ACL samples
This article provides sample ACL rules for common scenarios. For information about the syntax, see Tailscale policy syntax.
Allow all (default ACL)
When you first create your Tailscale network, it gets initialized with a default “allow all” access policy. This makes it easy to connect to and use Tailscale, and does not restrict any traffic in your network.
What this ACL does:
- All devices signed into the network can access all other devices
- All users can establish a Tailscale SSH session to their own devices using check mode, as either root or non-root
If you have a subnet router initialized with --snat-subnet-routes=false
, then any devices on the same local network as the subnet router can also access all devices on the tailnet.
If you have a device shared from another network in your network, then that device cannot access any devices on the tailnet. The device can only respond to incoming connections from the network.
{
"acls": [
// Allow all connections.
{ "action": "accept", "src": ["*"], "dst": ["*:*"] },
],
"ssh": [
// Allow all users to SSH into their own devices in check mode.
{
"action": "check",
"src": ["autogroup:members"],
"dst": ["autogroup:self"],
"users": ["autogroup:nonroot", "root"]
}
]
}
Important note about autogroup:nonroot
In the default ACL, the ssh
rule uses autogroup:self
for the dst
field and
autogroup:nonroot
in the users
field. If you change the dst
field from
autogroup:self
to some other destination, such as an ACL tag,
also consider replacing autogroup:nonroot
in the users
field. If you don't remove
autogroup:nonroot
from the users
field, then anyone permitted by the src
setting
will be able to SSH in as any nonroot user on the dst
device.
Remote access to corp and prod devices (recommended initial ACL)
Your team can use Tailscale to access remote devices. In this scenario, all users can access their own remote devices, as well as any common corporate devices, such as servers, that are tagged. Only Tailscale admins can access production devices. Admins can configure which devices are tagged. No corporate or production devices can access each other, and no shared users can access devices.
What this ACL does:
- All employees can access their own devices
- All employees can access corporate devices tagged
tag:corp
- All Tailscale admins
autogroup:admin
can access devices taggedtag:prod
- All Tailscale admins can manage which devices are tagged with
tag:corp
andtag:prod
{
"acls": [
// all employees can access their own devices
{ "action": "accept", "src": ["autogroup:members"], "dst": ["autogroup:self:*"] },
// all employees can access devices tagged tag:corp
{ "action": "accept", "src": ["autogroup:members"], "dst": ["tag:corp:*"] },
// all Tailscale admins can access devices tagged tag:prod
{ "action": "accept", "src": ["autogroup:admin"], "dst": ["tag:prod:*"] },
],
"tagOwners": {
// all Tailscale admins can manage which devices are tagged tag:corp and tag:prod
"tag:corp": ["autogroup:admin"],
"tag:prod": ["autogroup:admin"],
},
}
Application allowlisting for third-party SaaS application (IP allowlisting)
Your IT team can use Tailscale to allow users access to third-party hosted applications, where access is restricted using IP application allowlisting. In this scenario, traffic for a certain application, www.example-saas-app.com, is allowed for your organization’s resources only if coming from a known set of fixed IP addresses. You can host an exit node in your network to route all traffic leaving your network, and use that node’s IP address as part of an application allowlist. You can also use auto approvers so that exit nodes are automatically approved.
