{"slug":"set-up-an-app-connector","title":"Set up an app connector","tags":["tailscale","setup"],"agent_summary":"Last validated: Jan 5, 2026","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Set up an app connector\r\n\r\nLast validated: Jan 5, 2026\r\n\r\nApp connectorsare available for [all plans](https://tailscale.com/pricing).\r\n\r\nApp connectors let you route Tailscale network (known as a tailnet) traffic to your software as a service (SaaS), cloud, and self-hosted applications, letting users and devices on the tailnet access applications by domain names instead of IP addresses. You can also incorporate monitoring, optimization, security, and reliability into your app connector setup.\r\n\r\nFor more in-depth information about app connectors, refer to [How app connectors work](https://tailscale.com/docs/features/app-connectors).\r\n\r\nYou can also [deploy an app connector to your Kubernetes cluster using the Kubernetes Operator](https://tailscale.com/docs/features/kubernetes-operator/how-to/app-connector).\r\n\r\n## [Requirements](https://tailscale.com/docs/features/app-connectors/how-to/setup\\#requirements)\r\n\r\nTo set up an app connector, you must have the following:\r\n\r\n- An existing tailnet and user account with the [Owner, Admin, or Network admin](https://tailscale.com/docs/reference/user-roles) role for editing the tailnet policy file and managing the app connector settings in the admin console.\r\n- The Linux device to use as the app connector with the following:\r\n  - A publicly accessible IP address.\r\n  - IP forwarding is enabled.\r\n  - You can use a physical device or a VM as the app connector device.\r\n- A SaaS or self-hosted application with administrative access.\r\n\r\n## [Get started](https://tailscale.com/docs/features/app-connectors/how-to/setup\\#get-started)\r\n\r\nTo add a [preset app](https://tailscale.com/docs/features/app-connectors/how-to/setup#add-a-preset-app) type app connector in your tailnet, you must complete the following steps:\r\n\r\n1. Add the app connector in the admin console to route traffic to your application. When you add a preset app, the `nodeAttrs` section of your [tailnet policy file](https://tailscale.com/docs/features/tailnet-policy-file) will automatically add a new `target` entry for the app connector. The `tagOwners`, `autoApprovers`, and `grants` entries must be manually added in the tailnet policy file.\r\n2. Update your tailnet policy file with the `tagOwners`, `autoApprovers`, and `grants` entries to let devices in your tailnet use the app connector.\r\n3. Configure a Linux node in your tailnet as an app connector device.\r\n4. (Optional) Restrict application access to only the app connector device by configuring an IP allowlist in your application.\r\n\r\nTo add a [custom app](https://tailscale.com/docs/features/app-connectors/how-to/setup#add-a-custom-app) type app connector in your tailnet, you must complete the following steps:\r\n\r\n1. Update your [tailnet policy file](https://tailscale.com/docs/features/tailnet-policy-file) to let devices in your tailnet use the app connector, by adding entries to the `nodeAttrs`, `tagOwners`, `autoApprovers`, and `grants` sections.\r\n2. Configure a Linux node in your tailnet as an app connector device.\r\n3. Add the app connector settings in the admin console to route traffic to your application.\r\n4. (Optional) Restrict application access to only the app connector device by configuring an IP allowlist in your application.\r\n\r\n### [Update the tailnet policy file](https://tailscale.com/docs/features/app-connectors/how-to/setup\\#update-the-tailnet-policy-file)\r\n\r\nConfigure your tailnet policy file with the necessary permissions to let devices use the app connector device.\r\n\r\nYou need to be an [Owner, Admin, or Network admin](https://tailscale.com/docs/reference/user-roles) to edit a tailnet policy file.\r\n\r\n1. Go to the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console.\r\n\r\n2. Add a [`tagOwners`](https://tailscale.com/docs/features/tags) rule to define the tag name and specify which users can assign that tag to other devices, letting them connect to the app connector. The following example defines the `github-admins` group as an owner of the `github-app-connector` tag.\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n```json\r\n\"tagOwners\": {\r\n     \"tag:github-app-connector\": [\\\r\n       \"group:github-admins\",\\\r\n     ],\r\n},\r\n```\r\n\r\n\r\n\r\n\r\n\r\nYou can use the [visual policy editor](https://tailscale.com/docs/features/visual-editor) to manage your tailnet policy file. Refer to the [visual editor reference](https://tailscale.com/docs/reference/visual-editor) for guidance on using the visual editor.\r\n\r\n3. Add an [`autoApprovers`](https://tailscale.com/docs/reference/syntax/policy-file#autoapprovers) rule to automatically approve specific routes for the app connector tag. After you configure app traffic to route through an app connector, any DNS request to the configured app domains triggers route discovery.\r\n\r\n\r\n\r\nPreset apps, in most cases, do not require an `autoApprovers` rule for routes. Tailscale updates and manages the routes for preset apps and these are automatically approved.\r\n\r\n\r\n\r\nHowever, preset apps may also discover new routes through DNS. These learned routes are not automatically approved and will require an `autoApprovers` rule.