
Deploys an AWS EC2 instance (bastion host) preconfigured for Tailscale access.


cdk-tailscale-bastion


This package creates an AWS EC2 instance (bastion) configured for Tailscale. It covers the Tailscale AWS VPC guide as well as most of the Tailscale RDS guide.

Using Tailscale to access your VPC permits high performance connectivity whilst avoiding SSH or the overhead & limitations of Session Manager.

Installation

JS/TS: npm i cdk-tailscale-bastion -D

C#: dotnet add package CDK.Tailscale.Bastion

Instructions

The Tailscale auth key should be passed in via Secrets Manager and NOT hardcoded in your application.

import { App, Stack } from 'aws-cdk-lib';
import { Vpc } from 'aws-cdk-lib/aws-ec2';
import { Secret } from 'aws-cdk-lib/aws-secretsmanager';
import { TailscaleBastion } from 'cdk-tailscale-bastion';

// A stack and a VPC to place the bastion in (substitute your own)
const app = new App();
const stack = new Stack(app, 'BastionStack');
const vpc = new Vpc(stack, 'Vpc');

// Secrets Manager: reference the existing secret that holds the auth key
const secret = Secret.fromSecretNameV2(stack, 'ApiSecrets', 'tailscale');

// The construct reads the auth key from the 'AUTH_KEY' field of that secret at deploy time
const bastion = new TailscaleBastion(stack, 'Sample-Bastion', {
  vpc,
  tailscaleCredentials: {
    secretsManager: {
      secret: secret,
      key: 'AUTH_KEY',
    },
  },
});

Naturally, whatever resource you intend to reach must allow inbound connections from the bastion on the relevant port.

Tailscale Auth Key

I recommend generating an ephemeral key that carries a tag for the bastion, for ease of teardown and tracking:

Tailscale Configuration

Once deployed, unless you have auto-approval enabled, you'll need to manually enable the subnet routes in the Tailscale admin console.

You'll also need to set up the nameserver. The bastion construct conveniently outputs the settings you need for Tailscale's DNS configuration:

Provided your configuration is correct, a direct connection to your internal resources should now be possible.

4via6 Support

If you wish to use 4via6 subnet routers, you can pass the IPv6 address via the advertiseRoute property:

new TailscaleBastion(stack, 'Cdk-Sample-Lib', {
  vpc,
  tailscaleCredentials: ...,
  advertiseRoute: 'fd7a:115c:a1e0:b1a:0:7:a01:100/120',
});
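
The construct passes the advertiseRoute string through unchanged, so it is up to you to get the 4via6 form right. As an added example (my own helper, not part of cdk-tailscale-bastion or of Tailscale's tooling), the following builds and parses routes in the 4via6 layout the value above uses: the fixed prefix fd7a:115c:a1e0:b1a:0, then the site ID and the IPv4 network as hex groups, with a prefix length of 96 plus the IPv4 prefix length. The function names, the site ID range check and the host-bits check are my own assumptions; it handles only the uncompressed address form shown above.

```typescript
// Added helper, not part of cdk-tailscale-bastion: builds and parses the 4via6
// route strings that the advertiseRoute property expects.
// Layout: fd7a:115c:a1e0:b1a:0:<siteId hex>:<ipv4 high 16 bits>:<ipv4 low 16 bits>/<96 + ipv4 prefix>
const FOUR_VIA6_PREFIX = 'fd7a:115c:a1e0:b1a:0';

/** Parse a dotted-quad IPv4 address into four octets, throwing on malformed input. */
function parseIpv4(addr: string): number[] {
  const parts = addr.split('.');
  if (parts.length !== 4) throw new Error(`invalid IPv4 address: ${addr}`);
  return parts.map((p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error(`invalid IPv4 octet: ${p}`);
    return Number(p);
  });
}

/** Build the 4via6 route for a site ID and an IPv4 CIDR, e.g. (7, '10.1.1.0/24'). */
function fourVia6Route(siteId: number, ipv4Cidr: string): string {
  // Assumed range: one 16-bit IPv6 group is available for the site ID
  if (!Number.isInteger(siteId) || siteId < 0 || siteId > 0xffff) {
    throw new Error(`site ID must be an integer in 0..65535, got ${siteId}`);
  }
  const cidrParts = ipv4Cidr.split('/');
  const prefix = Number(cidrParts[1]);
  if (cidrParts.length !== 2 || !Number.isInteger(prefix) || prefix < 0 || prefix > 32) {
    throw new Error(`invalid IPv4 CIDR: ${ipv4Cidr}`);
  }
  const [a, b, c, d] = parseIpv4(cidrParts[0]);
  // Reject host bits set inside the network portion, so a mistyped CIDR does not
  // silently advertise a different block than intended.
  const ip = ((a << 24) | (b << 16) | (c << 8) | d) >>> 0;
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  if (((ip & mask) >>> 0) !== ip) {
    throw new Error(`host bits set in ${ipv4Cidr}; use the network address`);
  }
  // IPv6 groups are written in hex without leading zeros
  const hi = ((a << 8) | b).toString(16);
  const lo = ((c << 8) | d).toString(16);
  return `${FOUR_VIA6_PREFIX}:${siteId.toString(16)}:${hi}:${lo}/${96 + prefix}`;
}

/** Inverse: recover the site ID and IPv4 CIDR from an uncompressed 4via6 route string. */
function parseFourVia6Route(route: string): { siteId: number; ipv4Cidr: string } {
  const routeParts = route.split('/');
  const groups = (routeParts[0] ?? '').toLowerCase().split(':');
  const prefix = Number(routeParts[1]);
  if (routeParts.length !== 2 || groups.length !== 8 || groups.slice(0, 5).join(':') !== FOUR_VIA6_PREFIX) {
    throw new Error(`not an uncompressed 4via6 route: ${route}`);
  }
  if (!Number.isInteger(prefix) || prefix < 96 || prefix > 128) {
    throw new Error(`4via6 prefix length must be 96..128, got ${routeParts[1]}`);
  }
  const [site, hi, lo] = groups.slice(5).map((g) => (/^[0-9a-f]{1,4}$/.test(g) ? parseInt(g, 16) : NaN));
  if ([site, hi, lo].some((n) => Number.isNaN(n))) {
    throw new Error(`malformed 4via6 groups in ${route}`);
  }
  const ipv4 = `${hi >> 8}.${hi & 0xff}.${lo >> 8}.${lo & 0xff}`;
  return { siteId: site, ipv4Cidr: `${ipv4}/${prefix - 96}` };
}

// Round-trips the value used in the snippet above: site 7 advertising 10.1.1.0/24
console.log(fourVia6Route(7, '10.1.1.0/24')); // fd7a:115c:a1e0:b1a:0:7:a01:100/120
console.log(parseFourVia6Route('fd7a:115c:a1e0:b1a:0:7:a01:100/120'));
```

Generating the string from the site ID and IPv4 CIDR you actually mean, rather than hand-typing it, avoids advertising the wrong block; the parser is handy for checking a route you were handed before putting it into advertiseRoute.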

Incoming routes

If you have other subnet routers configured in Tailscale, you can use the incomingRoutes property to configure VPC route table entries for all private subnets.

new TailscaleBastion(stack, 'Sample-Bastion', {
  vpc,
  tailscaleCredentials: ...,
  incomingRoutes: [
    '192.168.1.0/24',
  ],
});