Blog

A combination of our newsletter and other posts, where we talk about Tailscale, WireGuard®, 2-factor auth, and other networking-related topics.

Subscribe via email, RSS or follow our Twitter.

Supporting OAuth in the Tailscale API

Will Norris and Jordan Whited on
Photo of Will Norris
Photo of Jordan Whited

Tailscale’s API gives you programmatic access to many of your Tailscale resources, including devices on your tailnet, access controls in your tailnet policy file, and DNS settings. Today we’re launching two improvements to how you authenticate to the Tailscale API: the ability to create scoped access tokens limited to specific operations, and the ability to continually generate or refresh access tokens using OAuth clients.

Tailscale actions for iOS and macOS Shortcuts

Mihai Parparita on
Photo of Mihai Parparita
With Tailscale v1.36 actions can be directly triggered and automated with the Shortcuts app on iOS and macOS. We’ve added support for managing the connection state, using exit nodes, and switching between profiles. You can combine the Tailscale actions with other automations to customize tasks, such as automatically connecting to your tailnet if your device is not on your home Wi-Fi.

Traefik Proxy now offers Tailscale as certificate resolver

Photo of Parker Higgins
Parker Higgins on

Traefik, the popular load balancing and reverse proxy tool, has added support for Tailscale as a certificate resolver in Traefik Proxy 3.0 beta, the latest release of its forward proxy offering. Today, one of the engineers behind this integration has published a fun deep dive into how it works and how they’re using Tailscale to help with testing at Traefik.

Tailscale logo connecting to Traefik logo

This new feature means you can now access HTTPS-enabled services on your tailnet behind Traefik Proxy, without the headache of separately handling certificates or exposing an endpoint to resolve TLS challenges from Let’s Encrypt. Instead, Tailscale can manage your certificate life cycle and automatically renew your Let’s Encrypt certificate, and will do so under this setup as long as Traefik is running.

Looking back at 2022: A year of growth, funding and lots of new features

Mark Ogilbee on
Photo of Mark Ogilbee

As we took a few days away from our keyboards over the holidays, we here at Tailscale also spent time reflecting on the year we had in 2022, which seemed to come and go before we knew it. It was quite a journey — and we wanted to share with you some highlights from what was a decidedly lively and groundbreaking year for us.

December Tailscale newsletter

Mark Ogilbee on
Photo of Mark Ogilbee
Our December newsletter is out a bit early as we here at Tailscale take the final days of 2022 to rest up, be festive, and reflect on the year gone by — and what a momentous year it’s been, with lots of big product updates and company news. Here are just a few highlights: We launched Tailscale SSH, which lets you SSH into devices on your tailnet from anywhere, even mobile, without hassling with additional software, firewall rules, or key management. You can even SSH into devices on your tailnet from any web browser via SSH Console. We added support for on-demand access integrations with partners ConductorOne, Indent, Opal, and Sym, each of whom vastly simplify the process of provisioning new users with temporary access to sensitive resources. We received our SOC 2 (both Type I and Type II) compliance reports, reaffirming the ridiculously passionate commitment to security that’s baked into our DNA. We announced a $100 million Series B financing round led by CRV and Insight Partners, with participation from our existing major investors: Accel, Heavybit, and Uncork Capital, along with a cast of many prominent angels and smaller investors.

Tailscale for DevOps: Connect to any subnet in your tailnet with Connecti (by Pulumi)

Photo of Jeff Spencer
Jeff Spencer on

When setting up cloud infrastructure for your team, it often makes sense to provision sensitive services in private subnets. However, this usually means that those services are not easily accessible from your personal devices or CI/CD infrastructure. Tailscale already makes it possible to access those services by adding a private subnet router to your tailnet. But what happens if you need to quickly access something in a private subnet and then immediately terminate that connection?

Most organizations already have existing infrastructure, so the need to access or debug something in a private subnet is a relatively frequent problem. That’s why Pulumi has worked hard to create a way to quickly provision ephemeral VPN connections that you can spin up and tear down quickly. Connecti is a command line tool written in the Go programming language using Pulumi’s automation API, that allows you to declaratively provision Tailscale subnet routers in seconds without writing a single line of infrastructure code.

Pulumi is an open source infrastructure as code platform for creating, deploying, and managing cloud infrastructure. Pulumi works with both traditional infrastructures like VMs, networks, and databases, in addition to modern architectures such as containers, Kubernetes clusters, and serverless functions.

Continue reading to learn more about Tailscale and Connecti from Pulumi software engineer and Connecti creator Lee Briggs.