\r\n\r\n\r\n\r\nCustom apps routes always require an `autoApprovers` rule.\r\n\r\n\r\n\r\nThe following auto-approval policy example automatically approves all IPv4 and IPv6 routes for devices using the `github-app-connector` tag.\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n```json\r\n\"autoApprovers\": {\r\n     \"routes\": {\r\n       \"0.0.0.0/0\": [\"tag:github-app-connector\"],\r\n       \"::/0\": [\"tag:github-app-connector\"],\r\n     },\r\n},\r\n```\r\n\r\n\r\n\r\n\r\n\r\nYou can use the [visual policy editor](https://tailscale.com/docs/features/visual-editor) to manage your tailnet policy file. Refer to the [visual editor reference](https://tailscale.com/docs/reference/visual-editor) for guidance on using the visual editor.\r\n\r\n4. Add a [`grants`](https://tailscale.com/docs/reference/syntax/policy-file#grants) rule to route application-specific traffic through the app connector tag.\r\n\r\nYou must allow tailnet devices to access the routes an app connector advertises. One way to do this is to add an access control policy to your tailnet policy file that grants access to `autogroup:internet` (any port number) for members of the tailnet, which will also grant users access to any exit nodes in the tailnet.\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n```json\r\n\"grants\": [\\\r\n     {\\\r\n       \"src\": [\"autogroup:member\"],\\\r\n       \"dst\": [\"autogroup:internet\"],\\\r\n       \"ip\": [\"*\"]\\\r\n     }\\\r\n]\r\n```\r\n\r\n\r\n\r\n\r\n\r\nYou can use the [visual policy editor](https://tailscale.com/docs/features/visual-editor) to manage your tailnet policy file. Refer to the [visual editor reference](https://tailscale.com/docs/reference/visual-editor) for guidance on using the visual editor.\r\n\r\n\r\n\r\n\r\n\r\nDevices require access to the app connector tag for DNS discovery. App connectors use the PeerAPI to perform DoH calls. Grant minimal access using TCP or UDP on port `53` to enable peer discovery:\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n```json\r\n\"grants\": [\\\r\n     {\\\r\n       \"src\": [\"autogroup:member\"],\\\r\n       \"dst\": [\"tag:github-app-connector\"],\\\r\n       \"ip\": [\"tcp:53\", \"udp:53\"]\\\r\n     }\\\r\n]\r\n```\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\nYou can use the [visual policy editor](https://tailscale.com/docs/features/visual-editor) to manage your tailnet policy file. Refer to the [visual editor reference](https://tailscale.com/docs/reference/visual-editor) for guidance on using the visual editor.\r\n\r\n5. Add a [`nodeAttrs`](https://tailscale.com/docs/reference/syntax/policy-file#nodeattrs) rule to map the app connector tag to the application-specific domains. The following example node attribute definition configures the `github-app-connector` tag for GitHub domains.\r\n\r\n\r\n\r\nIf you are configuring a preset app type app connector, the `nodeAttrs` section is in your tailnet policy file is automatically updated, and you can skip this step.\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n```json\r\n\"nodeAttrs\": [\\\r\n     {\\\r\n       \"target\": [\"*\"],\\\r\n       \"app\": {\\\r\n         \"tailscale.com/app-connectors\": [\\\r\n           {\\\r\n             \"name\": \"GitHub\",\\\r\n             \"connectors\": [\"tag:github-app-connector\"],\\\r\n             \"domains\": [\\\r\n               \"github.com\",\\\r\n               \"*.github.com\"\\\r\n             ]\\\r\n           }\\\r\n         ]\\\r\n       }\\\r\n     }\\\r\n]\r\n```\r\n\r\n\r\n\r\n\r\n\r\nYou can use the [visual policy editor](https://tailscale.com/docs/features/visual-editor) to manage your tailnet policy file. Refer to the [visual editor reference](https://tailscale.com/docs/reference/visual-editor) for guidance on using the visual editor.\r\n\r\n\r\n### [Configure a device as an app connector](https://tailscale.com/docs/features/app-connectors/how-to/setup\\#configure-a-device-as-an-app-connector)\r\n\r\nAfter updating the [tailnet policy file](https://tailscale.com/docs/features/app-connectors/how-to/setup#requirements-for-the-tailnet-policy-file), configure the device to function as an app connector.\r\n\r\nThe app connector device must be running Linux, already added to your tailnet, have a public IP address, and IP port forwarding enabled.\r\n\r\nRun the following Tailscale CLI command, making sure to replace the variables in the angle brackets (`<>`) with the actual app connector tag name.\r\n\r\n```shell\r\ntailscale up --advertise-connector --advertise-tags=tag:<connector-tag-name>\r\n```\r\n\r\nThe `--advertise-connector` flag enables the device to route traffic for specific domains according to the configuration in the tailnet policy file. The `--advertise-tags` flag tells the Tailscale client to authenticate the device with the provided tags.\r\n\r\n#### [Add a preset app](https://tailscale.com/docs/features/app-connectors/how-to/setup\\#add-a-preset-app)\r\n\r\nPreset apps are the applications we support for automatically adding the necessary domains needed for your application, and can reduce the time needed for app connector configuration. After set up, preset apps periodically fetch domains and routes from the application's authoritative configuration and propagate any changes to the tailnet.