
Get started with Border0

Border0 + Tailscale is currently in beta.

This guide walks you through enabling Border0 + Tailscale so you can begin to provide privileged access for your Tailscale network (known as a tailnet). To learn more about what Border0 does before you start, refer to What is Border0?.

This is the initial release of Border0 + Tailscale and results from Border0 joining Tailscale. As of this release, you need to access both the Tailscale admin console and the Border0 console to set up Border0 for your tailnet.

Prerequisites

Before you begin, confirm you have the following:

  • A tailnet. If you do not have a tailnet, sign up.

  • Border0 integration is enabled for your tailnet. If you want to try Border0 for free, join the waitlist. To learn more about Border0 for your organization, contact Tailscale Sales.

  • A Tailscale account with Owner, Admin, or IT admin permissions, so you can use the Tailscale admin console to enable Border0 for your tailnet.

  • A device to use as a Border0 connector. This topic will show you how to configure this device as a Border0 connector. The device must satisfy one of the following options:

    • Linux
    • AWS EC2
    • Docker
    • Kubernetes
  • A device to use when you want to access a privileged resource. This device must satisfy one of the following options:

    • A device with Tailscale installed and running so that you can use the Border0 connector to get privileged access to the resources on your tailnet. For information about installing Tailscale, refer to Install Tailscale.
    • A device with a browser. This lets you access a resource protected by Border0 without installing the Tailscale client on the device.

Step 1: Enable the Border0 integration for your tailnet

  1. Open the General settings page of the Tailscale admin console.
  2. In the Feature previews section, enable Privileged Access Management by Border0 (Beta).

Step 2: Create a Border0 connector

  1. Open the Connectors page in the Border0 portal. Log in with the same account you use for Tailscale.
  2. Select Add New Connector.
  3. Select the platform that you want to use for the connector.
  4. In the Launch New Connector section, follow the instructions and apply them to the device that you want to use as your connector.

The Border0 connector has Tailscale functionality built into it and will automatically join your tailnet.

Step 3: Secure a resource

You can now use Border0 to create secure access to resources in your tailnet. The resources that you secure are referred to as sockets in Border0. The term socket is borrowed from network programming, where a socket is an endpoint for communication between systems. Border0 treats sockets as the application-aware proxies that handle connections securely.

For examples, refer to topics such as the following on the Border0 site.

Step 4: Grant network access in your tailnet policy

Border0 controls what a user can do once they connect to a resource at the protocol level, such as which commands they can run or which databases and queries they can access. Your tailnet policy file controls whether a user's device can reach that resource over the tailnet in the first place. Both layers apply, so after you secure a resource you must add a grant that permits network access to it. Enabling the integration alone is not enough.

When you secure a resource, Border0 exposes it as a Tailscale service (svc:<name>) tagged tag:border0-managed. You write the grant against that tag or service. This grant lets every member of your tailnet reach all Border0 resources:

// Allow everyone to access Border0 resources
{
    "src": ["autogroup:member"],
    "dst": ["tag:border0-managed"],
    "ip":  ["*"],
},

You do not have to allow everyone. Because Border0 already enforces fine-grained, per-protocol access, this grant only needs to be broad enough to reach the resources. You can scope src to a subset of users and dst to individual resources instead:

// Allow a subset of users to reach specific Border0 resources
{
    "src": ["group:db-admins"],
    "dst": ["svc:prod-postgres", "svc:staging-postgres"],
    "ip":  ["*"],
},
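
The following is an added example, not taken from the Tailscale or Border0 documentation: a Python check that lists which grants in a policy file open network access to Border0 resources, and how broadly. It assumes the grants sit in a top-level "grants" array and that you supply the names of your Border0-backed services (the hypothetical `border0_services` parameter); the sample policy is constructed from the two grants above.

```python
import json
import re

BORDER0_TAG = "tag:border0-managed"      # tag named on this page
EVERYONE = {"*", "autogroup:member"}     # assumption: sources counted as "everyone"
_STR = r'"(?:\\.|[^"\\])*"'              # string literal, matched first so it is kept

# Constructed sample policy: the two grants from this page in a "grants" array.
SAMPLE_POLICY = """
{"grants": [
  // Allow everyone to access Border0 resources
  {"src": ["autogroup:member"], "dst": ["tag:border0-managed"], "ip": ["*"]},
  // Allow a subset of users to reach specific Border0 resources
  {"src": ["group:db-admins"],
   "dst": ["svc:prod-postgres", "svc:staging-postgres"],
   "ip":  ["*"],
  },
]}
"""

def hujson_to_json(text):
    """Strip comments and trailing commas that sit outside string literals."""
    text = re.sub(rf'({_STR})|//[^\n]*|/\*.*?\*/',
                  lambda m: m.group(1) or "", text, flags=re.S)
    return re.sub(rf'({_STR})|,(\s*[}}\]])',
                  lambda m: m.group(1) or m.group(2), text)

def audit_border0_grants(policy_text, border0_services=()):
    """List grants that open network access to Border0 resources, with their scope."""
    grants = json.loads(hujson_to_json(policy_text)).get("grants", [])
    findings = []
    for idx, grant in enumerate(grants):
        dst, src = grant.get("dst", []), grant.get("src", [])
        all_resources = BORDER0_TAG in dst or "*" in dst
        named = sorted(d for d in dst if d in border0_services)
        if not (all_resources or named):
            continue                     # this grant does not reach Border0
        findings.append({
            "grant": idx,
            "src": "everyone" if EVERYONE & set(src) else "scoped",
            "dst": "all-resources" if all_resources else named,
        })
    return findings

if __name__ == "__main__":
    services = {"svc:prod-postgres", "svc:staging-postgres"}
    for finding in audit_border0_grants(SAMPLE_POLICY, services):
        print(finding)
```

A finding with `src` of "everyone" and `dst` of "all-resources" means the network layer is fully open and Border0's per-protocol policy is the only control on those resources.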

Step 5: Access a socket

Once you create a socket, members of your tailnet with the appropriate access have two ways to access the socket.

Once logged in to either the Tailscale client or the web-based client, members of your tailnet can access the sockets that you configured for them.

Next steps

Explore the following resources on the Border0 site.