A new generation of Tailscale access controls

Today, we’re announcing the general availability of grants, Tailscale’s next generation of access controls that combine network and application capabilities into a single syntax. Grants are a superset of our original ACLs — anything you can write as an ACL can be expressed as a grant. In most scenarios, grants are easier to write and read than the ACL syntax. Let’s take a look: "acls" : [ { "action" : "accept" , "src" : [ "group:eng" ] , "dst" : [ "tag:internal-tool:443" ] , "proto" : [ "tcp" ] } ] , "grants" : [ { "src" : [ "group:eng" ] , "dst" : [ "tag:internal-tool" ] "ip" : [ "tcp:443" ] } ] Grants are designed to be easy to write and easy to read, for both humans and computers. We combined ports and protocols into a single ip field, and removed the redundant action field. This simplifies our original ACL syntax, where these fields were needed in every rule. Grants go beyond simplifying the ACL syntax, they also add new tools that you can use for more powerful access controls. ... Read full article.