diff --git a/docs/changelog.d/restrict-flyio-proxy-acl.infra.md b/docs/changelog.d/restrict-flyio-proxy-acl.infra.md
index c9544ba..f12f7f4 100644
--- a/docs/changelog.d/restrict-flyio-proxy-acl.infra.md
+++ b/docs/changelog.d/restrict-flyio-proxy-acl.infra.md
@@ -1 +1 @@
-Restrict fly.io proxy ACLs to dedicated `tag:flyio-target` endpoints instead of broad `tag:k8s` and `tag:homelab` grants. Alloy now pushes logs/metrics directly to Loki and Prometheus via Tailscale Ingress, bypassing Caddy. Migrate all Tailscale Ingresses to a shared ProxyGroup to enable per-Ingress tag overrides (`tag:flyio-target` on docs, loki, prometheus).
+Restrict fly.io proxy ACLs to dedicated `tag:flyio-target` endpoints instead of broad `tag:k8s` and `tag:homelab` grants. Migrate all Tailscale Ingresses to a shared ProxyGroup with per-Ingress tag overrides (`tag:flyio-target` on docs, loki, prometheus). Add `autoApprovers` for VIP service routes. Enable `--accept-routes` on indri for ProxyGroup VIP routing.
diff --git a/fly/alloy.river b/fly/alloy.river
index 4b63efe..d599358 100644
--- a/fly/alloy.river
+++ b/fly/alloy.river
@@ -94,10 +94,10 @@ loki.relabel "instance" {
 }
 }
-// Write logs to Loki via Tailscale Ingress (direct, bypasses Caddy)
+// Write logs to Loki via Caddy reverse proxy
 loki.write "loki" {
 endpoint {
- url = "https://loki.tail8d86e.ts.net/loki/api/v1/push"
+ url = "https://loki.ops.eblu.me/loki/api/v1/push"
 }
 }
@@ -134,9 +134,9 @@ prometheus.relabel "instance" {
 }
 }
-// Push metrics to Prometheus via Tailscale Ingress (direct, bypasses Caddy)
+// Push metrics to Prometheus via Caddy reverse proxy
 prometheus.remote_write "prometheus" {
 endpoint {
- url = "https://prometheus.tail8d86e.ts.net/api/v1/write"
+ url = "https://prometheus.ops.eblu.me/api/v1/write"
 }
 }
diff --git a/pulumi/tailscale/policy.hujson b/pulumi/tailscale/policy.hujson
index 471bd92..0703353 100644
--- a/pulumi/tailscale/policy.hujson
+++ b/pulumi/tailscale/policy.hujson
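Review bot: The rewritten `url` line in `loki.write "loki"` moves the push path back behind Caddy, but the `endpoint` block carries no client authentication and the hunk does not say whether `loki.ops.eblu.me` is reachable only from the tailnet or from the public internet as well. If Caddy is the layer that gates this push endpoint, that belongs in the comment so the next reader does not assume the tailnet ACLs (the `tag:flyio-target` restriction this commit introduces) still cover this traffic; something like `// Write logs to Loki via Caddy reverse proxy (access to the push endpoint is gated at Caddy, not here — confirm)`. If Caddy does not authenticate the push path, an unauthenticated write endpoint lets anything that can reach it inject log lines, so either a `basic_auth` block on the `endpoint` or a Caddy-side check should be in place. The same point applies to the second hunk of this file (`prometheus.remote_write "prometheus"` and `prometheus.ops.eblu.me`).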
@@ -126,6 +126,15 @@
 },
 ],
+ // ============== Auto Approvers ==============
+ // Allow ProxyGroup pods (tag:k8s) to auto-approve VIP Services
+ // Required for multi-cluster Ingress per Tailscale docs
+ "autoApprovers": {
+ "services": {
+ "tag:k8s": ["tag:k8s"],
+ },
+ },
+
 // ============== Tag Owners ==============
 "tagOwners": {
 "tag:blumeops": ["autogroup:admin", "tag:blumeops"],
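Review bot: The new `autoApprovers.services` entry lets any node tagged `tag:k8s` have the VIP Services it advertises (those tagged `tag:k8s`) approved without review, which is broader than the comment's "ProxyGroup pods" wording implies and pulls against this commit's stated aim of replacing blanket `tag:k8s` grants with the dedicated `tag:flyio-target`. If the ProxyGroup pods can carry a narrower tag (as the per-Ingress overrides already do), scoping the approver to that tag instead of `tag:k8s` keeps every other tag:k8s workload from publishing a VIP Service silently; if they cannot, the comment should say why `tag:k8s` is the right scope. The `// Required for multi-cluster Ingress per Tailscale docs` line would be more useful naming the specific doc section, since that is what a later reviewer will check this scope against. The enclosing policy object starts and ends outside the hunk.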