Jason

Reputation: 2673

using Tailscale as a corporate VPN

I must be really stupid, because something isn't adding up. I keep reading about how awesome Tailscale is and how I should be using it to connect to my remote devices... but in the cloud era, I don't really have "devices" to connect to.

In my case, I have an Azure subscription that has storage accounts and key vaults and service bus queues and topics.

Instead of those resources being accessible from the public internet, I want to only allow access from a specific VNET. In the past, that VNET would have been a "hub" VNET and all the other subscriptions would be a spoke.

For example, if Tailscale wasn't a thing, I would run some VPN server in my hub VNET and staff (we are all fully remote) would connect to the VPN server. The secrets in a vault or the blobs in the storage account would be accessible in the portal or via a CLI because the traffic would appear to be coming from the hub VNET.

Is that even doable with Tailscale? I see subnet routers, but that's just a VM in my VNET that I now have to maintain.

If I'm going to run a VM on my VNET to run the Tailscale subnet router, why not just run the VM that is the VPN server?

All I want/need is for all my employees, regardless of whether they are staff or temp, to run a point-to-site VPN client so I can configure firewalls on all the Azure resources correctly.

What am I missing? It seems like using Tailscale has all the same downfalls (having to run a VM in the hub) and is actually more complex than just running a VPN server.

What are my options?

Upvotes: 0

Views: 168

Answers (1)

Ajdin Garibović

Reputation: 1

Since Tailscale cannot be integrated directly with Azure services, you would need to deploy it as a separate instance to act as a proxy to other services.

However, I disagree that managing Tailscale is more complex than managing a traditional VPN server.

To simplify deployment and management, you could run Tailscale on an Azure Container App, so you don't need to manage a dedicated VM. The setup process for this approach is relatively straightforward, as you just need to provide an API key for the Tailscale container through the env variable TS_AUTHKEY. Just make sure that your container has access to those services.

Whatever option you choose, you are always going to need a device that will be an entry point to your network.

Take a look at the following references:

https://tailscale.com/kb/1282/docker

https://tailscale.com/kb/1314/azure-reference-architecture

Upvotes: 0
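As an added example (not from the answer or from Tailscale's own docs), this is the container form of the subnet-router entry point the answer describes, written as a Compose file; the same environment variables apply when the image is deployed as an Azure Container App. The VNet range 10.20.0.0/16, the hostname and the tag are placeholders, and the auth key is assumed to arrive from the deployment's secret store rather than from the image.

```yaml
# Added example: a Tailscale subnet router as a container instead of a hand-managed VM.
# Placeholders (not values from the original post): the VNet address space 10.20.0.0/16,
# the hostname and the ACL tag. TS_AUTHKEY is read from the deploy-time environment.
services:
  tailscale-subnet-router:
    image: tailscale/tailscale:latest
    hostname: azure-hub-router
    environment:
      # Auth key injected at deploy time; never bake it into the image or repo.
      # Prefer a tagged, ephemeral, pre-authorized key so the node is identified
      # by its tag, not by an employee's account, and a leaked key expires.
      TS_AUTHKEY: ${TS_AUTHKEY}
      # Advertise only the VNet range that the Azure resource firewalls trust;
      # the route still has to be approved in the admin console (or by autoApprovers)
      # before clients use it, which is the point where you review what is exposed.
      TS_ROUTES: "10.20.0.0/16"
      # Userspace networking: no /dev/net/tun or NET_ADMIN capability required,
      # which is what a managed container platform usually permits.
      TS_USERSPACE: "true"
      # Persist node state so the node keeps its identity and keys across restarts
      # instead of re-enrolling as a new machine each time.
      TS_STATE_DIR: /var/lib/tailscale
      TS_EXTRA_ARGS: --advertise-tags=tag:azure-hub
    volumes:
      - tailscale-state:/var/lib/tailscale
volumes:
  tailscale-state:
```

The container only becomes the "entry point" the answer mentions if it is placed inside the hub VNet, so traffic leaving it towards the storage account or key vault carries a VNet source address that the service firewall rules can match.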