Tailscale logo connecting to the Pulumi logo

User and group provisioning for Okta is generally available

Ramya Nagarajan and Jeff Spencer on
Photo of Ramya Nagarajan
Photo of Jeff Spencer

We’re pleased to announce that user & group provisioning for Okta is now generally available. You can sync group membership and deactivated users from Okta, and refer to a synced group as part of an access rule in your tailnet policy file.

Postgres Crunchy Bridge with Tailscale

Maya Kaczorowski on
Photo of Maya Kaczorowski

Today we are happy to announce that Crunchy Bridge has integrated with Tailscale to provide easy access to your database from any of your devices, wherever they are running. Crunchy Bridge is a managed Postgres product that runs your database for you on your choice of cloud.

Tailscale logo connecting to Crunchy Data logo

Introducing tailnet lock: use Tailscale without trusting our infrastructure!

Tom D'Netto and Adrian Dewhurst on
Photo of Tom D'Netto
Photo of Adrian Dewhurst

Users sometimes ask us, “How can I trust Tailscale?” From the beginning, we’ve tried to make it so you don’t have to, by architecting our infrastructure with security and privacy in mind. When you use Tailscale, your data is end-to-end encrypted. Tailscale doesn’t have the private key, so we can’t see your traffic. While Tailscale can’t observe the data transiting your tailnet, we are responsible for managing the control plane, where our coordination server distributes public keys and settings for your tailnet.

Which brings us to one glaring issue that has remained with our architecture: You have still needed to trust our coordination server. What if we were malicious, and stealthily inserted new nodes into your network? Tailscale could hypothetically use a secretly-added node to send or receive traffic to your existing nodes — meaning it wouldn’t matter that the traffic is encrypted because the peer itself would be malicious.

You should decide who to trust when it comes to your tailnet’s coordination server and how nodes are added to your tailnet. We don’t want you to have to trust us to get it right. So today, we’re taking the first steps with tailnet lock, a security feature where your nodes verify the public keys distributed by the coordination server before trusting them for network connectivity.

Userspace isn't slow, some kernel interfaces are!

Jordan Whited and James Tucker on
Photo of Jordan Whited
Photo of James Tucker

We made significant improvements to the throughput of wireguard-go, which is the userspace WireGuard® implementation that Tailscale uses. What this means for you: improved performance of the Tailscale client on Linux. We intend to upstream these changes to WireGuard as well.

You can experience these improvements in the current unstable Tailscale client release, and also in Tailscale v1.36, available in early 2023. Read on to learn how we did it, or jump down to the Results section if you just want numbers.

Quickly switch between Tailscale accounts

Fast user switching has come to Tailscale! Starting in v1.34, out today, you’ll be able to quickly switch between Tailscale accounts on the same device, without re-authenticating. (We heard you.)

a gif showing the process of switching user accounts in the macOS client

To switch between tailnets on macOS, click on the Tailscale icon in the menu bar and select the other account.

Private go links for your tailnet

Photo of Will Norris
Will Norris on

Today, we’re sharing golink, an open source private URL shortener service for tailnets. Using golink, you can create and share simple go/name links for commonly accessed websites, so that anyone in your network can access them no matter the device they’re on — without requiring browser extensions or fiddling with DNS settings. And because golink integrates with Tailscale, links are private to users in your tailnet without any separate user management, logins, or security policies.

A screenshot of the golink application homepage. A form allows a new link to be created and popular links are listed: go/meet, go/slack, go/search, go/email

November Tailscale newsletter

Mark Ogilbee on
Photo of Mark Ogilbee
It’s been a dramatic month across the tech industry, but we have some good news: Tailscale is hiring! We’re looking for driven individuals who think differently, enjoy collaborating with highly technical remote teams, and are comfortable working asynchronously. See our open roles below, and learn more about our company vision. We launched Tailscale Funnel, which makes it simple (and still secure) to route traffic from the internet to a node in your tailnet. We’ve developed a guide for using tsnet to make your internal services easier to run, access, and secure; and we put together an inside look at how we built our new webhooks feature. Plus: Tailscale has joined the Fediverse! You can now follow us on Hachyderm

Tailscale Runs Anywhere I Need

Photo of Katie Reese
Katie Reese on

Last week, Tailscale hosted a three-day co-work week to prove Tailscale Runs Anywhere I Need (TRAIN) by traversing the Amtrak Coast Starlight line from Emeryville, CA to Seattle, WA. The week included a shared work day in Berkeley, an overnight on the train, a work day from the train’s observatory, and a work day from a lovely Airbnb in the Queen Anne neighborhood of Seattle.