\r\n\r\nTailscale supports the following preset apps:\r\n\r\n- AWS CloudFront (global)\r\n- AWS Elastic Compute Cloud (EC2) / Elastic Load Balancing (ELB)\r\n- AWS Simple Storage Service (S3)\r\n- Confluence\r\n- GitHub\r\n- Google Workspace\r\n- Jira\r\n- Microsoft 365\r\n- Okta\r\n- Salesforce (Hyperforce environment)\r\n- Salesforce (Salesforce-hosted)\r\n- Stripe\r\n\r\nYou need to be an [Owner, Admin, or Network admin](https://tailscale.com/docs/reference/user-roles) of a tailnet to configure a preset app.\r\n\r\n1. Open the [Apps](https://login.tailscale.com/admin/apps) page of the admin console.\r\n\r\n2. In the **Add an app** dialog, enter the following details.\r\n1. **Name**: Enter a unique name for identifying the application.\r\n2. **Target**: Select a preset app to automatically add the domains for your application.\r\n3. **Connectors**: Select a tag or set of tags that you configured for your app connector in your tailnet policy file.\r\n3. Select **Save**.\r\n\r\n\r\nA green icon next to the app connector name indicates that it is currently active and working as expected.\r\n\r\nSelect the app connector you added for additional details you can use to administer settings on both your tailnet and your application.\r\n\r\n![App connector details for a preset app.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fapp-connector-preset.633ee96a.png&w=3840&q=75)\r\n\r\nTraffic to configured domains routes through tagged app connectors before reaching target domains on the internet. This routing occurs even when the originating device uses an exit node. The source IP address for this traffic appears as one of the public IP addresses from the devices running as app connectors.\r\n\r\n#### [Add a custom app](https://tailscale.com/docs/features/app-connectors/how-to/setup\\#add-a-custom-app)\r\n\r\nIf your application is not available as a preset app in the admin console, you can manually configure the settings.\r\n\r\nYou need to be an [Owner, Admin, or Network admin](https://tailscale.com/docs/reference/user-roles) of a tailnet to add and edit app connectors.\r\n\r\n1. Open the [Apps](https://login.tailscale.com/admin/apps) page of the admin console.\r\n\r\n2. In the **Add an app** dialog, enter the following details.\r\n1. **Name**: Enter a unique name for identifying the application.\r\n2. **Target**: Select **Custom** and manually enter the application domain names. If you need to add multiple domain entries, separate each one with a comma. When specifying domains, you can use wildcards for subdomains but not for top-level domains (TLDs). For example, `*.example.com`, `*.example.co.uk`, `*.example.info` are valid while `*.com`, `*.co.uk`, `*.info` are not valid.\r\n3. **Connectors**: Select a tag or set of tags that you configured for your app connector in your tailnet policy file.\r\n3. Select **Save**.\r\n\r\n\r\nA green icon next to the app connector name indicates that it is currently active and working as expected.\r\n\r\nSelect the app connector you added for additional details you can use to administer settings on both your tailnet and your application.\r\n\r\n![App connector details for a custom app.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fapp-connector-custom.633b5ac7.png&w=3840&q=75)\r\n\r\n#### [Edit preset apps](https://tailscale.com/docs/features/app-connectors/how-to/setup\\#edit-preset-apps)\r\n\r\nThe [Apps](https://login.tailscale.com/admin/apps) page of the admin console is the primary way to set up a preset app and automatically updates the `presetAppID` when you add an app connector. You can also manually modify the `presetAppID` for an app in your tailnet policy file.\r\n\r\nThe following shows an example snippet with GitHub as a preset app.\r\n\r\n```json\r\n\"nodeAttrs\": [\\\r\n  {\\\r\n    \"target\": [\"*\"],\\\r\n    \"app\": {\\\r\n      \"tailscale.com/app-connectors\": [\\\r\n        {\\\r\n          \"name\": \"github app\",\\\r\n          \"connectors\": [\"tag:code\", \"tag:ci-cd\"],\\\r\n          \"presetAppID\": \"github\"\\\r\n        }\\\r\n      ]\\\r\n    }\\\r\n  }\\\r\n]\r\n```\r\n\r\nYou can use the [visual policy editor](https://tailscale.com/docs/features/visual-editor) to manage your tailnet policy file. Refer to the [visual editor reference](https://tailscale.com/docs/reference/visual-editor) for guidance on using the visual editor.\r\n\r\nThe following is the list of the supported preset apps as they appear in the tailnet policy file.\r\n\r\n| **Preset app name** | **`presetAppID` value** |\r\n| --- | --- |\r\n| AWS CloudFront (global) | `aws-cloudfront-global` |\r\n| AWS EC2/ELB | `aws-ec2-<region>-<availability-zone>-<local-zone>` |\r\n| AWS S3 | `aws-s3-<region>-<availability-zone>-<local-zone>` |\r\n| Confluence | `confluence` |\r\n| GitHub | `github` |\r\n| Google Workspace | `google-workspace` |\r\n| Jira | `jira` |\r\n| Microsoft 365 | `microsoft-365` |\r\n| Okta | `okta` |\r\n| Salesforce (Hyperforce environment) | `salesforce-hyperforce` |\r\n| Salesforce (Salesforce-hosted) | `salesforce` |\r\n| Stripe | `stripe` |\r\n\r\n#### [Remove an app connector](https://tailscale.com/docs/features/app-connectors/how-to/setup\\#remove-an-app-connector)\r\n\r\nYou must be an [Owner, Admin, or Network admin](https://tailscale.com/docs/reference/user-roles) of a tailnet to remove an app connector.\r\n\r\n1. Open the [Apps](https://login.tailscale.com/admin/apps) page of the admin console.