{"slug":"acl-policy-examples","title":"ACL policy examples","tags":["tailscale","access-control"],"agent_summary":"Last validated: Feb 2, 2026","trigger_phrases":[],"runnable":false,"markdown":"\r\n# ACL policy examples\r\n\r\nLast validated: Feb 2, 2026\r\n\r\nTailscale now secures access to resources using [grants](https://tailscale.com/docs/features/access-control/grants), a next-generation access control policy syntax. Grants provide [all original ACL functionality plus additional capabilities](https://tailscale.com/docs/reference/grants-vs-acls).\r\n\r\nACLs will continue to work **indefinitely**; Tailscale will not remove support for this first-generation syntax from the product. However, Tailscale recommends [migrating to grants](https://tailscale.com/docs/reference/migrate-acls-grants) and using grants for all new tailnet policy file configurations because ACLs will not receive any new features.\r\n\r\nYou can use the [visual policy editor](https://tailscale.com/docs/features/visual-editor) to manage your tailnet policy file. Refer to the [visual editor reference](https://tailscale.com/docs/reference/visual-editor) for guidance on using the visual editor.\r\n\r\nThis topic provides example [access controls (ACLs)](https://tailscale.com/docs/features/access-control/acls) for common scenarios. For information about the syntax, refer to the [tailnet policy syntax](https://tailscale.com/docs/reference/syntax/policy-file).\r\n\r\n| **Example** | **Description** | **Uses** |\r\n| --- | --- | --- |\r\n| [Allow all](https://tailscale.com/docs/reference/examples/acls#allow-all-default-acl) | The default tailnet policy that lets all devices within the tailnet access other devices in the tailnet. | [ACLs](https://tailscale.com/docs/features/access-control/acls), [SSH](https://tailscale.com/docs/reference/syntax/policy-file#ssh) |\r\n| [Deny all](https://tailscale.com/docs/reference/examples/acls#deny-all) | Deny all connections. | [ACLs](https://tailscale.com/docs/features/access-control/acls) |\r\n| [Users can access their own devices](https://tailscale.com/docs/reference/examples/acls#users-can-access-their-own-devices) | All tailnet users can access devices they own unless another policy prevents it. | [ACLs](https://tailscale.com/docs/features/access-control/acls), [SSH](https://tailscale.com/docs/reference/syntax/policy-file#ssh) |\r\n| [Resource-level access policies](https://tailscale.com/docs/reference/examples/acls#resource-level-access-policies) | Allow specific devices to access specific resources within the tailnet. | [ACLs](https://tailscale.com/docs/features/access-control/acls), [hosts](https://tailscale.com/docs/reference/syntax/policy-file#hosts) |\r\n| [Restrict based on purpose (tags)](https://tailscale.com/docs/reference/examples/acls#restrict-based-on-purpose-tags) | Allow specific devices to access specific resources within the tailnet using tags. | [ACLs](https://tailscale.com/docs/features/access-control/acls) |\r\n| [Restrict based on group](https://tailscale.com/docs/reference/examples/acls#restrict-based-on-group) | Manage access to resources using autogroups, custom groups, and provisioned groups. | [ACLs](https://tailscale.com/docs/features/access-control/acls), [groups](https://tailscale.com/docs/reference/syntax/policy-file#groups) |\r\n| [Restrict based on individual users](https://tailscale.com/docs/reference/examples/acls#restrict-based-on-individual-user) | Manage access to resources for specific users. | [ACLs](https://tailscale.com/docs/features/access-control/acls) |\r\n| [Standard plan ACL](https://tailscale.com/docs/reference/examples/acls#standard-plan-acl) | Use a basic standard plan that lets employees access their own devices and devices tagged with `corp` and lets admins access devices tagged with `corp` or `prod`. | [ACLs](https://tailscale.com/docs/features/access-control/acls), [tag owners](https://tailscale.com/docs/reference/syntax/policy-file#tag-owners) |\r\n| [Access to an internal application (VPN)](https://tailscale.com/docs/reference/examples/acls#access-to-an-internal-application-vpn) | Manage user access applications based on their job role. | [ACLs](https://tailscale.com/docs/features/access-control/acls), [groups](https://tailscale.com/docs/reference/syntax/policy-file#groups), [tag owners](https://tailscale.com/docs/reference/syntax/policy-file#tag-owners) |\r\n| [Access to an internal application (VPN) with synced groups](https://tailscale.com/docs/reference/examples/acls#access-to-an-internal-application-vpn-with-synced-groups) | Manage access to internal resources using groups synced to an identity provider. | [ACLs](https://tailscale.com/docs/features/access-control/acls), [groups](https://tailscale.com/docs/reference/syntax/policy-file#groups), [tag owners](https://tailscale.com/docs/reference/syntax/policy-file#tag-owners) |\r\n| [Remote access to a production environment](https://tailscale.com/docs/reference/examples/acls#remote-access-to-production-environment) | Manage user access to the production environment based on their job role. | [ACLs](https://tailscale.com/docs/features/access-control/acls), [groups](https://tailscale.com/docs/reference/syntax/policy-file#groups), [tag owners](https://tailscale.com/docs/reference/syntax/policy-file#tag-owners), [tests](https://tailscale.com/docs/reference/syntax/policy-file#tests) |\r\n| [VPC access (VPC peering)](https://tailscale.com/docs/reference/examples/acls#vpc-access-vpc-peering) | Manage access to a virtual private cloud using access control lists. | [ACLs](https://tailscale.com/docs/features/access-control/acls), [groups](https://tailscale.com/docs/reference/syntax/policy-file#groups), [tag owners](https://tailscale.com/docs/reference/syntax/policy-file#tag-owners), [auto approvers](https://tailscale.com/docs/reference/syntax/policy-file#autoapprovers) |\r\n| [Share access with a contractor](https://tailscale.com/docs/reference/examples/acls#share-access-with-a-contractor) | Allow a third-party contractor to access shared resources in the development environment. | [ACLs](https://tailscale.com/docs/features/access-control/acls), [groups](https://tailscale.com/docs/reference/syntax/policy-file#groups), [tag owners](https://tailscale.com/docs/reference/syntax/policy-file#tag-owners) |\r\n| [Remote development](https://tailscale.com/docs/reference/examples/acls#remote-development) | Manage access to a remote development environment. | [ACLs](https://tailscale.com/docs/features/access-control/acls), [groups](https://tailscale.com/docs/reference/syntax/policy-file#groups), [tag owners](https://tailscale.com/docs/reference/syntax/policy-file#tag-owners) |\r\n| [Pair programming](https://tailscale.com/docs/reference/examples/acls#pair-programming) | Create a paired programming environment multiple engineers can connect to using SSH. | [ACLs](https://tailscale.com/docs/features/access-control/acls), [tag owners](https://tailscale.com/docs/reference/syntax/policy-file#tag-owners) |\r\n| [CI/CD deployment pipeline](https://tailscale.com/docs/reference/examples/acls#cicd-deployment-pipeline) | Manage access to resources based on job roles. | [ACLs](https://tailscale.com/docs/features/access-control/acls), [groups](https://tailscale.com/docs/reference/syntax/policy-file#groups), [tag owners](https://tailscale.com/docs/reference/syntax/policy-file#tag-owners) |\r\n| [Monitoring access to applications](https://tailscale.com/docs/reference/examples/acls#monitoring-access-to-applications) | Allow a monitoring server to access all applications on common ports. | [ACLs](https://tailscale.com/docs/features/access-control/acls), [groups](https://tailscale.com/docs/reference/syntax/policy-file#groups), [tag owners](https://tailscale.com/docs/reference/syntax/policy-file#tag-owners) |\r\n| [Application peering](https://tailscale.com/docs/reference/examples/acls#application-peering) | Allow multiple cloud providers or applications to access each other. | [ACLs](https://tailscale.com/docs/features/access-control/acls), [groups](https://tailscale.com/docs/reference/syntax/policy-file#groups), [tag owners](https://tailscale.com/docs/reference/syntax/policy-file#tag-owners) |\r\n| [Network microsegmentation](https://tailscale.com/docs/reference/examples/acls#network-microsegmentation) | Allow access to network microsegments, but deny access between them. | [ACLs](https://tailscale.com/docs/features/access-control/acls), [groups](https://tailscale.com/docs/reference/syntax/policy-file#groups), [tag owners](https://tailscale.com/docs/reference/syntax/policy-file#tag-owners), [tests](https://tailscale.com/docs/reference/syntax/policy-file#tests) |\r\n\r\n## [Allow all (default ACL)](https://tailscale.com/docs/reference/examples/acls\\#allow-all-default-acl)\r\n\r\n**Prefer grant examples**\r\n\r\nGrants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the [grant examples](https://tailscale.com/docs/reference/examples/grants).\r\n\r\n| [Plan availability](https://tailscale.com/pricing) | Features |\r\n| --- | --- |\r\n| All plans | [ACLs](https://tailscale.com/docs/reference/syntax/policy-file), [SSH](https://tailscale.com/docs/reference/syntax/policy-file#ssh), [autogroups](https://tailscale.com/docs/reference/syntax/policy-file#autogroups) |\r\n\r\nWhen you first create your Tailscale network (known as a tailnet), Tailscale initializes it with a default _allow all_ access policy to make it easy to connect to and use Tailscale without restricting any traffic in your network.\r\n\r\nYou can reset your ACL policy file to the original default by deleting the existing policy file contents and selecting **Reset to default**. Policy file changes can also be [reverted](https://tailscale.com/docs/features/tailnet-policy-file/manage-tailnet-policies#revert-changes) from the [Configuration logs](https://login.tailscale.com/admin/logs) page of the admin console.\r\n\r\nHere's a breakdown of what the default policy does:\r\n\r\n- Lets all devices in the tailnet access all other devices in the tailnet.\r\n- Lets all users establish a [Tailscale SSH](https://tailscale.com/docs/features/tailscale-ssh) session to their own devices using [check mode](https://tailscale.com/docs/features/tailscale-ssh#configure-tailscale-ssh-with-check-mode), as either root or non-root.\r\n- If you have a [subnet router initialized with `--snat-subnet-routes=false`](https://tailscale.com/docs/reference/troubleshooting/network-configuration/disable-subnet-route-masquerading) (Linux only), then any devices on the same local network as the subnet router can also access all devices in the tailnet.\r\n- If you have a [device shared from another network](https://tailscale.com/docs/features/sharing#sharing-and-access-control-lists-acls) in your tailnet, that device cannot access any devices in the tailnet. The device [can only respond to incoming connections](https://tailscale.com/docs/features/sharing#quarantine) from the tailnet.\r\n\r\n```json\r\n{\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"*\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"*:*\"\\\r\n      ]\\\r\n    }\\\r\n  ],\r\n  \"ssh\": [\\\r\n    {\\\r\n      \"action\": \"check\",\\\r\n      \"src\": [\\\r\n        \"autogroup:member\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"autogroup:self\"\\\r\n      ],\\\r\n      \"users\": [\\\r\n        \"autogroup:nonroot\",\\\r\n        \"root\"\\\r\n      ]\\\r\n    }\\\r\n  ],\r\n}\r\n```\r\n\r\nOmitting the `acls` field from the tailnet policy file is equivalent to the default allow all policy. To deny all connections, [use an empty object for the `acls` field](https://tailscale.com/docs/reference/examples/acls#deny-all) in your policy file.\r\n\r\n```json\r\n{} // Tailscale applies the default allow all policy if the acls section is empty.\r\n```\r\n\r\nIn the default ACL, the `ssh` rule uses `autogroup:self` for the `dst` field and`autogroup:nonroot` in the `users` field. If you change the `dst` field from`autogroup:self` to some other destination, such as an [ACL tag](https://tailscale.com/docs/features/tags/), also consider replacing`autogroup:nonroot` in the `users` field. If you don't remove`autogroup:nonroot` from the `users` field, then anyone permitted by the `src` setting will be able to SSH in as any nonroot user on the `dst` device.\r\n\r\n## [Deny all](https://tailscale.com/docs/reference/examples/acls\\#deny-all)\r\n\r\n**Prefer grant examples**\r\n\r\nGrants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the [grant examples](https://tailscale.com/docs/reference/examples/grants).\r\n\r\n| [Plan availability](https://tailscale.com/pricing) | Features |\r\n| --- | --- |\r\n| All plans | [ACLs](https://tailscale.com/docs/reference/syntax/policy-file) |\r\n\r\nYou can deny all connections in your tailnet by using an empty option for the `acls` field in your policy file. This configuration prevents all devices from communicating with each other. This configuration is not recommended for general use because nothing in the tailnet will work.\r\n\r\n```json\r\n{\r\n  \"acls\": []\r\n}\r\n```\r\n\r\nOmitting the `acls` field from the tailnet policy file is not the equivalent of a \"deny all\" policy. Instead, Tailscale applies the [default allow all policy](https://tailscale.com/docs/reference/examples/acls#allow-all-default-acl), which allows all devices within the tailnet to access other devices in the tailnet.\r\n\r\n## [Users can access their own devices](https://tailscale.com/docs/reference/examples/acls\\#users-can-access-their-own-devices)\r\n\r\n**Prefer grant examples**\r\n\r\nGrants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the [grant examples](https://tailscale.com/docs/reference/examples/grants).\r\n\r\n| [Plan availability](https://tailscale.com/pricing) | Features |\r\n| --- | --- |\r\n| All plans | [ACLs](https://tailscale.com/docs/features/access-control/acls), [tags](https://tailscale.com/docs/features/tags), [tag owners](https://tailscale.com/docs/reference/syntax/policy-file#tag-owners) |\r\n\r\nThis example lets all users access their own devices. It is suitable for many use cases where you want to allow users to access their own devices, but not other devices in the tailnet.\r\n\r\n```json\r\n{\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"autogroup:member\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"autogroup:self:*\"\\\r\n      ]\\\r\n    }\\\r\n  ],\r\n}\r\n```\r\n\r\n## [Resource-level access policies](https://tailscale.com/docs/reference/examples/acls\\#resource-level-access-policies)\r\n\r\n**Prefer grant examples**\r\n\r\nGrants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the [grant examples](https://tailscale.com/docs/reference/examples/grants).