Connect Firetiger to Your Private Network Using Tailscale

This guide walks through connecting Firetiger to an AWS RDS PostgreSQL database that is not publicly accessible, using Tailscale as the network transport.

By the end, Firetiger agents will be able to query your private RDS instance through a secure Tailscale tunnel.

Prerequisites

  • A Tailscale account with admin access
  • Your RDS database must be reachable from your tailnet (via a subnet router in the same VPC)

Step 1: Configure Tailscale ACLs

Open the Access Controls page in the Tailscale admin console.

Add a tag:firetiger tag and grant it access to your database port:

"tagOwners": {
    "tag:firetiger": ["autogroup:admin"]
},

"grants": [
    {
        "src": ["tag:firetiger"],
        "dst": ["*"],
        "ip": ["5432"]
    }
]

Restrict dst to specific machines or tags for tighter security (e.g., ["tag:databases"] instead of ["*"]).

Step 2: Create a Tailscale OAuth Client

  1. Go to Settings > OAuth clients
  2. Click Generate OAuth client
  3. Set the description to something like firetiger
  4. Under Tags, select tag:firetiger
  5. Under Scopes, ensure auth_keys Write is included (this allows the client to generate auth keys with the selected tags)
  6. Click Generate
  7. Copy the Client ID and Client Secret

The client secret is only shown once. Save it securely before closing the dialog.

The OAuth client must have the tag:firetiger tag selected. Without it, the proxy cannot generate tagged auth keys and will fail with “requested tags are invalid or not permitted”.

Step 3: Find Your Tailnet Name

You’ll need your tailnet name for the next step. Find it at Settings > General, or run:

tailscale status --json | jq -r .MagicDNSSuffix

It looks like example.ts.net or tail1234.ts.net.

Step 4: Create the Network Transport

  1. Navigate to https://ui.cloud.firetiger.com/integrations/network-transports
  2. Click Create Network Transport > Tailscale
  3. Enter a display name (e.g., “Tailscale”)
  4. Enter your Tailscale OAuth Client ID and Client Secret from Step 2
  5. Enter your tailnet name from Step 3
  6. Optionally set a hostname for the proxy node (default: auto-generated)
  7. Click Create Network Transport

Step 5: Create the Database Connection

  1. Navigate to https://ui.cloud.firetiger.com/integrations/connections/new
  2. Select PostgreSQL
  3. Enter the connection details:
    • Host: Use the private IP or DNS name of your RDS instance (the one reachable from within the VPC, not a public endpoint — e.g., mydb.abc123.us-east-1.rds.amazonaws.com)
    • Port: 5432
    • Database: your database name
    • Username / Password: your database credentials
    • SSL Mode: require
    • Read Only: enabled (recommended for production)
  4. Under Network Transport, select your Tailscale network transport
  5. Click Save

Step 6: Test the Connection

On the connection page, click Save + Test.

If successful, agents can now query your private RDS database through the Tailscale tunnel.

Troubleshooting

Error Cause Fix
“requested tags are invalid or not permitted” OAuth client doesn’t have tag:firetiger Recreate the OAuth client with the tag selected
“tailnet not found” Wrong tailnet name Check tailscale status --json \| jq -r .MagicDNSSuffix
“tailnet-owned auth key must have tags set” Network transport missing tags field Update the transport to include "tags": ["tag:firetiger"]
Connection times out Database not reachable from tailnet Verify your subnet router is running and the RDS security group allows traffic from the subnet router

How It Works 

Agent ──► Firetiger Proxy ──► Tailscale Tunnel ──► Subnet Router ──► RDS
                                  (ephemeral           (in your
                                   node with             VPC)
                                   tag:firetiger)

The proxy joins your tailnet as an ephemeral node, dials the RDS endpoint through the Tailscale mesh network, and forwards the database traffic. The node is automatically removed when the connection closes.

This site uses Just the Docs, a documentation theme for Jekyll.