Action required: Upgrade Windows clients to v1.32.3

Photo of Maya Kaczorowski
Maya Kaczorowski on

Tailscale has recently been notified of security vulnerabilities in the Tailscale Windows client which allow a malicious website visited by a device running Tailscale to change the Tailscale daemon configuration and access information in the Tailscale local and peer APIs.

To patch these vulnerabilities, upgrade Tailscale on your Windows machines to Tailscale v1.32.3 or later, or v1.33.257 or later (unstable).

Introducing Tailscale Funnel

Tailscale lets you put all your devices on their own private tailnet so they can reach each other, ACLs permitting. Usually that’s nice and comforting, knowing that all your devices can then be isolated from the internet, without any ports needing to be open to the world.

Sometimes, though, you need something from the big, scary, non-Tailscale internet to be able to reach your device.

Tailscale on the Fediverse

Photo of Xe Iaso
Xe Iaso on
Hey everyone! The last few weeks have been something else eh? We want to make it easier for you to keep in touch with us. As such, we have created a Fediverse account on Hachyderm. Feel free to give us a follow if you want to keep up to date! We’re honored to be one of the first corporate accounts on Hachyderm and in the Fediverse in general. This is a great responsibility and we are taking this responsibility seriously. We want to be an example of what a positive and mutually beneficial corporate presence on the Fediverse should look like. We want to use this opportunity to help strengthen the entire Fediverse community as well as help people use Tailscale in new and exciting ways. I’ve personally used the Fediverse since 2017, back when Mastodon was propagating things using OStatus. I’ve run bots on the Fediverse for years. I don’t want this to be an example of another corporation encroaching on a community space and covering it with advertising.

Virtual private services with tsnet

Photo of Xe Iaso
Xe Iaso on
Tailscale lets you connect to your network from anywhere, but you have to set it up on individual computers for it to work. In this article Xe covers how to use tsnet to get all of the goodness of Tailscale in userspace so that you can have your services join your tailnet like they were separate computers.

Making your Tailscale experience a little more eventful with webhooks

Laura Florea on
Photo of Laura Florea

Tailscale is amazing. But you already knew that, right? There’s nothing more satisfying than being able to set up a secure network in seconds, almost like magic — except maybe realizing it’s Friday when you thought it was Thursday, but I digress.

Being a relatively new product, Tailscale is still adding features to make it even easier to use. One of the most requested features from both our enterprise customers as well as individual users are notifications for events happening in your tailnet, such as when new nodes are added or need to be authorized. Before Tailscale introduced the new feature I’m about to mention (shh… I know you saw it in the title, but just pretend you didn’t for a second), there wasn’t really a way for the admin of a tailnet to know if something had changed without constantly stalking the admin console for new warning badges on machines, or scrolling through the configuration audit logs for updates.

During my internship at Tailscale this past summer, I set out to fill this notification gap. (“I” meaning me, Laura the intern, not to be confused with the lovely individual of the same name who has been writing the Tailscale newsletter every month.) As a result of my (and many other peoples’) summer-long efforts, Tailscale now allows you to configure webhooks to notify you of specific kinds of events in your tailnet.

October Tailscale newsletter

Jessica Webb Kennedy on
Photo of Jessica Webb Kennedy
It’s been a BIG month at Tailscale and we’re excited to share several new features with you. First off, MagicDNS is now GA (human-readable DNS names for each device in your tailnet). Speaking of DNS… have you ever wanted to run your own DNS resolver to block ads — but don’t actually want to run your own DNS resolver? Tailscale now supports NextDNS. We’ve also been hard at work on configuration audit logs (now in beta) so you can track changes to your tailnet, and use webhooks to get notified about changes or misconfigurations. We’re also making it safer to work remotely, even if there’s an emergency, with Tailscale SSH Console — which lets users initiate a secure browser-based SSH session from any device even if Tailscale isn’t installed on that device.

An epic treatise on DNS, magical and otherwise

Xe Iaso and Avery Pennarun on
Photo of Xe Iaso
Photo of Avery Pennarun
Naming products is hard. One of Tailscale’s key features, MagicDNS, has long been a source of armchair grammar controversy. To wit: Some people think we should call it Magic DNS because Apple calls their flagship keyboard and mouse the Magic Keyboard and the Magic Mouse. But have you noticed that Apple also calls their laptops MacBooks and their wireless headphones AirPods? The reason they do this is because of an obscure (and nerdy) rule of the English language that says if removing the adjective from a noun phrase would change the meaning of the noun, you can remove the space and make it a compound word. A Magic Keyboard without the magic is still a keyboard. A MacBook without the Mac is not a book. MagicDNS is one word because without the magic, it wouldn’t just be DNS; it wouldn’t be anything. Tailscale already has DNS and split DNS (two words!

