These Bicep & ARM templates deploy a Tailscale subnet router as an Azure Container Instance. The subnet router ACI instance is deployed into an existing Azure Virtual Network and advertises to your Tailnet the CIDR block for the Azure VNet.
When deploying the ARM or Bicep templates, the value of the `containerRegistry` parameter determines where the deployment pulls the container image from.
- If `DockerHub` is selected, the image is pulled from cocallaw/tailscale-sr on Docker Hub. The parameters `tailscaleImageRepository` and `tailscaleImageRepository` are not used and can be left at their default values or null.
- If `ACR` is selected, the image is pulled from Azure Container Registry using the values of the `tailscaleImageRepository` and `tailscaleImageRepository` parameters.
The `docker/Dockerfile` file extends the `tailscale/tailscale` image with an entrypoint script that starts the Tailscale daemon and runs `tailscale up` using an auth key and the relevant advertised CIDR block.
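The kind of entrypoint described above, written as an added example rather than the repository's own script: it validates the advertised CIDR before the daemon starts and refuses a /0 route. The variable names `TS_AUTH_KEY` and `TS_ROUTES`, the socket path, the `run` argument and the use of userspace networking are assumptions.

```shell
#!/bin/sh
# Added example, not the repository's entrypoint script.
# TS_AUTH_KEY, TS_ROUTES, SOCK and the "run" argument are assumed names.
set -eu
STATE_DIR=/var/lib/tailscale   # state path from the page, on the file share
SOCK=/var/run/tailscale/tailscaled.sock

# True only for one IPv4 CIDR with prefix length 1-32. A /0 is refused because
# advertising 0.0.0.0/0 offers the node as an exit node, not a subnet router.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; len=${1#*/}
    case "$addr" in ''|*[!0-9.]*|*.) return 1 ;; esac
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -ge 1 ] && [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in '') return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Fail before the daemon starts if either input is missing or malformed.
check_inputs() {
    [ -n "${TS_AUTH_KEY:-}" ] || { echo "TS_AUTH_KEY is not set" >&2; return 1; }
    valid_cidr "${TS_ROUTES:-}" || { echo "TS_ROUTES is not a usable IPv4 CIDR" >&2; return 1; }
}

start_router() {
    check_inputs
    mkdir -p "$STATE_DIR" "${SOCK%/*}"
    # Userspace networking: assumes the container has no /dev/net/tun.
    tailscaled --state="$STATE_DIR/tailscaled.state" --socket="$SOCK" \
        --tun=userspace-networking &
    daemon=$!
    tries=0
    until [ -S "$SOCK" ]; do   # wait for the daemon's control socket
        tries=$((tries + 1))
        [ "$tries" -le 30 ] || { echo "tailscaled did not start" >&2; return 1; }
        sleep 1
    done
    # The script never echoes the auth key.
    tailscale --socket="$SOCK" up --authkey="$TS_AUTH_KEY" --advertise-routes="$TS_ROUTES"
    wait "$daemon"
}

# Start the router only when invoked as: entrypoint.sh run
case "${1:-}" in run) start_router ;; esac
```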
The Docker container must be built and pushed to an ACR if the parameter `containerRegistry` is set to `ACR` so that it can be referenced during deployment. If the parameter `containerRegistry` is set to `DockerHub`, the container does not need to be built as it will be pulled from Docker Hub.
Build locally with Docker and push image to ACR
```bash
docker build \
  --tag tailscale-subnet-router:v1 \
  --file ./docker/tailscale.Dockerfile \
  .
# Optionally override the tag for the base `tailscale/tailscale` image
docker build \
  --build-arg TAILSCALE_TAG=v1.29.18 \
  --tag tailscale-subnet-router:v1 \
  --file ./docker/tailscale.Dockerfile \
  .
```
Build remotely using Azure Container Registry Tasks with Azure CLI
```bash
ACR_NAME=<registry-name>
az acr build --registry "$ACR_NAME" --image tailscale:v1 .
# Optionally override the tag for the base `tailscale/tailscale` image
ACR_NAME=<registry-name>
az acr build --registry "$ACR_NAME" --build-arg TAILSCALE_TAG=v1.29.18 --image tailscale:v1 .
```
To assist with the deployment of the ACI container group in the Azure VNet, the subnet being used should be delegated to `Microsoft.ContainerInstance/containerGroups`.
```bash
# Update the subnet with a delegation for Microsoft.ContainerInstance/containerGroups
az network vnet subnet update \
  --resource-group myResourceGroup \
  --name mySubnet \
  --vnet-name myVnet \
  --delegations Microsoft.ContainerInstance/containerGroups
# Verify that the subnet is now delegated to the ACI instance
az network vnet subnet show \
  --resource-group myResourceGroup \
  --name mySubnet \
  --vnet-name myVnet \
  --query delegations
```
- The Tailscale state (`/var/lib/tailscale`) is stored in an Azure File Share in a Storage Account so that the subnet router only needs to be authorized once.
Currently the templates only support using a username and password to authenticate to the ACR repository, and the server URL is derived from the ACR repository name.
- Validation testing needed for use with Docker Hub
- Add Option to use anonymous pull with ACR
- Investigate using a service principal to authenticate to the ACR repository
When the Tailscale container is deployed, the size is set to 1 CPU core and 1 GiB of memory. Currently there is no option to adjust this size, unless the template file is edited.
- Add Variable Option to adjust the size of the ACI container. Possible Small/Med/Large options that are available for deployment but easily defined by the user.