MagicDNS & Hostname Conventions

A Tailscale MagicDNS machine name is a single DNS label, so when a node's OS hostname is an FQDN such as loki.shared.cwiq.io, Tailscale replaces the dots with dashes and the node is reachable on the tailnet as loki-shared-cwiq-io. Using the dotted FQDN instead of the dash-form Tailscale hostname is a common and critical mistake when configuring cross-VPC services: the name resolves, but to an address the other VPC cannot reach.


Use dashes, NOT dots for Tailscale hostnames

When configuring any service to push data or connect to another server over Tailscale, always use the dash-format Tailscale hostname, not the FQDN with dots.

CORRECT:   loki-shared-cwiq-io         (Tailscale MagicDNS)
WRONG:     loki.shared.cwiq.io         (FQDN — resolves to VPC IP, not routable cross-VPC)

The FQDN (loki.shared.cwiq.io) resolves, via the private Route53 zone, to the VPC private IP (10.0.15.157). That address is not routable from the dev VPC over a Tailscale connection unless a subnet router advertises the shared-services range and the client accepts the route. The Tailscale hostname resolves to the node's Tailscale IP (in 100.64.0.0/10) and routes directly through the mesh, so it works from any tailnet node regardless of VPC.
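The check below is an added example, not part of this page or of Tailscale's tooling. It converts an FQDN to its MagicDNS form, resolves a name with the system resolver (which includes MagicDNS on a tailnet node) and classifies the result as a Tailscale address (100.64.0.0/10, the range Tailscale assigns) or a VPC address. It assumes bash, a glibc `getent`, and that the VPCs use 10.0.0.0/8, which is inferred from the addresses in this page's tables rather than stated by the page.

```shell
#!/usr/bin/env bash
# Added example: confirm which network a hostname resolves into before wiring it
# into a service. Assumptions: bash, glibc getent, VPC range 10.0.0.0/8 (inferred
# from this page's tables); 100.64.0.0/10 is Tailscale's CGNAT address range.

# fqdn_to_tailscale loki.shared.cwiq.io -> loki-shared-cwiq-io
# MagicDNS names are one DNS label, so every dot in the OS hostname becomes a dash.
fqdn_to_tailscale() {
    printf '%s\n' "$1" | tr '.' '-'
}

# ip_to_int A.B.C.D -> 32-bit integer, for prefix arithmetic
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# classify_ip IP -> "tailscale" (100.64.0.0/10), "vpc" (10.0.0.0/8) or "other"
classify_ip() {
    local n
    n=$(ip_to_int "$1")
    if (( (n & 0xFFC00000) == 0x64400000 )); then
        echo tailscale
    elif (( (n & 0xFF000000) == 0x0A000000 )); then
        echo vpc
    else
        echo other
    fi
}

# resolve_v4 NAME -> first IPv4 address from the system resolver (needs network);
# non-zero exit when the name does not resolve.
resolve_v4() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }' | grep .
}

# check_target NAME: exit 0 only when NAME resolves into the tailnet range.
# A VPC address means the FQDN was used and cross-VPC traffic needs a subnet router.
check_target() {
    local name=$1 ip kind
    ip=$(resolve_v4 "$name") || { echo "FAIL: $name does not resolve" >&2; return 1; }
    kind=$(classify_ip "$ip")
    case $kind in
        tailscale) echo "OK:   $name -> $ip (tailnet, routable from any node)" ;;
        vpc)       echo "FAIL: $name -> $ip (VPC address; needs subnet router cross-VPC)" >&2; return 1 ;;
        *)         echo "WARN: $name -> $ip (outside both ranges)" >&2; return 2 ;;
    esac
}

# Usage on a tailnet node:
#   check_target "$(fqdn_to_tailscale loki.shared.cwiq.io)"   # should print OK
#   check_target loki.shared.cwiq.io                          # FAIL from the dev VPC
```

Run `check_target` against the name you are about to put in a config file; a FAIL means the service will try to talk to the 10.0.x.x address and time out from the other VPC.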


Observability Stack Connection Reference

This table is the authoritative reference for connecting to shared-services observability from any non-shared-services server (dev, demo, or developer laptop):

| Service | Tailscale Hostname (USE THIS) | FQDN (DO NOT USE cross-VPC) | VPC IP | Port | Protocol |
|---|---|---|---|---|---|
| Loki (log push) | loki-shared-cwiq-io | loki.shared.cwiq.io | 10.0.15.157 | 3100 | HTTP |
| Prometheus (metric push) | prometheus-shared-cwiq-io | prometheus.shared.cwiq.io | 10.0.15.9 | 9009 | HTTP (remote write) |
| Prometheus (query) | prometheus-shared-cwiq-io | prometheus.shared.cwiq.io | 10.0.15.9 | 9090 | HTTP |
| AlertManager | prometheus-shared-cwiq-io | prometheus.shared.cwiq.io | 10.0.15.9 | 9093 | HTTP |
| Grafana | grafana-shared-cwiq-io | grafana.shared.cwiq.io | 10.0.15.186 | 3000 | HTTP |
| Icinga (master) | icinga-shared-cwiq-io | icinga.shared.cwiq.io | | 5665 | Icinga2 API |
| Icinga (dev satellite) | icinga-dev-cwiq-io | | | 5665 | Icinga2 API |

When to Use Each DNS Type

| Access Pattern | DNS to Use | Reason |
|---|---|---|
| Dev/Demo server → observability stack | Tailscale hostname (loki-shared-cwiq-io) | Cross-VPC; Tailscale routes correctly |
| Server within Shared-services VPC → same VPC | Either FQDN or Tailscale hostname | Same VPC; FQDN resolves to VPC IP (works) |
| EKS runner pod → Nexus/SonarQube | FQDN (nexus.shared.cwiq.io) | Resolves to VPC private IP via private Route53 zone; pods use VPC peering |
| Browser / human access | HTTPS FQDN | Routed via HTTPS through ALB or nginx |
| Ansible playbook on any server | Tailscale hostname | Consistent cross-environment |

Alloy Agent Configuration

Alloy agents (deployed on all servers) send logs to Loki and metrics to Prometheus. Dev and demo servers must use the Tailscale hostnames because they are cross-VPC; shared-services servers could use the FQDN, but the Tailscale hostname is preferred there too for consistency. The values are therefore identical for every environment, and alloy/group_vars/all.yml defines them once:

```yaml
# Same values on every server: dev/demo require the Tailscale hostnames (cross-VPC),
# shared-services uses them for consistency.
alloy_loki_url: "http://loki-shared-cwiq-io:3100/loki/api/v1/push"
alloy_prometheus_remote_write_url: "http://prometheus-shared-cwiq-io:9009/api/v1/write"
```
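Because the mistake is easy to make when someone edits group_vars by hand, a pre-deploy lint is worth having. The script below is an added example, not one of the page's playbooks: it pulls every `alloy_*_url` key out of a vars file, extracts the host part of the URL and rejects anything that is a dotted FQDN or a raw IP rather than a dash-form MagicDNS name, then optionally probes the endpoint. The sample vars file it writes is constructed for the example; the variable names come from this page, and `curl` being installed is an assumption.

```shell
#!/usr/bin/env bash
# Added example: lint alloy_*_url values in an Ansible vars file so they point at
# dash-form MagicDNS names, not dotted FQDNs or raw VPC IPs. The sample vars file
# below is constructed; variable names match this page; curl is assumed present.

# url_host URL -> host part without scheme, userinfo, port or path
url_host() {
    local rest=${1#*://}      # drop scheme
    rest=${rest%%/*}          # drop path
    rest=${rest##*@}          # drop userinfo
    rest=${rest%%:*}          # drop port
    printf '%s\n' "$rest"
}

# host_kind HOST -> "ip" (dotted quad), "fqdn" (contains dots) or "tailscale" (one label)
host_kind() {
    if [[ $1 =~ ^[0-9]+(\.[0-9]+){3}$ ]]; then
        echo ip
    elif [[ $1 == *.* ]]; then
        echo fqdn
    else
        echo tailscale
    fi
}

# lint_alloy_vars FILE: one OK/BAD line per alloy_*_url key; exit 1 if any is BAD.
lint_alloy_vars() {
    local re='^[[:space:]]*(alloy_[a-z_]*_url):[[:space:]]*"?([^"[:space:]]+)"?'
    local line key url host kind bad=0
    while IFS= read -r line; do
        [[ $line =~ $re ]] || continue
        key=${BASH_REMATCH[1]}
        url=${BASH_REMATCH[2]}
        host=$(url_host "$url")
        kind=$(host_kind "$host")
        if [[ $kind == tailscale ]]; then
            printf 'OK   %s -> %s\n' "$key" "$host"
        else
            printf 'BAD  %s -> %s (%s; use the dash-form MagicDNS name)\n' "$key" "$host" "$kind"
            bad=1
        fi
    done < "$1"
    return $bad
}

# count_bad_urls FILE -> number of offending keys (handy for CI gates)
count_bad_urls() {
    lint_alloy_vars "$1" | grep -c '^BAD' || true
}

# probe_url URL -> HTTP status code; 000 means no connection (needs network).
# Loki answers GET /ready; a remote-write endpoint rejects GET, but any non-000
# code still proves the host is reachable on that port from this node.
probe_url() {
    curl -s -m 5 -o /dev/null -w '%{http_code}\n' "$1" || true
}

# write_sample_vars FILE: constructed sample with one correct and one wrong entry
write_sample_vars() {
    cat > "$1" <<'EOF'
# constructed sample group_vars: the second key wrongly uses the dotted FQDN
alloy_loki_url: "http://loki-shared-cwiq-io:3100/loki/api/v1/push"
alloy_prometheus_remote_write_url: "http://prometheus.shared.cwiq.io:9009/api/v1/write"
EOF
}

main() {
    local tmp
    tmp=$(mktemp)
    write_sample_vars "$tmp"
    lint_alloy_vars "$tmp" || echo "fix the BAD entries before deploying"
    rm -f "$tmp"
    # On a tailnet node, also confirm the push target answers:
    #   probe_url http://loki-shared-cwiq-io:3100/ready
}

[[ ${BASH_SOURCE[0]} == "$0" ]] && main
```

Point `lint_alloy_vars` at the real alloy/group_vars/all.yml in a pre-commit hook or pipeline step; a non-zero exit blocks the deploy until the host is rewritten in dash form.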

Full Server Hostname Reference

| DNS Hostname | Tailscale Hostname | Purpose |
|---|---|---|
| gitlab.shared.cwiq.io | gitlab-shared-cwiq-io | GitLab (also ALB for public access) |
| vault.shared.cwiq.io | vault-shared-cwiq-io | Vault secrets |
| nexus.shared.cwiq.io | nexus-shared-cwiq-io | Nexus artifacts |
| sonarqube.shared.cwiq.io | sonarqube-shared-cwiq-io | SonarQube |
| defectdojo.shared.cwiq.io | defectdojo-shared-cwiq-io | DefectDojo |
| ansible-shared-cwiq-io | ansible-shared-cwiq-io | Ansible server |
| icinga.shared.cwiq.io | icinga-shared-cwiq-io | Icinga master |
| grafana.shared.cwiq.io | grafana-shared-cwiq-io | Grafana |
| prometheus.shared.cwiq.io | prometheus-shared-cwiq-io | Prometheus + AlertManager |
| loki.shared.cwiq.io | loki-shared-cwiq-io | Loki |
| orchestrator.dev.cwiq.io | orchestrator-dev-cwiq-io | Orchestrator DEV |
| langfuse.dev.cwiq.io | langfuse-dev-cwiq-io | LangFuse |
| orchestrator.demo.cwiq.io | orchestrator-demo-cwiq-io | Demo |
| identity-db.dev.cwiq.io | identity-db-dev-cwiq-io | Identity DB |