\r\n\r\n| [Plan availability](https://tailscale.com/pricing) | Features |\r\n| --- | --- |\r\n| All plans | [ACLs](https://tailscale.com/docs/features/access-control/acls), [hosts](https://tailscale.com/docs/reference/syntax/policy-file#hosts) |\r\n\r\nYou can enable connectivity from one device or network to another using their IP addresses. Additionally, the [`hosts`](https://tailscale.com/docs/reference/syntax/policy-file#hosts) section lets you define a human-friendly name for an IP address or CIDR range, to make access rules more readable.\r\n\r\nWhat this example does:\r\n\r\n- The device with the IP address `100.100.123.124` can access the device with the IP address `100.100.123.123`.\r\n- The device with the IP address `100.100.123.124` can access devices in the subnet `192.0.2.0/24` through a [subnet router](https://tailscale.com/docs/features/subnet-routers).\r\n- The device with the hostname `frontend-server-01` can access devices in the subnet `192.0.2.0/24`.\r\n- The device with the hostname `frontend-server-01` can access the device with the hostname `dev-network-01`.\r\n\r\n```json\r\n{\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"100.100.123.124\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"100.100.123.123:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"100.100.123.124\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"192.0.2.0/24:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"frontend-server-01\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"192.0.2.0/24:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"frontend-server-01\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"dev-network-01:*\"\\\r\n      ]\\\r\n    }\\\r\n  ],\r\n  \"hosts\": {\r\n    \"frontend-server-01\": \"100.100.123.123\",\r\n    \"dev-network-01\": \"203.0.113.0/24\"\r\n  }\r\n}\r\n```\r\n\r\nWhen writing access control rules targeting resources behind a [4via6 subnet](https://tailscale.com/docs/features/subnet-routers/4via6-subnets) router, use the IPv6 CIDR or address as the destination, not the IPv4 address.\r\n\r\nUse `tailscale debug via` to get the IPv6 CIDR.\r\n\r\n## [Restrict based on purpose (tags)](https://tailscale.com/docs/reference/examples/acls\\#restrict-based-on-purpose-tags)\r\n\r\n**Prefer grant examples**\r\n\r\nGrants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the [grant examples](https://tailscale.com/docs/reference/examples/grants).\r\n\r\n| [Plan availability](https://tailscale.com/pricing) | Features |\r\n| --- | --- |\r\n| All plans | [ACLs](https://tailscale.com/docs/features/access-control/acls), [tags](https://tailscale.com/docs/features/tags) |\r\n\r\n[Tags](https://tailscale.com/docs/features/tags) let you assign an identity to a device that is separate from human users, and use that identity as part of an ACL to restrict access. Tags should be used when adding servers to your Tailscale network, so that their access is based on their purpose, not based on which member of your operations team enrolled them.\r\n\r\nWhat this example does:\r\n\r\n- Devices tagged with `tag:frontend` can access devices tagged with `tag:backend`.\r\n- Devices tagged with `tag:backend` can access devices tagged with `tag:logging`.\r\n\r\n```json\r\n{\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"tag:frontend\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:backend:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"tag:backend\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:logging:*\"\\\r\n      ]\\\r\n    }\\\r\n  ]\r\n}\r\n```\r\n\r\n## [Restrict based on group](https://tailscale.com/docs/reference/examples/acls\\#restrict-based-on-group)\r\n\r\n**Prefer grant examples**\r\n\r\nGrants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the [grant examples](https://tailscale.com/docs/reference/examples/grants).\r\n\r\nYou can enable access to resources in your tailnet with [autogroups](https://tailscale.com/docs/reference/examples/acls#with-autogroups), [custom groups](https://tailscale.com/docs/reference/examples/acls#with-custom-groups), or [groups provisioned from supported identity providers](https://tailscale.com/docs/reference/examples/acls#with-provisioned-groups).\r\n\r\n### [With autogroups](https://tailscale.com/docs/reference/examples/acls\\#with-autogroups)\r\n\r\n**Prefer grant examples**\r\n\r\nGrants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the [grant examples](https://tailscale.com/docs/reference/examples/grants).\r\n\r\n| [Plan availability](https://tailscale.com/pricing) | Features |\r\n| --- | --- |\r\n| All plans | [ACLs](https://tailscale.com/docs/features/access-control/acls), [autogroups](https://tailscale.com/docs/reference/syntax/policy-file#autogroups), [tags](https://tailscale.com/docs/features/tags) |\r\n\r\n[Autogroups](https://tailscale.com/docs/reference/syntax/policy-file#autogroups) are built-in groups that automatically include users, destinations, or usernames with the same properties.\r\n\r\nWhat this example does:\r\n\r\n- All tailnet members `autogroup:member` can access devices tagged with `tag:frontend`.\r\n- All Tailscale [Admins](https://tailscale.com/docs/reference/user-roles) (`autogroup:admin`) can access devices tagged with `tag:backend` or `tag:logging`.\r\n\r\n```json\r\n{\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"autogroup:member\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:frontend:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"autogroup:admin\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:backend:*\",\\\r\n        \"tag:logging:*\"\\\r\n      ]\\\r\n    }\\\r\n  ]\r\n}\r\n```\r\n\r\n### [With custom groups](https://tailscale.com/docs/reference/examples/acls\\#with-custom-groups)\r\n\r\n**Prefer grant examples**\r\n\r\nGrants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the [grant examples](https://tailscale.com/docs/reference/examples/grants).\r\n\r\n| [Plan availability](https://tailscale.com/pricing) | Features |\r\n| --- | --- |\r\n| Personal, Premium, and Enterprise | [ACLs](https://tailscale.com/docs/features/access-control/acls), [groups](https://tailscale.com/docs/reference/syntax/policy-file#groups), [autogroups](https://tailscale.com/docs/reference/syntax/policy-file#autogroups), [tags](https://tailscale.com/docs/features/tags) |\r\n\r\n[Custom groups](https://tailscale.com/docs/reference/syntax/policy-file#groups) let you define a shorthand for a group of users, which you can then use in access rules instead of listing users out explicitly.\r\n\r\nWhat this example does:\r\n\r\n- The Engineering team `group:engineering` consists of `alice@example.com` and `bob@example.com`.\r\n- The DevOps team `group:engineering` consists of `amelie@example.com` and `carl@example.com`.\r\n- The Engineering team `group:engineering` can access devices tagged with `tag:frontend` or `tag:backend`.\r\n- The DevOps team `group:devops` can access devices tagged with `tag:frontend`, `tag:backend`, or `tag:logging`.\r\n\r\n```json\r\n{\r\n  \"groups\": {\r\n    \"group:engineering\": [\\\r\n      \"alice@example.com\",\\\r\n      \"bob@example.com\"\\\r\n    ],\r\n    \"group:devops\": [\\\r\n      \"amelie@example.com\",\\\r\n      \"carl@example.com\"\\\r\n    ]\r\n  },\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"group:engineering\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:frontend:*\",\\\r\n        \"tag:backend:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"group:devops\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:frontend:*\",\\\r\n        \"tag:backend:*\",\\\r\n        \"tag:logging:*\"\\\r\n      ]\\\r\n    }\\\r\n  ]\r\n}\r\n```\r\n\r\n### [With provisioned groups](https://tailscale.com/docs/reference/examples/acls\\#with-provisioned-groups)\r\n\r\n**Prefer grant examples**\r\n\r\nGrants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the [grant examples](https://tailscale.com/docs/reference/examples/grants).\r\n\r\nYou can use [group provisioning from supported identity providers](https://tailscale.com/docs/features/user-group-provisioning) and avoid maintaining custom groups in your ACLs.\r\n\r\n```json\r\n{\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"group:engineering@example.com\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:frontend:*\",\\\r\n        \"tag:backend:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"group:devops@example.com\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:frontend:*\",\\\r\n        \"tag:backend:*\",\\\r\n        \"tag:logging:*\"\\\r\n      ]\\\r\n    }\\\r\n  ]\r\n}\r\n```\r\n\r\n## [Restrict based on individual user](https://tailscale.com/docs/reference/examples/acls\\#restrict-based-on-individual-user)\r\n\r\n**Prefer grant examples**\r\n\r\nGrants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the [grant examples](https://tailscale.com/docs/reference/examples/grants).\r\n\r\n| [Plan availability](https://tailscale.com/pricing) | Features |\r\n| --- | --- |\r\n| Personal, Premium, and Enterprise | [ACLs](https://tailscale.com/docs/features/access-control/acls), [tags](https://tailscale.com/docs/features/tags) |\r\n\r\nYou can enable access to resources based on individual users.\r\n\r\nWhat this example does:\r\n\r\n- User Alice can access devices tagged with `tag:frontend`.\r\n- User Bob can access devices tagged with `tag:backend`.\r\n\r\n```json\r\n{\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"amelie@example.com\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:frontend:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"bob@example.com\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:backend:*\"\\\r\n      ]\\\r\n    }\\\r\n  ]\r\n}\r\n```\r\n\r\n## [Standard plan ACL](https://tailscale.com/docs/reference/examples/acls\\#standard-plan-acl)\r\n\r\n**Prefer grant examples**\r\n\r\nGrants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the [grant examples](https://tailscale.com/docs/reference/examples/grants).\r\n\r\n| [Plan availability](https://tailscale.com/pricing) | Features |\r\n| --- | --- |\r\n| All plans | [ACLs](https://tailscale.com/docs/features/access-control/acls), [autogroups](https://tailscale.com/docs/reference/syntax/policy-file#autogroups), [tags](https://tailscale.com/docs/features/tags), [tag owners](https://tailscale.com/docs/reference/syntax/policy-file#tag-owners) |\r\n\r\nThis example provides remote access to corp and prod devices. It is suitable for many Standard plan use cases.\r\n\r\nYour team can use Tailscale to access remote devices. In this scenario, all users can access their own remote devices, as well as any common corporate devices, such as servers, that are tagged. Only Tailscale [Admins](https://tailscale.com/docs/reference/user-roles) can access production devices. Admins can configure which devices are tagged. No corporate or production devices can access each other, and no shared users can access devices.\r\n\r\nWhat this example does:\r\n\r\n- All employees can access their own devices.\r\n- All employees can access corporate devices tagged with `tag:corp`.\r\n- All Tailscale [Admins](https://tailscale.com/docs/reference/user-roles) (`autogroup:admin`) can access devices tagged with `tag:prod`.\r\n- All Tailscale [Admins](https://tailscale.com/docs/reference/user-roles) can manage which devices are tagged with `tag:corp` and `tag:prod`.\r\n\r\n```json\r\n{\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"autogroup:member\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"autogroup:self:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"autogroup:member\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:corp:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"autogroup:admin\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:prod:*\"\\\r\n      ]\\\r\n    }\\\r\n  ],\r\n  \"tagOwners\": {\r\n    \"tag:corp\": [\\\r\n      \"autogroup:admin\"\\\r\n    ],\r\n    \"tag:prod\": [\\\r\n      \"autogroup:admin\"\\\r\n    ]\r\n  }\r\n}\r\n```\r\n\r\n## [Access to an internal application (VPN)](https://tailscale.com/docs/reference/examples/acls\\#access-to-an-internal-application-vpn)\r\n\r\n**Prefer grant examples**\r\n\r\nGrants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the [grant examples](https://tailscale.com/docs/reference/examples/grants).\r\n\r\n| [Plan availability](https://tailscale.com/pricing) | Features |\r\n| --- | --- |\r\n| Personal, Premium, and Enterprise | [ACLs](https://tailscale.com/docs/features/access-control/acls), [groups](https://tailscale.com/docs/reference/syntax/policy-file#groups), [tags](https://tailscale.com/docs/features/tags), [tag owners](https://tailscale.com/docs/reference/syntax/policy-file#tag-owners) |\r\n\r\nYou can use Tailscale to allow users to access internal applications, including both custom internal applications and third-party applications hosted internally. In this scenario, users in your tailnet can access applications based on their job role. The IT team can set up internal applications.\r\n\r\nWhat this example does:\r\n\r\n- Members of the engineering team `group:engineering` can access the devices tagged with `tag:engineering`.\r\n- Members of the finance team `group:finance` can access the devices tagged with `tag:finance`.\r\n- Members of the legal team `group:legal` can access the devices tagged with `tag:legal`.\r\n- All employees can access the devices tagged with `tag:internal`.\r\n- All Tailscale [Admins](https://tailscale.com/docs/reference/user-roles) (`autogroup:admin`) (such as the IT team) can manage which devices are tagged with `tag:engineering`, `tag:finance`, `tag:legal`, and `tag:internal`.\r\n\r\n```json\r\n{\r\n  \"groups\": {\r\n    \"group:engineering\": [\\\r\n      \"alice@example.com\"\\\r\n    ],\r\n    \"group:finance\": [\\\r\n      \"bob@example.com\"\\\r\n    ],\r\n    \"group:legal\": [\\\r\n      \"carl@example.com\"\\\r\n    ]\r\n  },\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"group:engineering\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:engineering:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"group:finance\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:finance:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"group:legal\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:legal:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"autogroup:member\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:internal:*\"\\\r\n      ]\\\r\n    }\\\r\n  ],\r\n  \"tagOwners\": {\r\n    \"tag:engineering\": [\\\r\n      \"autogroup:admin\"\\\r\n    ],\r\n    \"tag:finance\": [\\\r\n      \"autogroup:admin\"\\\r\n    ],\r\n    \"tag:legal\": [\\\r\n      \"autogroup:admin\"\\\r\n    ],\r\n    \"tag:internal\": [\\\r\n      \"autogroup:admin\"\\\r\n    ]\r\n  }\r\n}\r\n```\r\n\r\n### [Access to an internal application (VPN) with synced groups](https://tailscale.com/docs/reference/examples/acls\\#access-to-an-internal-application-vpn-with-synced-groups)\r\n\r\n**Prefer grant examples**\r\n\r\nGrants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the [grant examples](https://tailscale.com/docs/reference/examples/grants).