We’re trying to create Tailscale relays in multiple aws accounts, sharing the same configuration (ie. terraform deployed) and the routing doesn’t seem to work.

  • our VPCs all are in the range , and tailscale advertises the same cidr block.

  • I can verify that my local machine can ping the tailscale node

  • ssh’ing into the tailscale node, I can verify that the node can route to another EC2 instance without a public IP in a private subnet, using ping BUT using tailscale ping it returns no matching peer

  • And, obviously, ssh’ing from my local machine to the EC2 instance in a private subnet consistently yield a timeout.

ubuntu@ip:~$ ping

PING ( 56(84) bytes of data.

64 bytes from icmp_seq=1 ttl=64 time=0.671 ms

64 bytes from icmp_seq=2 ttl=64 time=1.04 ms

64 bytes from icmp_seq=3 ttl=64 time=0.643 ms

64 bytes from icmp_seq=4 ttl=64 time=0.665 ms

64 bytes from icmp_seq=5 ttl=64 time=0.678 ms


--- ping statistics ---

5 packets transmitted, 5 received, 0% packet loss, time 4000ms

rtt min/avg/max/mdev = 0.643/0.739/1.041/0.154 ms

ubuntu@ip-10-0-11-30:~$ tailscale ping

no matching peer

Tailscale is started with the following flags:

sudo tailscale up --advertise-routes= --authkey=tskey-xxxxxxxxxxxx-xxxxxxxxxxxxx

Any help would be greatly appreciated!

PS. For completeness, we contacted support about 2 weeks ago to have the domain attached to our tailscale network changed

After a bit of digging, I suspect that for a given private IP range ie for example, only one relay can exist otherwise tailscale is confused about where the traffic should be routed to, is that correct?

If that’s the case should be fairly simple to fix by using different cidrs for each account.

Would appreciate confirmation that this is the way Tailscale operates, thank you (and sorry for the silly question, really)

Yes. If multiple subnet routers advertise the same route, they are treated as a high availability group and only one of them will be active at a time. If the active router drops out of contact with the coordination server, one of the secondaries will be activated to replace it.

To reach multiple independent VPCs, the subnet router for each needs to offer a unique CIDR route for it.

Thank you for your help that makes total sense.