This package creates an AWS EC2 instance (a bastion) configured for Tailscale. It covers the Tailscale AWS VPC guide as well as most of the Tailscale RDS guide.
Using Tailscale to reach your VPC gives high-performance connectivity while avoiding SSH and the overhead and limitations of Session Manager.
JS/TS: `npm i cdk-tailscale-bastion -D`
C#: `dotnet add package CDK.Tailscale.Bastion`
The Tailscale auth key should be passed in via Secrets Manager and NOT hardcoded in your application.

```typescript
import { Secret } from 'aws-cdk-lib/aws-secretsmanager';
import { TailscaleBastion } from 'cdk-tailscale-bastion';

// `stack` is your CDK Stack and `vpc` is the ec2.IVpc the bastion should be placed in.
// Secrets Manager: the secret named `tailscale` holds the auth key under the `AUTH_KEY` JSON field.
const secret = Secret.fromSecretNameV2(stack, 'ApiSecrets', 'tailscale');

const bastion = new TailscaleBastion(stack, 'Sample-Bastion', {
  vpc,
  tailscaleCredentials: {
    secretsManager: {
      secret: secret,
      key: 'AUTH_KEY',
    },
  },
});
```
Naturally, whatever resource you intend to reach must allow inbound connections from the bastion on the relevant port.
I recommend generating an ephemeral key that includes the bastion as a tag, for ease of teardown and tracking.
Once deployed, unless you have auto-approval enabled, you'll need to manually approve the subnet routes in the Tailscale admin console.
You'll also need to set up the nameserver. The bastion construct conveniently outputs the settings you require for Tailscale's DNS configuration.
If your configuration is correct, a direct connection to your internal resources should now be possible.
If you wish to use 4via6 subnet routers, you can pass the IPv6 address via the `advertiseRoute` property:

```typescript
new TailscaleBastion(stack, 'Cdk-Sample-Lib', {
  vpc,
  tailscaleCredentials: ...,
  advertiseRoute: 'fd7a:115c:a1e0:b1a:0:7:a01:100/120',
});
```
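The 4via6 address above encodes a site ID and an IPv4 prefix. As an added example (not part of cdk-tailscale-bastion), this TypeScript helper builds the `advertiseRoute` string from a site ID and an IPv4 CIDR, and decodes one back so you can check exactly which VPC range a route exposes before deploying; the layout is Tailscale's documented 4via6 format, and the function names are mine.

```typescript
// Constructed example (not part of cdk-tailscale-bastion): derive and verify the
// Tailscale 4via6 route string used for the construct's `advertiseRoute` property.
// 4via6 layout: fd7a:115c:a1e0:b1a:0:<site ID>:<IPv4 high 16 bits>:<IPv4 low 16 bits>/<96 + IPv4 prefix>
const VIA_PREFIX = [0xfd7a, 0x115c, 0xa1e0, 0x0b1a];

// Render 8 hextets as canonical IPv6 text (longest zero run of 2+ collapsed to '::').
function formatIPv6(groups: number[]): string {
  let best = -1, bestLen = 0;
  for (let i = 0; i < 8; i++) {
    if (groups[i] !== 0) continue;
    let j = i;
    while (j < 8 && groups[j] === 0) j++;
    if (j - i > bestLen) { best = i; bestLen = j - i; }
    i = j;
  }
  const hex = (g: number) => g.toString(16);
  if (bestLen < 2) return groups.map(hex).join(':');
  return `${groups.slice(0, best).map(hex).join(':')}::${groups.slice(best + bestLen).map(hex).join(':')}`;
}
// Expand IPv6 text (at most one '::') back to hextets; the caller checks the count.
function parseIPv6(text: string): number[] {
  const [left, right] = text.split('::');
  const hextets = (s?: string) => (s ? s.split(':').map(h => parseInt(h, 16)) : []);
  const l = hextets(left), r = hextets(right);
  const fill = text.includes('::') ? new Array(Math.max(0, 8 - l.length - r.length)).fill(0) : [];
  return [...l, ...fill, ...r];
}
// Site ID + IPv4 CIDR -> 4via6 route, e.g. (7, '10.1.1.0/24') -> 'fd7a:115c:a1e0:b1a:0:7:a01:100/120'.
function to4via6(siteId: number, ipv4Cidr: string): string {
  const [addr, plen] = ipv4Cidr.split('/');
  const octets = addr.split('.').map(Number);
  const prefix = Number(plen);
  if (!Number.isInteger(siteId) || siteId < 0 || siteId > 0xffff) throw new Error(`bad site ID: ${siteId}`);
  if (octets.length !== 4 || octets.some(o => !Number.isInteger(o) || o < 0 || o > 255) ||
      !Number.isInteger(prefix) || prefix < 0 || prefix > 32) throw new Error(`bad IPv4 CIDR: ${ipv4Cidr}`);
  const groups = [...VIA_PREFIX, 0, siteId, (octets[0] << 8) | octets[1], (octets[2] << 8) | octets[3]];
  return `${formatIPv6(groups)}/${96 + prefix}`;
}
// 4via6 route -> site ID + IPv4 CIDR, rejecting anything outside the 4via6 prefix.
function from4via6(route: string): { siteId: number; ipv4Cidr: string } {
  const [addr, plen] = route.split('/');
  const g = parseIPv6(addr);
  const prefix = Number(plen);
  if (g.length !== 8 || g.some(Number.isNaN) || g.slice(0, 4).some((v, i) => v !== VIA_PREFIX[i]) ||
      g[4] !== 0 || !Number.isInteger(prefix) || prefix < 96 || prefix > 128) throw new Error(`not a 4via6 route: ${route}`);
  const ipv4 = [g[6] >> 8, g[6] & 0xff, g[7] >> 8, g[7] & 0xff].join('.');
  return { siteId: g[5], ipv4Cidr: `${ipv4}/${prefix - 96}` };
}
```

Decoding the README's sample route yields site ID 7 and `10.1.1.0/24`, which is the range the bastion will advertise into your tailnet.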
If you have other subnet routers configured in Tailscale, you can use the `incomingRoutes` property to configure VPC route table entries for all private subnets:

```typescript
new TailscaleBastion(stack, 'Sample-Bastion', {
  vpc,
  tailscaleCredentials: ...,
  incomingRoutes: [
    '192.168.1.0/24',
  ],
});
```