Network Transports
Network transports are the overlay networks Firetiger agents use to reach
customer-side systems that aren’t reachable from the public internet (today:
Tailscale). A transport holds the tailnet
credentials and tag policy; sibling resources (such as Connections) reference
a transport by name when they need egress into your private network.
The oauthClientSecret you supply is stored in a secrets manager. Create,
Update, and List responses omit it, but GetNetworkTransport returns the
stored secret — treat Get responses as sensitive (don’t log or expose
them).
Service: firetiger.network_transports.v1.NetworkTransportsService
Resource name pattern: network-transports/{network_transport}
Access: Read-write
Example flow
Create a Tailscale transport, then reference it by name from a connection
that needs to reach a private host.
1. Create a transport
```bash
curl -X POST "https://api.cloud.firetiger.com/firetiger.network_transports.v1.NetworkTransportsService/CreateNetworkTransport" \
  -u "$USERNAME:$PASSWORD" \
  -H "Content-Type: application/json" \
  -d '{
    "networkTransportId": "prod-vpc",
    "networkTransport": {
      "displayName": "Production VPC",
      "description": "Egress into the prod VPC via Tailscale",
      "tailscale": {
        "oauthClientId": "k123abc",
        "oauthClientSecret": "tskey-client-...",
        "tailnet": "example.com",
        "tags": ["tag:firetiger"]
      }
    }
  }'
```

```json
{
  "networkTransport": {
    "name": "network-transports/prod-vpc",
    "displayName": "Production VPC",
    "description": "Egress into the prod VPC via Tailscale",
    "tailscale": {
      "oauthClientId": "k123abc",
      "tailnet": "example.com",
      "tags": ["tag:firetiger"]
    },
    "createTime": "2026-05-27T00:00:00Z"
  }
}
```
Note the create response omits oauthClientSecret. (Get
re-populates it from the secrets store.)
Transport details (Tailscale)
The tailscale field carries the provider-specific configuration. Firetiger
joins your tailnet as an ephemeral, preauthorized node using these
credentials.
| Field | Type | Required | Description |
|---|---|---|---|
| oauthClientId | string | Yes | Tailscale OAuth client ID. |
| oauthClientSecret | string | Yes | Tailscale OAuth client secret. Stored in a secrets manager. Omitted from Create/Update/List responses, but returned by Get. |
| tailnet | string | Yes | The tailnet to join (e.g. example.com or example.ts.net). |
| hostname | string | No | Hostname for the proxy node. Defaults to an auto-generated ft-proxy-* name. |
| tags | string[] | No | ACL tags assigned to the proxy node. Must be a subset of the tags authorized for the OAuth client (e.g. ["tag:firetiger"]). |
| acceptDns | bool | No | See DNS resolution below. Defaults to false. |
DNS resolution (accept_dns)
By default (acceptDns: false), Firetiger resolves target hostnames using
its own resolver: it first tries the tailnet’s MagicDNS, then falls back to
the standard public resolver. This handles the common case — including public
hostnames that resolve to private addresses reachable through a
subnet router (for example, an
*.rds.amazonaws.com endpoint mapping to a VPC-internal IP).
Set acceptDns: true only when your target hostnames can only be resolved
by a private nameserver inside your network — for example, split-DNS or
restricted nameservers configured in the Tailscale admin console (internal
zones served by a private DNS server). This is equivalent to
tailscale up --accept-dns and makes the node use the tailnet’s DNS
configuration.
Enabling acceptDns is not purely additive. If your tailnet is configured to
override local DNS, routing resolution through the tailnet's nameservers can
prevent resolution of public names (such as RDS endpoints) that resolve
correctly with the default resolver. Leave it false unless you specifically
need private-nameserver resolution.
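The resolver order described above, modelled as an added example (not Firetiger's own code) so the acceptDns trade-off can be checked against a list of target hostnames before the flag is flipped. The MagicDNS, split-DNS and public tables are constructed sample data; in practice they would wrap real lookups.

```python
# Added example: models the resolver behaviour this page describes.
# All DNS tables below are constructed sample records, not real ones.
from typing import Callable, Dict, Iterable, Optional

Resolver = Callable[[str], Optional[str]]

# Constructed: tailnet MagicDNS names (consulted even with acceptDns=false).
MAGICDNS = {"ft-proxy-1.example.ts.net": "100.64.0.7"}
# Constructed: a private zone served by split-DNS nameservers configured in
# the Tailscale admin console (only reachable with acceptDns=true).
SPLIT_DNS = {"db.internal.example.com": "10.0.5.20"}
# Constructed: public resolver. The RDS endpoint resolves to a VPC-internal
# address that is reachable through a subnet router.
PUBLIC_DNS = {"mydb.abc123.us-east-1.rds.amazonaws.com": "10.0.1.15",
              "example.com": "93.184.216.34"}

def lookup(table: Dict[str, str]) -> Resolver:
    """Wrap a static table as a resolver callable (hypothetical helper)."""
    return lambda host: table.get(host)

def resolve(host: str, accept_dns: bool,
            magicdns: Resolver = lookup(MAGICDNS),
            split_dns: Resolver = lookup(SPLIT_DNS),
            public: Resolver = lookup(PUBLIC_DNS),
            tailnet_overrides_local: bool = False) -> Optional[str]:
    """acceptDns=false: MagicDNS first, then the standard public resolver.
    acceptDns=true: the tailnet's DNS configuration (MagicDNS + split-DNS);
    if the tailnet overrides local DNS, the public fallback is not consulted,
    which is the failure mode the page warns about."""
    if not accept_dns:
        return magicdns(host) or public(host)
    tailnet_answer = magicdns(host) or split_dns(host)
    if tailnet_overrides_local:
        return tailnet_answer
    return tailnet_answer or public(host)

def needs_accept_dns(hosts: Iterable[str]) -> bool:
    """True only when some target is unresolvable with the default order but
    resolvable via the tailnet's private nameservers."""
    return any(resolve(h, accept_dns=False) is None
               and resolve(h, accept_dns=True) is not None for h in hosts)
```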
Methods
| Method | Description |
|---|---|
| CreateNetworkTransport | Register a new transport |
| GetNetworkTransport | Retrieve a transport by name (returns the stored secret) |
| UpdateNetworkTransport | Edit a transport (partial update via update_mask) |
| DeleteNetworkTransport | Soft-delete a transport |
| ListNetworkTransports | List transports with filtering + pagination |
CreateNetworkTransport
Register a new transport. The transportDetails oneof (tailscale) picks the
provider and carries its required credentials. The supplied
oauthClientSecret is stored in a secrets manager and cleared from the create
response (though Get returns it).
POST /firetiger.network_transports.v1.NetworkTransportsService/CreateNetworkTransport
Request body
| Field | Type | Required | Description |
|---|---|---|---|
| networkTransportId | string | No | ID for the new transport (matches ^[a-zA-Z0-9][a-zA-Z0-9_-]*$). Server-assigned if omitted. |
| networkTransport | NetworkTransport | Yes | Transport fields. displayName is required; set the tailscale transport details. |
GetNetworkTransport
Retrieve one transport’s metadata, including the stored oauthClientSecret
(re-fetched from the secrets store and merged into the response).
POST /firetiger.network_transports.v1.NetworkTransportsService/GetNetworkTransport
Unlike Create, Update, and List, which omit it, GetNetworkTransport returns
oauthClientSecret in the response. Treat Get responses as sensitive: don't
log them or surface them to untrusted callers.
Request body
| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Resource name (network-transports/{id}) |
UpdateNetworkTransport
Edit a transport. Partial updates follow AIP-134
via updateMask. The provider within transportDetails cannot be swapped in
place — create a new transport and point consumers at it instead.
POST /firetiger.network_transports.v1.NetworkTransportsService/UpdateNetworkTransport
Request body
| Field | Type | Required | Description |
|---|---|---|---|
| networkTransport | NetworkTransport | Yes | Transport object with name set |
| updateMask | FieldMask | No | Fields to update (e.g. "tailscale.acceptDns") |
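Client-side helpers for the Create, Get and Update request shapes above, written as an added example rather than Firetiger's own SDK: the Create builder enforces the networkTransportId pattern and the tag-subset rule before the request leaves the client, the Update builder emits an updateMask limited to tailscale.* paths (so a provider swap cannot be expressed), and the redaction step masks oauthClientSecret in a Get response before it is logged. The `authorized_tags` list and the sample response are assumptions.

```python
# Added example (not Firetiger's SDK): request builders and a log-redaction
# helper for the NetworkTransports request/response shapes on this page.
import copy
import re

ID_PATTERN = re.compile(r"^[a-zA-Z0-9][a-zA-Z0-9_-]*$")  # from the Create table
REDACTED = "***REDACTED***"

def build_create_request(transport_id, display_name, oauth_client_id,
                         oauth_client_secret, tailnet, tags, authorized_tags,
                         description=None, accept_dns=False):
    """Assemble a CreateNetworkTransport body, rejecting inputs the server would.
    `authorized_tags` (assumed) is the tag list granted to the OAuth client."""
    if not ID_PATTERN.match(transport_id):
        raise ValueError(f"invalid networkTransportId: {transport_id!r}")
    unauthorized = set(tags) - set(authorized_tags)   # tags must be a subset
    if unauthorized:
        raise ValueError(f"tags not authorized for OAuth client: {sorted(unauthorized)}")
    transport = {"displayName": display_name,
                 "tailscale": {"oauthClientId": oauth_client_id,
                               "oauthClientSecret": oauth_client_secret,
                               "tailnet": tailnet, "tags": list(tags),
                               "acceptDns": accept_dns}}
    if description:
        transport["description"] = description
    return {"networkTransportId": transport_id, "networkTransport": transport}

def build_update_request(name, **tailscale_fields):
    """AIP-134 partial update: only tailscale.* paths go into the FieldMask,
    e.g. build_update_request(name, acceptDns=True) -> "tailscale.acceptDns"."""
    if not tailscale_fields:
        raise ValueError("no fields to update")
    return {"networkTransport": {"name": name, "tailscale": dict(tailscale_fields)},
            "updateMask": ",".join(f"tailscale.{k}" for k in tailscale_fields)}

def redact_for_logging(get_response):
    """Return a deep copy of a GetNetworkTransport response with the secret
    masked; the caller's original (still holding the secret) is untouched."""
    safe = copy.deepcopy(get_response)
    ts = safe.get("networkTransport", {}).get("tailscale", {})
    if "oauthClientSecret" in ts:
        ts["oauthClientSecret"] = REDACTED
    return safe
```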
DeleteNetworkTransport
Soft-delete the transport per AIP-164. Connections that reference it keep the reference but will fail at egress time; reconcile downstream wiring before relying on the delete.
POST /firetiger.network_transports.v1.NetworkTransportsService/DeleteNetworkTransport
Request body
| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Resource name (network-transports/{id}) |
ListNetworkTransports
Enumerate the organization’s transports. Supports
AIP-158 pagination,
AIP-160 filter / orderBy, and showDeleted.
POST /firetiger.network_transports.v1.NetworkTransportsService/ListNetworkTransports
Request body
| Field | Type | Required | Description |
|---|---|---|---|
| filter | string | No | AIP-160 filter expression |
| orderBy | string | No | Sort order |
| pageSize | int32 | No | Maximum results per page |
| pageToken | string | No | Token from a previous nextPageToken |
| showDeleted | bool | No | Include soft-deleted transports |