Commit eafe2c4

Merge branch 'main' into clstokes/tsrecorder-stable
2 parents dbc49b8 + d5b4fb4 commit eafe2c4

15 files changed: +555 -555 lines changed


terraform/aws/aws-ec2-autoscaling-dual-subnet/README.md

Lines changed: 0 additions & 43 deletions
This file was deleted.
Binary file not shown.

terraform/aws/aws-ec2-autoscaling-dual-subnet/outputs.tf

Lines changed: 0 additions & 25 deletions
This file was deleted.
Lines changed: 54 additions & 0 deletions
@@ -0,0 +1,54 @@
1+
# aws-ec2-autoscaling-relay-to-private-subnet
2+
3+
> :information_source: This example is intended for users that have a AWS NAT Gateway that they need to route Internet-bound traffic through. A use case for this is if you have _static IP addresses_ (typically Elastic IPs) that need to use for Internet-bound traffic such as restricting access to GitHub or Snowflake to a custom allow-list of IP addrresses. AWS NAT Gateway is a Hard NAT which forces [DERP connections](https://tailscale.com/kb/1257/connection-types#derp-connections). This example deploys a [Peer Relay](https://tailscale.com/kb/1591/peer-relays) to a Public Subnet to relay traffic to an App Connector in a Private Subnet.
4+
5+
![diagram for aws-ec2-autoscaling-relay-to-private-subnet](./assets/aws-ec2-autoscaling-relay-to-private-subnet.png)
6+
7+
This module creates the following:
8+
9+
- a VPC and related resources including a NAT Gateway, a public subnet, and a private subnet
10+
- an EC2 Launch Template and Autoscaling Group for a Tailscale Peer Relay in the **_public_** subnet
11+
- an EC2 Launch Template and Autoscaling Group for a Tailscale App Connector in the **_private_** subnet
12+
13+
## Policy File Example
14+
15+
```json
16+
{
17+
"grants": [
18+
//////////////
19+
// Peer relays
20+
//////////////
21+
{
22+
"src": ["tag:example-infra"],
23+
"dst": ["tag:example-relay"],
24+
"app": {
25+
"tailscale.com/cap/relay": [],
26+
},
27+
},
28+
]
29+
}
30+
```
31+
32+
## Considerations
33+
34+
- Any advertised routes for the App Connector must still be approved in the Tailscale Admin Console. The code can be updated to use [Auto Approvers for routes](https://tailscale.com/kb/1018/acls/#auto-approvers-for-routes-and-exit-nodes) if this is configured in your ACLs.
35+
36+
## To use
37+
38+
Follow the documentation to configure the Terraform providers:
39+
40+
- [Tailscale](https://registry.terraform.io/providers/tailscale/tailscale/latest/docs)
41+
- [AWS](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)
42+
43+
### Deploy
44+
45+
```shell
46+
terraform init
47+
terraform apply
48+
```
49+
50+
## To destroy
51+
52+
```shell
53+
terraform destroy
54+
```
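Review bot: The "Policy File Example" section shows only the `tailscale.com/cap/relay` grant from `tag:example-infra` to `tag:example-relay`, but never says which nodes `tag:example-infra` is meant to cover or how either tag relates to the two Autoscaling Groups the module creates, so a reader cannot tell whether the App Connector in the private subnet is actually allowed to use the relay or which Terraform variable these tags must match. Suggest stating which tag the module applies to the Peer Relay and which to the App Connector, and noting that the grant above only authorizes use of the relay; access to the routes the App Connector advertises still needs its own ACL or grant entry. Smaller points in the same hunk: the callout under the heading has "a AWS NAT Gateway" (should be "an AWS NAT Gateway"), "that need to use for Internet-bound traffic" (missing "you"), and "IP addrresses" (one r); and the policy block is fenced as `json` although it relies on `//` comments and trailing commas, which is Tailscale's HuJSON policy syntax rather than strict JSON, so a `jsonc`/HuJSON label or a one-line note would avoid confusing readers who paste it into a strict JSON validator.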