\r\n\r\n| [Plan availability](https://tailscale.com/pricing) | Features |\r\n| --- | --- |\r\n| Enterprise | [ACLs](https://tailscale.com/docs/features/access-control/acls), [groups](https://tailscale.com/docs/reference/syntax/policy-file#groups), [autogroups](https://tailscale.com/docs/reference/syntax/policy-file#autogroups), [tags](https://tailscale.com/docs/features/tags), [tag owners](https://tailscale.com/docs/reference/syntax/policy-file#tag-owners) |\r\n\r\nYou can use [user and group provisioning](https://tailscale.com/docs/features/user-group-provisioning) to include groups synced from your identity provider in access rules. Tailscale treats synced group names as lowercase. They can include spaces, but not the `@` symbol.\r\n\r\nWhat this example does:\r\n\r\n- Members of the engineering team in the synced group `group:engineering@example.com` can access the devices tagged with `tag:engineering`.\r\n- Members of the finance team in the synced group `group:finance team@example.com` can access the devices tagged with `tag:finance`.\r\n- Members of the legal team in the synced group `group:Legal@example.com` can access the devices tagged with `tag:legal`.\r\n- All employees can access the devices tagged with `tag:internal`.\r\n- All Tailscale [Admins](https://tailscale.com/docs/reference/user-roles) (`autogroup:admin`) (such as the IT team) can manage which devices are tagged with `tag:engineering`, `tag:finance`, `tag:legal`, and `tag:internal`.\r\n\r\n```json\r\n{\r\n  \"groups\": {},\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"group:engineering@example.com\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:engineering:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"group:finance team@example.com\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:finance:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"group:legal@example.com\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:legal:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"autogroup:member\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:internal:*\"\\\r\n      ]\\\r\n    }\\\r\n  ],\r\n  \"tagOwners\": {\r\n    \"tag:engineering\": [\\\r\n      \"autogroup:admin\"\\\r\n    ],\r\n    \"tag:finance\": [\\\r\n      \"autogroup:admin\"\\\r\n    ],\r\n    \"tag:legal\": [\\\r\n      \"autogroup:admin\"\\\r\n    ],\r\n    \"tag:internal\": [\\\r\n      \"autogroup:admin\"\\\r\n    ]\r\n  }\r\n}\r\n```\r\n\r\n## [Remote access to production environment](https://tailscale.com/docs/reference/examples/acls\\#remote-access-to-production-environment)\r\n\r\n**Prefer grant examples**\r\n\r\nGrants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the [grant examples](https://tailscale.com/docs/reference/examples/grants).\r\n\r\n| [Plan availability](https://tailscale.com/pricing) | Features |\r\n| --- | --- |\r\n| Personal, Premium, and Enterprise | [ACLs](https://tailscale.com/docs/features/access-control/acls), [groups](https://tailscale.com/docs/reference/syntax/policy-file#groups), [autogroups](https://tailscale.com/docs/reference/syntax/policy-file#autogroups), [tags](https://tailscale.com/docs/features/tags), [tag owners](https://tailscale.com/docs/reference/syntax/policy-file#tag-owners), [tests](https://tailscale.com/docs/reference/syntax/policy-file#tests) |\r\n\r\nYou can modify this example to work on the Standard plan by using `autogroup:member` instead of a custom group (`group:dev`).\r\n\r\nYour DevOps, infrastructure, or SRE team can use Tailscale to access their sensitive and highly protected production environment. In this scenario, a DevOps team might be able to access the production environment, whereas other developers might only be able to access resources in a development environment. All developers are able to access monitoring tools, such as [Grafana](https://tailscale.com/blog/grafana-auth).\r\n\r\nWhat this example does:\r\n\r\n- All employees can access their own devices (such as remote workstations).\r\n- Members of the development team `group:dev` can access the devices tagged with `tag:dev` (such as license servers).\r\n- All Tailscale [Admins](https://tailscale.com/docs/reference/user-roles) (`autogroup:admin`) (such as members of the DevOps team) can access the devices tagged with `tag:prod` (such as the production environment).\r\n- All employees can access devices tagged with `tag:monitoring` on ports `80` and `443` (such as monitoring dashboards).\r\n- All Tailscale [Admins](https://tailscale.com/docs/reference/user-roles) (`autogroup:admin`) can manage which devices are tagged with `tag:dev`, `tag:prod`, and `tag:monitoring`\r\n- [Tests](https://tailscale.com/docs/reference/syntax/policy-file#tests)ensure that if ACLs change:\r\n  - Carl will still be able to access devices tagged with `tag:prod` on port `80`.\r\n  - Alice will still be able to access devices tagged with `tag:dev` (but not devices tagged with `tag:prod`) on port `80`.\r\n\r\n```json\r\n{\r\n  \"groups\": {\r\n    \"group:dev\": [\\\r\n      \"alice@example.com\",\\\r\n      \"bob@example.com\"\\\r\n    ]\r\n  },\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"autogroup:member\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"autogroup:self:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"group:dev\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:dev:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"autogroup:admin\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:prod:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"autogroup:member\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:monitoring:80,443\"\\\r\n      ]\\\r\n    }\\\r\n  ],\r\n  \"tagOwners\": {\r\n    \"tag:monitoring\": [\\\r\n      \"autogroup:admin\"\\\r\n    ],\r\n    \"tag:dev\": [\\\r\n      \"autogroup:admin\"\\\r\n    ],\r\n    \"tag:prod\": [\\\r\n      \"autogroup:admin\"\\\r\n    ]\r\n  },\r\n  \"tests\": [\\\r\n    {\\\r\n      \"src\": \"carl@example.com\",\\\r\n      \"accept\": [\\\r\n        \"tag:prod:80\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"src\": \"alice@example.com\",\\\r\n      \"accept\": [\\\r\n        \"tag:dev:80\"\\\r\n      ],\\\r\n      \"deny\": [\\\r\n        \"tag:prod:80\"\\\r\n      ]\\\r\n    }\\\r\n  ]\r\n}\r\n```\r\n\r\n## [VPC access (VPC peering)](https://tailscale.com/docs/reference/examples/acls\\#vpc-access-vpc-peering)\r\n\r\n**Prefer grant examples**\r\n\r\nGrants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the [grant examples](https://tailscale.com/docs/reference/examples/grants).\r\n\r\n| [Plan availability](https://tailscale.com/pricing) | Features |\r\n| --- | --- |\r\n| Personal, Premium, and Enterprise | [ACLs](https://tailscale.com/docs/features/access-control/acls), [groups](https://tailscale.com/docs/reference/syntax/policy-file#groups), [autogroups](https://tailscale.com/docs/reference/syntax/policy-file#autogroups), [tags](https://tailscale.com/docs/features/tags), [tag owners](https://tailscale.com/docs/reference/syntax/policy-file#tag-owners), [auto approvers](https://tailscale.com/docs/reference/syntax/policy-file#autoapprovers) |\r\n\r\nYou can modify this example to work on the Standard plan by using `autogroup:member` instead of a custom group (`group:dev`).\r\n\r\nYour DevOps team can use Tailscale to allow developers to access existing internal applications running in a Virtual Private Cloud (VPC) on a private or hosted cloud provider. In this scenario, developers can access resources in the VPC, and the DevOps team is able to manage access to the VPC. VPCs can be peered to each other if they don't have [overlapping IP ranges](https://tailscale.com/docs/features/subnet-routers/4via6-subnets). To connect an existing subnet to your Tailscale network without installing Tailscale on every device, you can use a [subnet router](https://tailscale.com/docs/features/subnet-routers). Run a subnet router in the subnet, and advertise the routes so that Tailscale can route traffic for the subnet to the device for forwarding. For devices on a subnet to connect to devices in your tailnet, [disable subnet route masquerading](https://tailscale.com/docs/reference/troubleshooting/network-configuration/disable-subnet-route-masquerading). You can also use [auto approvers](https://tailscale.com/docs/reference/syntax/policy-file#autoapprovers) to automatically approve routes.\r\n\r\nWhat this example does:\r\n\r\n- All Tailscale [Admins](https://tailscale.com/docs/reference/user-roles) (`autogroup:admin`) (such as the IT team) can access the devices tagged with `tag:vpc-peering` (for maintenance).\r\n- Members of the development team `group:dev` can access devices in the subnets `192.0.2.0/24` and `198.51.100.0/24`.\r\n- The subnet `192.0.2.0/24` can access the subnet `198.51.100.0/24` and vice versa (if [subnet route masquerading is disabled](https://tailscale.com/docs/reference/troubleshooting/network-configuration/disable-subnet-route-masquerading)).\r\n- All Tailscale [Admins](https://tailscale.com/docs/reference/user-roles) (`autogroup:admin`) (such as the IT team) can manage which devices are tagged with `tag:vpc-peering`.\r\n- All Tailscale [Admins](https://tailscale.com/docs/reference/user-roles) (`autogroup:admin`) and devices tagged with `tag:vpc-peering` can auto-approve routes for `192.0.2.0/24` and `198.51.100.0/24`.\r\n\r\n```json\r\n{\r\n  \"groups\": {\r\n    \"group:dev\": [\\\r\n      \"alice@example.com\",\\\r\n      \"bob@example.com\"\\\r\n    ]\r\n  },\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"autogroup:admin\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:vpc-peering:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"group:dev\",\\\r\n        \"192.0.2.0/24\",\\\r\n        \"198.51.100.0/24\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"192.0.2.0/24:*\",\\\r\n        \"198.51.100.0/24:*\"\\\r\n      ]\\\r\n    }\\\r\n  ],\r\n  \"tagOwners\": {\r\n    \"tag:vpc-peering\": [\\\r\n      \"autogroup:admin\"\\\r\n    ]\r\n  },\r\n  \"autoApprovers\": {\r\n    \"routes\": {\r\n      \"192.0.2.0/24\": [\\\r\n        \"tag:vpc-peering\",\\\r\n        \"autogroup:admin\"\\\r\n      ],\r\n      \"198.51.100.0/24\": [\\\r\n        \"tag:vpc-peering\",\\\r\n        \"autogroup:admin\"\\\r\n      ]\r\n    }\r\n  }\r\n}\r\n```\r\n\r\n## [Share access with a contractor](https://tailscale.com/docs/reference/examples/acls\\#share-access-with-a-contractor)\r\n\r\n**Prefer grant examples**\r\n\r\nGrants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the [grant examples](https://tailscale.com/docs/reference/examples/grants).\r\n\r\n| [Plan availability](https://tailscale.com/pricing) | Features |\r\n| --- | --- |\r\n| Personal, Premium, and Enterprise | [ACLs](https://tailscale.com/docs/features/access-control/acls), [groups](https://tailscale.com/docs/reference/syntax/policy-file#groups), [autogroups](https://tailscale.com/docs/reference/syntax/policy-file#autogroups), [tags](https://tailscale.com/docs/features/tags), [tag owners](https://tailscale.com/docs/reference/syntax/policy-file#tag-owners) |\r\n\r\nYou can modify this example to work on the Standard plan by using `autogroup:member` instead of a custom group (`group:dev`).\r\n\r\nYour development team can use Tailscale to share access to specific resources, such as a database or a hosted code repository, with a contractor. In this scenario, developers can access internal development resources. Specific devices can be [shared](https://tailscale.com/docs/features/sharing) with a contractor as part of their job.\r\n\r\nWhat this example does:\r\n\r\n- All employees can access their own devices.\r\n- Members of the development team `group:dev` can access devices tagged with `tag:dev` (such as package registries and databases)\r\n- Contractors who have accepted a share invite can access devices tagged with `tag:dev` (that have been shared with them).\r\n\r\n```json\r\n{\r\n  \"groups\": {\r\n    \"group:dev\": [\\\r\n      \"alice@example.com\",\\\r\n      \"bob@example.com\"\\\r\n    ]\r\n  },\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"autogroup:member\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"autogroup:self:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"group:dev\",\\\r\n        \"autogroup:shared\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:dev:*\"\\\r\n      ]\\\r\n    }\\\r\n  ],\r\n  \"tagOwners\": {\r\n    \"tag:dev\": [\\\r\n      \"group:dev\"\\\r\n    ]\r\n  }\r\n}\r\n```\r\n\r\n## [Remote development](https://tailscale.com/docs/reference/examples/acls\\#remote-development)\r\n\r\n**Prefer grant examples**\r\n\r\nGrants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the [grant examples](https://tailscale.com/docs/reference/examples/grants).\r\n\r\n| [Plan availability](https://tailscale.com/pricing) | Features |\r\n| --- | --- |\r\n| Personal, Premium, and Enterprise | [ACLs](https://tailscale.com/docs/features/access-control/acls), [groups](https://tailscale.com/docs/reference/syntax/policy-file#groups), [autogroups](https://tailscale.com/docs/reference/syntax/policy-file#autogroups), [tags](https://tailscale.com/docs/features/tags), [tag owners](https://tailscale.com/docs/reference/syntax/policy-file#tag-owners) |\r\n\r\nYou can modify this example to work on the Standard plan by using `autogroup:member` instead of a custom group (`group:dev`).\r\n\r\nYour development team can use Tailscale as part of their remote development setup. In this scenario, a developer might have a local device, like a laptop, and use it to access a remote workstation, hosted in the cloud or hosted on another device in their network. This is useful if you're accessing a workstation with more processing power, for example, for machine learning or for building. You might also use a remote code environment like [GitHub Codespaces](https://tailscale.com/docs/integrations/github/github-codespaces), [Gitpod](https://tailscale.com/docs/install/cloud/gitpod), or [Coder](https://tailscale.com/docs/install/cloud/coder). From your development environment, you might access a license server, a package registry, a production database, or another development or build resource. You might also access a self-hosted or private code repository.