Been trying to use subnet routers to connect to a bunch of private instances that sit behind a load balancer in GCP. I cannot install the Tailscale agent onto these load balancers.
I have instead created an instance called ‘subnet-router’, installed the agent onto that box (which sits in the same network as the load-balanced boxes), advertised the routes to the network and enabled the DNS which is meant to route any “.internal” domain through 169.254.169.254; however, it is just not working. I still can’t go to any .internal domain, and I can’t access the boxes behind the load balancer from my local machine.
I don’t really understand how the subnet router box I have created helps this, as it just advertises routes on a private network… any machine could do that, so how would it know which one to use?
Creating a GCE instance behind the load balancer in the same VPC as the private instances you’re trying to reach should be able to work.
169.254.169.254 is the DNS server Google uses within GCE. That Tailscale node can offer a route to 169.254.169.254, allowing DNS to be set up for *.internal.
There is a Knowledge Base article which walks through how to do this:
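As an added illustration of the setup described in this reply (it is not the Knowledge Base article and not Tailscale's own code), the script below brings up a GCE VM as a subnet router that advertises both the VPC subnet and a /32 for the GCE resolver. The subnet 10.128.0.0/20 is an assumed value; replace it with your VPC's range. Route approval and the split DNS mapping for the internal domain are done in the admin console, not from the VM.

```shell
#!/bin/sh
# Added example: configure a GCE VM as a Tailscale subnet router that also
# exposes the GCE internal resolver (169.254.169.254) to the tailnet.
VPC_SUBNET="${VPC_SUBNET:-10.128.0.0/20}"   # assumed VPC range, change it
GCE_DNS="169.254.169.254/32"                 # GCE metadata / internal DNS

# Accept only well-formed IPv4 CIDRs so a typo never reaches tailscale up.
valid_cidr() {
  case "$1" in
    *[!0-9./]*|*/|/*|*..*|*./*|.*) return 1 ;;
  esac
  ip="${1%/*}"; len="${1#*/}"
  [ "$ip" != "$1" ] || return 1                       # no "/len" present
  [ "$len" -ge 0 ] 2>/dev/null && [ "$len" -le 32 ] || return 1
  set -- $(printf '%s' "$ip" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
  return 0
}

# Build the comma-separated value for --advertise-routes, always appending
# the resolver /32 so .internal lookups can be forwarded through the router.
advertise_arg() {
  out=""
  for r in "$@" "$GCE_DNS"; do
    valid_cidr "$r" || { echo "bad CIDR: $r" >&2; return 1; }
    out="${out:+$out,}$r"
  done
  printf '%s\n' "$out"
}

# A subnet router silently drops forwarded traffic unless ip_forward is on.
forwarding_enabled() {
  [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

apply_subnet_router() {
  routes=$(advertise_arg "$VPC_SUBNET") || return 1
  if ! forwarding_enabled; then
    printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\n' \
      | sudo tee /etc/sysctl.d/99-tailscale.conf >/dev/null
    sudo sysctl -p /etc/sysctl.d/99-tailscale.conf
  fi
  # Routes still need approval in the admin console; split DNS for
  # "internal" -> 169.254.169.254 is configured there as well.
  sudo tailscale up --advertise-routes="$routes"
}

if [ "${1:-}" = "--apply" ]; then apply_subnet_router; fi
```

On a client, run `tailscale up --accept-routes` (Linux) so the advertised subnet and resolver route are installed, then a lookup of a `.internal` name should be answered by the GCE resolver via the router.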
Yeah, but that load balancer is balancing over, let’s say, 5 machines; this means you would need the Tailscale agent installed on 5 machines, right? The subnet router (by the looks of it) seems to remove that requirement. I might be wrong here?
The problem is, one of the services only permits traffic from the load balancer, so if you are going directly to the machine because it has the agent installed on it, it’s not coming from the load balancer and the SSL cert will be rejected.
Tailscale works by establishing direct WireGuard sessions between peers whenever possible, which use UDP frames on port 41641. If direct connections are not possible, the communication will be via a DERP relay instead. Both nodes make an outgoing HTTPS connection to the DERP relay, so the incoming HTTPS rules wouldn’t block it.
It likely would be better to install Tailscale on the 5 backend servers if possible. I imagine it would just work, using DERP as needed if it can’t get WireGuard packets through directly.