diff --git a/kube/deploy/core/ingress/ingress-nginx/app/hr-external.yaml b/kube/deploy/core/ingress/ingress-nginx/app/hr-external.yaml
index b52a4c1f..26793d7a 100644
--- a/kube/deploy/core/ingress/ingress-nginx/app/hr-external.yaml
+++ b/kube/deploy/core/ingress/ingress-nginx/app/hr-external.yaml
@@ -27,6 +27,7 @@ spec:
 externalTrafficPolicy: "Cluster"
 annotations:
 "io.cilium/lb-ipam-ips": "${APP_IP_NGINX_EXTERNAL}"
+ tailscale.com/expose: "true"
 extraArgs:
 default-ssl-certificate: "ingress/short-domain-tls"
 ingressClassResource:
diff --git a/kube/deploy/core/ingress/ingress-nginx/app/hr-internal.yaml b/kube/deploy/core/ingress/ingress-nginx/app/hr-internal.yaml
index e1f3b1c4..89f2f737 100644
--- a/kube/deploy/core/ingress/ingress-nginx/app/hr-internal.yaml
+++ b/kube/deploy/core/ingress/ingress-nginx/app/hr-internal.yaml
@@ -26,6 +26,7 @@ spec:
 externalTrafficPolicy: "Cluster"
 annotations:
 "io.cilium/lb-ipam-ips": "${APP_IP_NGINX_INTERNAL}"
+ tailscale.com/expose: "true"
 extraArgs:
 default-ssl-certificate: "ingress/short-domain-tls"
 ingressClassResource:
diff --git a/kube/deploy/core/ingress/ingress-nginx/app/hr-public.yaml b/kube/deploy/core/ingress/ingress-nginx/app/hr-public.yaml
index b43ad169..0b336643 100644
--- a/kube/deploy/core/ingress/ingress-nginx/app/hr-public.yaml
+++ b/kube/deploy/core/ingress/ingress-nginx/app/hr-public.yaml
@@ -27,6 +27,7 @@ spec:
 externalTrafficPolicy: "Cluster"
 annotations:
 "io.cilium/lb-ipam-ips": "${APP_IP_NGINX_PUBLIC}"
+ tailscale.com/expose: "true"
 extraArgs:
 default-ssl-certificate: "ingress/long-domain-tls"
 ingressClassResource:
diff --git a/kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml b/kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml
index 9a13eb47..5247c74b 100644
--- a/kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml
+++ b/kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml
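Review bot: The same `tailscale.com/expose: "true"` annotation is added to all three controller Services in hr-external.yaml, hr-internal.yaml and hr-public.yaml, so the controller named internal becomes reachable from tailnet devices in exactly the same way as the public one, and nothing in the commit records which tailnet ACL entries are meant to preserve the internal/public distinction. A comment above the annotation would capture that intent, e.g. `# exposed on the tailnet via the Tailscale operator; who can reach it is governed by tailnet ACLs, not by this Service` (same wording in all three files). Style-wise the new key is plain while the neighbouring `"io.cilium/lb-ipam-ips"` key is quoted — both are valid YAML, but `"tailscale.com/expose": "true"` would match the file. Presumably a `tailscale.com/hostname` annotation is also worth setting so the three proxies get distinct, recognisable tailnet names instead of the operator's default — verify against the operator version in use. The enclosing `spec:` values block starts before each hunk and continues after it.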
@@ -42,6 +42,10 @@ spec:
 protocol: TCP
 - port: "443"
 protocol: UDP
+ # allow traffic from Tailscale within cluster
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: tailscale
 # allow traffic from external-proxy-x
 - fromEndpoints:
 - matchLabels:
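Review bot: The new rule has no `toPorts` clause, so every pod in the `tailscale` namespace may reach the controller on all ports, whereas the rule it is placed after is limited to port 443 (the visible entries) — the controller's metrics and admission-webhook ports end up reachable from that namespace too. Because `io.kubernetes.pod.namespace: tailscale` is the only label matched, the operator pod itself and any proxy the operator later creates for an unrelated Service also match; narrowing with the labels the operator puts on its proxy pods (I believe `tailscale.com/managed: "true"` — verify on the generated proxy StatefulSet) would scope it to the proxies. The comment could also say where the traffic actually originates: `# allow traffic relayed from the tailnet by the Tailscale operator's proxy pods`. If the Service also exposes port 80, add a matching entry; I cannot see that from the hunk. The enclosing rule list begins before the hunk and the external-proxy-x rule continues after it.
```yaml
    # allow traffic relayed from the tailnet by the Tailscale operator's proxy pods
    - fromEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: tailscale
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
            - port: "443"
              protocol: UDP
    # … unchanged: external-proxy-x rule …
```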