\r\n\r\nWhat this example does:\r\n\r\n- All employees can access their own devices.\r\n- Members of the development team `group:dev` can access devices tagged with `tag:dev` (such as package registries and databases).\r\n- The development team `group:dev` can manage which devices are tagged with `tag:dev`.\r\n\r\n```json\r\n{\r\n  \"groups\": {\r\n    \"group:dev\": [\\\r\n      \"alice@example.com\",\\\r\n      \"bob@example.com\"\\\r\n    ]\r\n  },\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"autogroup:member\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"autogroup:self:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"group:dev\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:dev:*\"\\\r\n      ]\\\r\n    }\\\r\n  ],\r\n  \"tagOwners\": {\r\n    \"tag:dev\": [\\\r\n      \"group:dev\"\\\r\n    ]\r\n  }\r\n}\r\n```\r\n\r\n## [Pair programming](https://tailscale.com/docs/reference/examples/acls\\#pair-programming)\r\n\r\n**Prefer grant examples**\r\n\r\nGrants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the [grant examples](https://tailscale.com/docs/reference/examples/grants).\r\n\r\n| [Plan availability](https://tailscale.com/pricing) | Features |\r\n| --- | --- |\r\n| Personal, Premium, and Enterprise | [ACLs](https://tailscale.com/docs/features/access-control/acls), [tags](https://tailscale.com/docs/features/tags), [tag owners](https://tailscale.com/docs/reference/syntax/policy-file#tag-owners) |\r\n\r\nYou can modify this example to work on the Standard plan by using `autogroup:member` and `autogroup:admin` instead of named users.\r\n\r\nYour development team can use Tailscale to pair program on the same device remotely. In this scenario, two or more developers can use SSH to connect to a corporate device, such as a virtual machine (VM), and share a terminal (such as a `tmux` session).\r\n\r\nWhat this example does:\r\n\r\n- Users Alice and Bob can access the corporate device tagged `tag:pair-programming` on port `22` (for SSH).\r\n- Bob can manage which devices are tagged `tag:pair-programming`.\r\n\r\n```json\r\n{\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"alice@example.com\",\\\r\n        \"bob@example.com\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:pair-programming:22\"\\\r\n      ]\\\r\n    }\\\r\n  ],\r\n  \"tagOwners\": {\r\n    \"tag:pair-programming\": [\\\r\n      \"bob@example.com\"\\\r\n    ]\r\n  }\r\n}\r\n```\r\n\r\n## [CI/CD deployment pipeline](https://tailscale.com/docs/reference/examples/acls\\#cicd-deployment-pipeline)\r\n\r\n**Prefer grant examples**\r\n\r\nGrants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the [grant examples](https://tailscale.com/docs/reference/examples/grants).\r\n\r\n| [Plan availability](https://tailscale.com/pricing) | Features |\r\n| --- | --- |\r\n| Personal, Premium, and Enterprise | [ACLs](https://tailscale.com/docs/features/access-control/acls), [groups](https://tailscale.com/docs/reference/syntax/policy-file#groups), [tags](https://tailscale.com/docs/features/tags), [tag owners](https://tailscale.com/docs/reference/syntax/policy-file#tag-owners) |\r\n\r\nYour DevOps or infrastructure team can use Tailscale to restrict access to your deployment pipeline. In this scenario, developers can access your development tools, such as your code repository. Then, an automated CI/CD pipeline builds and deploys code. The DevOps team can access the deployment pipeline and production environment.\r\n\r\nWhat this example does:\r\n\r\n- Members of the development team `group:dev` can access the devices tagged with `tag:dev` (such as code repositories and license servers).\r\n- Members of the DevOps team `group:devops` can access the devices tagged with `tag:ci` (such as the build tooling) and `tag:prod` (such as the production environment).\r\n- The DevOps team `group:devops` can manage which devices are tagged with `tag:dev`, `tag:ci`, and `tag:prod`.\r\n- The tag `tag:ci` can manage which device are tagged with `tag:prod` and `tag:dev` (to apply tags as part of the deployment pipeline).\r\n\r\n```json\r\n{\r\n  \"groups\": {\r\n    \"group:dev\": [\\\r\n      \"alice@example.com\",\\\r\n      \"bob@example.com\"\\\r\n    ],\r\n    \"group:devops\": [\\\r\n      \"carl@example.com\"\\\r\n    ]\r\n  },\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"group:dev\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:dev:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"group:devops\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:ci:*\",\\\r\n        \"tag:prod:*\"\\\r\n      ]\\\r\n    }\\\r\n  ],\r\n  \"tagOwners\": {\r\n    \"tag:ci\": [\\\r\n      \"group:devops\"\\\r\n    ],\r\n    \"tag:dev\": [\\\r\n      \"group:devops\",\\\r\n      \"tag:ci\"\\\r\n    ],\r\n    \"tag:prod\": [\\\r\n      \"group:devops\",\\\r\n      \"tag:ci\"\\\r\n    ]\r\n  }\r\n}\r\n```\r\n\r\n## [Monitoring access to applications](https://tailscale.com/docs/reference/examples/acls\\#monitoring-access-to-applications)\r\n\r\n**Prefer grant examples**\r\n\r\nGrants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the [grant examples](https://tailscale.com/docs/reference/examples/grants).\r\n\r\n| [Plan availability](https://tailscale.com/pricing) | Features |\r\n| --- | --- |\r\n| Personal, Premium, and Enterprise | [ACLs](https://tailscale.com/docs/features/access-control/acls), [groups](https://tailscale.com/docs/reference/syntax/policy-file#groups), [tags](https://tailscale.com/docs/features/tags), [tag owners](https://tailscale.com/docs/reference/syntax/policy-file#tag-owners) |\r\n\r\nYou can modify this example to work on the Standard plan by using `autogroup:member` instead of a custom group (`group:devops`).\r\n\r\nYour DevOps team can use Tailscale to query logs from services in your network and report these as part of your monitoring tooling. In this scenario, your monitoring server (such as Prometheus) can access all applications in your network on common ports.\r\n\r\nWhat this example does:\r\n\r\n- Devices tagged with `tag:monitoring` can access services on ports `80`, `443`, `9100`.\r\n- Devices tagged with `tag:monitoring` can access services tagged `tag:logging`.\r\n- The DevOps team `group:devops` can access devices tagged with `tag:monitoring` and `tag:logging`.\r\n- The DevOps team `group:devops` can manage which devices are tagged with `tag:monitoring` and `tag:logging`.\r\n\r\n```json\r\n{\r\n  \"groups\": {\r\n    \"group:devops\": [\\\r\n      \"carl@example.com\"\\\r\n    ]\r\n  },\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"tag:monitoring\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"*:80,443,9100\",\\\r\n        \"tag:logging:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"group:devops\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:monitoring:*\",\\\r\n        \"tag:logging:*\"\\\r\n      ]\\\r\n    }\\\r\n  ],\r\n  \"tagOwners\": {\r\n    \"tag:monitoring\": [\\\r\n      \"group:devops\"\\\r\n    ],\r\n    \"tag:logging\": [\\\r\n      \"group:devops\"\\\r\n    ]\r\n  }\r\n}\r\n```\r\n\r\n## [Application peering](https://tailscale.com/docs/reference/examples/acls\\#application-peering)\r\n\r\n**Prefer grant examples**\r\n\r\nGrants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the [grant examples](https://tailscale.com/docs/reference/examples/grants).\r\n\r\n| [Plan availability](https://tailscale.com/pricing) | Features |\r\n| --- | --- |\r\n| Personal, Premium, and Enterprise | [ACLs](https://tailscale.com/docs/features/access-control/acls), [groups](https://tailscale.com/docs/reference/syntax/policy-file#groups), [tags](https://tailscale.com/docs/features/tags), [tag owners](https://tailscale.com/docs/reference/syntax/policy-file#tag-owners) |\r\n\r\nYou can modify this example to work on the Standard plan by using `autogroup:member` instead of a custom group (`group:infra`).\r\n\r\nYour infrastructure team can use Tailscale to connect applications or services running in multiple cloud providers or SaaS applications together. In this scenario, one application can connect with another application in your network, for example, to stream from one database to another, such as with\r\n[Materialize](https://materialize.com/introducing-tailscale-materialize).\r\n\r\nWhat this example does:\r\n\r\n- Devices tagged with `tag:database` can access other devices tagged with `tag:database`.\r\n- Devices tagged with `tag:gcp` and `tag:aws` can access devices tagged with `tag:database`, but not vice versa.\r\n- The infrastructure team `group:infra` can manage which devices are tagged with `tag:database`, `tag:gcp`, and `tag:aws`.\r\n\r\n```json\r\n{\r\n  \"groups\": {\r\n    \"group:infra\": [\\\r\n      \"carl@example.com\"\\\r\n    ]\r\n  },\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"tag:database\",\\\r\n        \"tag:gcp\",\\\r\n        \"tag:aws\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:database:*\"\\\r\n      ]\\\r\n    }\\\r\n  ],\r\n  \"tagOwners\": {\r\n    \"tag:database\": [\\\r\n      \"group:infra\"\\\r\n    ],\r\n    \"tag:gcp\": [\\\r\n      \"group:infra\"\\\r\n    ],\r\n    \"tag:aws\": [\\\r\n      \"group:infra\"\\\r\n    ]\r\n  }\r\n}\r\n```\r\n\r\n## [Network microsegmentation](https://tailscale.com/docs/reference/examples/acls\\#network-microsegmentation)\r\n\r\n**Prefer grant examples**\r\n\r\nGrants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the [grant examples](https://tailscale.com/docs/reference/examples/grants).\r\n\r\n| [Plan availability](https://tailscale.com/pricing) | Features |\r\n| --- | --- |\r\n| Personal, Premium, and Enterprise | [ACLs](https://tailscale.com/docs/features/access-control/acls), [groups](https://tailscale.com/docs/reference/syntax/policy-file#groups), [tags](https://tailscale.com/docs/features/tags), [tag owners](https://tailscale.com/docs/reference/syntax/policy-file#tag-owners), [tests](https://tailscale.com/docs/reference/syntax/policy-file#tests) |\r\n\r\n[Network microsegmentation](https://tailscale.com/learn/network-microsegmentation) is a security technique that divides network devices, access, and communications into unique logical units. There are many use cases for this—segmenting data centers, virtual networks, customer deployments, and others. Each microsegment is a logical unit that cannot access other microsegments. In some cases, you might still need a support team or tagged devices that can access all segments.\r\n\r\nWhat this example does:\r\n\r\n- Members of the support team `group:support` can access devices tagged `tag:segment-abc` and `tag:segment-xyz` on port `443`.\r\n- Devices tagged with `tag:support` can access devices tagged `tag:segment-abc` and `tag:segment-xyz` on port `443`.\r\n- [Tests](https://tailscale.com/docs/reference/syntax/policy-file#tests)ensure that if ACLs change:\r\n  - Members of the support team `group:support` will still be able to access devices tagged `tag:segment-abc` and `tag:segment-xyz` on port `443`.\r\n  - Devices tagged with `tag:support` will still be able to access devices tagged `tag:segment-abc` and `tag:segment-xyz` on port `443`.\r\n  - Devices tagged with `tag:segment-abc` are denied access to devices tagged `tag:segment-xyz` on port `443`.\r\n  - Devices tagged with `tag:segment-xyz` are denied access to devices tagged `tag:segment-abc` on port `443`.\r\n\r\n```json\r\n{\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"group:support\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:segment-abc:443\",\\\r\n        \"tag:segment-xyz:443\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"tag:support\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:segment-abc:443\",\\\r\n        \"tag:segment-xyz:443\"\\\r\n      ]\\\r\n    }\\\r\n  ],\r\n  \"tests\": [\\\r\n    {\\\r\n      \"src\": \"group:support\",\\\r\n      \"accept\": [\\\r\n        \"tag:segment-abc:443\",\\\r\n        \"tag:segment-xyz:443\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"src\": \"tag:support\",\\\r\n      \"accept\": [\\\r\n        \"tag:segment-abc:443\",\\\r\n        \"tag:segment-xyz:443\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"src\": \"tag:segment-abc\",\\\r\n      \"deny\": [\\\r\n        \"tag:segment-xyz:443\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"src\": \"tag:segment-xyz\",\\\r\n      \"deny\": [\\\r\n        \"tag:segment-abc:443\"\\\r\n      ]\\\r\n    }\\\r\n  ],\r\n  \"groups\": {\r\n    \"group:support\": [\\\r\n      \"alice@example.com\",\\\r\n      \"bob@example.com\"\\\r\n    ]\r\n  },\r\n  \"tagOwners\": {\r\n    \"tag:support\": [\\\r\n      \"autogroup:admin\"\\\r\n    ]\r\n  }\r\n}\r\n```\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>ACL policy examples</h1>\n<p>Last validated: Feb 2, 2026</p>\n<p>Tailscale now secures access to resources using <a href=\"https://tailscale.com/docs/features/access-control/grants\">grants</a>, a next-generation access control policy syntax. Grants provide <a href=\"https://tailscale.com/docs/reference/grants-vs-acls\">all original ACL functionality plus additional capabilities</a>.</p>\n<p>ACLs will continue to work <strong>indefinitely</strong>; Tailscale will not remove support for this first-generation syntax from the product. However, Tailscale recommends <a href=\"https://tailscale.com/docs/reference/migrate-acls-grants\">migrating to grants</a> and using grants for all new tailnet policy file configurations because ACLs will not receive any new features.</p>\n<p>You can use the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual policy editor</a> to manage your tailnet policy file. Refer to the <a href=\"https://tailscale.com/docs/reference/visual-editor\">visual editor reference</a> for guidance on using the visual editor.</p>\n<p>This topic provides example <a href=\"https://tailscale.com/docs/features/access-control/acls\">access controls (ACLs)</a> for common scenarios. For information about the syntax, refer to the <a href=\"https://tailscale.com/docs/reference/syntax/policy-file\">tailnet policy syntax</a>.