\r\n2. Select the ![ellipsis icon](https://tailscale.com/files/images/icons/fa-ellipsis-h.svg) menu next to the app connector you want to remove, and select **Remove**.\r\n\r\nAfter you remove an app connector, traffic to the application no longer routes through the app connector. Instead, traffic to the application's domain names routes directly from the client device or through an exit node if the device uses one.\r\n\r\nIf you no longer need the app connector device in your tailnet, you can [remove it](https://tailscale.com/docs/features/access-control/device-management/how-to/remove).\r\n\r\n### [Restrict application access by IP address](https://tailscale.com/docs/features/app-connectors/how-to/setup\\#restrict-application-access-by-ip-address)\r\n\r\nMany applications let you control access by specifying which IP addresses can connect to them. When you use an app connector, all traffic from your tailnet to the target application appears to come from the app connector's public egress IP address. This means you can add the app connector's egress IP address to your target application's trusted list of ingress IP addresses (called an IP allowlist). This ensures only users with access to the app connector can access the target application.\r\n\r\nTo set this up, find your application's IP allowlist settings and add the public IP address of each device running as an app connector. If you use multiple app connectors for redundancy, add all their public IP addresses. You can find these IP addresses in your cloud provider's management interface.\r\n\r\nThe following is a list of Tailscale's supported preset apps and links for configuring specific IP addresses (IP allowlisting) for providing exclusive access to your app connector devices.\r\n\r\n- [AWS](https://docs.aws.amazon.com/dtconsole/latest/userguide/connections-ip-address.html)\r\n- [Confluence](https://support.atlassian.com/security-and-access-policies/docs/specify-ip-addresses-for-product-access/)\r\n- [GitHub](https://docs.github.com/en/enterprise-cloud@latest/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-allowed-ip-addresses-for-your-organization)\r\n- [Google Workspace](https://support.google.com/a/answer/12642752?hl=en)\r\n- [Jira](https://support.atlassian.com/security-and-access-policies/docs/specify-ip-addresses-for-product-access/)\r\n- [Microsoft 365](https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide)\r\n- [Okta](https://support.okta.com/help/s/article/How-to-Allow-Access-to-the-Okta-Applications-Only-From-a-Specific-IP-Range)\r\n- [Salesforce](https://help.salesforce.com/s/articleView?id=000386441&type=1)\r\n- [Stripe](https://docs.stripe.com/keys#limit-api-secret-keys-ip-address)\r\n\r\nTailscale automatically finds the preset app's IP addresses. Go to the [Apps](https://login.tailscale.com/admin/apps) page in the admin console, select the app details you'd like to configure, and copy the **Egress IPs** listed. This list includes all IP addresses of all connectors configured on the associated tags. Remember to update your IP allowlist if you add new app connectors.\r\n\r\nApp connector devices have two different IP addresses. The [Tailscale IP address](https://tailscale.com/docs/concepts/tailscale-ip-addresses), which is private to your tailnet, and the public IP address, which other applications on the internet can reach. When configuring IP access controls, you need the public IP address, not the Tailscale IP address.\r\n\r\n## [Limitations](https://tailscale.com/docs/features/app-connectors/how-to/setup\\#limitations)\r\n\r\n- Linux is the only operating system that can be used as an app connector device in a tailnet.\r\n- App connectors cannot be shared across multiple tailnets.\r\n- Advertising more than 10K routes on any instance, or across the whole tailnet, will cause significant functionality issues for connecting clients.\r\n- Tailnets are limited to advertising 250 domains across all applications.\r\n- Using frequently changing or [ephemeral](https://tailscale.com/docs/features/ephemeral-nodes) resources as app connectors is not recommended. App connectors learn over time and build routes to connected domains, so using a stable routing infrastructure provides better performance and reliability.\r\n- If you manage your tailnet policy file using an external provider like [Terraform](https://tailscale.com/docs/integrations/terraform-provider) or [GitOps](https://tailscale.com/docs/gitops), any changes you make to app connectors in the admin console will be overwritten during the next sync. Make sure to manage app connectors through your external provider.\r\n","html":"<h1>Set up an app connector</h1>\n<p>Last validated: Jan 5, 2026</p>\n<p>App connectorsare available for <a href=\"https://tailscale.com/pricing\">all plans</a>.</p>\n<p>App connectors let you route Tailscale network (known as a tailnet) traffic to your software as a service (SaaS), cloud, and self-hosted applications, letting users and devices on the tailnet access applications by domain names instead of IP addresses. You can also incorporate monitoring, optimization, security, and reliability into your app connector setup.</p>\n<p>For more in-depth information about app connectors, refer to <a href=\"https://tailscale.com/docs/features/app-connectors\">How app connectors work</a>.</p>\n<p>You can also <a href=\"https://tailscale.com/docs/features/kubernetes-operator/how-to/app-connector\">deploy an app connector to your Kubernetes cluster using the Kubernetes Operator</a>.