Making an SSH client the hard way

Photo of Mihai Parparita
Mihai Parparita on

Today, we’re launching a web-based SSH client: Tailscale SSH Console.

From the Tailscale admin console, admins will now see a little “SSH…” button to connect to devices running Tailscale SSH. Click this, and you’ll pop open an SSH client, right in your browser. Tailscale SSH Console is now available in beta.

Animation of selecting a username to start a Tailscale SSH Console session.

To start a Tailscale SSH Console session, click “SSH” on the device, select the username you want to connect as, and reauthenticate.

Get notifications for events on your tailnet with webhooks

Laura Florea and Sonia Appasamy on
Photo of Laura Florea
Photo of Sonia Appasamy

If you’re managing and using Tailscale along with several other users, it’s hard to keep track of what changes get made, even with audit logs. For example, another admin might make an update, or an event that you need to react to could occur — such as a node needing authorization.

MagicDNS is generally available

Charlotte Brandhorst-Satzkorn and Maisem Ali on
Photo of Charlotte Brandhorst-Satzkorn
Photo of Maisem Ali

Tailscale automatically assigns IP addresses for every unique device in your network, giving each device an IP address no matter where it is located. We further improved on this with MagicDNS, which automatically registers a human-readable, easy-to-remember DNS name for each device —  so you don’t need to use an IP address to access your devices. This means you can access the device monitoring, even if it moves from on-prem to the cloud, without ever needing to know its IP address in the first place.

MagicDNS is such a useful feature that it’s been frustrating for us that not all Tailscale users know about it. We’re surprised that we often get suggestions like, “It would be great if Tailscale could just run a small DNS server for me” — when it already does! So we’re particularly excited to share that as of today, MagicDNS is generally available, and it’s enabled by default for new tailnets! (Already a Tailscale user, but not using MagicDNS yet? Click “Enable MagicDNS” in the DNS page of the admin console to get going.)

Animation of enabling MagicDNS and accessing a file server on port 8000 of a device using a human-readable DNS name for a device.

With MagicDNS enabled, you can access a device with human-readable DNS name.

If you’re already using MagicDNS, your tailnet has been automatically assigned a new tailnet name of the form tail<hex>.ts.net, in addition to the existing name <domain>.beta.tailscale.net. If you’re sharing nodes with the beta name, we ask you to migrate to the new tailnet name. The existing beta name will be supported until at least November 1, 2023.

Use configuration audit logs to track changes in your tailnet

Understanding what changes were made to your Tailscale network, and who made them, is critical for maintaining the security and integrity of your network. That’s why we’re making it even easier for admins — and your auditors! — to review changes made to your tailnet’s configuration, such as adding devices, updating ACLs, or changing DNS settings.

Configuration audit logs, now in beta, capture changes made to your network in the coordination server. If you’re an admin of a tailnet, you can access audit logs for your tailnet in the logs tab of the admin console. From the console, you’ll see a table of changes made to your network, with the most recent events first, and you can filter by user, time, and action taken. Configuration audit logs are also available via API.

Use NextDNS everywhere you use Tailscale

Brad Fitzpatrick, Maisem Ali and Jenny Zhang on
Photo of Brad Fitzpatrick
Photo of Maisem Ali
Photo of Jenny Zhang

Ever wanted to run your own DNS resolver but you don’t actually want to run your own DNS resolver because running DNS is fraught with pain?

Tailscale now supports NextDNS!

The Tailscale and NextDNS logos, connected by dots.

Don’t make databases available on the public internet

David Anderson on
Photo of David Anderson

… But if you must, we made something that can help you do it right.

The folks at bit.io just published an excellent review of PostgreSQL security, with a startling conclusion: the vast majority of PostgreSQL connections that are happening over the public internet are insecure, due to a combination of server misconfigurations and most clients unfortunately defaulting to unsafe settings.

September Tailscale newsletter

Laura Franzese on
Photo of Laura Franzese
This month we’re making sharing nodes a rewarding experience! When you share a node with a unique user and they accept the invitation, we’ll increase the device limit on both your accounts by two. The rewards will be reflected in your device limits on your Billing page. (Don’t worry, if you happened to do this before we officially launched our rewards, your device count has been automatically updated.)