</p>\n<p>| <strong>Example</strong> | <strong>Description</strong> | <strong>Uses</strong> |\r\n| --- | --- | --- |\r\n| <a href=\"https://tailscale.com/docs/reference/examples/acls#allow-all-default-acl\">Allow all</a> | The default tailnet policy that lets all devices within the tailnet access other devices in the tailnet. | <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#ssh\">SSH</a> |\r\n| <a href=\"https://tailscale.com/docs/reference/examples/acls#deny-all\">Deny all</a> | Deny all connections. | <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a> |\r\n| <a href=\"https://tailscale.com/docs/reference/examples/acls#users-can-access-their-own-devices\">Users can access their own devices</a> | All tailnet users can access devices they own unless another policy prevents it. | <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#ssh\">SSH</a> |\r\n| <a href=\"https://tailscale.com/docs/reference/examples/acls#resource-level-access-policies\">Resource-level access policies</a> | Allow specific devices to access specific resources within the tailnet. | <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#hosts\">hosts</a> |\r\n| <a href=\"https://tailscale.com/docs/reference/examples/acls#restrict-based-on-purpose-tags\">Restrict based on purpose (tags)</a> | Allow specific devices to access specific resources within the tailnet using tags. | <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a> |\r\n| <a href=\"https://tailscale.com/docs/reference/examples/acls#restrict-based-on-group\">Restrict based on group</a> | Manage access to resources using autogroups, custom groups, and provisioned groups. | <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#groups\">groups</a> |\r\n| <a href=\"https://tailscale.com/docs/reference/examples/acls#restrict-based-on-individual-user\">Restrict based on individual users</a> | Manage access to resources for specific users. | <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a> |\r\n| <a href=\"https://tailscale.com/docs/reference/examples/acls#standard-plan-acl\">Standard plan ACL</a> | Use a basic standard plan that lets employees access their own devices and devices tagged with <code>corp</code> and lets admins access devices tagged with <code>corp</code> or <code>prod</code>. | <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tag-owners\">tag owners</a> |\r\n| <a href=\"https://tailscale.com/docs/reference/examples/acls#access-to-an-internal-application-vpn\">Access to an internal application (VPN)</a> | Manage user access applications based on their job role. | <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#groups\">groups</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tag-owners\">tag owners</a> |\r\n| <a href=\"https://tailscale.com/docs/reference/examples/acls#access-to-an-internal-application-vpn-with-synced-groups\">Access to an internal application (VPN) with synced groups</a> | Manage access to internal resources using groups synced to an identity provider. | <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#groups\">groups</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tag-owners\">tag owners</a> |\r\n| <a href=\"https://tailscale.com/docs/reference/examples/acls#remote-access-to-production-environment\">Remote access to a production environment</a> | Manage user access to the production environment based on their job role. | <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#groups\">groups</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tag-owners\">tag owners</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tests\">tests</a> |\r\n| <a href=\"https://tailscale.com/docs/reference/examples/acls#vpc-access-vpc-peering\">VPC access (VPC peering)</a> | Manage access to a virtual private cloud using access control lists. | <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#groups\">groups</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tag-owners\">tag owners</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#autoapprovers\">auto approvers</a> |\r\n| <a href=\"https://tailscale.com/docs/reference/examples/acls#share-access-with-a-contractor\">Share access with a contractor</a> | Allow a third-party contractor to access shared resources in the development environment. | <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#groups\">groups</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tag-owners\">tag owners</a> |\r\n| <a href=\"https://tailscale.com/docs/reference/examples/acls#remote-development\">Remote development</a> | Manage access to a remote development environment. | <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#groups\">groups</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tag-owners\">tag owners</a> |\r\n| <a href=\"https://tailscale.com/docs/reference/examples/acls#pair-programming\">Pair programming</a> | Create a paired programming environment multiple engineers can connect to using SSH. | <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tag-owners\">tag owners</a> |\r\n| <a href=\"https://tailscale.com/docs/reference/examples/acls#cicd-deployment-pipeline\">CI/CD deployment pipeline</a> | Manage access to resources based on job roles. | <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#groups\">groups</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tag-owners\">tag owners</a> |\r\n| <a href=\"https://tailscale.com/docs/reference/examples/acls#monitoring-access-to-applications\">Monitoring access to applications</a> | Allow a monitoring server to access all applications on common ports. | <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#groups\">groups</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tag-owners\">tag owners</a> |\r\n| <a href=\"https://tailscale.com/docs/reference/examples/acls#application-peering\">Application peering</a> | Allow multiple cloud providers or applications to access each other. | <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#groups\">groups</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tag-owners\">tag owners</a> |\r\n| <a href=\"https://tailscale.com/docs/reference/examples/acls#network-microsegmentation\">Network microsegmentation</a> | Allow access to network microsegments, but deny access between them. | <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#groups\">groups</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tag-owners\">tag owners</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tests\">tests</a> |</p>\n<h2><a href=\"https://tailscale.com/docs/reference/examples/acls#allow-all-default-acl\">Allow all (default ACL)</a></h2>\n<p><strong>Prefer grant examples</strong></p>\n<p>Grants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the <a href=\"https://tailscale.com/docs/reference/examples/grants\">grant examples</a>.</p>\n<p>| <a href=\"https://tailscale.com/pricing\">Plan availability</a> | Features |\r\n| --- | --- |\r\n| All plans | <a href=\"https://tailscale.com/docs/reference/syntax/policy-file\">ACLs</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#ssh\">SSH</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#autogroups\">autogroups</a> |</p>\n<p>When you first create your Tailscale network (known as a tailnet), Tailscale initializes it with a default <em>allow all</em> access policy to make it easy to connect to and use Tailscale without restricting any traffic in your network.</p>\n<p>You can reset your ACL policy file to the original default by deleting the existing policy file contents and selecting <strong>Reset to default</strong>. Policy file changes can also be <a href=\"https://tailscale.com/docs/features/tailnet-policy-file/manage-tailnet-policies#revert-changes\">reverted</a> from the <a href=\"https://login.tailscale.com/admin/logs\">Configuration logs</a> page of the admin console.</p>\n<p>Here's a breakdown of what the default policy does:</p>\n<ul>\n<li>Lets all devices in the tailnet access all other devices in the tailnet.</li>\n<li>Lets all users establish a <a href=\"https://tailscale.com/docs/features/tailscale-ssh\">Tailscale SSH</a> session to their own devices using <a href=\"https://tailscale.com/docs/features/tailscale-ssh#configure-tailscale-ssh-with-check-mode\">check mode</a>, as either root or non-root.</li>\n<li>If you have a <a href=\"https://tailscale.com/docs/reference/troubleshooting/network-configuration/disable-subnet-route-masquerading\">subnet router initialized with <code>--snat-subnet-routes=false</code></a> (Linux only), then any devices on the same local network as the subnet router can also access all devices in the tailnet.</li>\n<li>If you have a <a href=\"https://tailscale.com/docs/features/sharing#sharing-and-access-control-lists-acls\">device shared from another network</a> in your tailnet, that device cannot access any devices in the tailnet. The device <a href=\"https://tailscale.com/docs/features/sharing#quarantine\">can only respond to incoming connections</a> from the tailnet.</li>\n</ul>\n<pre><code class=\"language-json\">{\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"*\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"*:*\"\\\r\n      ]\\\r\n    }\\\r\n  ],\r\n  \"ssh\": [\\\r\n    {\\\r\n      \"action\": \"check\",\\\r\n      \"src\": [\\\r\n        \"autogroup:member\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"autogroup:self\"\\\r\n      ],\\\r\n      \"users\": [\\\r\n        \"autogroup:nonroot\",\\\r\n        \"root\"\\\r\n      ]\\\r\n    }\\\r\n  ],\r\n}\n</code></pre>\n<p>Omitting the <code>acls</code> field from the tailnet policy file is equivalent to the default allow all policy. To deny all connections, <a href=\"https://tailscale.com/docs/reference/examples/acls#deny-all\">use an empty object for the <code>acls</code> field</a> in your policy file.</p>\n<pre><code class=\"language-json\">{} // Tailscale applies the default allow all policy if the acls section is empty.\n</code></pre>\n<p>In the default ACL, the <code>ssh</code> rule uses <code>autogroup:self</code> for the <code>dst</code> field and<code>autogroup:nonroot</code> in the <code>users</code> field. If you change the <code>dst</code> field from<code>autogroup:self</code> to some other destination, such as an <a href=\"https://tailscale.com/docs/features/tags/\">ACL tag</a>, also consider replacing<code>autogroup:nonroot</code> in the <code>users</code> field. If you don't remove<code>autogroup:nonroot</code> from the <code>users</code> field, then anyone permitted by the <code>src</code> setting will be able to SSH in as any nonroot user on the <code>dst</code> device.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/examples/acls#deny-all\">Deny all</a></h2>\n<p><strong>Prefer grant examples</strong></p>\n<p>Grants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the <a href=\"https://tailscale.com/docs/reference/examples/grants\">grant examples</a>.</p>\n<p>| <a href=\"https://tailscale.com/pricing\">Plan availability</a> | Features |\r\n| --- | --- |\r\n| All plans | <a href=\"https://tailscale.com/docs/reference/syntax/policy-file\">ACLs</a> |</p>\n<p>You can deny all connections in your tailnet by using an empty option for the <code>acls</code> field in your policy file. This configuration prevents all devices from communicating with each other. This configuration is not recommended for general use because nothing in the tailnet will work.</p>\n<pre><code class=\"language-json\">{\r\n  \"acls\": []\r\n}\n</code></pre>\n<p>Omitting the <code>acls</code> field from the tailnet policy file is not the equivalent of a \"deny all\" policy. Instead, Tailscale applies the <a href=\"https://tailscale.com/docs/reference/examples/acls#allow-all-default-acl\">default allow all policy</a>, which allows all devices within the tailnet to access other devices in the tailnet.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/examples/acls#users-can-access-their-own-devices\">Users can access their own devices</a></h2>\n<p><strong>Prefer grant examples</strong></p>\n<p>Grants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the <a href=\"https://tailscale.com/docs/reference/examples/grants\">grant examples</a>.</p>\n<p>| <a href=\"https://tailscale.com/pricing\">Plan availability</a> | Features |\r\n| --- | --- |\r\n| All plans | <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a>, <a href=\"https://tailscale.com/docs/features/tags\">tags</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tag-owners\">tag owners</a> |</p>\n<p>This example lets all users access their own devices. It is suitable for many use cases where you want to allow users to access their own devices, but not other devices in the tailnet.</p>\n<pre><code class=\"language-json\">{\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"autogroup:member\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"autogroup:self:*\"\\\r\n      ]\\\r\n    }\\\r\n  ],\r\n}\n</code></pre>\n<h2><a href=\"https://tailscale.com/docs/reference/examples/acls#resource-level-access-policies\">Resource-level access policies</a></h2>\n<p><strong>Prefer grant examples</strong></p>\n<p>Grants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the <a href=\"https://tailscale.com/docs/reference/examples/grants\">grant examples</a>.</p>\n<p>| <a href=\"https://tailscale.com/pricing\">Plan availability</a> | Features |\r\n| --- | --- |\r\n| All plans | <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#hosts\">hosts</a> |</p>\n<p>You can enable connectivity from one device or network to another using their IP addresses. Additionally, the <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#hosts\"><code>hosts</code></a> section lets you define a human-friendly name for an IP address or CIDR range, to make access rules more readable.</p>\n<p>What this example does:</p>\n<ul>\n<li>The device with the IP address <code>100.100.123.124</code> can access the device with the IP address <code>100.100.123.123</code>.</li>\n<li>The device with the IP address <code>100.100.123.124</code> can access devices in the subnet <code>192.0.2.0/24</code> through a <a href=\"https://tailscale.com/docs/features/subnet-routers\">subnet router</a>.</li>\n<li>The device with the hostname <code>frontend-server-01</code> can access devices in the subnet <code>192.0.2.0/24</code>.</li>\n<li>The device with the hostname <code>frontend-server-01</code> can access the device with the hostname <code>dev-network-01</code>.</li>\n</ul>\n<pre><code class=\"language-json\">{\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"100.100.123.124\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"100.100.123.123:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"100.100.123.124\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"192.0.2.0/24:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"frontend-server-01\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"192.0.2.0/24:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"frontend-server-01\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"dev-network-01:*\"\\\r\n      ]\\\r\n    }\\\r\n  ],\r\n  \"hosts\": {\r\n    \"frontend-server-01\": \"100.100.123.123\",\r\n    \"dev-network-01\": \"203.0.113.0/24\"\r\n  }\r\n}\n</code></pre>\n<p>When writing access control rules targeting resources behind a <a href=\"https://tailscale.com/docs/features/subnet-routers/4via6-subnets\">4via6 subnet</a> router, use the IPv6 CIDR or address as the destination, not the IPv4 address.