</p>\n<h2><a href=\"https://tailscale.com/docs/features/app-connectors/how-to/setup#requirements\">Requirements</a></h2>\n<p>To set up an app connector, you must have the following:</p>\n<ul>\n<li>An existing tailnet and user account with the <a href=\"https://tailscale.com/docs/reference/user-roles\">Owner, Admin, or Network admin</a> role for editing the tailnet policy file and managing the app connector settings in the admin console.</li>\n<li>The Linux device to use as the app connector with the following:\n<ul>\n<li>A publicly accessible IP address.</li>\n<li>IP forwarding is enabled.</li>\n<li>You can use a physical device or a VM as the app connector device.</li>\n</ul>\n</li>\n<li>A SaaS or self-hosted application with administrative access.</li>\n</ul>\n<h2><a href=\"https://tailscale.com/docs/features/app-connectors/how-to/setup#get-started\">Get started</a></h2>\n<p>To add a <a href=\"https://tailscale.com/docs/features/app-connectors/how-to/setup#add-a-preset-app\">preset app</a> type app connector in your tailnet, you must complete the following steps:</p>\n<ol>\n<li>Add the app connector in the admin console to route traffic to your application. When you add a preset app, the <code>nodeAttrs</code> section of your <a href=\"https://tailscale.com/docs/features/tailnet-policy-file\">tailnet policy file</a> will automatically add a new <code>target</code> entry for the app connector. The <code>tagOwners</code>, <code>autoApprovers</code>, and <code>grants</code> entries must be manually added in the tailnet policy file.</li>\n<li>Update your tailnet policy file with the <code>tagOwners</code>, <code>autoApprovers</code>, and <code>grants</code> entries to let devices in your tailnet use the app connector.</li>\n<li>Configure a Linux node in your tailnet as an app connector device.</li>\n<li>(Optional) Restrict application access to only the app connector device by configuring an IP allowlist in your application.</li>\n</ol>\n<p>To add a <a href=\"https://tailscale.com/docs/features/app-connectors/how-to/setup#add-a-custom-app\">custom app</a> type app connector in your tailnet, you must complete the following steps:</p>\n<ol>\n<li>Update your <a href=\"https://tailscale.com/docs/features/tailnet-policy-file\">tailnet policy file</a> to let devices in your tailnet use the app connector, by adding entries to the <code>nodeAttrs</code>, <code>tagOwners</code>, <code>autoApprovers</code>, and <code>grants</code> sections.</li>\n<li>Configure a Linux node in your tailnet as an app connector device.</li>\n<li>Add the app connector settings in the admin console to route traffic to your application.</li>\n<li>(Optional) Restrict application access to only the app connector device by configuring an IP allowlist in your application.</li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/features/app-connectors/how-to/setup#update-the-tailnet-policy-file\">Update the tailnet policy file</a></h3>\n<p>Configure your tailnet policy file with the necessary permissions to let devices use the app connector device.</p>\n<p>You need to be an <a href=\"https://tailscale.com/docs/reference/user-roles\">Owner, Admin, or Network admin</a> to edit a tailnet policy file.</p>\n<ol>\n<li>\n<p>Go to the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console.</p>\n</li>\n<li>\n<p>Add a <a href=\"https://tailscale.com/docs/features/tags\"><code>tagOwners</code></a> rule to define the tag name and specify which users can assign that tag to other devices, letting them connect to the app connector. The following example defines the <code>github-admins</code> group as an owner of the <code>github-app-connector</code> tag.</p>\n</li>\n</ol>\n<pre><code class=\"language-json\">\"tagOwners\": {\r\n     \"tag:github-app-connector\": [\\\r\n       \"group:github-admins\",\\\r\n     ],\r\n},\n</code></pre>\n<p>You can use the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual policy editor</a> to manage your tailnet policy file. Refer to the <a href=\"https://tailscale.com/docs/reference/visual-editor\">visual editor reference</a> for guidance on using the visual editor.</p>\n<ol start=\"3\">\n<li>Add an <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#autoapprovers\"><code>autoApprovers</code></a> rule to automatically approve specific routes for the app connector tag. After you configure app traffic to route through an app connector, any DNS request to the configured app domains triggers route discovery.</li>\n</ol>\n<p>Preset apps, in most cases, do not require an <code>autoApprovers</code> rule for routes. Tailscale updates and manages the routes for preset apps and these are automatically approved.</p>\n<p>However, preset apps may also discover new routes through DNS. These learned routes are not automatically approved and will require an <code>autoApprovers</code> rule.</p>\n<p>Custom apps routes always require an <code>autoApprovers</code> rule.</p>\n<p>The following auto-approval policy example automatically approves all IPv4 and IPv6 routes for devices using the <code>github-app-connector</code> tag.</p>\n<pre><code class=\"language-json\">\"autoApprovers\": {\r\n     \"routes\": {\r\n       \"0.0.0.0/0\": [\"tag:github-app-connector\"],\r\n       \"::/0\": [\"tag:github-app-connector\"],\r\n     },\r\n},\n</code></pre>\n<p>You can use the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual policy editor</a> to manage your tailnet policy file. Refer to the <a href=\"https://tailscale.com/docs/reference/visual-editor\">visual editor reference</a> for guidance on using the visual editor.