Tailscale: A modern replacement for Hamachi

Photo of Xe Iaso
Xe Iaso on

When I was in college almost a decade ago, I lived on the computer science floor of my dorm. It was quite possibly one of the most interesting places I’ve ever lived. It was full of nerds, and we had file shares and LAN parties every weekend. While I was there, I got introduced to a tool called Hamachi that we used in order to keep playing games like Minecraft, StarCraft (Brood War), and Age of Mythology together over winter and summer breaks. We shared our photos, code creations, and more; all over that shared network. This allowed us to be together even on breaks, when we were on opposite sides of the state.

Making heads or tails of open source

David Crawshaw on
Photo of David Crawshaw

Open source is in Tailscale’s bones. After our seed round, when we were only five people making our initial open source plans, we each already had decades of experience writing and using community software. Personally, I’m a Unix programmer only because of a Slackware CD I picked up in Hong Kong in 1995. I owe my livelihood and a big part of my identity to open source. So it was natural to me that we would open source anything where the trouble involved in doing so was worth the value of releasing the code.

Beyond our instincts to build open source software, we also couldn’t have built Tailscale without it. Tailscale is heavily dependent on open source: WireGuard®, a tunneling protocol for establishing encrypted connections between peers, is at the core of Tailscale. And, like every other company these days, the vast majority of the code we use wasn’t written by us — we have dependencies on code written by thousands of other developers, and we want to give back.

Now with more DERP

David Crawshaw and Denton Gentry on
Photo of David Crawshaw
Photo of Denton Gentry

Tailscale clients make direct connections to each other, almost all the time. To do that, they need reliable communication infrastructure to determine how to connect (using DISCO packets), and a communication path of last resort to use when the local network on one or both ends is hostile enough that direct connections are not feasible. Tailscale runs a global network of DERP relay servers to cover both of these needs.

This week, we added nine additional DERP locations to complement our existing relay network. By operating in more locations globally, your devices are more likely to be closer to a server. That means you can more quickly and easily establish network connections. And, if your connection goes through a closer relay, it’ll likely be faster.

The case of the spiky file descriptors

Mihai Parparita on
Photo of Mihai Parparita

Not all engineering work at Tailscale requires changing Go internals or deep insights into how to leverage the birthday paradox for NAT traversal. There are countless small bugs and edge cases that we investigate in our quest to meet an unreasonably high percentile of our users’ expectations. This is the story of one such investigation.

What we learned (and can share) from passing our SOC 2 Type II audit

David Anderson, Rachel Lubman, Denton Gentry and Maya Kaczorowski on
Photo of David Anderson
Photo of Rachel Lubman
Photo of Denton Gentry
Photo of Maya Kaczorowski

Good news everyone: Tailscale is SOC 2 compliant! Wait… weren’t we already compliant? Yes, but now we’re SOC 2 Type II compliant… which is kind of a big deal.

As part of our ongoing commitment to security and privacy at Tailscale, we’ve completed a SOC 2 Type II audit. Our Type I audit validated that we had policies and procedures in place to keep your information safe. Now, our Type II audit validates that our security controls were effective over the period of time evaluated and that we’re actually implementing the policies and procedures we committed to.

GitOps for Tailscale ACLs

Xe Iaso on
Photo of Xe Iaso

Tailscale lets you manage access permissions within a tailnet, including which users are allowed to connect to which machines, using powerful Access Control Lists (ACLs). ACLs are controlled by a HuJSON tailnet policy file that you can edit directly in the admin console. This makes managing permissions simple, but unlike other controls defined in code, there is no way to require approval or review before accepting changes made to ACLs directly in Tailscale’s admin console. In the industry, there’s a pattern called GitOps that suggests you should maintain anything that defines your infrastructure, like this policy file, in a Git repository and use CI to validate, test, and automatically deploy changes.

In this post, I’m going to cover how you can set up a GitOps workflow for your tailnet policy file with GitHub Actions so you can maintain ACLs in a central repository, apply the same controls for changes to your configuration file as you do for code (“config as code”)— such as requiring review, and how to automatically apply these configuration changes to your network.

To make this easier, we’ve released a Sync Tailscale ACLs GitHub Action you can use for automatically updating your tailnet policy file from GitHub. If you’re using this action, or another GitOps workflow you’ve built yourself, you can surface it in the Access Controls page of the admin console to prevent colleagues from accidentally making unapproved changes.

