The Mesh Relay: Architecting Secure Hybrid Cloud Networks with Tailscale Peer Relays and Terraform

Revolutionize your hybrid cloud connectivity. Learn to deploy secure Tailscale Subnet Routers with Terraform for seamless, scalable, and automated network architecture.

Photo by Tyler on Unsplash

For decades, the standard answer to connecting an on-premise data center with a cloud VPC—or connecting two distinct clouds—was the IPsec VPN tunnel. It was the industry standard, yet it brought with it a host of headaches: brittle configuration files, overlapping subnets, firewall purgatory, and a rigid hub-and-spoke topology that introduced latency and single points of failure.

As we move toward Zero Trust architectures, the traditional VPN appliance is rapidly becoming a bottleneck. Enter the Mesh Network. Specifically, Tailscale (built on the revolutionary WireGuard protocol) has democratized secure, peer-to-peer networking. But what happens when you need to connect resources that can't run a VPN client, like a managed RDS database, a legacy mainframe, or a proprietary IoT gateway?

This is where the Peer Relay (or Subnet Router) comes in. By combining Tailscale's subnet routing capabilities with the infrastructure-as-code power of Terraform, we can architect hybrid networks that are self-healing, auditable, and incredibly secure. In this guide, we will explore how Nohatek approaches this modern architecture to solve complex connectivity challenges.

Beyond the Hub-and-Spoke: Understanding the Peer Relay

black metal stand with white background — Photo by Shay on Unsplash

In a pure mesh network, every device talks directly to every other device. This is ideal for laptops and servers you control. However, in a hybrid enterprise environment, you inevitably encounter "black boxes"—managed cloud services or legacy hardware where you cannot install the Tailscale agent.

The Peer Relay, formally known in the Tailscale ecosystem as a Subnet Router, acts as a transparent gateway. It sits inside your private network (like an AWS VPC or an on-premise LAN), joins the mesh, and advertises the local subnets to the rest of your Tailnet.

The beauty of the Peer Relay is that it allows a developer in a coffee shop to securely access a private Amazon RDS instance without ever exposing that database to the public internet and without managing complex SSH bastion hosts.

Unlike a traditional VPN concentrator that funnels all traffic through a central choke point, you can deploy multiple Peer Relays across different environments. This creates a distributed ingress layer. If your Azure environment needs to talk to AWS, they communicate directly via their respective relays, encrypted end-to-end, without hairpinning traffic back through your corporate HQ.

Infrastructure as Code: Automating Connectivity with Terraform

a laptop computer sitting on top of a white table — Photo by Surface on Unsplash

Manually configuring networking gear is a recipe for configuration drift and security gaps. At Nohatek, we believe that network topology should be defined in code. Using Terraform, we can treat our connectivity layer just like we treat our compute resources: versioned, reviewed, and automated.

To deploy a Tailscale Peer Relay, we need to automate two distinct parts: the generation of the authentication key and the provisioning of the relay server itself. Using the official Tailscale Terraform provider, this becomes seamless.

Here is a conceptual example of how we define a reusable auth key for our routers:

resource "tailscale_tailnet_key" "subnet_router_key" {
  reusable      = true
  ephemeral     = false
  preauthorized = true
  tags          = ["tag:subnet-router"]
}

Once the key is generated, we can inject it into a cloud instance (like an EC2 instance) via user_data. The script below installs Tailscale, enables IP forwarding (crucial for routing), and advertises the local VPC CIDR block:

#!/bin/bash
# Enable IP forwarding
echo 'net.ipv4.ip_forward = 1' | tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | tee -a /etc/sysctl.d/99-tailscale.conf
sysctl -p /etc/sysctl.d/99-tailscale.conf

# Install and Advertise
curl -fsSL https://tailscale.com/install.sh | sh
tailscale up --authkey=${tailscale_auth_key} --advertise-routes=10.0.0.0/16

By wrapping this logic in a Terraform module, spinning up a secure bridge between your on-premise network and the cloud becomes a simple terraform apply. If a relay node fails, an Auto Scaling Group can replace it instantly, and because the state is managed in code, the new node automatically rejoins the mesh and re-advertises the routes.

Security Governance: ACLs and High Availability

scrabble tiles spelling security on a wooden surface — Photo by Markus Winkler on Unsplash

Connecting networks is easy; securing them is hard. One of the primary fears CTOs have regarding mesh networking is "flat network" syndrome—where once you are in, you can access everything. This is where Tailscale ACLs (Access Control Lists) shine, especially when managed via Terraform.

We can define rigid policies that restrict traffic flow based on identity rather than IP address. Even though a Peer Relay advertises a whole subnet (e.g., 10.0.0.0/16), that doesn't mean every user can access every IP in that range.

Tag-Based Logic: We assign the relay a tag, such as tag:prod-relay.
Granular Rules: We can write a policy that says: "Only the DevOps group can access port 22 via the prod-relay, and only the Backend App group can access port 5432 (Postgres)."

Furthermore, for mission-critical hybrid clouds, we architect for High Availability (HA). By deploying two Subnet Routers in different Availability Zones and advertising the same CIDR block, Tailscale automatically handles failover. If Router A goes dark during a patch cycle, traffic seamlessly shifts to Router B. This capability, formerly requiring expensive load balancers and BGP configuration, is now native to the software-defined layer.

This approach satisfies the rigorous compliance requirements of SOC2 and HIPAA by ensuring that access is auditable, least-privilege, and resistant to infrastructure failure.

The era of the hardware VPN appliance is fading. As organizations adopt multi-cloud strategies and rely heavily on microservices, the network must become as agile as the software running on top of it. The combination of Tailscale's Peer Relays and Terraform's automation offers a robust, secure, and scalable way to bridge the gap between legacy infrastructure and modern cloud environments.

At Nohatek, we specialize in modernizing IT infrastructure. Whether you are looking to simplify developer access, secure a hybrid cloud deployment, or automate your network operations, our team can help you architect a solution that is built for the future.

Ready to ditch the legacy VPN? Contact us today to discuss your network architecture.