Launching Tailscale Canaries is simple and requires the following:
- Tailscale account access.
- Tailscale is enabled on your Console. Email support to enable it.
When a Tailscale Canary is launched, it needs to join your organisation's tailnet. To do this, an auth key is needed. Tailscale offers a number of key types, each covering specific use cases. The auth key needed to allow a Canary to join your organisation's tailnet is a tagged auth key.
Keep in mind:
- The auth key must be tagged; otherwise, it'll expire, and the Canary will disconnect from your tailnet. This is a single-use key which allows the machine joining the tailnet to do so under a predetermined tag.
The steps to set up and verify your tagged auth key, as well as launch your first Tailscale Canary, follow:
How to configure Tailscale ACLs and create a tagged auth key
Navigate to Tailscale Access Controls and use the Visual editor or JSON editor to add ACLs that define the tag to which the Canary will be assigned. Here is a minimal example that defines tag:canary, allows all members (with tag:corp) to access the Canary, and prevents tag:canary from establishing connections.
{
  "groups": {
    // Security team members
    "group:security": ["alice@example.com"],
  },
  // Tests ensure the ACL rules work as expected
  // and new rules don't override the original intent
  "tests": [
    {"src": "tag:canary", "deny": ["tag:corp:22"], "accept": []},
  ],
  "acls": [
    // `tag:canary` cannot establish connections.
    {"action": "accept", "src": ["tag:canary"], "dst": []},
    // Allow all members to hit canary
    {"action": "accept", "src": ["tag:corp"], "dst": ["tag:canary:*"]},
  ],
  // Defines tags and their owners
  "tagOwners": {
    // Only the security group can add this tag
    "tag:canary": ["group:security"],
    // All members have access to this tag
    "tag:corp": ["autogroup:member"],
  },
}
On the Access Controls page, select the Preview rules tab and select tag:canary. Ensure that the access granted to tag:canary is limited.
Navigate to Settings > Keys and click on Generate auth key. Then toggle Tags on, click Add tags, and select tag:canary.
Click Generate key and then Copy to add the key to your clipboard.
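The Preview rules check from the ACL step above can also be run against the policy text itself. The following is an added example, not part of the original article or of Thinkst or Tailscale tooling; the function names, the constructed RISKY_POLICY variant, and the reading of "*" as also covering tagged devices are assumptions, and the parser handles only // comments and trailing commas.

```python
import json
import re

_STR = r'"(?:\\.|[^"\\])*"'  # JSON string literal; matched first so its contents are never edited

def _keep_string(match):
    return match.group() if match.group().startswith('"') else ""

def strip_hujson(text):
    """Drop // comments, then trailing commas, without touching string contents."""
    text = re.sub(_STR + r"|//[^\n]*", _keep_string, text)
    return re.sub(_STR + r"|,(?=\s*[}\]])", _keep_string, text)

def audit_tag(policy_text, tag="tag:canary"):
    """Return what `tag` can reach, who can reach it, and who may assign it."""
    policy = json.loads(strip_hujson(policy_text))
    outbound, inbound = [], set()
    for rule in policy.get("acls", []):
        src, dst = rule.get("src", []), rule.get("dst", [])
        if tag in src or "*" in src:  # assumption: "*" also covers tagged devices
            outbound += dst
        if any(d.rsplit(":", 1)[0] in (tag, "*") for d in dst):
            inbound.update(src)
    owners = policy.get("tagOwners", {}).get(tag, [])
    return {"outbound": outbound, "inbound": sorted(inbound), "owners": owners}

# The article's policy, trimmed to the sections the audit reads.
PAGE_POLICY = """{
  "acls": [
    // `tag:canary` cannot establish connections.
    {"action": "accept", "src": ["tag:canary"], "dst": []},
    // Allow all members to hit canary
    {"action": "accept", "src": ["tag:corp"], "dst": ["tag:canary:*"]},
  ],
  "tagOwners": {
    "tag:canary": ["group:security"],
    "tag:corp": ["autogroup:member"],
  },
}"""

# Constructed variant: a broad rule added later that would let the Canary connect out.
RISKY_POLICY = PAGE_POLICY.replace(
    "\n  ],", '\n    {"action": "accept", "src": ["*"], "dst": ["*:*"]},\n  ],')

if __name__ == "__main__":
    for name, text in (("page policy", PAGE_POLICY), ("risky variant", RISKY_POLICY)):
        report = audit_tag(text)
        print(name, "OK" if not report["outbound"] else "CANARY CAN CONNECT OUT", report)
```

An empty "outbound" list is the result to expect for tag:canary; anything else means a rule gives the Canary somewhere to connect to.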
Launch Tailscale Canary
Navigate to your Console at https://{your hash}.canary.tools/nest/add-canary/tailscale, or navigate to the Flock you want the Canary to belong to and select + Add Canary in the top right of the Flock modal to add a Canary.
Paste the auth key you created and click Launch.
The new Canary will boot in approximately 2 minutes and appear in your Console. Note that you do not have to keep this dialogue open; the bird will still appear on your Console after boot.
Your Canary will be launched into the Flock of your choosing and will be present under /machines on your organisation's Tailscale dashboard.
Manually Approving Devices
If you have device approval enabled, don't forget to approve your Tailscale Canary during the launch process. Internally, we give a 3-minute window for the Canary to enrol in your tailnet, after which the instance will be terminated. Under the Machines tab, filter for disabled:needs-approval, click the ... option, and select approve.