Network Transports

Network transports are the overlay networks Firetiger agents use to reach customer-side systems that aren’t reachable from the public internet (Tailscale or a SOCKS5 proxy). A transport holds the provider credentials and policy; sibling resources (such as Connections) reference a transport by name when they need egress into your private network.

The secret you supply (tailscale.oauthClientSecret or socks5.password) is stored in a secrets manager. Create, Update, and List responses omit it, but GetNetworkTransport returns the stored secret — treat Get responses as sensitive (don’t log or expose them).

Service: firetiger.network_transports.v1.NetworkTransportsService

Resource name pattern: network-transports/{network_transport}

Access: Read-write

Example flow

Create a Tailscale transport, then reference it by name from a connection that needs to reach a private host.

1. Create a transport

curl -X POST "https://api.cloud.firetiger.com/firetiger.network_transports.v1.NetworkTransportsService/CreateNetworkTransport" \
  -u "$USERNAME:$PASSWORD" \
  -H "Content-Type: application/json" \
  -d '{
    "networkTransportId": "prod-vpc",
    "networkTransport": {
      "displayName": "Production VPC",
      "description": "Egress into the prod VPC via Tailscale",
      "tailscale": {
        "oauthClientId": "k123abc",
        "oauthClientSecret": "tskey-client-...",
        "tailnet": "example.com",
        "tags": ["tag:firetiger"]
      }
    }
  }'

{
  "networkTransport": {
    "name": "network-transports/prod-vpc",
    "displayName": "Production VPC",
    "description": "Egress into the prod VPC via Tailscale",
    "tailscale": {
      "oauthClientId": "k123abc",
      "tailnet": "example.com",
      "tags": ["tag:firetiger"]
    },
    "createTime": "2026-05-27T00:00:00Z"
  }
}

Note the create response omits oauthClientSecret. (Get re-populates it from the secrets store.)

Transport details (Tailscale)

The tailscale field carries the provider-specific configuration. Firetiger joins your tailnet as an ephemeral, preauthorized node using these credentials.

Field Type Required Description
oauthClientId string Yes Tailscale OAuth client ID.
oauthClientSecret string Yes Tailscale OAuth client secret. Stored in a secrets manager. Omitted from Create/Update/List responses, but returned by Get.
tailnet string Yes The tailnet to join (e.g. example.com or example.ts.net).
hostname string No Hostname for the proxy node. Defaults to an auto-generated ft-proxy-* name.
tags string[] No ACL tags assigned to the proxy node. Must be a subset of the tags authorized for the OAuth client (e.g. ["tag:firetiger"]).
acceptDns bool No See DNS resolution below. Defaults to false.

DNS resolution (accept_dns)

By default (acceptDns: false), Firetiger resolves target hostnames using its own resolver: it first tries the tailnet’s MagicDNS, then falls back to the standard public resolver. This handles the common case — including public hostnames that resolve to private addresses reachable through a subnet router (for example, an *.rds.amazonaws.com endpoint mapping to a VPC-internal IP).

Set acceptDns: true only when your target hostnames can only be resolved by a private nameserver inside your network — for example, split-DNS or restricted nameservers configured in the Tailscale admin console (internal zones served by a private DNS server). This is equivalent to tailscale up --accept-dns and makes the node use the tailnet’s DNS configuration.

Enabling acceptDns is not purely additive. If your tailnet is configured to override local DNS, routing resolution through the tailnet’s nameservers can prevent resolution of public names (such as RDS endpoints) that resolve correctly with the default resolver. Leave it false unless you specifically need private-nameserver resolution.

Transport details (SOCKS5)

Alternatively, set the socks5 field to route through a SOCKS5 proxy (for example, a bastion host that fronts your private network). The Firetiger proxy opens a connection to the SOCKS5 server, which dials the target on its behalf — so the target only needs to be reachable from the SOCKS5 proxy, not from Firetiger directly.

Field Type Required Description
host string Yes SOCKS5 proxy hostname or IP, reachable from Firetiger.
port int32 Yes SOCKS5 proxy port (e.g. 1080).
username string No Username for SOCKS5 username/password auth (RFC 1929).
password string No Password for SOCKS5 auth. Stored in a secrets manager; omitted from Create/Update/List responses but returned by Get (like tailscale.oauthClientSecret). 
{
  "networkTransport": {
    "displayName": "Bastion SOCKS5",
    "socks5": { "host": "bastion.internal", "port": 1080, "username": "ft", "password": "..." }
  }
}

Methods

Method Description
CreateNetworkTransport Register a new transport
GetNetworkTransport Retrieve a transport by name (returns the stored secret)
UpdateNetworkTransport Edit a transport (partial update via update_mask)
DeleteNetworkTransport Soft-delete a transport
ListNetworkTransports List transports with filtering + pagination

CreateNetworkTransport

Register a new transport. The transportDetails oneof (tailscale or socks5) picks the provider and carries its required credentials. Secret fields (tailscale.oauthClientSecret, socks5.password) are stored in a secrets manager and cleared from the create response (though Get returns them).

POST /firetiger.network_transports.v1.NetworkTransportsService/CreateNetworkTransport

Request body

Field Type Required Description
networkTransportId string No ID for the new transport (matches ^[a-zA-Z0-9][a-zA-Z0-9_-]*$). Server-assigned if omitted.
networkTransport NetworkTransport Yes Transport fields. displayName is required; set exactly one of the tailscale or socks5 transport details.

GetNetworkTransport

Retrieve one transport’s metadata, including the stored secret (tailscale.oauthClientSecret or socks5.password, re-fetched from the secrets store and merged into the response).

POST /firetiger.network_transports.v1.NetworkTransportsService/GetNetworkTransport

Unlike Create, Update, and List — which omit it — GetNetworkTransport returns the stored secret (tailscale.oauthClientSecret / socks5.password) in the response. Treat Get responses as sensitive: don’t log them or surface them to untrusted callers.

Request body

Field Type Required Description
name string Yes Resource name (network-transports/{id})

UpdateNetworkTransport

Edit a transport. Partial updates follow AIP-134 via updateMask. The provider within transportDetails cannot be swapped in place — create a new transport and point consumers at it instead.

POST /firetiger.network_transports.v1.NetworkTransportsService/UpdateNetworkTransport

Request body

Field Type Required Description
networkTransport NetworkTransport Yes Transport object with name set
updateMask FieldMask No Fields to update (e.g. "tailscale.acceptDns")

DeleteNetworkTransport

Soft-delete the transport per AIP-164. Connections that reference it keep the reference but will fail at egress time; reconcile downstream wiring before relying on the delete.

POST /firetiger.network_transports.v1.NetworkTransportsService/DeleteNetworkTransport

Request body

Field Type Required Description
name string Yes Resource name (network-transports/{id})

ListNetworkTransports

Enumerate the organization’s transports. Supports AIP-158 pagination, AIP-160 filter / orderBy, and showDeleted.

POST /firetiger.network_transports.v1.NetworkTransportsService/ListNetworkTransports

Request body

Field Type Required Description
filter string No AIP-160 filter expression
orderBy string No Sort order
pageSize int32 No Maximum results per page
pageToken string No Token from a previous nextPageToken
showDeleted bool No Include soft-deleted transports
This site uses Just the Docs, a documentation theme for Jekyll.