</p>\n<ol start=\"4\">\n<li>Add a <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#grants\"><code>grants</code></a> rule to route application-specific traffic through the app connector tag.</li>\n</ol>\n<p>You must allow tailnet devices to access the routes an app connector advertises. One way to do this is to add an access control policy to your tailnet policy file that grants access to <code>autogroup:internet</code> (any port number) for members of the tailnet, which will also grant users access to any exit nodes in the tailnet.</p>\n<pre><code class=\"language-json\">\"grants\": [\\\r\n     {\\\r\n       \"src\": [\"autogroup:member\"],\\\r\n       \"dst\": [\"autogroup:internet\"],\\\r\n       \"ip\": [\"*\"]\\\r\n     }\\\r\n]\n</code></pre>\n<p>You can use the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual policy editor</a> to manage your tailnet policy file. Refer to the <a href=\"https://tailscale.com/docs/reference/visual-editor\">visual editor reference</a> for guidance on using the visual editor.</p>\n<p>Devices require access to the app connector tag for DNS discovery. App connectors use the PeerAPI to perform DoH calls. Grant minimal access using TCP or UDP on port <code>53</code> to enable peer discovery:</p>\n<pre><code class=\"language-json\">\"grants\": [\\\r\n     {\\\r\n       \"src\": [\"autogroup:member\"],\\\r\n       \"dst\": [\"tag:github-app-connector\"],\\\r\n       \"ip\": [\"tcp:53\", \"udp:53\"]\\\r\n     }\\\r\n]\n</code></pre>\n<p>You can use the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual policy editor</a> to manage your tailnet policy file. Refer to the <a href=\"https://tailscale.com/docs/reference/visual-editor\">visual editor reference</a> for guidance on using the visual editor.</p>\n<ol start=\"5\">\n<li>Add a <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#nodeattrs\"><code>nodeAttrs</code></a> rule to map the app connector tag to the application-specific domains. The following example node attribute definition configures the <code>github-app-connector</code> tag for GitHub domains.</li>\n</ol>\n<p>If you are configuring a preset app type app connector, the <code>nodeAttrs</code> section is in your tailnet policy file is automatically updated, and you can skip this step.</p>\n<pre><code class=\"language-json\">\"nodeAttrs\": [\\\r\n     {\\\r\n       \"target\": [\"*\"],\\\r\n       \"app\": {\\\r\n         \"tailscale.com/app-connectors\": [\\\r\n           {\\\r\n             \"name\": \"GitHub\",\\\r\n             \"connectors\": [\"tag:github-app-connector\"],\\\r\n             \"domains\": [\\\r\n               \"github.com\",\\\r\n               \"*.github.com\"\\\r\n             ]\\\r\n           }\\\r\n         ]\\\r\n       }\\\r\n     }\\\r\n]\n</code></pre>\n<p>You can use the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual policy editor</a> to manage your tailnet policy file. Refer to the <a href=\"https://tailscale.com/docs/reference/visual-editor\">visual editor reference</a> for guidance on using the visual editor.</p>\n<h3><a href=\"https://tailscale.com/docs/features/app-connectors/how-to/setup#configure-a-device-as-an-app-connector\">Configure a device as an app connector</a></h3>\n<p>After updating the <a href=\"https://tailscale.com/docs/features/app-connectors/how-to/setup#requirements-for-the-tailnet-policy-file\">tailnet policy file</a>, configure the device to function as an app connector.</p>\n<p>The app connector device must be running Linux, already added to your tailnet, have a public IP address, and IP port forwarding enabled.</p>\n<p>Run the following Tailscale CLI command, making sure to replace the variables in the angle brackets (<code>&#x3C;></code>) with the actual app connector tag name.</p>\n<pre><code class=\"language-shell\">tailscale up --advertise-connector --advertise-tags=tag:&#x3C;connector-tag-name>\n</code></pre>\n<p>The <code>--advertise-connector</code> flag enables the device to route traffic for specific domains according to the configuration in the tailnet policy file. The <code>--advertise-tags</code> flag tells the Tailscale client to authenticate the device with the provided tags.</p>\n<h4><a href=\"https://tailscale.com/docs/features/app-connectors/how-to/setup#add-a-preset-app\">Add a preset app</a></h4>\n<p>Preset apps are the applications we support for automatically adding the necessary domains needed for your application, and can reduce the time needed for app connector configuration. After set up, preset apps periodically fetch domains and routes from the application's authoritative configuration and propagate any changes to the tailnet.</p>\n<p>Tailscale supports the following preset apps:</p>\n<ul>\n<li>AWS CloudFront (global)</li>\n<li>AWS Elastic Compute Cloud (EC2) / Elastic Load Balancing (ELB)</li>\n<li>AWS Simple Storage Service (S3)</li>\n<li>Confluence</li>\n<li>GitHub</li>\n<li>Google Workspace</li>\n<li>Jira</li>\n<li>Microsoft 365</li>\n<li>Okta</li>\n<li>Salesforce (Hyperforce environment)</li>\n<li>Salesforce (Salesforce-hosted)</li>\n<li>Stripe</li>\n</ul>\n<p>You need to be an <a href=\"https://tailscale.com/docs/reference/user-roles\">Owner, Admin, or Network admin</a> of a tailnet to configure a preset app.