What this ACL does:
- All Tailscale admins
autogroup:admin
, e.g. the IT team, can access the devices taggedtag:application-exit-node
, for maintenance - All employees can access the public internet through an exit node in the network. They do not need access to the exit node itself in order to use it
- All Tailscale admins
autogroup:admin
, e.g. the IT team, can manage which devices are tagged withtag:application-exit-node
- All Tailscale admins
autogroup:admin
and devices taggedtag:application-exit-node
can auto-approve exit nodes
{
"groups": {
// Dave has the admin role in Tailscale, so in autogroup:admin
},
"acls": [
// users who are Tailscale admins can access devices tagged tag:application-exit-node
{ "action": "accept", "src": ["autogroup:admin"], "dst": ["tag:application-exit-node:*"] },
// all employees can use exit nodes
{ "action": "accept", "src": ["autogroup:members"], "dst": ["autogroup:internet:*"] },
],
"tagOwners": {
// users who are Tailscale admins can apply the tag tag:application-exit-node
"tag:application-exit-node": ["autogroup:admin"],
},
"autoApprovers": {
// exit nodes advertised by users who are Tailscale admins or devices tagged
// tag:application-exit-node will be automatically approved
"exitNode": ["tag:application-exit-node", "autogroup:admin"],
}
}
Access to an internal application (VPN)
Your IT team can use Tailscale to allow users to access internal applications, including both custom internal applications and third-party applications hosted internally. In this scenario, users in your network can access applications based on their job role. The IT team can set up internal applications.
What this ACL does:
- Members of the engineering team
group:engineering
can access the devices taggedtag:engineering
- Members of the finance team
group:finance
can access the devices taggedtag:finance
- Members of the legal team
group:legal
can access the devices taggedtag:legal
- All employees can access the devices tagged
tag:internal
- All Tailscale admins
autogroup:admin
, e.g. the IT team, can manage which devices are tagged withtag:engineering
,tag:finance
,tag:legal
, andtag:internal
{
"groups": {
// Alice is in group:engineering
"group:engineering": ["alice@example.com",],
// Bob is in group:finance
"group:finance": ["bob@example.com",],
// Carl is in group:legal
"group:legal": ["carl@example.com",],
// Dave has the admin role in Tailscale, so in autogroup:admin
},
"acls": [
// users in group:engineering can access devices tagged tag:engineering
{ "action": "accept", "src": ["group:engineering"], "dst": ["tag:engineering:*"] },
// users in group:finance can access devices tagged tag:finance
{ "action": "accept", "src": ["group:finance"], "dst": ["tag:finance:*"] },
// users in group:legal can access devices tagged tag:legal
{ "action": "accept", "src": ["group:legal"], "dst": ["tag:legal:*"] },
// all employees can access devices tagged tag:internal
{ "action": "accept", "src": ["autogroup:members"], "dst": ["tag:internal:*"] },
],
"tagOwners": {
// users who are Tailscale admins can apply the tag tag:engineering
"tag:engineering": ["autogroup:admin"],
// users who are Tailscale admins can apply the tag tag:finance
"tag:finance": ["autogroup:admin"],
// users who are Tailscale admins can apply the tag tag:legal
"tag:legal": ["autogroup:admin"],
// users who are Tailscale admins can apply the tag tag:internal
"tag:internal": ["autogroup:admin"],
},
}
Remote access to production environment
Your DevOps, infrastructure, or SRE team can use Tailscale to access their sensitive and highly protected production environment. In this scenario, a DevOps team might be able to access the production environment, whereas other developers might only be able to access resources in a development environment. All developers are able to access monitoring tools, such as Grafana.
