Private Networking on Hetzner Cloud with Tailscale
The article describes setting up a private network on Hetzner Cloud using Tailscale to create a VPC-style environment for a self-hosted Kubernetes cluster. The architecture ensures cluster nodes have no public IPs, with all egress routed through a single NAT gateway. Access to the cluster is secured via Tailscale, allowing private-only connectivity for internal tools while keeping public applications accessible over the internet.
- The Kubernetes cluster is deployed in a private network (10.0.0.0/16) with no public IPs except for a single NAT gateway.
- Tailscale is used to enable secure access to the private network through subnet routing and device authentication.
- Public applications are exposed via a public load balancer, while internal services remain accessible only within the Tailnet.
- The NAT gateway performs MASQUERADE NAT and advertises the private subnet to the Tailnet using Tailscale's routing features.
- Terraform manages the infrastructure, including network configuration, firewall rules, and Tailscale ACLs for access control.
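The gateway role summarized above (forwarding, MASQUERADE for the private subnet, and advertising that subnet to the tailnet) can be sketched as follows. This is an added example, not code from the article; the interface name `eth0`, the use of iptables, and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not the article's code. Assumed: interface eth0, iptables,
# tailscaled installed and logged in. Prints the commands unless APPLY=1.
set -eu
PRIVATE_CIDR="${PRIVATE_CIDR:-10.0.0.0/16}"  # private network from the summary
PUBLIC_IF="${PUBLIC_IF:-eth0}"               # assumed public interface name
APPLY="${APPLY:-0}"

# Accept only a.b.c.d/len with len 8..32, so a typo such as 0.0.0.0/0 cannot
# turn the gateway into a route for everything. The body runs in a subshell
# ( ... ) so the IFS change and "set --" stay local to this function.
valid_cidr() (
  case "$1" in */*) ;; *) return 1 ;; esac
  ip="${1%/*}"; len="${1#*/}"
  case "$ip" in ''|*[!0-9.]*|.*|*.) return 1 ;; esac
  case "$len" in ''|*[!0-9]*) return 1 ;; esac
  [ "$len" -ge 8 ] && [ "$len" -le 32 ] || return 1
  IFS=.
  set -- $ip
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ -n "$o" ] && [ "$o" -le 255 ] || return 1
  done
)

run() { if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

configure_gateway() {
  valid_cidr "$PRIVATE_CIDR" || { echo "refusing CIDR: $PRIVATE_CIDR" >&2; return 1; }
  case "$PUBLIC_IF" in ''|*[!A-Za-z0-9_.-]*) echo "bad interface" >&2; return 1 ;; esac
  # Forward packets between the private network and the public interface.
  # sysctl -w does not persist across reboots; add a sysctl.d entry for that.
  run sysctl -w net.ipv4.ip_forward=1
  # Source NAT for node egress. -C tests for the rule so re-runs do not stack it.
  set -- POSTROUTING -s "$PRIVATE_CIDR" -o "$PUBLIC_IF" -j MASQUERADE
  if [ "$APPLY" != 1 ] || ! iptables -t nat -C "$@" 2>/dev/null; then
    run iptables -t nat -A "$@"
  fi
  # Offer the subnet to the tailnet. Peers cannot use the route until it is
  # approved in the admin console or by an autoApprovers entry in the policy.
  run tailscale up --advertise-routes="$PRIVATE_CIDR"
}

# Dry run by default; APPLY=1 (as root, on the gateway) executes the commands.
configure_gateway
```

Run it without arguments to review the three commands, then with `APPLY=1` as root on the gateway host.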
Opening excerpt (first ~120 words)
Private Networking on Hetzner Cloud with Tailscale
January 28, 2026 • 5 min read
infrastructure kubernetes networking terraform tailscale hetzner

This is a follow-up to Why I Built My Own Kubernetes Cluster

The cluster post was about why I built my own Kubernetes cluster. This one is about the private network that makes the rest possible. I wanted the cluster to live in a VPC-style network with zero public node IPs, reachable only from my own internal network. Tailscale is the bridge here. I keep Raspberry Pi Zero exit nodes across Europe with friends for VPN use, so I already use Tailscale a lot. That’s why it was the obvious choice for private access.

What I Wanted from the Network

I wanted three things:

Private-only cluster nodes: no public IPs anywhere except one gateway.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at Onat Mercan’s Blog.