</p>\n<ol>\n<li>\n<p>Open the <a href=\"https://login.tailscale.com/admin/apps\">Apps</a> page of the admin console.</p>\n</li>\n<li>\n<p>In the <strong>Add an app</strong> dialog, enter the following details.</p>\n</li>\n<li>\n<p><strong>Name</strong>: Enter a unique name for identifying the application.</p>\n</li>\n<li>\n<p><strong>Target</strong>: Select a preset app to automatically add the domains for your application.</p>\n</li>\n<li>\n<p><strong>Connectors</strong>: Select a tag or set of tags that you configured for your app connector in your tailnet policy file.</p>\n</li>\n<li>\n<p>Select <strong>Save</strong>.</p>\n</li>\n</ol>\n<p>A green icon next to the app connector name indicates that it is currently active and working as expected.</p>\n<p>Select the app connector you added for additional details you can use to administer settings on both your tailnet and your application.</p>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fapp-connector-preset.633ee96a.png&#x26;w=3840&#x26;q=75\" alt=\"App connector details for a preset app.\"></p>\n<p>Traffic to configured domains routes through tagged app connectors before reaching target domains on the internet. This routing occurs even when the originating device uses an exit node. The source IP address for this traffic appears as one of the public IP addresses from the devices running as app connectors.</p>\n<h4><a href=\"https://tailscale.com/docs/features/app-connectors/how-to/setup#add-a-custom-app\">Add a custom app</a></h4>\n<p>If your application is not available as a preset app in the admin console, you can manually configure the settings.</p>\n<p>You need to be an <a href=\"https://tailscale.com/docs/reference/user-roles\">Owner, Admin, or Network admin</a> of a tailnet to add and edit app connectors.</p>\n<ol>\n<li>\n<p>Open the <a href=\"https://login.tailscale.com/admin/apps\">Apps</a> page of the admin console.</p>\n</li>\n<li>\n<p>In the <strong>Add an app</strong> dialog, enter the following details.</p>\n</li>\n<li>\n<p><strong>Name</strong>: Enter a unique name for identifying the application.</p>\n</li>\n<li>\n<p><strong>Target</strong>: Select <strong>Custom</strong> and manually enter the application domain names. If you need to add multiple domain entries, separate each one with a comma. When specifying domains, you can use wildcards for subdomains but not for top-level domains (TLDs). For example, <code>*.example.com</code>, <code>*.example.co.uk</code>, <code>*.example.info</code> are valid while <code>*.com</code>, <code>*.co.uk</code>, <code>*.info</code> are not valid.</p>\n</li>\n<li>\n<p><strong>Connectors</strong>: Select a tag or set of tags that you configured for your app connector in your tailnet policy file.</p>\n</li>\n<li>\n<p>Select <strong>Save</strong>.</p>\n</li>\n</ol>\n<p>A green icon next to the app connector name indicates that it is currently active and working as expected.</p>\n<p>Select the app connector you added for additional details you can use to administer settings on both your tailnet and your application.</p>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fapp-connector-custom.633b5ac7.png&#x26;w=3840&#x26;q=75\" alt=\"App connector details for a custom app.\"></p>\n<h4><a href=\"https://tailscale.com/docs/features/app-connectors/how-to/setup#edit-preset-apps\">Edit preset apps</a></h4>\n<p>The <a href=\"https://login.tailscale.com/admin/apps\">Apps</a> page of the admin console is the primary way to set up a preset app and automatically updates the <code>presetAppID</code> when you add an app connector. You can also manually modify the <code>presetAppID</code> for an app in your tailnet policy file.</p>\n<p>The following shows an example snippet with GitHub as a preset app.</p>\n<pre><code class=\"language-json\">\"nodeAttrs\": [\\\r\n  {\\\r\n    \"target\": [\"*\"],\\\r\n    \"app\": {\\\r\n      \"tailscale.com/app-connectors\": [\\\r\n        {\\\r\n          \"name\": \"github app\",\\\r\n          \"connectors\": [\"tag:code\", \"tag:ci-cd\"],\\\r\n          \"presetAppID\": \"github\"\\\r\n        }\\\r\n      ]\\\r\n    }\\\r\n  }\\\r\n]\n</code></pre>\n<p>You can use the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual policy editor</a> to manage your tailnet policy file. Refer to the <a href=\"https://tailscale.com/docs/reference/visual-editor\">visual editor reference</a> for guidance on using the visual editor.</p>\n<p>The following is the list of the supported preset apps as they appear in the tailnet policy file.</p>\n<p>| <strong>Preset app name</strong> | <strong><code>presetAppID</code> value</strong> |\r\n| --- | --- |\r\n| AWS CloudFront (global) | <code>aws-cloudfront-global</code> |\r\n| AWS EC2/ELB | <code>aws-ec2-&#x3C;region>-&#x3C;availability-zone>-&#x3C;local-zone></code> |\r\n| AWS S3 | <code>aws-s3-&#x3C;region>-&#x3C;availability-zone>-&#x3C;local-zone></code> |\r\n| Confluence | <code>confluence</code> |\r\n| GitHub | <code>github</code> |\r\n| Google Workspace | <code>google-workspace</code> |\r\n| Jira | <code>jira</code> |\r\n| Microsoft 365 | <code>microsoft-365</code> |\r\n| Okta | <code>okta</code> |\r\n| Salesforce (Hyperforce environment) | <code>salesforce-hyperforce</code> |\r\n| Salesforce (Salesforce-hosted) | <code>salesforce</code> |\r\n| Stripe | <code>stripe</code> |</p>\n<h4><a href=\"https://tailscale.com/docs/features/app-connectors/how-to/setup#remove-an-app-connector\">Remove an app connector</a></h4>\n<p>You must be an <a href=\"https://tailscale.com/docs/reference/user-roles\">Owner, Admin, or Network admin</a> of a tailnet to remove an app connector.