</p>\n<p>Use <code>tailscale debug via</code> to get the IPv6 CIDR.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/examples/acls#restrict-based-on-purpose-tags\">Restrict based on purpose (tags)</a></h2>\n<p><strong>Prefer grant examples</strong></p>\n<p>Grants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the <a href=\"https://tailscale.com/docs/reference/examples/grants\">grant examples</a>.</p>\n<p>| <a href=\"https://tailscale.com/pricing\">Plan availability</a> | Features |\r\n| --- | --- |\r\n| All plans | <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a>, <a href=\"https://tailscale.com/docs/features/tags\">tags</a> |</p>\n<p><a href=\"https://tailscale.com/docs/features/tags\">Tags</a> let you assign an identity to a device that is separate from human users, and use that identity as part of an ACL to restrict access. Tags should be used when adding servers to your Tailscale network, so that their access is based on their purpose, not based on which member of your operations team enrolled them.</p>\n<p>What this example does:</p>\n<ul>\n<li>Devices tagged with <code>tag:frontend</code> can access devices tagged with <code>tag:backend</code>.</li>\n<li>Devices tagged with <code>tag:backend</code> can access devices tagged with <code>tag:logging</code>.</li>\n</ul>\n<pre><code class=\"language-json\">{\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"tag:frontend\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:backend:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"tag:backend\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:logging:*\"\\\r\n      ]\\\r\n    }\\\r\n  ]\r\n}\n</code></pre>\n<h2><a href=\"https://tailscale.com/docs/reference/examples/acls#restrict-based-on-group\">Restrict based on group</a></h2>\n<p><strong>Prefer grant examples</strong></p>\n<p>Grants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the <a href=\"https://tailscale.com/docs/reference/examples/grants\">grant examples</a>.</p>\n<p>You can enable access to resources in your tailnet with <a href=\"https://tailscale.com/docs/reference/examples/acls#with-autogroups\">autogroups</a>, <a href=\"https://tailscale.com/docs/reference/examples/acls#with-custom-groups\">custom groups</a>, or <a href=\"https://tailscale.com/docs/reference/examples/acls#with-provisioned-groups\">groups provisioned from supported identity providers</a>.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/examples/acls#with-autogroups\">With autogroups</a></h3>\n<p><strong>Prefer grant examples</strong></p>\n<p>Grants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the <a href=\"https://tailscale.com/docs/reference/examples/grants\">grant examples</a>.</p>\n<p>| <a href=\"https://tailscale.com/pricing\">Plan availability</a> | Features |\r\n| --- | --- |\r\n| All plans | <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#autogroups\">autogroups</a>, <a href=\"https://tailscale.com/docs/features/tags\">tags</a> |</p>\n<p><a href=\"https://tailscale.com/docs/reference/syntax/policy-file#autogroups\">Autogroups</a> are built-in groups that automatically include users, destinations, or usernames with the same properties.</p>\n<p>What this example does:</p>\n<ul>\n<li>All tailnet members <code>autogroup:member</code> can access devices tagged with <code>tag:frontend</code>.</li>\n<li>All Tailscale <a href=\"https://tailscale.com/docs/reference/user-roles\">Admins</a> (<code>autogroup:admin</code>) can access devices tagged with <code>tag:backend</code> or <code>tag:logging</code>.</li>\n</ul>\n<pre><code class=\"language-json\">{\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"autogroup:member\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:frontend:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"autogroup:admin\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:backend:*\",\\\r\n        \"tag:logging:*\"\\\r\n      ]\\\r\n    }\\\r\n  ]\r\n}\n</code></pre>\n<h3><a href=\"https://tailscale.com/docs/reference/examples/acls#with-custom-groups\">With custom groups</a></h3>\n<p><strong>Prefer grant examples</strong></p>\n<p>Grants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the <a href=\"https://tailscale.com/docs/reference/examples/grants\">grant examples</a>.</p>\n<p>| <a href=\"https://tailscale.com/pricing\">Plan availability</a> | Features |\r\n| --- | --- |\r\n| Personal, Premium, and Enterprise | <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#groups\">groups</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#autogroups\">autogroups</a>, <a href=\"https://tailscale.com/docs/features/tags\">tags</a> |</p>\n<p><a href=\"https://tailscale.com/docs/reference/syntax/policy-file#groups\">Custom groups</a> let you define a shorthand for a group of users, which you can then use in access rules instead of listing users out explicitly.</p>\n<p>What this example does:</p>\n<ul>\n<li>The Engineering team <code>group:engineering</code> consists of <code>alice@example.com</code> and <code>bob@example.com</code>.</li>\n<li>The DevOps team <code>group:engineering</code> consists of <code>amelie@example.com</code> and <code>carl@example.com</code>.</li>\n<li>The Engineering team <code>group:engineering</code> can access devices tagged with <code>tag:frontend</code> or <code>tag:backend</code>.</li>\n<li>The DevOps team <code>group:devops</code> can access devices tagged with <code>tag:frontend</code>, <code>tag:backend</code>, or <code>tag:logging</code>.</li>\n</ul>\n<pre><code class=\"language-json\">{\r\n  \"groups\": {\r\n    \"group:engineering\": [\\\r\n      \"alice@example.com\",\\\r\n      \"bob@example.com\"\\\r\n    ],\r\n    \"group:devops\": [\\\r\n      \"amelie@example.com\",\\\r\n      \"carl@example.com\"\\\r\n    ]\r\n  },\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"group:engineering\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:frontend:*\",\\\r\n        \"tag:backend:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"group:devops\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:frontend:*\",\\\r\n        \"tag:backend:*\",\\\r\n        \"tag:logging:*\"\\\r\n      ]\\\r\n    }\\\r\n  ]\r\n}\n</code></pre>\n<h3><a href=\"https://tailscale.com/docs/reference/examples/acls#with-provisioned-groups\">With provisioned groups</a></h3>\n<p><strong>Prefer grant examples</strong></p>\n<p>Grants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the <a href=\"https://tailscale.com/docs/reference/examples/grants\">grant examples</a>.</p>\n<p>You can use <a href=\"https://tailscale.com/docs/features/user-group-provisioning\">group provisioning from supported identity providers</a> and avoid maintaining custom groups in your ACLs.</p>\n<pre><code class=\"language-json\">{\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"group:engineering@example.com\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:frontend:*\",\\\r\n        \"tag:backend:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"group:devops@example.com\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:frontend:*\",\\\r\n        \"tag:backend:*\",\\\r\n        \"tag:logging:*\"\\\r\n      ]\\\r\n    }\\\r\n  ]\r\n}\n</code></pre>\n<h2><a href=\"https://tailscale.com/docs/reference/examples/acls#restrict-based-on-individual-user\">Restrict based on individual user</a></h2>\n<p><strong>Prefer grant examples</strong></p>\n<p>Grants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the <a href=\"https://tailscale.com/docs/reference/examples/grants\">grant examples</a>.</p>\n<p>| <a href=\"https://tailscale.com/pricing\">Plan availability</a> | Features |\r\n| --- | --- |\r\n| Personal, Premium, and Enterprise | <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a>, <a href=\"https://tailscale.com/docs/features/tags\">tags</a> |</p>\n<p>You can enable access to resources based on individual users.</p>\n<p>What this example does:</p>\n<ul>\n<li>User Alice can access devices tagged with <code>tag:frontend</code>.</li>\n<li>User Bob can access devices tagged with <code>tag:backend</code>.</li>\n</ul>\n<pre><code class=\"language-json\">{\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"amelie@example.com\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:frontend:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"bob@example.com\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:backend:*\"\\\r\n      ]\\\r\n    }\\\r\n  ]\r\n}\n</code></pre>\n<h2><a href=\"https://tailscale.com/docs/reference/examples/acls#standard-plan-acl\">Standard plan ACL</a></h2>\n<p><strong>Prefer grant examples</strong></p>\n<p>Grants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the <a href=\"https://tailscale.com/docs/reference/examples/grants\">grant examples</a>.</p>\n<p>| <a href=\"https://tailscale.com/pricing\">Plan availability</a> | Features |\r\n| --- | --- |\r\n| All plans | <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#autogroups\">autogroups</a>, <a href=\"https://tailscale.com/docs/features/tags\">tags</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tag-owners\">tag owners</a> |</p>\n<p>This example provides remote access to corp and prod devices. It is suitable for many Standard plan use cases.</p>\n<p>Your team can use Tailscale to access remote devices. In this scenario, all users can access their own remote devices, as well as any common corporate devices, such as servers, that are tagged. Only Tailscale <a href=\"https://tailscale.com/docs/reference/user-roles\">Admins</a> can access production devices. Admins can configure which devices are tagged. No corporate or production devices can access each other, and no shared users can access devices.</p>\n<p>What this example does:</p>\n<ul>\n<li>All employees can access their own devices.</li>\n<li>All employees can access corporate devices tagged with <code>tag:corp</code>.</li>\n<li>All Tailscale <a href=\"https://tailscale.com/docs/reference/user-roles\">Admins</a> (<code>autogroup:admin</code>) can access devices tagged with <code>tag:prod</code>.</li>\n<li>All Tailscale <a href=\"https://tailscale.com/docs/reference/user-roles\">Admins</a> can manage which devices are tagged with <code>tag:corp</code> and <code>tag:prod</code>.</li>\n</ul>\n<pre><code class=\"language-json\">{\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"autogroup:member\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"autogroup:self:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"autogroup:member\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:corp:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"autogroup:admin\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:prod:*\"\\\r\n      ]\\\r\n    }\\\r\n  ],\r\n  \"tagOwners\": {\r\n    \"tag:corp\": [\\\r\n      \"autogroup:admin\"\\\r\n    ],\r\n    \"tag:prod\": [\\\r\n      \"autogroup:admin\"\\\r\n    ]\r\n  }\r\n}\n</code></pre>\n<h2><a href=\"https://tailscale.com/docs/reference/examples/acls#access-to-an-internal-application-vpn\">Access to an internal application (VPN)</a></h2>\n<p><strong>Prefer grant examples</strong></p>\n<p>Grants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the <a href=\"https://tailscale.com/docs/reference/examples/grants\">grant examples</a>.</p>\n<p>| <a href=\"https://tailscale.com/pricing\">Plan availability</a> | Features |\r\n| --- | --- |\r\n| Personal, Premium, and Enterprise | <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#groups\">groups</a>, <a href=\"https://tailscale.com/docs/features/tags\">tags</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tag-owners\">tag owners</a> |</p>\n<p>You can use Tailscale to allow users to access internal applications, including both custom internal applications and third-party applications hosted internally. In this scenario, users in your tailnet can access applications based on their job role. The IT team can set up internal applications.</p>\n<p>What this example does:</p>\n<ul>\n<li>Members of the engineering team <code>group:engineering</code> can access the devices tagged with <code>tag:engineering</code>.</li>\n<li>Members of the finance team <code>group:finance</code> can access the devices tagged with <code>tag:finance</code>.</li>\n<li>Members of the legal team <code>group:legal</code> can access the devices tagged with <code>tag:legal</code>.</li>\n<li>All employees can access the devices tagged with <code>tag:internal</code>.</li>\n<li>All Tailscale <a href=\"https://tailscale.com/docs/reference/user-roles\">Admins</a> (<code>autogroup:admin</code>) (such as the IT team) can manage which devices are tagged with <code>tag:engineering</code>, <code>tag:finance</code>, <code>tag:legal</code>, and <code>tag:internal</code>.</li>\n</ul>\n<pre><code class=\"language-json\">{\r\n  \"groups\": {\r\n    \"group:engineering\": [\\\r\n      \"alice@example.com\"\\\r\n    ],\r\n    \"group:finance\": [\\\r\n      \"bob@example.com\"\\\r\n    ],\r\n    \"group:legal\": [\\\r\n      \"carl@example.com\"\\\r\n    ]\r\n  },\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"group:engineering\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:engineering:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"group:finance\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:finance:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"group:legal\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:legal:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"autogroup:member\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:internal:*\"\\\r\n      ]\\\r\n    }\\\r\n  ],\r\n  \"tagOwners\": {\r\n    \"tag:engineering\": [\\\r\n      \"autogroup:admin\"\\\r\n    ],\r\n    \"tag:finance\": [\\\r\n      \"autogroup:admin\"\\\r\n    ],\r\n    \"tag:legal\": [\\\r\n      \"autogroup:admin\"\\\r\n    ],\r\n    \"tag:internal\": [\\\r\n      \"autogroup:admin\"\\\r\n    ]\r\n  }\r\n}\n</code></pre>\n<h3><a href=\"https://tailscale.com/docs/reference/examples/acls#access-to-an-internal-application-vpn-with-synced-groups\">Access to an internal application (VPN) with synced groups</a></h3>\n<p><strong>Prefer grant examples</strong></p>\n<p>Grants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the <a href=\"https://tailscale.com/docs/reference/examples/grants\">grant examples</a>.