Recent versions of Tailscale work fine even when nodes are placed behind an Amazon Managed NAT Gateway. However, because of the way the Managed NAT Gateway works, it blocks Tailscale’s direct UDP connections, which slows it down and adds latency.

To avoid this issue, you can install one Tailscale node on your AWS network and have it route traffic on behalf of your whole VPC (Virtual Private Cloud) subnet. This maximizes performance and minimizes bandwidth costs.

In the steps below, we’ll set up a fresh Amazon EC2 VPC with Amazon Managed NAT Gateway, then configure a Tailscale relay to offer secure access to that VPC. We’ll create a new VPC from scratch, but once you’re comfortable, you can adapt these instructions to set up Tailscale on an existing VPC too.

Step 1: Create an Elastic IP

From the AWS admin console, create an Elastic IP. This will be the IP of your Managed NAT Gateway.

Step 2: Create a VPC

Use the VPC with Public and Private Subnets configuration. This is most easily done through the VPC Wizard, option #2. In the wizard, give it a name, and assign the Elastic IP you created above to the NAT gateway. You can leave everything else at the default values.

Step 3: Create an EC2 relay

Create an instance with the following configuration:

1. Use one of the supported linux distros.
2. Assign the instance to the VPC you created above.
3. Assign the instance to the public subnet of the VPC, and give it a public IP address.
4. In the security groups configuration, allow inbound ssh. (We’ll need this during initial setup, but you can turn it off later.)
5. Name the security group something distinctive, like “tailscale-relay”

Step 4: Install Tailscale on your EC2 relay

ssh into the EC2 instance and install Tailscale by following the install instructions for your distro.

Once installed, enable the Tailscale systemd service, and authenticate the machine to your Tailscale network by visiting a link in your browser

sudo systemctl enable --now tailscaled
sudo tailscale up --advertise-routes=10.0.0.0/24,10.0.1.0/24

Step 5: Configure your Tailscale network

Visit the admin console and perform the following actions:

1. Disable key expiry so that you don’t need to reauthenticate the server periodically.
2. Authorize subnet routes on the machine, so that Tailscale distributes the 10.0.0.0/24 and 10.0.1.0/24 routes to the rest of your Tailscale network.

Step 6: Verify your connection

Check that you can ping the EC2 instance’s Tailscale IP address from your personal Tailscale machine (Windows, macOS, etc). You can find the Tailscale IP in the admin console, or by running tailscale ip -4 on the EC2 instance.

Step 7: Close off your firewall

Edit the “tailscale-relay” security group settings, and remove ssh access. At this point, you are able to ssh to the EC2 instance securely over Tailscale, so you can close the hole in your public-facing firewall.

Step 8: Create another EC2 instance to relay to

Create an EC2 private instance with the following configuration:

1. Use one of the supported linux distros.
2. Assign the instance to the VPC you created above.
3. Assign the instance to the private subnet of the VPC, and do not give it a public IP.
4. In the security groups configuration, allow all traffic inbound from the “tailscale-relay” security group.

ssh to your newly created private EC2 instance, using its private IP. The ssh session will flow through your Tailscale subnet router and into the private VPC.

4via6 subnet routers

If your network has subnets with overlapping IPv4 addresses, you can use the 4via6 subnet routers feature to ensure traffic from each node on your tailnet is routed to the correct device.