</p>\n<ol>\n<li>Open the <a href=\"https://login.tailscale.com/admin/apps\">Apps</a> page of the admin console.</li>\n<li>Select the <img src=\"https://tailscale.com/files/images/icons/fa-ellipsis-h.svg\" alt=\"ellipsis icon\"> menu next to the app connector you want to remove, and select <strong>Remove</strong>.</li>\n</ol>\n<p>After you remove an app connector, traffic to the application no longer routes through the app connector. Instead, traffic to the application's domain names routes directly from the client device or through an exit node if the device uses one.</p>\n<p>If you no longer need the app connector device in your tailnet, you can <a href=\"https://tailscale.com/docs/features/access-control/device-management/how-to/remove\">remove it</a>.</p>\n<h3><a href=\"https://tailscale.com/docs/features/app-connectors/how-to/setup#restrict-application-access-by-ip-address\">Restrict application access by IP address</a></h3>\n<p>Many applications let you control access by specifying which IP addresses can connect to them. When you use an app connector, all traffic from your tailnet to the target application appears to come from the app connector's public egress IP address. This means you can add the app connector's egress IP address to your target application's trusted list of ingress IP addresses (called an IP allowlist). This ensures only users with access to the app connector can access the target application.</p>\n<p>To set this up, find your application's IP allowlist settings and add the public IP address of each device running as an app connector. If you use multiple app connectors for redundancy, add all their public IP addresses. You can find these IP addresses in your cloud provider's management interface.</p>\n<p>The following is a list of Tailscale's supported preset apps and links for configuring specific IP addresses (IP allowlisting) for providing exclusive access to your app connector devices.</p>\n<ul>\n<li><a href=\"https://docs.aws.amazon.com/dtconsole/latest/userguide/connections-ip-address.html\">AWS</a></li>\n<li><a href=\"https://support.atlassian.com/security-and-access-policies/docs/specify-ip-addresses-for-product-access/\">Confluence</a></li>\n<li><a href=\"https://docs.github.com/en/enterprise-cloud@latest/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-allowed-ip-addresses-for-your-organization\">GitHub</a></li>\n<li><a href=\"https://support.google.com/a/answer/12642752?hl=en\">Google Workspace</a></li>\n<li><a href=\"https://support.atlassian.com/security-and-access-policies/docs/specify-ip-addresses-for-product-access/\">Jira</a></li>\n<li><a href=\"https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide\">Microsoft 365</a></li>\n<li><a href=\"https://support.okta.com/help/s/article/How-to-Allow-Access-to-the-Okta-Applications-Only-From-a-Specific-IP-Range\">Okta</a></li>\n<li><a href=\"https://help.salesforce.com/s/articleView?id=000386441&#x26;type=1\">Salesforce</a></li>\n<li><a href=\"https://docs.stripe.com/keys#limit-api-secret-keys-ip-address\">Stripe</a></li>\n</ul>\n<p>Tailscale automatically finds the preset app's IP addresses. Go to the <a href=\"https://login.tailscale.com/admin/apps\">Apps</a> page in the admin console, select the app details you'd like to configure, and copy the <strong>Egress IPs</strong> listed. This list includes all IP addresses of all connectors configured on the associated tags. Remember to update your IP allowlist if you add new app connectors.</p>\n<p>App connector devices have two different IP addresses. The <a href=\"https://tailscale.com/docs/concepts/tailscale-ip-addresses\">Tailscale IP address</a>, which is private to your tailnet, and the public IP address, which other applications on the internet can reach. When configuring IP access controls, you need the public IP address, not the Tailscale IP address.</p>\n<h2><a href=\"https://tailscale.com/docs/features/app-connectors/how-to/setup#limitations\">Limitations</a></h2>\n<ul>\n<li>Linux is the only operating system that can be used as an app connector device in a tailnet.</li>\n<li>App connectors cannot be shared across multiple tailnets.</li>\n<li>Advertising more than 10K routes on any instance, or across the whole tailnet, will cause significant functionality issues for connecting clients.</li>\n<li>Tailnets are limited to advertising 250 domains across all applications.</li>\n<li>Using frequently changing or <a href=\"https://tailscale.com/docs/features/ephemeral-nodes\">ephemeral</a> resources as app connectors is not recommended. App connectors learn over time and build routes to connected domains, so using a stable routing infrastructure provides better performance and reliability.</li>\n<li>If you manage your tailnet policy file using an external provider like <a href=\"https://tailscale.com/docs/integrations/terraform-provider\">Terraform</a> or <a href=\"https://tailscale.com/docs/gitops\">GitOps</a>, any changes you make to app connectors in the admin console will be overwritten during the next sync. Make sure to manage app connectors through your external provider.</li>\n</ul>\n"}