Manage permissions (ACLs)

Access rules let you precisely define what a particular user or device is permitted to access on your Tailscale network (known as a tailnet). Tailscale manages access rules for your network in the tailnet policy file using ACL syntax. Edit your tailnet’s access rules from the Access Controls page of the admin console.

ACLs are available on all plans, but some functionality is restricted to particular plans (see Availability by plan below).

Introduction

Network access control lists (ACLs) define which devices can connect to which other devices on the tailnet. ACLs are:

  • Default deny, so that Tailscale will prevent communication between devices where there is no explicitly defined access rule in the tailnet policy file.
  • Directional, so that a source can connect to a destination, but not vice versa (unless also specified).
  • Locally enforced, so that each device filters its incoming connections against the set of access rules distributed to every device in your network. Enforcement of the rules therefore happens on each device directly, without further involvement from Tailscale’s coordination server.

ACLs control what connections can be made on the Tailscale network. They do not affect what a device can or cannot access on its own local network.
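As an added illustration (not Tailscale's code, and not a description of its real evaluator), the following Python models the three properties above over a small constructed policy and also runs the policy's own tests section; the hosts, group, users and addresses it uses are invented.

```python
# Added example, not Tailscale's code: a simplified model of tailnet policy
# evaluation that shows the default-deny and directional semantics. It resolves
# users, groups, hosts and literal IPs only; all names and addresses are made up.
POLICY = {
    "groups": {"group:devops": ["alice@example.com", "bob@example.com"]},
    "hosts": {"prod-db": "100.101.102.103", "ci-runner": "100.64.0.2"},
    "acl": [
        # devops and the CI runner may reach the database on 5432 only
        {"action": "accept", "src": ["group:devops", "ci-runner"], "dst": ["prod-db:5432"]},
        # anyone on the tailnet may reach the web host on 80 and 443
        {"action": "accept", "src": ["*"], "dst": ["100.64.0.1:80,443"]},
    ],
    "tests": [  # the policy's own assertions, like the real 'tests' section
        {"src": "alice@example.com", "accept": ["prod-db:5432"], "deny": ["prod-db:22"]},
        {"src": "carol@example.com", "accept": ["100.64.0.1:443"], "deny": ["prod-db:5432"]},
    ],
}

def resolve(entry, policy):
    """Expand a src/dst entry to the identities it names; '*' means anyone."""
    if entry.startswith("group:"):
        return set(policy["groups"].get(entry, []))
    return None if entry == "*" else {policy["hosts"].get(entry, entry)}

def matches(entry, identity, policy):
    ids = resolve(entry, policy)
    return ids is None or identity in ids

def is_allowed(policy, src, dst, port):
    """Default deny; directional: only an explicit accept for src -> dst:port passes."""
    for rule in policy["acl"]:
        if rule.get("action") != "accept":
            continue
        if not any(matches(s, src, policy) for s in rule["src"]):
            continue
        for d in rule["dst"]:
            host, ports = d.rsplit(":", 1)
            if matches(host, dst, policy) and (ports == "*" or str(port) in ports.split(",")):
                return True
    return False

def run_policy_tests(policy):
    """Check the 'tests' section against the acl; returns the failing cases."""
    failures = []
    for t in policy.get("tests", []):
        for want in ("accept", "deny"):
            for target in t.get(want, []):
                host, port = target.rsplit(":", 1)
                if is_allowed(policy, t["src"], policy["hosts"].get(host, host), int(port)) != (want == "accept"):
                    failures.append(f"{t['src']} -> {target}: expected {want}")
    return failures
```

Note that the CI runner's accept rule toward prod-db does not let prod-db open a connection back to the runner, which is the directional property in practice.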

To learn more about Tailscale’s approach to access control in general, read our blog post on the history of access control systems, and why we designed Tailscale’s access rules the way we did.

ACL syntax

ACLs and some network policy options for your tailnet are defined in the tailnet policy file. To understand the syntax used for the tailnet policy file, see ACL syntax.

Default policy

When you first create your tailnet, the default tailnet policy file allows all devices within the tailnet to communicate with one another, in order to get started. You can modify your policy file to fit your organization’s needs.

Editing ACLs

You can edit your tailnet’s access rules by using the Access Controls page of the admin console, GitOps for Tailscale ACLs, or the Tailscale API. See Editing ACLs.

See sample ACLs for examples of common policies.

Availability by plan

On all plans:
  • Access rules for: Any, Tailscale IP, Subnet CIDR Range, Autogroups, Tags, Hosts
  • Access rules specifying: Ports, Protocols
  • ACL sections for: acl, hosts, tests, tagOwners, autoApprovers, nodeAttrs, postures (with default device posture attributes only)

On the Personal, Premium, and Enterprise plans:
  • Access rules for: Any, Tailscale IP, Subnet CIDR Range, Autogroups, Groups, Users, Tags, Hosts
  • Access rules specifying: Ports, Protocols
  • ACL sections for: acl, groups, hosts, tests, tagOwners, autoApprovers, ssh (for Tailscale SSH), nodeAttrs (for Tailscale Funnel), postures (with default, custom, and third-party attributes; Personal and Enterprise plans only)