
Tailscale VPN

Plan & Sign up

For this course, each team will need to sign up for Tailscale's Starter plan. You can sign up for the Starter plan at Tailscale Pricing.

Create & Setup GitHub Repository for Tailscale AMI

  1. Create a new private GitHub repository for the Tailscale AMI in the GitHub organization you created.
  2. The repository name must be ami-tailscale.
  3. Update README.md in your repository with instructions for using Packer.
  4. Fork the GitHub repository in your namespace. You will do all development work on your fork.
  5. All code for Tailscale AMI should be in this repository.
  6. Add appropriate .gitignore to your repository. A collection of useful .gitignore templates can be found here.

Building Tailscale AMI using Packer

  1. Use Ubuntu 24.04 LTS as your source image to create a custom AMI using Packer.
  2. All AMIs you build should be private. Only your team can deploy EC2 instances from them.
  3. All AMI builds should happen in your ROOT AWS account.
  4. AMI builds should be set up to run in your default VPC.
  5. The AMI should include everything needed to run Tailscale except for credentials and route configuration.
  6. The AMI should configure Tailscale to start automatically on boot via systemd.

Tailscale Configuration & Deployment

  1. The Tailscale EC2 instance should be deployed in the public subnet of the VPC created by your Terraform aws-infra repository.
  2. The route configuration and credentials for Tailscale should be passed as user data when launching the EC2 instance.
  3. The Tailscale instance should be configured to allow access to the private subnets in the VPC.
  4. The Tailscale instance should have deletion protection enabled to prevent accidental deletion.
  5. The Tailscale instance's EBS volume should be encrypted using the custom AWS KMS key created in your aws-infra repository.
  6. Tailscale instances should not be terminated or deleted once created. They may be stopped and started as needed to save costs.
  7. Tailscale instances do not need to be configured with Elastic IPs. They can use the public IP assigned by AWS.
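The split between the AMI (Tailscale installed and enabled, no secrets) and the user data (auth key plus the private-subnet routes) can be seen in the user-data script below. It is an added example, not part of the course material or Tailscale's own tooling; it assumes the AMI already has tailscaled installed and that `TS_AUTHKEY` and `TS_ROUTES` are substituted by whatever renders the user data (for instance a Terraform templatefile).

```shell
#!/bin/bash
# Added example: EC2 user data for the Tailscale subnet router.
# The AMI built with Packer carries tailscale and its systemd unit only;
# this script supplies the two things the AMI must not contain.
set -eu

TS_AUTHKEY="${TS_AUTHKEY:-}"   # assumed placeholder: tskey-auth-... (prefer an ephemeral, pre-authorized key)
TS_ROUTES="${TS_ROUTES:-}"     # assumed placeholder: comma-separated private-subnet CIDRs

# Accept only IPv4 CIDRs with prefix /1../32. A /0 is rejected on purpose:
# this instance routes to the VPC's private subnets, it is not an exit node,
# and a typo in user data must not silently widen what gets advertised.
valid_cidr() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([1-9]|[12][0-9]|3[0-2])$'
}

# Build the `tailscale up` arguments from the key and the route list.
# Prints nothing and returns non-zero if the key is empty or any route is malformed.
build_up_args() {
  key="$1"; routes="$2"; out=""
  [ -n "$key" ] || return 1
  for r in $(printf '%s' "$routes" | tr ',' ' '); do
    valid_cidr "$r" || return 1
    out="${out:+$out,}$r"
  done
  [ -n "$out" ] || return 1
  printf '%s' "--authkey=$key --advertise-routes=$out"
}

apply() {
  args="$(build_up_args "$TS_AUTHKEY" "$TS_ROUTES")" || { echo "refusing to start: bad TS_AUTHKEY or TS_ROUTES" >&2; exit 1; }
  # A subnet router forwards packets between the tailnet and the VPC, so enable forwarding persistently.
  printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\n' > /etc/sysctl.d/99-tailscale.conf
  sysctl -p /etc/sysctl.d/99-tailscale.conf
  systemctl enable --now tailscaled
  # shellcheck disable=SC2086  # word splitting of the validated argument string is intended
  tailscale up $args
}

# Only modify the host when invoked as the user-data entry point (e.g. `bash script.sh --apply`).
if [ "${1:-}" = "--apply" ]; then
  apply
fi
```

Run with `--apply` from the user-data entry point; without it the script only defines the validation and argument-building functions, which makes them easy to test outside an instance.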