</p>\n<p>| <a href=\"https://tailscale.com/pricing\">Plan availability</a> | Features |\r\n| --- | --- |\r\n| Enterprise | <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#groups\">groups</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#autogroups\">autogroups</a>, <a href=\"https://tailscale.com/docs/features/tags\">tags</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tag-owners\">tag owners</a> |</p>\n<p>You can use <a href=\"https://tailscale.com/docs/features/user-group-provisioning\">user and group provisioning</a> to include groups synced from your identity provider in access rules. Tailscale treats synced group names as lowercase. They can include spaces, but not the <code>@</code> symbol.</p>\n<p>What this example does:</p>\n<ul>\n<li>Members of the engineering team in the synced group <code>group:engineering@example.com</code> can access the devices tagged with <code>tag:engineering</code>.</li>\n<li>Members of the finance team in the synced group <code>group:finance team@example.com</code> can access the devices tagged with <code>tag:finance</code>.</li>\n<li>Members of the legal team in the synced group <code>group:Legal@example.com</code> can access the devices tagged with <code>tag:legal</code>.</li>\n<li>All employees can access the devices tagged with <code>tag:internal</code>.</li>\n<li>All Tailscale <a href=\"https://tailscale.com/docs/reference/user-roles\">Admins</a> (<code>autogroup:admin</code>) (such as the IT team) can manage which devices are tagged with <code>tag:engineering</code>, <code>tag:finance</code>, <code>tag:legal</code>, and <code>tag:internal</code>.</li>\n</ul>\n<pre><code class=\"language-json\">{\r\n  \"groups\": {},\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"group:engineering@example.com\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:engineering:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"group:finance team@example.com\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:finance:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"group:legal@example.com\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:legal:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"autogroup:member\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:internal:*\"\\\r\n      ]\\\r\n    }\\\r\n  ],\r\n  \"tagOwners\": {\r\n    \"tag:engineering\": [\\\r\n      \"autogroup:admin\"\\\r\n    ],\r\n    \"tag:finance\": [\\\r\n      \"autogroup:admin\"\\\r\n    ],\r\n    \"tag:legal\": [\\\r\n      \"autogroup:admin\"\\\r\n    ],\r\n    \"tag:internal\": [\\\r\n      \"autogroup:admin\"\\\r\n    ]\r\n  }\r\n}\n</code></pre>\n<h2><a href=\"https://tailscale.com/docs/reference/examples/acls#remote-access-to-production-environment\">Remote access to production environment</a></h2>\n<p><strong>Prefer grant examples</strong></p>\n<p>Grants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the <a href=\"https://tailscale.com/docs/reference/examples/grants\">grant examples</a>.</p>\n<p>| <a href=\"https://tailscale.com/pricing\">Plan availability</a> | Features |\r\n| --- | --- |\r\n| Personal, Premium, and Enterprise | <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#groups\">groups</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#autogroups\">autogroups</a>, <a href=\"https://tailscale.com/docs/features/tags\">tags</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tag-owners\">tag owners</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tests\">tests</a> |</p>\n<p>You can modify this example to work on the Standard plan by using <code>autogroup:member</code> instead of a custom group (<code>group:dev</code>).</p>\n<p>Your DevOps, infrastructure, or SRE team can use Tailscale to access their sensitive and highly protected production environment. In this scenario, a DevOps team might be able to access the production environment, whereas other developers might only be able to access resources in a development environment. All developers are able to access monitoring tools, such as <a href=\"https://tailscale.com/blog/grafana-auth\">Grafana</a>.</p>\n<p>What this example does:</p>\n<ul>\n<li>All employees can access their own devices (such as remote workstations).</li>\n<li>Members of the development team <code>group:dev</code> can access the devices tagged with <code>tag:dev</code> (such as license servers).</li>\n<li>All Tailscale <a href=\"https://tailscale.com/docs/reference/user-roles\">Admins</a> (<code>autogroup:admin</code>) (such as members of the DevOps team) can access the devices tagged with <code>tag:prod</code> (such as the production environment).</li>\n<li>All employees can access devices tagged with <code>tag:monitoring</code> on ports <code>80</code> and <code>443</code> (such as monitoring dashboards).</li>\n<li>All Tailscale <a href=\"https://tailscale.com/docs/reference/user-roles\">Admins</a> (<code>autogroup:admin</code>) can manage which devices are tagged with <code>tag:dev</code>, <code>tag:prod</code>, and <code>tag:monitoring</code></li>\n<li><a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tests\">Tests</a>ensure that if ACLs change:\n<ul>\n<li>Carl will still be able to access devices tagged with <code>tag:prod</code> on port <code>80</code>.</li>\n<li>Alice will still be able to access devices tagged with <code>tag:dev</code> (but not devices tagged with <code>tag:prod</code>) on port <code>80</code>.</li>\n</ul>\n</li>\n</ul>\n<pre><code class=\"language-json\">{\r\n  \"groups\": {\r\n    \"group:dev\": [\\\r\n      \"alice@example.com\",\\\r\n      \"bob@example.com\"\\\r\n    ]\r\n  },\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"autogroup:member\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"autogroup:self:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"group:dev\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:dev:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"autogroup:admin\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:prod:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"autogroup:member\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:monitoring:80,443\"\\\r\n      ]\\\r\n    }\\\r\n  ],\r\n  \"tagOwners\": {\r\n    \"tag:monitoring\": [\\\r\n      \"autogroup:admin\"\\\r\n    ],\r\n    \"tag:dev\": [\\\r\n      \"autogroup:admin\"\\\r\n    ],\r\n    \"tag:prod\": [\\\r\n      \"autogroup:admin\"\\\r\n    ]\r\n  },\r\n  \"tests\": [\\\r\n    {\\\r\n      \"src\": \"carl@example.com\",\\\r\n      \"accept\": [\\\r\n        \"tag:prod:80\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"src\": \"alice@example.com\",\\\r\n      \"accept\": [\\\r\n        \"tag:dev:80\"\\\r\n      ],\\\r\n      \"deny\": [\\\r\n        \"tag:prod:80\"\\\r\n      ]\\\r\n    }\\\r\n  ]\r\n}\n</code></pre>\n<h2><a href=\"https://tailscale.com/docs/reference/examples/acls#vpc-access-vpc-peering\">VPC access (VPC peering)</a></h2>\n<p><strong>Prefer grant examples</strong></p>\n<p>Grants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the <a href=\"https://tailscale.com/docs/reference/examples/grants\">grant examples</a>.</p>\n<p>| <a href=\"https://tailscale.com/pricing\">Plan availability</a> | Features |\r\n| --- | --- |\r\n| Personal, Premium, and Enterprise | <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#groups\">groups</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#autogroups\">autogroups</a>, <a href=\"https://tailscale.com/docs/features/tags\">tags</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tag-owners\">tag owners</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#autoapprovers\">auto approvers</a> |</p>\n<p>You can modify this example to work on the Standard plan by using <code>autogroup:member</code> instead of a custom group (<code>group:dev</code>).</p>\n<p>Your DevOps team can use Tailscale to allow developers to access existing internal applications running in a Virtual Private Cloud (VPC) on a private or hosted cloud provider. In this scenario, developers can access resources in the VPC, and the DevOps team is able to manage access to the VPC. VPCs can be peered to each other if they don't have <a href=\"https://tailscale.com/docs/features/subnet-routers/4via6-subnets\">overlapping IP ranges</a>. To connect an existing subnet to your Tailscale network without installing Tailscale on every device, you can use a <a href=\"https://tailscale.com/docs/features/subnet-routers\">subnet router</a>. Run a subnet router in the subnet, and advertise the routes so that Tailscale can route traffic for the subnet to the device for forwarding. For devices on a subnet to connect to devices in your tailnet, <a href=\"https://tailscale.com/docs/reference/troubleshooting/network-configuration/disable-subnet-route-masquerading\">disable subnet route masquerading</a>. You can also use <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#autoapprovers\">auto approvers</a> to automatically approve routes.</p>\n<p>What this example does:</p>\n<ul>\n<li>All Tailscale <a href=\"https://tailscale.com/docs/reference/user-roles\">Admins</a> (<code>autogroup:admin</code>) (such as the IT team) can access the devices tagged with <code>tag:vpc-peering</code> (for maintenance).</li>\n<li>Members of the development team <code>group:dev</code> can access devices in the subnets <code>192.0.2.0/24</code> and <code>198.51.100.0/24</code>.</li>\n<li>The subnet <code>192.0.2.0/24</code> can access the subnet <code>198.51.100.0/24</code> and vice versa (if <a href=\"https://tailscale.com/docs/reference/troubleshooting/network-configuration/disable-subnet-route-masquerading\">subnet route masquerading is disabled</a>).</li>\n<li>All Tailscale <a href=\"https://tailscale.com/docs/reference/user-roles\">Admins</a> (<code>autogroup:admin</code>) (such as the IT team) can manage which devices are tagged with <code>tag:vpc-peering</code>.</li>\n<li>All Tailscale <a href=\"https://tailscale.com/docs/reference/user-roles\">Admins</a> (<code>autogroup:admin</code>) and devices tagged with <code>tag:vpc-peering</code> can auto-approve routes for <code>192.0.2.0/24</code> and <code>198.51.100.0/24</code>.</li>\n</ul>\n<pre><code class=\"language-json\">{\r\n  \"groups\": {\r\n    \"group:dev\": [\\\r\n      \"alice@example.com\",\\\r\n      \"bob@example.com\"\\\r\n    ]\r\n  },\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"autogroup:admin\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:vpc-peering:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"group:dev\",\\\r\n        \"192.0.2.0/24\",\\\r\n        \"198.51.100.0/24\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"192.0.2.0/24:*\",\\\r\n        \"198.51.100.0/24:*\"\\\r\n      ]\\\r\n    }\\\r\n  ],\r\n  \"tagOwners\": {\r\n    \"tag:vpc-peering\": [\\\r\n      \"autogroup:admin\"\\\r\n    ]\r\n  },\r\n  \"autoApprovers\": {\r\n    \"routes\": {\r\n      \"192.0.2.0/24\": [\\\r\n        \"tag:vpc-peering\",\\\r\n        \"autogroup:admin\"\\\r\n      ],\r\n      \"198.51.100.0/24\": [\\\r\n        \"tag:vpc-peering\",\\\r\n        \"autogroup:admin\"\\\r\n      ]\r\n    }\r\n  }\r\n}\n</code></pre>\n<h2><a href=\"https://tailscale.com/docs/reference/examples/acls#share-access-with-a-contractor\">Share access with a contractor</a></h2>\n<p><strong>Prefer grant examples</strong></p>\n<p>Grants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the <a href=\"https://tailscale.com/docs/reference/examples/grants\">grant examples</a>.</p>\n<p>| <a href=\"https://tailscale.com/pricing\">Plan availability</a> | Features |\r\n| --- | --- |\r\n| Personal, Premium, and Enterprise | <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#groups\">groups</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#autogroups\">autogroups</a>, <a href=\"https://tailscale.com/docs/features/tags\">tags</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tag-owners\">tag owners</a> |</p>\n<p>You can modify this example to work on the Standard plan by using <code>autogroup:member</code> instead of a custom group (<code>group:dev</code>).</p>\n<p>Your development team can use Tailscale to share access to specific resources, such as a database or a hosted code repository, with a contractor. In this scenario, developers can access internal development resources. Specific devices can be <a href=\"https://tailscale.com/docs/features/sharing\">shared</a> with a contractor as part of their job.</p>\n<p>What this example does:</p>\n<ul>\n<li>All employees can access their own devices.</li>\n<li>Members of the development team <code>group:dev</code> can access devices tagged with <code>tag:dev</code> (such as package registries and databases)</li>\n<li>Contractors who have accepted a share invite can access devices tagged with <code>tag:dev</code> (that have been shared with them).</li>\n</ul>\n<pre><code class=\"language-json\">{\r\n  \"groups\": {\r\n    \"group:dev\": [\\\r\n      \"alice@example.com\",\\\r\n      \"bob@example.com\"\\\r\n    ]\r\n  },\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"autogroup:member\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"autogroup:self:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"group:dev\",\\\r\n        \"autogroup:shared\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:dev:*\"\\\r\n      ]\\\r\n    }\\\r\n  ],\r\n  \"tagOwners\": {\r\n    \"tag:dev\": [\\\r\n      \"group:dev\"\\\r\n    ]\r\n  }\r\n}\n</code></pre>\n<h2><a href=\"https://tailscale.com/docs/reference/examples/acls#remote-development\">Remote development</a></h2>\n<p><strong>Prefer grant examples</strong></p>\n<p>Grants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the <a href=\"https://tailscale.com/docs/reference/examples/grants\">grant examples</a>.</p>\n<p>| <a href=\"https://tailscale.com/pricing\">Plan availability</a> | Features |\r\n| --- | --- |\r\n| Personal, Premium, and Enterprise | <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#groups\">groups</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#autogroups\">autogroups</a>, <a href=\"https://tailscale.com/docs/features/tags\">tags</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tag-owners\">tag owners</a> |</p>\n<p>You can modify this example to work on the Standard plan by using <code>autogroup:member</code> instead of a custom group (<code>group:dev</code>).