After deploying all infrastructure layers, you can access your services through Tailscale VPN. This guide covers how to set up access and connect to each service.

Tailscale VPN Setup

Tailscale provides secure, private access to your infrastructure without exposing services to the public internet.

Install Tailscale

brew install tailscale

Connect to Tailscale Network

1. Start Tailscale

sudo tailscale up

Follow the authentication prompt in your browser.

2. Verify connection

tailscale status

You should see your devices listed, including the AWS subnet router.

3. Test VPC connectivity

# Ping a private IP in your VPC
ping 10.0.1.10

If the ping succeeds, the subnet route is working and you can reach your private infrastructure over Tailscale.

Creating a Tailscale Auth Key

If you need to create a new auth key for additional subnet routers:

1. Open Tailscale Admin Console

2. Generate new auth key

Click “Generate auth key” and configure:
  • Reusable: Allow key to be used multiple times
  • Ephemeral: Device will be removed when disconnected
  • Pre-authorized: Skip manual approval
  • Tags: tag:aws-router
  • Expiration: 90 days (or custom)

3. Copy and save the key

Copy the key starting with tskey-auth- and store it securely.
This key will only be shown once. Store it in your password manager or .env file.
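As an added example (not part of this guide or of Tailscale's own tooling), here is a small POSIX shell helper for step 3: it refuses any value that does not look like a tskey-auth- key, writes it to the .env file with owner-only permissions, and adds that file to .gitignore when run inside a git checkout so the key cannot be committed by accident. The file name, the TS_AUTHKEY variable name, the helper names and the sample key used in testing are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the guide: store a Tailscale auth key in a .env file
# the way step 3 recommends, with checks before the key lands on disk.
# TS_ENV_FILE, TS_AUTHKEY and the helper names are assumptions of this example.

TS_ENV_FILE="${TS_ENV_FILE:-.env}"

# Return 0 only if the value looks like an auth key: prefix tskey-auth-,
# something after the prefix, no whitespace. Other tskey-* kinds are rejected.
ts_key_looks_valid() {
    case "$1" in
        tskey-auth-*) ;;
        *) return 1 ;;
    esac
    [ -n "${1#tskey-auth-}" ] || return 1
    case "$1" in
        *[[:space:]]*) return 1 ;;
    esac
    return 0
}

# Write TS_AUTHKEY=<key> to the env file (mode 0600), replacing any earlier
# TS_AUTHKEY line, and gitignore the file when run inside a git checkout.
ts_store_key() {
    key="$1"; file="${2:-$TS_ENV_FILE}"
    if ! ts_key_looks_valid "$key"; then
        echo "refusing to store: value is not a tskey-auth- key" >&2
        return 1
    fi
    tmp="$file.tmp.$$"
    (   umask 077                     # temp file is created owner-only
        {
            if [ -f "$file" ]; then grep -v '^TS_AUTHKEY=' "$file" || true; fi
            echo "TS_AUTHKEY=$key"
        } > "$tmp"
    )
    mv "$tmp" "$file" && chmod 600 "$file"
    if [ -d .git ] && ! grep -qx "$(basename "$file")" .gitignore 2>/dev/null; then
        echo "$(basename "$file")" >> .gitignore
    fi
}

# Load the key into TS_AUTHKEY without printing it; non-zero if it is missing.
ts_load_key() {
    file="${1:-$TS_ENV_FILE}"
    [ -r "$file" ] || return 1
    TS_AUTHKEY=$(sed -n 's/^TS_AUTHKEY=//p' "$file" | tail -n 1)
    [ -n "$TS_AUTHKEY" ]
}
```

Call ts_store_key with the key you copied from the admin console; a later `ts_load_key && sudo tailscale up --auth-key="$TS_AUTHKEY"` reads it back without ever echoing it to the terminal.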

Accessing EKS Cluster

With Tailscale connected, you can access the EKS cluster API directly.

Configure kubectl

aws eks update-kubeconfig --name dev-eks-cluster --region us-east-2
This updates your kubeconfig with the EKS cluster endpoint and authentication details.

Verify Access

# Check connection
kubectl cluster-info

# List nodes
kubectl get nodes

# List all pods
kubectl get pods -A
The EKS API endpoint is private-only and is not reachable without an active Tailscale connection.

Common kubectl Commands

# Get pods in a namespace
kubectl get pods -n argocd

# Describe a resource
kubectl describe pod <pod-name> -n <namespace>

# View logs
kubectl logs <pod-name> -n <namespace>

# Execute command in pod
kubectl exec -it <pod-name> -n <namespace> -- /bin/sh

# Port forward to a service
kubectl port-forward -n <namespace> svc/<service-name> <local-port>:<service-port>

Accessing Vault

HashiCorp Vault is accessible via web UI and CLI.

Web UI Access

1. Ensure Tailscale is connected

tailscale status

2. Navigate to Vault URL

Open your browser and go to:
https://vault.yourdomain.com

3. Login with root token

Use the root token generated during Vault initialization:
grep VAULT_TOKEN ~/.vault-secrets/vault.env
Enter this token in the web UI login form.

CLI Access

# Source Vault environment variables
source ~/.vault-secrets/vault.env

# Verify connection
vault status

# List secrets
vault kv list secret/

# Read a secret
vault kv get secret/path/to/secret

# Write a secret
vault kv put secret/path/to/secret key=value

Port Forward Method

Alternatively, access Vault via kubectl port forwarding:
# Port forward to Vault service
kubectl port-forward -n vault svc/vault 8200:8200

# In another terminal
export VAULT_ADDR="http://localhost:8200"
vault status

Accessing ArgoCD

ArgoCD provides a web UI for managing GitOps deployments.

Web UI Access

1. Get admin password

kubectl -n argocd get secret argocd-initial-admin-secret \
  -o jsonpath="{.data.password}" | base64 -d && echo

Save this password for login.

2. Navigate to ArgoCD URL

With Tailscale connected:
https://argocd.yourdomain.com

3. Login

  • Username: admin
  • Password: (from step 1)

4. Change default password (recommended)

  1. Click “User Info” in top right
  2. Select “Update Password”
  3. Enter current and new password

CLI Access

Install ArgoCD CLI:
brew install argocd
Login via CLI:
# Login to ArgoCD
argocd login argocd.yourdomain.com

# List applications
argocd app list

# Get application details
argocd app get <app-name>

# Sync an application
argocd app sync <app-name>

Port Forward Method

# Port forward to ArgoCD server
kubectl port-forward -n argocd svc/argocd-server 8080:443

# Access in browser
https://localhost:8080

Accessing Traefik Dashboard

Traefik provides a dashboard for monitoring routes and services.

Port Forward Access

# Port forward to Traefik dashboard
kubectl port-forward -n traefik svc/traefik 9000:9000
Then navigate to: http://localhost:9000/dashboard/
Note the trailing slash in the URL - it’s required.

Service URLs Reference

Once connected to Tailscale, access services at these URLs:

Service              URL                               Authentication
Vault                https://vault.yourdomain.com      Root token
ArgoCD               https://argocd.yourdomain.com     admin / (generated password)
Traefik Dashboard    Port forward to localhost:9000    None
EKS API              Via kubectl                       AWS IAM

Troubleshooting Access

Cannot Connect to Services

Check Tailscale status:
tailscale status
If not connected, run:
sudo tailscale up
If Tailscale is connected but private VPC addresses are still unreachable, check the subnet router:
  1. Go to Tailscale Admin Console
  2. Find your subnet router
  3. Check that routes are advertised and approved
  4. If not approved, check that your ACL configuration includes auto-approvers
If vault.yourdomain.com doesn’t resolve:
  1. Check Cloudflare DNS records
  2. Verify external-dns is running:
     kubectl get pods -n external-dns
  3. Check external-dns logs:
     kubectl logs -n external-dns deployment/external-dns
If you see SSL/TLS certificate errors:
  1. Check certificate status:
     kubectl get certificates -A
  2. Verify cert-manager is running:
     kubectl get pods -n cert-manager
  3. Check certificate details:
     kubectl describe certificate <cert-name> -n <namespace>

kubectl Connection Issues

# Update kubeconfig
aws eks update-kubeconfig --name dev-eks-cluster --region us-east-2

# Verify AWS credentials
aws sts get-caller-identity

# Test cluster connectivity
kubectl cluster-info

Vault Seal Status

If Vault is sealed:
# Check Vault status
kubectl exec -n vault vault-0 -- vault status

# If sealed, Vault should auto-unseal with KMS
# Check pod logs if issues persist
kubectl logs -n vault vault-0

Security Best Practices

Important security considerations:
  • Store Vault root token in a secure password manager
  • Rotate Vault root token after initial setup
  • Change ArgoCD admin password immediately
  • Never share Tailscale auth keys publicly
  • Use short-lived tokens for CI/CD
  • Enable MFA on Tailscale account

Next Steps

  • Troubleshooting: Common issues and solutions
  • Destroying Resources: How to safely tear down infrastructure