autogroup:members
instead of group:dev
to use this example on the Starter plan.What this ACL does:
- All employees can access their own devices, such as remote workstations
- Members of the development team
group:dev
can access the devices taggedtag:dev
, such as license servers - All Tailscale admins
autogroup:admin
, such as members of the DevOps team, can access the devices taggedtag:prod
, such as the production environment - All employees can access devices tagged
tag:monitoring
on ports 80 and 443, such as monitoring dashboards - All Tailscale admins
autogroup:admin
can manage which devices are tagged withtag:dev
,tag:prod
, andtag:monitoring
- Tests ensure that if ACLs are updated, Carl will still be able to access devices tagged
tag:prod
on port 80, and that Alice will be able to access devices taggedtag:dev
but nottag:prod
on port 80
{
"groups": {
// Alice and Bob are in group:dev
"group:dev": ["alice@example.com", "bob@example.com",],
// Carl has the admin role in Tailscale, so in autogroup:admin
},
"acls": [
// all employees can access their own devices
{ "action": "accept", "src": ["autogroup:members"], "dst": ["autogroup:self:*"] },
// users in group:dev can access devices tagged tag:dev
{ "action": "accept", "src": ["group:dev"], "dst": ["tag:dev:*"] },
// users who are Tailscale admins can access devices tagged tag:prod
{ "action": "accept", "src": ["autogroup:admin"], "dst": ["tag:prod:*"] },
// all employees can access devices tagged tag:monitoring on
// ports 80 and 443
{ "action": "accept", "src": ["autogroup:members"], "dst": ["tag:monitoring:80,443"] },
],
"tagOwners": {
// users who are Tailscale admins can apply the tag tag:monitoring
"tag:monitoring": ["autogroup:admin"],
// users who are Tailscale admins can apply the tag tag:dev
"tag:dev": ["autogroup:admin"],
// users who are Tailscale admins can apply the tag tag:prod
"tag:prod": ["autogroup:admin"],
},
"tests": [
{
"src": "carl@example.com",
// test that Carl can access devices tagged tag:prod on port 80
"accept": ["tag:prod:80"],
},
{
"src": "alice@example.com",
// test that Alice can access devices tagged tag:dev on port 80
"accept": ["tag:dev:80"],
// test that Alice cannot access devices tagged tag:prod on port 80
"deny": ["tag:prod:80"],
},
],
}
VPC access (VPC peering)
Your DevOps team can use Tailscale to allow developers to access existing internal applications running in a Virtual Private Cloud (VPC) on a private or hosted cloud provider. In this scenario, developers can access resources in the VPC, and the DevOps team is able to manage access to the VPC. VPCs can be peered to each other, if they don’t have overlapping IP ranges. To connect an existing subnet to your Tailscale network without installing Tailscale on every node, you can use a subnet router. Run a subnet router in the subnet, and advertise the routes so that Tailscale can route traffic for the subnet to the device for forwarding. For devices on a subnet to connect to devices on your tailnet, disable subnet route masquerading. You can also use auto approvers so that routes are automatically approved.
autogroup:members
instead of group:dev
to use this example on the Starter plan.What this ACL does:
- All Tailscale admins
autogroup:admin
, e.g. the IT team, can access the devices taggedtag:vpc-peering
, for maintenance - Members of the development team
group:dev
can access devices in the subnets10.0.0.0/16
and10.128.0.0/24
- The subnet
10.0.0.0/16
can access the subnet10.128.0.0/24
and vice versa, if subnet route masquerading is disabled - All Tailscale admins
autogroup:admin
, e.g. the IT team, can manage which devices are tagged withtag:vpc-peering
- All Tailscale admins
autogroup:admin
and devices taggedtag:vpc-peering
can auto-approve routes for10.0.0.0/16
and10.128.0.0/24
{
"groups": {
// Alice and Bob are in group:dev
"group:dev": ["alice@example.com", "bob@example.com",],
// Dave has the admin role in Tailscale, so in autogroup:admin
},
"acls": [
// users who are Tailscale admins can access devices tagged tag:vpc-peering
{ "action": "accept", "src": ["autogroup:admin"], "dst": ["tag:vpc-peering:*"] },
// users in group:dev, and devices in subnets 10.0.0.0/16 and
// 10.128.0.0/24 can access devices in subnets 10.0.0.0/16 and
// 10.128.0.0/24
{ "action": "accept", "src": ["group:dev","10.0.0.0/16", "10.128.0.0/24"], "dst": ["10.0.0.0/16:*", "10.128.0.0/24:*"] },
],
"tagOwners": {
// users who are Tailscale admins can apply the tag tag:vpc-peering
"tag:vpc-peering": ["autogroup:admin"],
},
"autoApprovers": {
"routes": {
// subnets included in 10.0.0.0/16 advertised by devices tagged
// tag:vpc-peering or users who are Tailscale admins will be automatically approved
"10.0.0.0/16": ["tag:vpc-peering", "autogroup:admin"],
// subnets included in 10.128.0.0/24 advertised by devices tagged
// tag:vpc-peering or users who are Tailscale admins will be automatically approved
"10.128.0.0/24": ["tag:vpc-peering", "autogroup:admin"],
},
},
}
Share access with a contractor
Your development team can use Tailscale to share access to specific resources, such as a database or a hosted code repository, with a contractor. In this scenario, developers can access internal development resources. Specific devices can be shared with a contractor as part of their job.