</p>\n<p>Your development team can use Tailscale as part of their remote development setup. In this scenario, a developer might have a local device, like a laptop, and use it to access a remote workstation, hosted in the cloud or hosted on another device in their network. This is useful if you're accessing a workstation with more processing power, for example, for machine learning or for building. You might also use a remote code environment like <a href=\"https://tailscale.com/docs/integrations/github/github-codespaces\">GitHub Codespaces</a>, <a href=\"https://tailscale.com/docs/install/cloud/gitpod\">Gitpod</a>, or <a href=\"https://tailscale.com/docs/install/cloud/coder\">Coder</a>. From your development environment, you might access a license server, a package registry, a production database, or another development or build resource. You might also access a self-hosted or private code repository.</p>\n<p>What this example does:</p>\n<ul>\n<li>All employees can access their own devices.</li>\n<li>Members of the development team <code>group:dev</code> can access devices tagged with <code>tag:dev</code> (such as package registries and databases).</li>\n<li>The development team <code>group:dev</code> can manage which devices are tagged with <code>tag:dev</code>.</li>\n</ul>\n<pre><code class=\"language-json\">{\r\n  \"groups\": {\r\n    \"group:dev\": [\\\r\n      \"alice@example.com\",\\\r\n      \"bob@example.com\"\\\r\n    ]\r\n  },\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"autogroup:member\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"autogroup:self:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"group:dev\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:dev:*\"\\\r\n      ]\\\r\n    }\\\r\n  ],\r\n  \"tagOwners\": {\r\n    \"tag:dev\": [\\\r\n      \"group:dev\"\\\r\n    ]\r\n  }\r\n}\n</code></pre>\n<h2><a href=\"https://tailscale.com/docs/reference/examples/acls#pair-programming\">Pair programming</a></h2>\n<p><strong>Prefer grant examples</strong></p>\n<p>Grants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the <a href=\"https://tailscale.com/docs/reference/examples/grants\">grant examples</a>.</p>\n<p>| <a href=\"https://tailscale.com/pricing\">Plan availability</a> | Features |\r\n| --- | --- |\r\n| Personal, Premium, and Enterprise | <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a>, <a href=\"https://tailscale.com/docs/features/tags\">tags</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tag-owners\">tag owners</a> |</p>\n<p>You can modify this example to work on the Standard plan by using <code>autogroup:member</code> and <code>autogroup:admin</code> instead of named users.</p>\n<p>Your development team can use Tailscale to pair program on the same device remotely. In this scenario, two or more developers can use SSH to connect to a corporate device, such as a virtual machine (VM), and share a terminal (such as a <code>tmux</code> session).</p>\n<p>What this example does:</p>\n<ul>\n<li>Users Alice and Bob can access the corporate device tagged <code>tag:pair-programming</code> on port <code>22</code> (for SSH).</li>\n<li>Bob can manage which devices are tagged <code>tag:pair-programming</code>.</li>\n</ul>\n<pre><code class=\"language-json\">{\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"alice@example.com\",\\\r\n        \"bob@example.com\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:pair-programming:22\"\\\r\n      ]\\\r\n    }\\\r\n  ],\r\n  \"tagOwners\": {\r\n    \"tag:pair-programming\": [\\\r\n      \"bob@example.com\"\\\r\n    ]\r\n  }\r\n}\n</code></pre>\n<h2><a href=\"https://tailscale.com/docs/reference/examples/acls#cicd-deployment-pipeline\">CI/CD deployment pipeline</a></h2>\n<p><strong>Prefer grant examples</strong></p>\n<p>Grants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the <a href=\"https://tailscale.com/docs/reference/examples/grants\">grant examples</a>.</p>\n<p>| <a href=\"https://tailscale.com/pricing\">Plan availability</a> | Features |\r\n| --- | --- |\r\n| Personal, Premium, and Enterprise | <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#groups\">groups</a>, <a href=\"https://tailscale.com/docs/features/tags\">tags</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tag-owners\">tag owners</a> |</p>\n<p>Your DevOps or infrastructure team can use Tailscale to restrict access to your deployment pipeline. In this scenario, developers can access your development tools, such as your code repository. Then, an automated CI/CD pipeline builds and deploys code. The DevOps team can access the deployment pipeline and production environment.</p>\n<p>What this example does:</p>\n<ul>\n<li>Members of the development team <code>group:dev</code> can access the devices tagged with <code>tag:dev</code> (such as code repositories and license servers).</li>\n<li>Members of the DevOps team <code>group:devops</code> can access the devices tagged with <code>tag:ci</code> (such as the build tooling) and <code>tag:prod</code> (such as the production environment).</li>\n<li>The DevOps team <code>group:devops</code> can manage which devices are tagged with <code>tag:dev</code>, <code>tag:ci</code>, and <code>tag:prod</code>.</li>\n<li>The tag <code>tag:ci</code> can manage which device are tagged with <code>tag:prod</code> and <code>tag:dev</code> (to apply tags as part of the deployment pipeline).</li>\n</ul>\n<pre><code class=\"language-json\">{\r\n  \"groups\": {\r\n    \"group:dev\": [\\\r\n      \"alice@example.com\",\\\r\n      \"bob@example.com\"\\\r\n    ],\r\n    \"group:devops\": [\\\r\n      \"carl@example.com\"\\\r\n    ]\r\n  },\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"group:dev\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:dev:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"group:devops\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:ci:*\",\\\r\n        \"tag:prod:*\"\\\r\n      ]\\\r\n    }\\\r\n  ],\r\n  \"tagOwners\": {\r\n    \"tag:ci\": [\\\r\n      \"group:devops\"\\\r\n    ],\r\n    \"tag:dev\": [\\\r\n      \"group:devops\",\\\r\n      \"tag:ci\"\\\r\n    ],\r\n    \"tag:prod\": [\\\r\n      \"group:devops\",\\\r\n      \"tag:ci\"\\\r\n    ]\r\n  }\r\n}\n</code></pre>\n<h2><a href=\"https://tailscale.com/docs/reference/examples/acls#monitoring-access-to-applications\">Monitoring access to applications</a></h2>\n<p><strong>Prefer grant examples</strong></p>\n<p>Grants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the <a href=\"https://tailscale.com/docs/reference/examples/grants\">grant examples</a>.</p>\n<p>| <a href=\"https://tailscale.com/pricing\">Plan availability</a> | Features |\r\n| --- | --- |\r\n| Personal, Premium, and Enterprise | <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#groups\">groups</a>, <a href=\"https://tailscale.com/docs/features/tags\">tags</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tag-owners\">tag owners</a> |</p>\n<p>You can modify this example to work on the Standard plan by using <code>autogroup:member</code> instead of a custom group (<code>group:devops</code>).</p>\n<p>Your DevOps team can use Tailscale to query logs from services in your network and report these as part of your monitoring tooling. In this scenario, your monitoring server (such as Prometheus) can access all applications in your network on common ports.</p>\n<p>What this example does:</p>\n<ul>\n<li>Devices tagged with <code>tag:monitoring</code> can access services on ports <code>80</code>, <code>443</code>, <code>9100</code>.</li>\n<li>Devices tagged with <code>tag:monitoring</code> can access services tagged <code>tag:logging</code>.</li>\n<li>The DevOps team <code>group:devops</code> can access devices tagged with <code>tag:monitoring</code> and <code>tag:logging</code>.</li>\n<li>The DevOps team <code>group:devops</code> can manage which devices are tagged with <code>tag:monitoring</code> and <code>tag:logging</code>.</li>\n</ul>\n<pre><code class=\"language-json\">{\r\n  \"groups\": {\r\n    \"group:devops\": [\\\r\n      \"carl@example.com\"\\\r\n    ]\r\n  },\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"tag:monitoring\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"*:80,443,9100\",\\\r\n        \"tag:logging:*\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"group:devops\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:monitoring:*\",\\\r\n        \"tag:logging:*\"\\\r\n      ]\\\r\n    }\\\r\n  ],\r\n  \"tagOwners\": {\r\n    \"tag:monitoring\": [\\\r\n      \"group:devops\"\\\r\n    ],\r\n    \"tag:logging\": [\\\r\n      \"group:devops\"\\\r\n    ]\r\n  }\r\n}\n</code></pre>\n<h2><a href=\"https://tailscale.com/docs/reference/examples/acls#application-peering\">Application peering</a></h2>\n<p><strong>Prefer grant examples</strong></p>\n<p>Grants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the <a href=\"https://tailscale.com/docs/reference/examples/grants\">grant examples</a>.</p>\n<p>| <a href=\"https://tailscale.com/pricing\">Plan availability</a> | Features |\r\n| --- | --- |\r\n| Personal, Premium, and Enterprise | <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#groups\">groups</a>, <a href=\"https://tailscale.com/docs/features/tags\">tags</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tag-owners\">tag owners</a> |</p>\n<p>You can modify this example to work on the Standard plan by using <code>autogroup:member</code> instead of a custom group (<code>group:infra</code>).</p>\n<p>Your infrastructure team can use Tailscale to connect applications or services running in multiple cloud providers or SaaS applications together. In this scenario, one application can connect with another application in your network, for example, to stream from one database to another, such as with\r\n<a href=\"https://materialize.com/introducing-tailscale-materialize\">Materialize</a>.</p>\n<p>What this example does:</p>\n<ul>\n<li>Devices tagged with <code>tag:database</code> can access other devices tagged with <code>tag:database</code>.</li>\n<li>Devices tagged with <code>tag:gcp</code> and <code>tag:aws</code> can access devices tagged with <code>tag:database</code>, but not vice versa.</li>\n<li>The infrastructure team <code>group:infra</code> can manage which devices are tagged with <code>tag:database</code>, <code>tag:gcp</code>, and <code>tag:aws</code>.</li>\n</ul>\n<pre><code class=\"language-json\">{\r\n  \"groups\": {\r\n    \"group:infra\": [\\\r\n      \"carl@example.com\"\\\r\n    ]\r\n  },\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"tag:database\",\\\r\n        \"tag:gcp\",\\\r\n        \"tag:aws\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:database:*\"\\\r\n      ]\\\r\n    }\\\r\n  ],\r\n  \"tagOwners\": {\r\n    \"tag:database\": [\\\r\n      \"group:infra\"\\\r\n    ],\r\n    \"tag:gcp\": [\\\r\n      \"group:infra\"\\\r\n    ],\r\n    \"tag:aws\": [\\\r\n      \"group:infra\"\\\r\n    ]\r\n  }\r\n}\n</code></pre>\n<h2><a href=\"https://tailscale.com/docs/reference/examples/acls#network-microsegmentation\">Network microsegmentation</a></h2>\n<p><strong>Prefer grant examples</strong></p>\n<p>Grants provide all the capabilities of ACLs plus application-layer permissions. For modern access control patterns, refer to the <a href=\"https://tailscale.com/docs/reference/examples/grants\">grant examples</a>.</p>\n<p>| <a href=\"https://tailscale.com/pricing\">Plan availability</a> | Features |\r\n| --- | --- |\r\n| Personal, Premium, and Enterprise | <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#groups\">groups</a>, <a href=\"https://tailscale.com/docs/features/tags\">tags</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tag-owners\">tag owners</a>, <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tests\">tests</a> |</p>\n<p><a href=\"https://tailscale.com/learn/network-microsegmentation\">Network microsegmentation</a> is a security technique that divides network devices, access, and communications into unique logical units. There are many use cases for this—segmenting data centers, virtual networks, customer deployments, and others. Each microsegment is a logical unit that cannot access other microsegments. In some cases, you might still need a support team or tagged devices that can access all segments.</p>\n<p>What this example does:</p>\n<ul>\n<li>Members of the support team <code>group:support</code> can access devices tagged <code>tag:segment-abc</code> and <code>tag:segment-xyz</code> on port <code>443</code>.</li>\n<li>Devices tagged with <code>tag:support</code> can access devices tagged <code>tag:segment-abc</code> and <code>tag:segment-xyz</code> on port <code>443</code>.</li>\n<li><a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tests\">Tests</a>ensure that if ACLs change:\n<ul>\n<li>Members of the support team <code>group:support</code> will still be able to access devices tagged <code>tag:segment-abc</code> and <code>tag:segment-xyz</code> on port <code>443</code>.</li>\n<li>Devices tagged with <code>tag:support</code> will still be able to access devices tagged <code>tag:segment-abc</code> and <code>tag:segment-xyz</code> on port <code>443</code>.</li>\n<li>Devices tagged with <code>tag:segment-abc</code> are denied access to devices tagged <code>tag:segment-xyz</code> on port <code>443</code>.</li>\n<li>Devices tagged with <code>tag:segment-xyz</code> are denied access to devices tagged <code>tag:segment-abc</code> on port <code>443</code>.</li>\n</ul>\n</li>\n</ul>\n<pre><code class=\"language-json\">{\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"group:support\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:segment-abc:443\",\\\r\n        \"tag:segment-xyz:443\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\\\r\n        \"tag:support\"\\\r\n      ],\\\r\n      \"dst\": [\\\r\n        \"tag:segment-abc:443\",\\\r\n        \"tag:segment-xyz:443\"\\\r\n      ]\\\r\n    }\\\r\n  ],\r\n  \"tests\": [\\\r\n    {\\\r\n      \"src\": \"group:support\",\\\r\n      \"accept\": [\\\r\n        \"tag:segment-abc:443\",\\\r\n        \"tag:segment-xyz:443\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"src\": \"tag:support\",\\\r\n      \"accept\": [\\\r\n        \"tag:segment-abc:443\",\\\r\n        \"tag:segment-xyz:443\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"src\": \"tag:segment-abc\",\\\r\n      \"deny\": [\\\r\n        \"tag:segment-xyz:443\"\\\r\n      ]\\\r\n    },\\\r\n    {\\\r\n      \"src\": \"tag:segment-xyz\",\\\r\n      \"deny\": [\\\r\n        \"tag:segment-abc:443\"\\\r\n      ]\\\r\n    }\\\r\n  ],\r\n  \"groups\": {\r\n    \"group:support\": [\\\r\n      \"alice@example.com\",\\\r\n      \"bob@example.com\"\\\r\n    ]\r\n  },\r\n  \"tagOwners\": {\r\n    \"tag:support\": [\\\r\n      \"autogroup:admin\"\\\r\n    ]\r\n  }\r\n}\n</code></pre>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}