Creating a Hybrid Cloud: Integrate AWS and Proxmox Homelab Using Tailscale
Learn How to Seamlessly Connect On-Premises and Cloud Resources with Tailscale for a Powerful Hybrid Cloud Setup.

This guide walks you through setting up a clean, reliable hybrid cloud between AWS and a Proxmox homelab using Tailscale. It covers the end‑to‑end network path, on‑prem provisioning (Proxmox + LXC), routing/NAT, verification, and a comprehensive troubleshooting section for network connectivity and database integration.
Use this as the foundation. For the application deployment (frontend, backend, DB schema, monitoring), continue with Article 2, coming soon.
Table of contents
Install Proxmox on your homelab PC
Access the Proxmox dashboard from another PC
Proxmox components at a glance
Overview and architecture (basic flow)
Create LXC container (ct-db)
Create an AWS EC2 instance
Tailscale setup (Proxmox host + EC2)
Enable forwarding and NAT on Proxmox
Verify EC2-to-container connectivity
Troubleshooting: Network connectivity & DB integration
Install Proxmox on your homelab PC
Download Proxmox VE ISO
Create a bootable USB from the ISO (Rufus, balenaEtcher, or dd)
Boot your homelab PC from USB and follow the Proxmox installer
During network setup:
Set a static IP in your LAN (e.g., 192.168.8.100)
Gateway = your router (e.g., 192.168.8.1)
DNS = your router or 8.8.8.8
Finish install and reboot. On the host console you’ll see something like:
Management URL: https://<proxmox-ip>:8006/
Login with the credentials you created
Tip: The first login may show a subscription warning; you can still proceed without a subscription.
Access the Proxmox dashboard from another PC

From another PC in the same network:
Open a browser and go to: https://<proxmox_ip>:8006/
Accept the self-signed certificate warning
Login as the user created during install
You now have access to the Proxmox web UI to create containers and manage networking, storage, and backups.
Proxmox components at a glance
Node (proxmox): the physical host that runs everything (VMs/containers)
LXC containers (CTs): lightweight OS environments sharing the host kernel; fast and efficient for services like DBs and monitoring
SDN: optional virtual networking features (VLANs, overlays); can be ignored initially
Storage:
local (/var/lib/vz): ISOs, templates, backups
local-lvm: VM/CT disks (faster for root disks)
Conceptual layout:
Datacenter
└── Node: proxmox (your physical server)
    ├── Containers:
    │   └── 101 (ct-db)
    ├── Networks:
    │   └── vmbr0 (LAN bridge)
    └── Storages:
        ├── local (ISO/backups)
        └── local-lvm (VM/CT disks)
Overview and architecture (basic flow)
Minimal hybrid layout: one EC2 instance in AWS talks privately (via Tailscale) to a single LXC container (ct-db) on your Proxmox host.
🌩️ AWS Cloud
┌─────────────────┐
│  EC2 Instance   │  (App / Test Client)
└────────┬────────┘
         │
   (Tailscale VPN)
         │
┌────────┴──────────┐
│   Proxmox Host    │
│  ┌─────────────┐  │
│  │ LXC: ct-db  │  │  (MariaDB / PostgreSQL)
│  └─────────────┘  │
└───────────────────┘
Goal: Secure, low-latency private connectivity between cloud and homelab for development and experimentation.
Create LXC container (ct-db)
Create a single lightweight LXC container for the database.
Suggested specs:
- ct-db: 2 vCPU, 2–3 GB RAM, Disk 10 GB, static IP (e.g., 192.168.8.101/24), gateway 192.168.8.1
Steps:
Datacenter → proxmox → local (storage) → Templates → download Ubuntu template
Create CT → set Hostname ct-db, assign static IP 192.168.8.101/24, gateway 192.168.8.1, bridge vmbr0
Resources: 2 cores, 2048 MB RAM, optional 512 MB swap
Finish → Start container → Console → verify network:
ping 8.8.8.8 -c 5
Enable “Start at boot” (ct-db → Options → Start at boot → Enable)
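The same container can be created from the Proxmox host shell with pct, which is handy when you rebuild the lab. The script below is an added example, not part of the article: it applies the article's values (CT 101, hostname ct-db, 2 cores, 2048 MB RAM, 512 MB swap, 10 GB on local-lvm, 192.168.8.101/24 on vmbr0, gateway 192.168.8.1) and first checks that the static IP and gateway actually share a subnet, a mistake that otherwise only shows up as a silent ping failure in the console. The template file name is a placeholder (take the real one from `pveam available --section system`), and the environment-variable overrides and CT_PASSWORD are my assumptions.

```shell
#!/bin/sh
# Added example (not from the article): CLI equivalent of the "Create LXC container" GUI steps.
# Run on the Proxmox host as root: CT_PASSWORD=... sh create-ct-db.sh run
set -eu

CT_ID="${CT_ID:-101}"
CT_NAME="${CT_NAME:-ct-db}"
# Placeholder template name: replace with one listed by `pveam available --section system`.
CT_TEMPLATE="${CT_TEMPLATE:-ubuntu-22.04-standard_VERSION_amd64.tar.zst}"
CT_IP="${CT_IP:-192.168.8.101/24}"
CT_GW="${CT_GW:-192.168.8.1}"

# True when $2 (gateway) lies inside the network given by $1 (ip/prefix). A missing or
# out-of-range prefix length is rejected, since Proxmox needs the CIDR form for a static IP.
same_subnet() {
  printf '%s %s\n' "$1" "$2" | awk '
    function to_int(ip,   o) { split(ip, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    {
      n = split($1, p, "/")
      if (n != 2 || p[2] < 1 || p[2] > 32) exit 1
      hostbits = 32 - p[2]
      # compare the network parts: identical when the host bits are stripped
      exit int(to_int(p[1]) / 2^hostbits) != int(to_int($2) / 2^hostbits)
    }'
}

# The --net0 value for the article's networking choices (bridge vmbr0, static IP + gateway).
ct_net0() {
  printf 'name=eth0,bridge=vmbr0,ip=%s,gw=%s\n' "$CT_IP" "$CT_GW"
}

# Download the template, create and start the CT, then run the article's in-console check.
provision_ct() {
  if ! same_subnet "$CT_IP" "$CT_GW"; then
    echo "gateway $CT_GW is not inside $CT_IP; fix CT_IP/CT_GW before creating the container" >&2
    return 1
  fi
  pveam update
  pveam download local "$CT_TEMPLATE"
  pct create "$CT_ID" "local:vztmpl/$CT_TEMPLATE" \
    --hostname "$CT_NAME" --cores 2 --memory 2048 --swap 512 \
    --rootfs local-lvm:10 --net0 "$(ct_net0)" \
    --onboot 1 --unprivileged 1 --password "${CT_PASSWORD:?set CT_PASSWORD}"
  pct start "$CT_ID"
  # same verification the article does from the CT console
  pct exec "$CT_ID" -- ping -c 5 8.8.8.8
}

if [ "${1:-}" = "run" ]; then provision_ct; fi
```

The `--onboot 1` flag is the CLI form of "Start at boot", and `--unprivileged 1` keeps the database container from running as host root, which is the default the Proxmox UI also proposes.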
Create an AWS EC2 instance
Create a minimal EC2 instance (for testing)
AMI: Amazon Linux 2023 (or Ubuntu 22.04 LTS)
Type: t2.nano or t2.micro
Network: place in your VPC (public or private subnet is fine for testing)
Security Group: allow SSH from your IP (port 22)
Connect via SSH using your key pair
Tailscale setup (Proxmox host + EC2)
Install and authenticate Tailscale on both the Proxmox host and the EC2 instance using the SAME account.
On Proxmox host (advertise the LXC subnet):
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up --advertise-routes=192.168.8.0/24
On EC2 (accept advertised routes):
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up --accept-routes
Validation:
tailscale status # both peers listed
ip route get 192.168.8.101 # should show dev tailscale0
If the route does not appear, re-run EC2 command with --accept-routes or check ACLs in the Tailscale admin console.
Enable forwarding and NAT on Proxmox
By default, Tailscale traffic terminates at the Proxmox host. Enable Linux forwarding and NAT so traffic can reach the LXC bridge (vmbr0) and flow back.
On Proxmox host:
- Enable forwarding (persistent)
- sysctl: net.ipv4.ip_forward=1
- NAT and forward rules (iptables examples)
NAT: iptables -t nat -A POSTROUTING -s 100.64.0.0/10 -o vmbr0 -j MASQUERADE
Forward allow: iptables -I FORWARD -s 100.64.0.0/10 -d 192.168.8.0/24 -j ACCEPT
Forward return: iptables -I FORWARD -s 192.168.8.0/24 -d 100.64.0.0/10 -m state --state RELATED,ESTABLISHED -j ACCEPT
Note: 100.64.0.0/10 is the Tailscale CGNAT range. Adjust if you use a different mesh range.
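The three iptables commands above are easy to apply twice (for example after a reboot or when re-running a setup script), and `-I` then stacks duplicate rules. The helper below is an added example, not the article's code: it keeps the article's ranges and bridge name, checks each rule with `iptables -C` before inserting it, and persists ip_forward in a sysctl drop-in (my choice; editing /etc/sysctl.conf as the article says is equivalent). The drop-in path and the environment-variable overrides are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): idempotent forwarding + NAT setup for the Proxmox host.
# Run as root: sh tailscale-nat.sh apply
set -eu

MESH_NET="${MESH_NET:-100.64.0.0/10}"   # Tailscale CGNAT range (adjust if your mesh differs)
LAN_NET="${LAN_NET:-192.168.8.0/24}"    # LXC/LAN subnet advertised via Tailscale
LAN_BRIDGE="${LAN_BRIDGE:-vmbr0}"       # Proxmox LAN bridge
SYSCTL_FILE="${SYSCTL_FILE:-/etc/sysctl.d/99-tailscale-forward.conf}"  # assumed path

# The three rules this helper manages, one per line: "<table> <chain> <rule spec>".
# The spec is exactly what iptables expects after the chain name, so the same text
# works for -C (check), -I (insert) and -D (delete).
managed_rules() {
  printf '%s\n' \
    "nat POSTROUTING -s $MESH_NET -o $LAN_BRIDGE -j MASQUERADE" \
    "filter FORWARD -s $MESH_NET -d $LAN_NET -j ACCEPT" \
    "filter FORWARD -s $LAN_NET -d $MESH_NET -m state --state RELATED,ESTABLISHED -j ACCEPT"
}

# Persist ip_forward=1 so it survives reboots; prints the file written.
persist_forwarding() {
  printf 'net.ipv4.ip_forward = 1\n' > "$SYSCTL_FILE"
  printf '%s\n' "$SYSCTL_FILE"
}

# Insert a rule only when "iptables -C" reports it missing, so re-running never duplicates it.
ensure_rule() {
  table="$1"; chain="$2"; spec="$3"
  # shellcheck disable=SC2086  # $spec must word-split into separate iptables arguments
  if iptables -t "$table" -C "$chain" $spec 2>/dev/null; then
    echo "present: $table $chain $spec"
  else
    iptables -t "$table" -I "$chain" $spec
    echo "added:   $table $chain $spec"
  fi
}

apply_rules() {
  managed_rules | while read -r table chain spec; do
    ensure_rule "$table" "$chain" "$spec"
  done
}

# Health check: number of managed rules currently loaded (expect 3 after apply).
rules_installed() {
  managed_rules | while read -r table chain spec; do
    # shellcheck disable=SC2086
    iptables -t "$table" -C "$chain" $spec 2>/dev/null && echo "$table $chain"
  done | grep -c . || true
}

if [ "${1:-}" = "apply" ]; then
  persist_forwarding
  sysctl -w net.ipv4.ip_forward=1
  apply_rules
  echo "rules installed: $(rules_installed)/3"
fi
```

Because `-I` puts each rule at the top of its chain, the ACCEPT rules take precedence over any default DROP policy on FORWARD; `rules_installed` is the quick way to confirm all three are still present after a reboot.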
Verify EC2-to-container connectivity
Run these quick checks after enabling routes and NAT:
From EC2 (after Tailscale + NAT):
ping 192.168.8.101
From Proxmox host:
tcpdump -i vmbr0 host 192.168.8.101
Troubleshooting: Network connectivity & DB integration
All connectivity issues from “Network Connectivity & Database Integration Troubleshooting” have been consolidated here.
Symptoms and quick diagnoses
EC2 → Proxmox host: ping works, but EC2 → ct-db: ping fails
- Likely cause: EC2 not accepting Tailscale subnet routes; or Proxmox not forwarding/NATing
App timeout on DB connection
- Likely causes: wrong host IP, DB bound to localhost, missing user/privileges, route not via tailscale0
Fix 1: Accept subnet routes on EC2
sudo tailscale up --accept-routes
Confirm: tailscale status shows accepted routes; ip route get 192.168.8.101 returns dev tailscale0 (table 52)
Fix 2: Enable IP forwarding and NAT on Proxmox
sysctl: net.ipv4.ip_forward=1 (persist via /etc/sysctl.conf)
iptables NAT: -t nat -A POSTROUTING -s 100.64.0.0/10 -d 192.168.8.0/24 -j MASQUERADE
iptables FORWARD: allow 100.64.0.0/10 ↔ 192.168.8.0/24 as shown above
Verification commands
EC2:
ping 192.168.8.101
ip route get 192.168.8.101
Proxmox host:
tailscale status
iptables -L -v -n
iptables -t nat -L -v -n
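The checks in the Validation and Verification steps above can be scripted so that each failure points at the matching entry in the "Symptoms and quick diagnoses" list. The script below is an added example, not the article's code: the parsing functions take command output as a string, so they run offline against the constructed samples embedded in the block, while `diagnose` runs the live commands on the EC2 instance. The subnet-router hostname "proxmox", the DB port 3306 (MariaDB; use 5432 for PostgreSQL), the sample outputs and the environment-variable overrides are my assumptions.

```shell
#!/bin/sh
# Added example (not from the article): EC2-side checks for the EC2 -> Tailscale -> ct-db path.
# Run on the EC2 instance: sh check-path.sh run
set -eu

DB_HOST="${DB_HOST:-192.168.8.101}"
DB_PORT="${DB_PORT:-3306}"             # 3306 MariaDB, 5432 PostgreSQL
ROUTER_HOST="${ROUTER_HOST:-proxmox}"  # hostname of the subnet router in `tailscale status`

# Constructed sample outputs (not captured from a real host) for exercising the parsers offline.
SAMPLE_ROUTE_OK='192.168.8.101 dev tailscale0 table 52 src 100.101.102.103 uid 1000'
SAMPLE_ROUTE_BAD='192.168.8.101 via 172.31.0.1 dev eth0 src 172.31.5.20 uid 1000'
SAMPLE_STATUS='100.101.102.103 ec2-app   alice@ linux   -
100.64.10.20    proxmox   alice@ linux   active; direct 203.0.113.7:41641'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# $1 = output of `ip route get $DB_HOST`; true when the packet leaves via tailscale0
# (accepted subnet routes live in routing table 52, which `ip route get` consults).
route_via_tailscale() {
  printf '%s\n' "$1" | grep -q 'dev tailscale0'
}

# $1 = peer hostname, $2 = output of `tailscale status`; each line reads
# "<100.x.y.z> <hostname> <user> <os> <state>", so the hostname is field 2.
peer_listed() {
  printf '%s\n' "$2" | awk -v want="$1" '$2 == want { found = 1 } END { exit !found }'
}

# $1 = port, $2 = output of `ss -ltn` run inside ct-db; prints the address the port is bound to.
# "127.0.0.1" is the "DB bound to localhost" cause from the list above; the container IP,
# 0.0.0.0 or * means the service is reachable over vmbr0. Prints nothing if the port is not open.
listen_address() {
  printf '%s\n' "$2" | awk -v port="$1" '
    $1 == "LISTEN" {
      n = split($4, a, ":")
      if (a[n] == port) { sub(":" port "$", "", $4); print $4; exit }
    }'
}

# Live run on EC2: every failed check prints the likely cause and the fix from the article.
diagnose() {
  rc=0
  if ! peer_listed "$ROUTER_HOST" "$(tailscale status 2>&1)"; then
    echo "FAIL: $ROUTER_HOST missing from tailscale status -> both nodes must use the same Tailscale account"; rc=1
  fi
  if ! route_via_tailscale "$(ip route get "$DB_HOST" 2>&1)"; then
    echo "FAIL: $DB_HOST not routed via tailscale0 -> sudo tailscale up --accept-routes (Fix 1); check the route is approved in the admin console"; rc=1
  fi
  if ! ping -c 3 -W 2 "$DB_HOST" >/dev/null 2>&1; then
    echo "FAIL: no ICMP reply from $DB_HOST -> check ip_forward and the NAT/FORWARD rules on Proxmox (Fix 2)"; rc=1
  fi
  # optional DB port test from the final checklist: nc -z only attempts the TCP connect
  if command -v nc >/dev/null 2>&1 && ! nc -z -w 3 "$DB_HOST" "$DB_PORT" 2>/dev/null; then
    echo "FAIL: TCP $DB_PORT closed on $DB_HOST -> DB bound to localhost, or not installed/started"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: EC2 -> $DB_HOST:$DB_PORT path looks healthy"
  return "$rc"
}

if [ "${1:-}" = "run" ]; then diagnose; fi
```

When the ICMP check passes but the port check fails, copy the `ss -ltn` output from the ct-db console into `listen_address`: a 127.0.0.1 binding means the database is reachable only inside the container, and its bind-address needs to be the container IP before the EC2 application can connect.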
Final checklist
✅ Proxmox host advertises 192.168.8.0/24 via Tailscale
✅ EC2 accepts routes (ip route shows tailscale0 for 192.168.8.101)
✅ IP forwarding enabled; NAT + FORWARD rules applied
✅ ct-db reachable from EC2 (ping, optional DB port test)
✅ (Optional) MariaDB/PostgreSQL installed and listening on container interface
Next: deploy the frontend/backend, database schema, and monitoring in Article 2.