Tag

A tag is a key:value label that you assign to a host to describe a facet of its identity, for example region:us-west-1, os:windows, or owner:quality-assurance. A host can carry any number of tags. Tags can be defined ahead of time on the Tags page of the Defined Networking admin panel, or created on-the-fly while creating or editing a host. A tag's key may be up to 20 characters and its value up to 50, with no surrounding whitespace.

Tags serve two main purposes. Like a role, a tag can be referenced in firewall rules, letting you grant access based on an attribute a host carries rather than its role alone. For example, you can allow SSH only to hosts tagged user-type:admin. A tag can also carry configuration that is automatically applied to every host it is assigned to, providing a reusable way to push settings, such as Nebula lighthouse.local_allow_list rules, to groups of hosts.

Because a host may have several tags whose configuration overlaps, tags have a priority order: when two tags set conflicting values, the higher-priority tag wins. Configuration set directly on a host always takes precedence over configuration inherited from a tag.

For a walkthrough of creating, assigning, and ordering tags, see Configuring hosts with tags.