Hacker News
by stavros 1512 days ago
Does Nebula have anything like Tailscale's rules engine? I am absolutely in love with being able to configure all my connections by just specifying a JSON file somewhere. No need to have firewalls, the configuration specifies which service or user can talk to which.

That having been said, I am also wary of using Tailscale for the same reasons as above; I have to trust Tailscale and GitHub? I can maybe justify trusting Tailscale, but trusting GH/Microsoft/other SSO provider is a bridge too far.

1 comments

It does! In fact, replacing AWS security groups and making them cross-region and cross-platform was probably the first goal of the project. My coauthor, Nate, wrote Nebula's internal firewall code before we wrote a single line of the actual protocol, because he wanted to ensure it was performant enough for massive scale.
Well that is great, thank you! I will play with it today.
Ah, it looks like the firewall rules need to be copied to each host separately. That's not a dealbreaker, but not as easy to deploy as having them managed centrally (by the lighthouse, I guess?).