Screenshot of Access controls in the admin console with a linked Git repository.

When using GitOps, a warning is shown in the admin console.

August Tailscale newsletter

Laura Franzese on
Photo of Laura Franzese
Summer has come to an end in the northern hemisphere, and as we sharpen our pencils and compare Lisa Frank Trapper Keepers, we have some exciting updates to share. The team worked alongside some wonderful partners to extend on-demand access to your Tailscale resources with OpalIndentSym, and ConductorOneBrad Fitzpatrick did some moonlighting on the 9to5 Apple @ Work podcast talking about Tailscale SSH. Microsoft’s Paul Yu detailed how to access your Linux machine on Azure with Tailscale SSH.

Manage your Tailscale resources with Terraform

Denton Gentry and Andrew Dunham on
Photo of Denton Gentry
Photo of Andrew Dunham

When deploying infrastructure, you might need to frequently redeploy an environment for testing, or spin up servers in response to an increase in demand. A common tool to automate the provisioning of your infrastructure is Terraform — with Terraform, you can define infrastructure as code, then script deployments of that infrastructure. If you’re deploying servers that you want to access over Tailscale, you can already simplify setup by using a tagged auth key to automatically connect devices to your tailnet with the right permissions. But what if you’re trying to manage your deployment of Tailscale?

You can also use Terraform to manage your use of Tailscale to define and deploy your ACLs, DNS settings, auth keys, and more. Tailscale is adopting the Tailscale Terraform provider and taking responsibility for ongoing support and development. The community, notably David Bond, originally created the Tailscale Terraform provider, and we are very thankful for the work they’ve done to provide this valuable tool to others.

Ephemeral nodes… now more ephemeral!

Maisem Ali on
Photo of Maisem Ali

If you’re using Tailscale with short-lived devices such as containers or frequently redeployed infrastructure, you are probably already using ephemeral nodes. Ephemeral nodes are meant for automated, frequently redeployed workloads because they’re automatically removed from your network once they are no longer active. However, this automatic process could potentially take an hour or longer while the coordination server waits to see if the ephemeral node will come back online. This clutters your network with containers or functions that are no longer running.

Tailscale for DevOps: On-demand access to your Tailscale resources with Opal

Maya Kaczorowski on
Photo of Maya Kaczorowski

When you’re working in an environment with strict compliance needs, you want to make sure you’re following the principle of least privilege and granting employees access only to the resources they need to do their job. Tailscale ACLs already make that possible by letting you define what someone can access — and restricting their access to everything else — with “default deny” rules.

In many organizations, access to resources needs to be granted temporarily, such as when someone needs additional information in order to debug a customer issue. This is why we’re partnering with Opal: to provide short-lived, granular, on-demand access to resources in your tailnet. With Opal, your team can generate self-serve access requests and get automatic approvals for faster access to the resources they need, rather than waiting for their help desk ticket to be manually reviewed and provisioned.

Tailscale logo connecting to Opal logo

Tailscale for DevOps: On-demand access to your Tailscale resources with Sym

Maya Kaczorowski on
Photo of Maya Kaczorowski

Managing privileged access can help improve security by reducing unnecessary access to sensitive resources and customer data. With Tailscale ACLs, you can already manage access to company resources and restrict access with “default deny” rules.

But what if there’s an emergency, and the person on call needs to access your production environment? Solving this is why we’re excited to partner with Sym! Now, users can easily request temporary access to sensitive resources in Tailscale via Slack. These requests can then be approved by team members directly in Slack, or even be automatically approved for certain people — such as on-call engineers.

Tailscale logo connecting to Sym logo

Tailscale for DevOps: On-demand access to your Tailscale resources with ConductorOne

Maya Kaczorowski on
Photo of Maya Kaczorowski

Modern governance and access control policies for sensitive resources like production nodes, databases, and SSH access to servers on Tailscale can sometimes lead to extra work when requesting and approving on-demand access. Fortunately, Tailscale ACLs already let you manage access to company resources and restrict access with “default deny” rules.

But what if you want to automate Tailscale access requests and approvals so that on-call employees and engineers can get access to sensitive resources where and when they need it? That’s why we’re really excited to partner with ConductorOne, which pulls your Tailscale identities and ACLs into a centralized, automated identity security control center that gives you greater control over who has access to what and — crucially — when.

Tailscale logo connecting to ConductorOne logo

Subscribe for monthly updates

Product updates, blog posts, company news, and more.

Too much email? RSS Twitter