autogroup:members
instead of group:dev
to use this example on the Starter plan.What this ACL does:
- All employees can access their own devices
- Members of the development team
group:dev
can access devices taggedtag:dev
, such as package registries and databases - Contractors who have accepted a share invite can access devices tagged
tag:dev
which have been shared with them
{
"groups": {
// Alice and Bob are in group:dev
"group:dev": ["alice@example.com", "bob@example.com",],
},
"acls": [
// all employees can access their own devices
{ "action": "accept", "src": ["autogroup:members"], "dst": ["autogroup:self:*"] },
// users in group:dev and contractors who have accepted a share invite can
// access devices tagged tag:dev
{ "action": "accept", "src": ["group:dev","autogroup:shared"], "dst": ["tag:dev:*"] },
],
"tagOwners": {
// users in group:dev can apply the tag tag:dev
"tag:dev": ["group:dev"],
},
}
Remote development
Your development team can use Tailscale as part of their remote development setup. In this scenario, a developer might have a local device, like a laptop, and use it to access a remote workstation, hosted in the cloud or hosted on another device in their network. This is useful if you’re accessing a workstation with more processing power, for example for machine learning or for building. You might also use a remote code environment like GitHub Codespaces, Gitpod, or Coder. From your development environment, you might access a license server, a package registry, a production database, or another development or build resource. You might also access a self-hosted or private code repository.
autogroup:members
instead of group:dev
to use this example on the Starter plan.What this ACL does:
- All employees can access their own devices
- Members of the development team
group:dev
can access devices taggedtag:dev
, such as package registries and databases - The development team
group:dev
can manage which devices are tagged withtag:dev
{
"groups": {
// Alice and Bob are in group:dev
"group:dev": ["alice@example.com", "bob@example.com",],
},
"acls": [
// all employees can access their own devices
{ "action": "accept", "src": ["autogroup:members"], "dst": ["autogroup:self:*"] },
// users in group:dev can access devices tagged tag:dev
{ "action": "accept", "src": ["group:dev"], "dst": ["tag:dev:*"] },
],
"tagOwners": {
// users in group:dev can apply the tag tag:dev
"tag:dev": ["group:dev"],
},
}
Pair programming
Your development team can use Tailscale to pair program on the same device remotely. In this scenario, two or more developers can SSH to a corporate device, such as a VM, and share a terminal, for example a tmux session.
autogroup:members
and autogroup:admin
instead of named users to use this example on the Starter plan.What this ACL does:
- Users Alice and Bob can access the corporate device tagged
tag:pair-programming
on port 22, for SSH - Bob can manage which devices are tagged
tag:pair-programming
{
"acls": [
// Alice and Bob can access devices tagged tag:pair-programming on
// port 22
{ "action": "accept", "src": ["alice@example.com", "bob@example.com"], "dst": ["tag:pair-programming:22"] },
],
"tagOwners": {
// Bob can apply the tag tag:pair-programming
"tag:pair-programming": ["bob@example.com"],
},
}
CI/CD deployment pipeline
Your DevOps or infrastructure team can use Tailscale to restrict access to your deployment pipeline. In this scenario, developers can access your development tools, such as your code repository. Then, an automated CI/CD pipeline builds and deploys code. The DevOps team can access the deployment pipeline and production environment.
