tailscale
Automatic hostname resolving
Is it somehow possible to get automatic resolving of the internal hostnames of render to its internal ip address?
It would be great to configure a secondary DNS or something.
Maybe someone that already has a workaround for this could share it, how to configure this (probably something in the tailscale ui too)
@anurag maybe you can help.
We'll need to look into this. cc @crcastle for state.
Hey @mmachatschek - Interesting idea. I have some questions to better understand what you want.
- You are looking to resolve a Render service's `10.0.0.0` IP address, not a Tailscale `100.64.0.0/10` address, right?
- Do you want to resolve that IP address from a DNS client inside your Render private network or a client in your Tailnet outside of Render or both?
- Do you have a more specific use case or cases you can share?
Thanks!
@crcastle thanks for reaching out

> You are looking to resolve a Render service's `10.0.0.0` IP address, not a Tailscale `100.64.0.0/10` address, right?

Correct. I want my machine (that is connected to my tailscale network that has a subnet router to render) to automatically resolve the render service hostname visible in the UI to the render service IP address `10.x.x.x`.

> Do you want to resolve that IP address from a DNS client inside your Render private network or a client in your Tailnet outside of Render or both?

To get the `10.x.x.x` IP address of the render service (even private services or background workers), I would need a DNS from inside my render private network.

> Do you have a more specific use case or cases you can share?

- We have multiple team members of which not everyone has access to the render UI, but we want them to be able to connect e.g. to testing services (without opening the services to the whole internet `0.0.0.0/0`) where they can test stuff. Managing IP addresses in a shared file that needs to be maintained every time a service is recreated via a blueprint is tedious and error prone. Instead, just working with hostnames is very easy (can be fetched e.g. via the Render API getting the slugs of all services).
- IP addresses can be easily mixed up with staging/production services (if you copy the wrong IP from a shared file) which can lead to unwanted side effects. When you type `staging-someservice-suffix` you can immediately see you connect to a staging service, whereas if you type e.g. `psql -h 10.x.x.x -d database_name ...` you would need to verify that that IP address is the correct service I want to connect to.
- Copying the hostname from the render UI and just connecting to the service, instead of going to the webshell and needing to get the correct IP address, is annoying.
- Some managed services like redis or postgres don't even support the webshell, therefore you would need to copy the internal address, go to another service that has a shell, and get the IP address via `dig` of the redis/psql database.
Hi @mmachatschek, this makes sense and we'll figure out how to make this possible in Tailscale. Until then, would SSH tunneling be an option? Here's an example: https://render.com/blog/ssh-vscode-remote-debugging. You can get the SSH URL for any service (not just web services) from the dashboard.
Agreed. DNS support would be super helpful. For us the goal is simply giving the developers a similar experience but over the VPN instead of the public internet. This would allow us to protect certain admin pages and DB connections behind the VPN. Currently they tend to publicly expose services that should be kept private or have to whitelist their own IPs.
I spoke too soon. It looks like this is working now but took a little digging. I was able to lookup the IP of the DNS server in the private network and add it as a DNS server in Tailscale. Then I had to find the FQDN and add the domain as a Search Domain in Tailscale.
Alright I spent way too many hours on this setup so I figured it would be nice to share. We use two teams, one for production and one for staging because projects in render don't have network isolation nor access control to different team members (but let me stop my rant here, they know I am pissed at their team pricing).
Render network
- Each service gets a `10.204.X.0/24` subnet and each instance of that service gets a /32 IP in that subnet
- Each service gets an address like `srv-<SERVICE ID>.own-<TEAM ID>.svc.cluster.local`
- Each database gets a `10.205.Y.0/24` subnet and each instance (read replica) of that database gets a /32 IP in that subnet
- Each database gets an address like `dpg-<DATABASE ID>.own-<TEAM ID>.svc.cluster.local`
- The DNS server is always at IP `10.205.0.10` and it can resolve DNS names of ALL render services even if it is in a different team
- To get an address you can shell into a service and do `getent hosts <SERVICE SHORT NAME>`
Tailscale setup
- We deploy one router per team (see files below)
- We advertise `/24` subnets, we were lucky since we had no overlap between production and staging but that is not guaranteed. If that happens you have to re-create your service.
- Make sure one router advertises the `10.205.0.0/24` subnet, it doesn't matter which
- In DNS, we added a split DNS nameserver for `svc.cluster.local` with the IP `10.205.0.10`
- Disabled key expiration for the routers
Files
- `render.yaml`

```yaml
services:
  - type: worker
    plan: Starter
    region: oregon
    name: tailscale-router
    env: docker
    dockerfilePath: ./applications/tailscale/Dockerfile
    dockerContext: ./applications/tailscale
    numInstances: 1
    autoDeploy: false
    envVars:
      - key: ADVERTISE_ROUTES
        value: '10.205.195.0/24,10.205.98.0/24,10.204.123.0/24,10.204.69.0/24'
      - key: TAILSCALE_AUTHKEY
        sync: false
    disk:
      name: tailscale-state
      mountPath: /var/lib/tailscale
      sizeGB: 1
```
- `entrypoint.sh` (the name the Dockerfile copies and runs)

```sh
#!/bin/sh
# Run tailscaled in userspace mode (no TUN device needed) with a local SOCKS5 proxy
tailscaled --tun=userspace-networking --socks5-server=localhost:1055 &
PID=$!
# Routes come from the render.yaml env var; fall back to the whole 10/8 if unset
ADVERTISE_ROUTES=${ADVERTISE_ROUTES:-10.0.0.0/8}
# Retry until tailscaled is ready to accept the auth key
until tailscale up --authkey="${TAILSCALE_AUTHKEY}" --hostname="${RENDER_SERVICE_NAME}" --advertise-routes="$ADVERTISE_ROUTES"; do
  sleep 0.1
done
export ALL_PROXY=socks5://localhost:1055/
tailscale_ip=$(tailscale ip)
echo "Tailscale is up at IP ${tailscale_ip}"
# Keep the container alive for as long as tailscaled runs
wait ${PID}
```
- `Dockerfile`

```dockerfile
FROM tailscale/tailscale:v1.50.1
COPY "entrypoint.sh" .
ENTRYPOINT ["sh"]
CMD ["entrypoint.sh"]
```
cc @iandouglas
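To take the guesswork out of the `ADVERTISE_ROUTES` list in the setup above and to catch the production/staging overlap the post warns about, here is an added shell example (not from the thread, nor Render's or Tailscale's code) that derives the /24 routes per team from `getent hosts` output and checks that two routers never claim the same subnet. The IPs and service IDs in it are constructed, and `DNS_SUBNET` and the function names are my own.

```shell
#!/bin/sh
# Added example: plan ADVERTISE_ROUTES for one Tailscale router per Render team
# from `getent hosts` output, then check two routers do not overlap.
# All IPs and service/database IDs below are constructed, not real.

DNS_SUBNET=10.205.0.0/24   # Render resolver subnet; only one router should advertise it

# Constructed sample of `getent hosts <name>` output ("ip hostname"), one team each.
SAMPLE_PROD='10.204.123.7 srv-aaaa.own-prod.svc.cluster.local
10.204.123.9 srv-aaaa.own-prod.svc.cluster.local
10.205.195.4 dpg-bbbb.own-prod.svc.cluster.local'
SAMPLE_STAGING='10.204.69.3 srv-cccc.own-stg.svc.cluster.local
10.205.98.12 dpg-dddd.own-stg.svc.cluster.local'

# routes_from_hosts "<ip hostname lines>" [extra-subnet]
# Collapses each instance /32 into its service /24, dedupes (several instances of
# one service share a subnet) and prints a comma-separated ADVERTISE_ROUTES value.
routes_from_hosts() {
  {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
      split($1, o, "."); print o[1] "." o[2] "." o[3] ".0/24" }'
    if [ -n "$2" ]; then printf '%s\n' "$2"; fi
  } | sort -u | paste -sd, -
}

# route_overlap "<routes a>" "<routes b>": prints the /24s present in both lists.
route_overlap() {
  { printf '%s\n' "$1" | tr ',' '\n'; printf '%s\n' "$2" | tr ',' '\n'; } \
    | sort | uniq -d | paste -sd, -
}

# assert_no_overlap "<routes a>" "<routes b>": returns 1 when both routers would
# claim the same subnet, the situation the post says forces a service re-create.
assert_no_overlap() {
  dup=$(route_overlap "$1" "$2")
  if [ -n "$dup" ]; then
    echo "overlapping routes between routers: $dup" >&2
    return 1
  fi
  return 0
}

PROD_ROUTES=$(routes_from_hosts "$SAMPLE_PROD" "$DNS_SUBNET")
STAGING_ROUTES=$(routes_from_hosts "$SAMPLE_STAGING")
echo "production router ADVERTISE_ROUTES=$PROD_ROUTES"
echo "staging router    ADVERTISE_ROUTES=$STAGING_ROUTES"
assert_no_overlap "$PROD_ROUTES" "$STAGING_ROUTES" && echo "no overlapping /24s"
```

On a real team you would feed it the `getent hosts <name>` output for every service and database instead of the constructed samples, and re-run it whenever a service is recreated, since the /24 may change.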
@anurag I posted in community forum https://community.render.com/t/render-internals/17888
Maybe @iandouglas could engage there :)
I saw that the `10.204.X.0/24` are not as fixed as I thought so any precision on that would be nice, I had to change my tailscale config a few times.