Launching Tailscale Canaries is simple and requires the following:
- Tailscale account access.
- Tailscale enabled on your Console. Email support to enable it.
When a Tailscale Canary is launched it needs to join your organisation's tailnet. To do this, an auth key is needed. Tailscale offers a number of key types, each covering specific use cases. The auth key needed to allow a Canary to join your organisation's tailnet is a tagged auth key. Note: the auth key must be a tagged key, otherwise it will expire and the Canary will disconnect from your tailnet. This is a single-use key which allows the machine joining the tailnet to do so under a predetermined tag. The steps to set up and verify your tagged auth key, as well as launch your first Tailscale Canary, follow:
Configure Tailscale ACLs and create a tagged auth key
- Navigate to Tailscale access controls and add ACLs that define the tag to which the Canary will be assigned. Here is a minimal example where `tag:canary` is defined.
```json
{
  "groups": {
    // Security team members.
    "group:security": ["benjamin-thinkst@github"],
  },
  // Tests ensure the acl rules work as expected
  // and new rules don't override the original intent.
  "tests": [{"src": "tag:canary", "deny": ["tag:corp:22"], "accept": []}],
  "acls": [
    // `tag:canary` cannot establish connections.
    {"action": "accept", "src": ["tag:canary"], "dst": []},
    {
      // Allow all members to hit canary
      "action": "accept",
      "src": ["tag:corp"],
      "dst": ["tag:canary:*"],
    },
  ],
  "tagOwners": {
    "tag:canary": ["group:security"],
    "tag:corp": ["autogroup:members"],
  },
}
```
- On the access controls page select the "Preview rules" tab and select `tag:canary`. Ensure that the access granted to `tag:canary` is limited.
- Navigate to settings/keys and click on "Generate auth key". Then toggle "Tags" on, click "Add tags" and select `tag:canary`. Click "Generate key" and then "Copy" to add the key to your clipboard.
Launch Tailscale Canary
- Navigate to your Console at https://{your hash}.canary.tools/nest/add-canary/tailscale and click "Add Tailscale Canary". Or navigate to the flock you want the Canary to belong to and select `+` in the top right of the flock modal to add a Canary.
- Paste the auth key and click "Launch".
- A few moments later...
Your Canary will be launched into the flock of your choosing and will be present under /machines on your organisation's Tailscale dashboard.
Manually Approving Devices
If you have device approval enabled, don't forget to approve your Tailscale Canary during the launch process. Internally we give a 3 minute window for the Canary to enrol in your tailnet, after which the instance will be terminated. Under the Machines tab filter for `needs-approval`, click the `...` option and select approve.