What this ACL does:
- Members of the development team
group:dev
can access the devices taggedtag:dev
, such as code repositories and license servers - Members of the DevOps team
group:devops
can access the devices taggedtag:ci
, such as the build tooling; andtag:prod
, such as the production environment - The DevOps team
group:devops
can manage which devices are tagged withtag:dev
,tag:ci
, andtag:prod
- The tag
tag:ci
can manage which device are taggedtag:prod
andtag:dev
, to apply tags as part of the deployment pipeline
{
"groups": {
// Alice and Bob are in group:dev
"group:dev": ["alice@example.com", "bob@example.com",],
// Carl is in group:devops
"group:devops": ["carl@example.com",],
},
"acls": [
// users in group:dev can access devices tagged tag:dev
{ "action": "accept", "src": ["group:dev"], "dst": ["tag:dev:*"] },
// users in group:devops can access devices tagged tag:ci or
// tagged tag:prod
{ "action": "accept", "src": ["group:devops"], "dst": ["tag:ci:*", "tag:prod:*"] },
],
"tagOwners": {
// users in group:devops can apply the tag tag:ci
"tag:ci": ["group:devops"],
// users in group:devops or devices tagged tag:ci can apply the tag tag:dev
"tag:dev": ["group:devops", "tag:ci"],
// users in group:devops or devices tagged tag:ci can apply the tag tag:prod
"tag:prod": ["group:devops", "tag:ci"],
},
}
Monitoring access to applications
Your DevOps team can use Tailscale to query logs from services in your network and report these as part of your monitoring tooling. In this scenario, all applications in your network can be accessed by your monitoring server, such as Prometheus, on common ports.
autogroup:members
instead of group:devops
to use this example on the Starter plan.What this ACL does:
- Devices tagged
tag:monitoring
can access services on ports 80, 443, 9100 - Devices tagged
tag:monitoring
can access services taggedtag:logging
- The DevOps team
group:devops
can access devices tagged withtag:monitoring
andtag:logging
- The DevOps team
group:devops
can manage which devices are tagged withtag:monitoring
andtag:logging
{
"groups": {
// Carl is in group:devops
"group:devops": ["carl@example.com",],
},
"acls": [
// devices tagged tag:monitoring can access all devices in the network on
// ports 80, 443, and 9100, and devices tagged tag:logging on all ports
{ "action": "accept", "src": ["tag:monitoring"], "dst": ["*:80,443,9100", "tag:logging:*"] },
// users in group:devops can access devices tagged tag:monitoring and
// tag:logging
{ "action": "accept", "src": ["group:devops"], "dst": ["tag:monitoring:*", "tag:logging:*"] },
],
"tagOwners": {
// users in group:devops can apply the tag tag:monitoring
"tag:monitoring": ["group:devops"],
// users in group:devops can apply the tag tag:logging
"tag:logging": ["group:devops"],
},
}
Application peering
Your infrastructure team can use Tailscale to connect applications or services running in multiple cloud providers or SaaS applications together. In this scenario, one application can connect with another application in your network, for example to stream from one database to another, such as with Materialize.
autogroup:members
instead of group:infra
to use this example on the Starter plan.What this ACL does:
- Devices tagged
tag:database
can access other devices taggedtag:database
- Devices tagged
tag:gcp
andtag:aws
can access devices taggedtag:database
, but not vice versa - The infrastructure team
group:infra
can manage which devices are tagged withtag:database
,tag:gcp
, andtag:aws
{
"groups": {
// Carl is in group:infra
"group:infra": ["carl@example.com",],
},
"acls": [
// devices tagged tag:database, tag:gcp, or tag:aws can access devices
// tagged tag:database
{ "action": "accept", "src": ["tag:database", "tag:gcp","tag:aws"], "dst": ["tag:database:*"] },
],
"tagOwners": {
// users in group:infra can apply the tag tag:database
"tag:database": ["group:infra"],
// users in group:infra can apply the tag tag:gcp
"tag:gcp": ["group:infra"],
// users in group:infra can apply the tag tag:aws
"tag:aws": ["group:infra"],
},
}