I have an MLflow server running as an ECS task behind an application load balancer, which I would like to make accessible to other users on our Tailscale network. I have set up a Tailscale subnet router which advertises the private CIDR range the ECS tasks deploy in, and I have configured a security group which should only allow the tasks to accept traffic which comes from this subnet router.
The problem I am facing is that I would now like to expose this service to other users with a convenient DNS name pointing at the load balancer. Using Route 53 with a public hosted zone for this only gives me the public IP instead of the private one (and thus is not advertised by the subnet router). Using a Route 53 private hosted zone exposes the DNS record only to other entities in the VPC, and thus not to the user machines on the Tailnet.
In an ideal world I would like to just use Tailscale's MagicDNS to assign a name to the service load balancer, and have that load balancer return the internal, advertised IP address (or better yet, a Tailnet-assigned IP for the ECS task so that I don't even have to do this advertising, but I'm not sure if that's supported by ephemeral ECS tasks).
I don't have a ton of exposure to this kind of network configuration, and I'm very happy to take advice on an alternate approach.
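A small diagnostic for the situation described above, added here as an example and not code from the original post: given the addresses a DNS name resolves to and the CIDRs the subnet router advertises, it reports whether each address is reachable over the Tailnet (a Tailscale-assigned 100.64.0.0/10 address), only via the subnet router, or neither (a public address that a security group trusting only the subnet router would drop). The advertised range 10.0.0.0/16 and the sample addresses are constructed values, not the poster's.

```python
import ipaddress
import socket

# Tailscale hands out node addresses from the CGNAT range 100.64.0.0/10.
TAILSCALE_CGNAT = ipaddress.ip_network("100.64.0.0/10")


def resolve(name: str) -> list[str]:
    """Resolve a host name with the system resolver (live lookup, not used in the sample run)."""
    infos = socket.getaddrinfo(name, None)
    return sorted({info[4][0] for info in infos})


def classify(addresses, advertised_routes):
    """Map each resolved address to how a Tailnet client could reach it.

    'tailnet'       - a Tailscale-assigned IP, reachable directly
    'subnet-router' - inside a CIDR advertised by a subnet router
    'public'        - covered by neither; traffic would go out over the open
                      internet and a security group that only allows the
                      subnet router's traffic would reject it
    """
    routes = [ipaddress.ip_network(r, strict=False) for r in advertised_routes]
    result = {}
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        # 'ip in network' is False for mismatched IP versions, so mixed
        # A/AAAA answers are handled without special-casing.
        if ip in TAILSCALE_CGNAT:
            result[addr] = "tailnet"
        elif any(ip in r for r in routes):
            result[addr] = "subnet-router"
        else:
            result[addr] = "public"
    return result


def unreachable(addresses, advertised_routes):
    """Addresses a Tailnet user could not reach through the advertised routes."""
    return [a for a, how in classify(addresses, advertised_routes).items() if how == "public"]


if __name__ == "__main__":
    advertised = ["10.0.0.0/16"]  # constructed: the VPC CIDR the subnet router advertises
    # constructed: what a public hosted zone vs. a private hosted zone would hand back
    public_zone_answer = ["3.5.140.2"]
    private_zone_answer = ["10.0.12.34", "10.0.40.7"]
    for label, answer in [("public zone", public_zone_answer), ("private zone", private_zone_answer)]:
        print(label, classify(answer, advertised), "unreachable:", unreachable(answer, advertised))
```

To check a real name, replace the constructed answers with `resolve("mlflow.example.internal")` run from a Tailnet client; any address reported as `public` is one the subnet router does not cover, which is exactly the public-hosted-zone symptom described in the post.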