Get started
Login
© 2024

Expose a cloud service to your tailnet

You can use the Tailscale Kubernetes operator to expose any cloud service, such as an RDS database on a cluster network, to your tailnet. If you have a cloud service that is not publicly accessible but is accessible to a Kubernetes cluster on that cloud, you can make it available to your tailnet using an operator deployed in the cluster.

Prerequisites

Expose a cloud service using a Kubernetes ExternalName Service

If the cloud service that you wish to expose has a DNS name that can be resolved from within the cluster, you can expose it using an ExternalName Service.

For example, to expose an RDS database and connect to it from a tailnet client:

  1. Deploy Tailscale Kubernetes operator to a Kubernetes cluster that is on the same network as the RDS instance.

    Follow the installation instructions to deploy the operator.

  2. Create an ExternalName Service with tailscale.com/expose: "true" annotation and spec.externalName set to the DNS name of the RDS instance:

    apiVersion: v1
    kind: Service
    metadata:
      name: my-rds
      annotations:
        tailscale.com/expose: "true"
    spec:
      type: ExternalName
      externalName: my-rds.eu-central-1.rds.amazonaws.com
    
  3. Retrieve the Tailscale MagicDNS name of the cluster proxy that the operator creates for the Service using the view-secret kubectl plugin:

    rds_magic_dns_name=$(kubectl view-secret \
      $(kubectl get secret -n tailscale   \
      --selector tailscale.com/parent-resource=my-rds,tailscale.com/parent-resource-ns=default,tailscale.com/parent-resource-type=svc \
      -ojsonpath='{.items[0].metadata.name}') \
      -n tailscale \
      device_fqdn)
    
  4. You can now connect to the RDS instance from a tailnet client using the MagicDNS name of the proxy as the database hostname.

    For example, for a PostgreSQL database:

    psql -h ${rds_magic_dns_name} -U postgres
    

The cluster proxies created for ExternalName Services forward TCP traffic, so you should be able to use them with different backend protocols, such as PostgreSQL.

The Tailscale Kubernetes operator periodically (every 10 minutes) attempts to resolve the IP addresses of the backend cloud service and reconfigures the proxy rules, if needed.

For proxies deployed with firewall in nftables mode, the traffic will only be proxied to the first IP address that the DNS name resolves to.

ExternalName Services support the same tailscale.com labels and annotations as other Services.

We are actively seeking feedback about this feature — reach out if you would like it to support additional workflows.

Expose a cloud service or services using Connector

If the cloud service that you intend to expose does not have a DNS name that can be resolved from within a cluster, or you want to expose a whole CIDR range, you can do so using Connector:

apiVersion: tailscale.com/v1alpha1
kind: Connector
metadata:
  name: my-rds-instances
spec:
  subnetRouter:
    advertiseRoutes:
      - "<rds-cidr-range>"

The above Connector instance configures the operator to deploy an in-cluster subnet router that exposes the configured CIDR range to your tailnet.

Customization

Learn how to customize the operator and resources it manages.

Troubleshooting

Learn how to troubleshoot the operator and resources it manages.

Last updated Dec 20, 2024