Skip to main content

Configuring Hosts with Tags

Tags in Managed Nebula can be created on-the-fly when creating hosts or explicitly via the Tags page, and are used to identify hosts by their various facets (e.g. region:us-west-1, os:windows, or owner:quality-assurance) as well as to assign config to hosts. This guide will walk you through configuring hosts by tags.

As you roll Managed Nebula out to your hosts, you may discover that some hosts benefit from a bit of extra configuration. For example, you may notice that nodes which run Docker will, by default, advertise their local Docker networking IPs to the Lighthouse - IPs which will never be routable from another node - leading to inefficient handshakes and in some cases, failures to communicate altogether. Or, you may want to ensure that nodes in a specific datacenter (DC) only ever speak over their local private network. For these use cases and more, tags are a great way to apply this config to your hosts in a reusable manner.

Tag Basics

Creating tags

To manually create a tag, visit the Tags page of the Defined Networking admin panel. Let's create an example tag called example:true by clicking on the Add button on the top right of the page.

Tags always consist of a key and value, separated by a colon. You can optionally give the tag a description in order to clarify the tag's purpose - we recommend including a description that will help others on your team understand when to apply the tag to new hosts.

Add a new tag form, requiring a name and an optional descriptionAdd a new tag form, requiring a name and an optional description

Using Host advanced config, you can specify config which will be applied to hosts that have the tag assigned. Let's set the Logging > Level option to Debug now.

Add host config to tag modal, requiring an option and a valueAdd host config to tag modal, requiring an option and a value

When you're all finished, click "Save" to create the tag.

Assigning tags

Now that we have a tag carrying configuration, we can assign it to both existing and new hosts. To assign the tag to an existing host, find the target host in your Hosts list, click the three dots on the far right of its row, and choose Edit. Find the Tags field in the form and add example:true.

Edit host form, showing the newly created tag in the tags fieldEdit host form, showing the newly created tag in the tags field

Once the host is saved, it will automatically fetch a new configuration from the server. You may view the dnclient logs on the host to verify that it is now in debug mode.

For new hosts, simply specify the tag at host creation time through the form in the admin panel or in the JSON payload of the create host API request.

Tag Precedence

Config specified on hosts always take precedence over tags. However, since hosts can be assigned many tags, you may find yourself in a situation where a host is assigned two tags with conflicting config values. In this case, the tag priority is used to determine which value will prevail.

As a rather contrived example, let's assume you have two tags assigned to a single host: debug:true and debug:false. The former sets the "Logging > Level" to "debug" while the latter sets the same option to "info." So, which value will actually be set?

We can check which tag a higher precedence by clicking the "Reorder" button at the top right of the Tags page. Since debug:true is listed before debug:false, its config has a higher precedence and so a host assigned both tags will be set to "debug" log level.

Tag reorder page showing debug:true above debug:falseTag reorder page showing debug:true above debug:false

Let's reorder the tags now so that debug:false has a higher precedence.

Tag reorder page showing debug:false reordered to be above debug:trueTag reorder page showing debug:false reordered to be above debug:true

If we want to be sure that a host has been configured with the options we expect, we can navigate to its detail page and find the "Advanced config" section. Here we can see that the host is using the value set by the debug:false tag.

Host detail page showing the config value set by the debug:false tagHost detail page showing the config value set by the debug:false tag


Now that we have a general understanding of how to use tags, let's look at some specific examples.

Docker Networking

When using Docker, it's common to create internal networks allowing containers to communicate with each other.

For example, let's create a new bridge network, a container for it, and check our IP addresses:

# docker network create my-network

# docker create --network my-network nginx:latest

# ip --brief addr
lo UNKNOWN ::1/128
docker0 DOWN fe80::42:feff:fe03:e78f/64
br-c977d98f4e53 UP fe80::42:36ff:fede:9d4d/64
veth91adfec@if7 UP fe80::dc9b:79ff:feab:19c0/64
eth0@if30 UP metric 100 fe80::216:3eff:fe45:54a9/64

Here we can see the default docker0 bridge device, br-c977d98f4e53 corresponding to the bridge network we created, and veth91adfec corresponding to the host we created. As the count of Docker networks and containers increases, so do the number of IP addresses registered to this machine.

While none of these IP addresses are routable from another host, Nebula doesn't know that, and so they are reported to the Lighthouse at the regular interval. This will eventually become a problem because the Lighthouse will only track 20 IPs per host. If you have 20 or more Docker IP addresses, the address assigned to eth0@if30 may not make the cut, and the Lighthouse would have 0 routable IP addresses for the node.

To overcome this, we can block these interfaces using the lighthouse.local_allow_list option. Let's create a tag called docker:host and define three rules to disallow interfaces with the prefixes docker, br- or veth. Because this option takes regular expressions, we'll use docker.*, br-.* and veth.* as our deny rules. When all rules are set to "deny," the default will be to "allow" when interfaces don't match any of these patterns.

Edit tag form showing Docker network exclusion configurationEdit tag form showing Docker network exclusion configuration

Lastly, assign the tag to any Docker hosts in your environment to ensure they don't report their Docker IP addresses to the Lighthouse.

Private Networking

While Nebula encrypts all traffic between nodes, some users may find it desirable to have Nebula only send traffic over private (RFC 1918) networks. For this we can use the lighthouse.remote_allow_list option. This restricts which IP addresses nodes will consider when handshaking with peers.

Create a tag (e.g. private-only:true) and then create allow rules for each of '',, and When all rules are set to "allow," the default will be to "deny" IP addresses that don't match these CIDRs.

Edit tag form showing private networking configurationEdit tag form showing private networking configuration

Now any hosts assigned the private-only:true tag will communicate to other Nebula nodes only over private IP space.