Tailscale

What is Tailscale?
Tailscale is a secure connectivity platform that builds secure, encrypted mesh networks across any infrastructure—cloud, on-prem, or hybrid—built on zero-trust principles to enable simple, identity-based access.

Profile

Tailscale is a unified connectivity platform that enables platform engineering, security, and IT teams to establish secure, direct connections between any device, service, or workload without modifying firewall rules, juggling multiple VPNs, or rearchitecting the underlying network.
Built on WireGuard®, a modern open-source tunneling protocol, Tailscale builds overlay mesh networks by creating peer-to-peer connections between nodes, eliminating centralized bottlenecks and reducing latency. Security is enforced at each node rather than only at the network edge, with access policies defined and managed on the control plane level through identity—users, groups, and device tags. The resulting network behaves like a flat, private LAN regardless of where infrastructure actually lives.
The personal plan for Tailscale is permanently free and backward compatible, reflecting the company's commitment to making modern networking accessible to individual developers and small teams alongside enterprise customers.

Focus

As infrastructure spreads across clouds, clusters, and edge devices, teams face a tradeoff between broad, network-level access, which adds risk and operational complexity over time, and fine-grained, identity-based access, which scales more securely and efficiently. Tailscale reduces that tension by combining peer-to-peer networking with centralized identity and policy controls.
Core use cases include:

  • Replacing legacy VPN infrastructure
  • Securing workload-to-workload connectivity across Kubernetes clusters and cloud environments
  • Enabling privileged access to production systems without SSH key management
  • Connecting ephemeral CI/CD runners to private resources

The platform is designed for teams that need to move fast without compromising on security posture—from a single engineer connecting a dev machine to a prod database, to an enterprise managing thousands of nodes across multiple cloud providers.

Background

Tailscale was founded in 2019 in Toronto, Canada with the goal of making connectivity simpler with a zero-configuration alternative that could be installed on any device, automatically manage firewall rules, and work from anywhere—without the operational complexity or performance issues of traditional VPN infrastructure.
Since then, Tailscale has expanded into a broader secure access platform spanning workload connectivity, privileged access management, AI infrastructure security, and zero-trust networking for modern environments.
The company has grown to over 200 employees and 20,000 paid business customers. Notable enterprise customers include Instacart, SAP, Duolingo, Motorola, and Telus. It is also used by today’s top AI companies including Perplexity, Mistral, Groq, Hugging Face, and Cohere.
Tailscale has been recognized among the Fortune Cyber 60, Enterprise Tech 30, Redpoint’s Infrared 100, Deloitte Fast 50, and Fast Company’s Next Big Things in Tech—while also taking home the Webby Award for Best Developer Tool in 2025. As a workplace, Tailscale has been named one of Fast Company’s Best Workplaces for Innovators. Tailscale is leading the transformation to secure networking for the modern era.

Main features

Mesh networking and automatic NAT traversal

Tailscale builds a WireGuard®-based peer-to-peer mesh overlay network across any connected nodes, routing traffic directly between devices rather than through a central server. It handles NAT traversal automatically—using STUN to discover public endpoints and coordinated probing to punch through firewalls—so nodes behind home routers, corporate gateways, or cloud NATs connect directly without any manual configuration. When a direct path isn't possible, Tailscale transparently falls back to encrypted relay servers (DERP) or to Peer Relays (a customer-deployed, managed traffic relaying mechanism). This architecture eliminates the single point of failure inherent in hub-and-spoke VPN designs, and scales horizontally as nodes are added.

Zero-trust, identity-based access control

Access in Tailscale is governed by identity rather than IP addresses. Policies are defined centrally in the tailnet policy file using ACLs and Grants that reference users, groups, and device tags, specifying exactly which nodes can communicate with which, on which ports. The whole network is governed by a single policy file that is enforced at each node, meaning security is maintained at the individual workload level rather than at the network perimeter. This maps cleanly onto zero-trust principles: no device is trusted by default, access is least-privilege, and policy changes propagate across the entire network within seconds.

Kubernetes and workload connectivity

Tailscale integrates natively with Kubernetes through the Tailscale Kubernetes operator, enabling secure connectivity between clusters, namespaces, and external services without exposing workloads to the public internet. Platform teams can connect pods to on-prem resources, bridge multi-cloud clusters, or provide developers with direct access to internal services—without managing per-environment ingress rules or VPN gateways. This makes Tailscale a practical alternative to complex service mesh configurations for cross-cluster and hybrid connectivity use cases.

Privileged access and SSH management

Tailscale SSH replaces traditional SSH key management by using WireGuard node keys and Tailscale identity for authentication. Platform teams can grant and revoke SSH access through ACL policy changes, with updates taking effect in seconds—no manual key rotation or authorized_keys file management. Check mode adds an optional re-authentication step for high-risk connections (such as root access to production), and session recording provides full audit trails for compliance requirements. Access can be scoped to users, groups, or device tags, giving teams granular control without additional tooling.
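A tailnet policy file that ties together the identity-based grants described under access control and the Tailscale SSH check mode from this section, as an added example rather than a policy taken from Tailscale's own documentation. The groups, tags, user accounts and ports are assumptions chosen for illustration.

```json
// Added example tailnet policy (HuJSON). Group names, tags, accounts and
// ports are assumed; they are not taken from Tailscale's documentation.
{
  // Who may apply each tag. Tagged nodes authenticate as the tag, not a user.
  "tagOwners": {
    "tag:prod": ["group:platform"],
    "tag:ci":   ["group:platform"]
  },
  "groups": {
    "group:platform": ["alice@example.com", "bob@example.com"],
    "group:dev":      ["carol@example.com"]
  },
  // Grants are least-privilege by identity and port: anything not listed
  // here is unreachable, regardless of where the nodes sit on the network.
  "grants": [
    // Ephemeral CI runners (tag:ci) may reach only the artifact registry
    // port on production nodes.
    {"src": ["tag:ci"],         "dst": ["tag:prod"], "ip": ["tcp:5000"]},
    // Developers reach the production database port and SSH (port 22),
    // which the SSH section below further restricts to a non-root user.
    {"src": ["group:dev"],      "dst": ["tag:prod"], "ip": ["tcp:5432", "tcp:22"]},
    // The platform team has full network access to production.
    {"src": ["group:platform"], "dst": ["tag:prod"], "ip": ["*"]}
  ],
  // Tailscale SSH: no authorized_keys files; access follows the identity
  // above and is revoked by editing this file.
  "ssh": [
    // Developers log in as the "deploy" user without an extra prompt.
    {"action": "accept", "src": ["group:dev"],      "dst": ["tag:prod"], "users": ["deploy"]},
    // Root on production is high-risk, so check mode forces the user to
    // re-authenticate with the identity provider, here at most every 12h.
    {"action": "check",  "src": ["group:platform"], "dst": ["tag:prod"], "users": ["root"], "checkPeriod": "12h"}
  ]
}
```

Note that an SSH rule only takes effect if a grant (or ACL) also permits network access to port 22 on the destination, which is why the developer grant lists `tcp:22` explicitly.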

CI/CD and ephemeral environment connectivity

Tailscale supports ephemeral node authentication, making it well-suited for connecting short-lived CI/CD runners—on GitHub Actions, GitLab CI, ArgoCD, and others—to private infrastructure including databases, artifact registries, or internal APIs. Runners join the tailnet at job start and are automatically removed on exit, with no persistent credentials or open firewall rules. This gives platform teams a secure, auditable path for pipelines that need access to private resources, without the complexity of per-environment VPN configuration or long-lived credentials.
