Launching Tailscale Canaries is simple and requires the following:
- Tailscale account access.
- Tailscale is enabled on your Console. Email support to enable it.
When a Tailscale Canary is launched, it needs to join your organisation's tailnet. To do this, an auth key is needed. Tailscale offers a number of key types, each covering specific use cases. The auth key needed to allow a Canary to join your organisation's tailnet is a tagged auth key.
Keep in mind:
- The auth key must be tagged; otherwise, it'll expire, and the Canary will disconnect from your tailnet. This is a single-use key which allows the machine joining the tailnet to do so under a predetermined tag.
The steps to set up and verify your tagged auth key, as well as launch your first Tailscale Canary, follow:
How to configure Tailscale ACLs and create a tagged auth key
- Navigate to Tailscale Access Controls and use the Visual editor or JSON editor to add ACLs that define the tag to which the Canary will be assigned.
Here is a minimal example where `tag:canary` is defined, where all members (with `tag:corp`) are allowed to access the Canary and `tag:canary` cannot establish connections.
{
  "groups": {
    // Security team members
    "group:security": ["alice@example.com"],
  },
  // Tests ensure the ACL rules work as expected
  // and new rules don't override the original intent
  "tests": [
    {"src": "tag:canary", "deny": ["tag:corp:22"], "accept": []},
  ],
  "acls": [
    // `tag:canary` cannot establish connections.
    {"action": "accept", "src": ["tag:canary"], "dst": []},
    // Allow all members to hit canary
    {"action": "accept", "src": ["tag:corp"], "dst": ["tag:canary:*"]},
  ],
  // Defines tags and their owners
  "tagOwners": {
    // Only the security group can add this tag
    "tag:canary": ["group:security"],
    // All members have access to this tag
    "tag:corp": ["autogroup:member"],
  },
}
- On the access controls page, select the Preview rules tab and select `tag:canary`. Ensure that the access granted to `tag:canary` is limited.
- Navigate to Settings > Keys and click on Generate auth key. Then toggle Tags on, click Add tags and select `tag:canary`.
Click Generate key and then Copy to add the key to your clipboard.
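The Preview rules check above can also be run offline against an exported policy file. The following is an added example, not part of the original guide or Tailscale's tooling: it parses the HuJSON policy and reports what `tag:canary` may initiate and who may reach it. The names `load_hujson` and `audit_tag` are hypothetical, and the sample policy is constructed from the example above.

```python
import json
import re

# Constructed sample: the page's policy, trimmed to the parts this check reads.
SAMPLE_POLICY = r'''
{
  "tagOwners": {
    "tag:canary": ["group:security"],  // only security can apply the tag
    "tag:corp": ["autogroup:member"],
  },
  "acls": [
    {"action": "accept", "src": ["tag:canary"], "dst": []},
    {"action": "accept", "src": ["tag:corp"], "dst": ["tag:canary:*"]},
  ],
}
'''

_STRING = r'"(?:\\.|[^"\\])*"'  # a JSON string literal, matched first so it is never altered

def load_hujson(text):
    """Parse HuJSON: drop comments and trailing commas, keep strings intact."""
    text = re.sub(_STRING + r'|//[^\n]*|/\*.*?\*/',
                  lambda m: m.group(0) if m.group(0).startswith('"') else '',
                  text, flags=re.S)
    text = re.sub(_STRING + r'|,(\s*[}\]])',
                  lambda m: m.group(0) if m.group(1) is None else m.group(1),
                  text)
    return json.loads(text)

def audit_tag(policy, tag="tag:canary"):
    """Return (outbound, inbound): dsts the tag may initiate to, srcs allowed to reach it.

    Simplification: matches the literal tag and "*" only; groups, hosts and
    autogroups are not expanded, and the "grants" syntax is not read.
    """
    outbound, inbound = [], []
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        srcs, dsts = rule.get("src", []), rule.get("dst", [])
        if tag in srcs or "*" in srcs:
            outbound.extend(dsts)  # anything listed here means the Canary can dial out
        for dst in dsts:
            if dst.rsplit(":", 1)[0] in (tag, "*"):  # strip the port part
                inbound.extend(srcs)
    return outbound, inbound

if __name__ == "__main__":
    out, inn = audit_tag(load_hujson(SAMPLE_POLICY))
    print("tag:canary may initiate to:", out or "nothing")
    print("may reach tag:canary:", inn)
```

An empty outbound list is the expected result for a Canary tag; any entry there is worth reviewing before generating the auth key.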
Launch Tailscale Canary
- Navigate to your Console https://{your hash}.canary.tools/nest/add-canary/tailscale or navigate to the Flock you want the Canary to belong to and select + Add Canary in the top right of the Flock modal to add a Canary.
- Paste the auth key you created and click Launch.
- The new Canary will boot in approximately 2 minutes and appear in your console. Note that you do not have to keep this dialogue open; the bird will still appear on your console after boot.
- Your Canary will be launched into the Flock of your choosing and will be present under /machines on your organisation's Tailscale dashboard.
Manually Approving Devices
If you have device approval enabled, don't forget to approve your Tailscale Canary during the launch process. Internally we give a 3 minute window for the Canary to enrol in your Tailnet, after which the instance will be terminated. Under the Machines tab, filter for `disabled:needs-approval`, click the `...` option and select approve.