Baseguard
Web ConsoleAccess Control

Tags

Organize nodes with tags for access control

Tags are labels you assign to nodes to group them for access control purposes. They form the foundation of Baseguard's zero-trust security model.

What are Tags?

Tags are simple strings that categorize nodes:

  • production - Production servers
  • staging - Staging environment
  • database - Database servers
  • team-backend - Backend team's devices

A node can have multiple tags.

Why Use Tags?

Tags provide several advantages over IP-based access control:

IP-BasedTag-Based
10.0.1.5 → 10.0.2.10[web] → [database]
Breaks when IPs changeStable across changes
Hard to understandSelf-documenting
Manual updates neededAutomatic application

Creating Tags

In the Console

In the Baseguard console:

Tags management in Baseguard Console

  1. Navigate to Access Control > Tags
  2. Click Create Tag
  3. Enter the tag name
  4. Click Create

Create Tag dialog

You can also create tags via the API.

Naming Conventions

Recommended patterns:

PatternExamples
Environmentproduction, staging, development
Functionweb, api, database, cache
Teamteam-platform, team-security
Locationus-east, eu-west
Security levelpci, hipaa, internal

Best practices:

  • Use lowercase with hyphens: web-frontend
  • Be descriptive: postgres-primary over db1
  • Keep consistent: Pick a convention and stick to it

Assigning Tags to Nodes

In the Console

  1. Go to Nodes
  2. Click on a node
  3. In the Tags section, click Add Tag
  4. Select existing tag or create new
  5. Save changes

Via Auth Keys

Tags can also be pre-assigned through node auth keys.

Tag Usage in ACLs

Tags define the source and destination in ACL rules:

Rule: Allow web to database
Source Tags: [web]
Destination Tags: [database]
Protocol: TCP
Ports: 5432

Special Cases

Empty source tags = All nodes

Source: []
Destination: [database]
→ Any node can reach database nodes

Empty destination tags = All nodes

Source: [admin]
Destination: []
→ Admin nodes can reach any node

Both empty = All to all

Source: []
Destination: []
→ All nodes can reach all nodes

Viewing Tag Usage

See Which Nodes Have a Tag

  1. Go to Access Control > Tags
  2. Click on a tag
  3. View list of nodes with this tag

See Which ACLs Use a Tag

  1. Go to Access Control > Tags
  2. Click on a tag
  3. View list of ACLs referencing this tag

Managing Tags

Deleting Tags

  1. Go to Access Control > Tags
  2. Click on the tag
  3. Click Delete
  4. Confirm

Troubleshooting

See Troubleshooting — Access Control Issues for solutions to ACL matching and tag problems.

See Also

Access Control

Tag-based network access control in Baseguard

Network Rules

Configure network access control rules

On this page

What are Tags?Why Use Tags?Creating TagsIn the ConsoleNaming ConventionsAssigning Tags to NodesIn the ConsoleVia Auth KeysTag Usage in ACLsSpecial CasesViewing Tag UsageSee Which Nodes Have a TagSee Which ACLs Use a TagManaging TagsDeleting TagsTroubleshootingSee Also