How Awesome improved access and user management by 90% with Tailscale

Awesome was established as a parent company to serve its photography-focused brands. With a mission to “build a better world through the power of photography,” Awesome helps photographers store, share, and sell their work. Within the Awesome family, Flickr provides a photo storage service for photographers at large, SmugMug focuses on professional tools and services, and This Week in Photo (TWiP) serves as a hub for the latest in the photography community.

Lee Lazon, a Staff Site Reliability Engineer at SmugMug, was tasked with deploying a hassle-free networking solution–not just for SmugMug, but across the entire Awesome organization. By adopting Tailscale, Lazon’s team implemented an open-source solution with better security, less maintenance, and headache-free onboarding for users.

The road to getting unstuck

When Lee joined years ago, it was already clear that the company needed to upgrade its OpenVPN network.

“We had so many instructions to get someone set up on OpenVPN. People would get stuck, have issues, and need password resets. We’d have to do handholding for initial access to their laptops, and people would get disconnected for weird reasons. It was a nightmare.”

While Lee was already a fan of Tailscale, the team also explored other WireGuard-based solutions. “We have a lot of shared infrastructure between SmugMug and Awesome. When looking, a solution would need to cover the full scope.”

Almost 200 employees work at Awesome and its subsidiaries, so their solution needed to accommodate a large team. The new VPN also needed to integrate seamlessly with AWS, where 100% of Awesome’s infrastructure lives.

“When I joined the company a couple of years ago, they had already started the process of looking at Tailscale or a new VPN solution. I picked that up and ran with it.”

“It would take me five minutes to hop on, install Tailscale, authorize it for our tailnet, and immediately, people have access. We're not messing with network rules. We're not messing with firewall rules. These one-off things were super easy to onboard.”
Lee LazonStaff Site Reliability Engineer

Why Awesome needed a new solution

Before switching to Tailscale, Awesome managed a handful of OpenVPN servers on a network accessible to all accounts–an increasingly unmanageable and insecure setup.

Lee describes the challenges of manually onboarding and offboarding users and maintaining consistent configurations across multiple servers. The OpenVPN setup often granted unnecessary access, violating the security practices of least-privilege access.

They considered a few other WireGuard-based and internal AWS-based solutions, but they appreciated Tailscale’s open-source infrastructure combined with the stability and protection of an established company.

“We love to back companies like Tailscale because that’s who we are as well,” says Lee.

“Our CEO/CTO was also a big proponent of Tailscale and the technology behind it, so we had a lot of key players already on board. Once we built the proof of concept and showed that we could meet the requirements we felt we needed, it was an easy sell.”

Getting Tailscale up and running

Lee started by identifying which teams required access and tested performance, onboarding, offboarding, SSO, and basic ASLs before rolling out a small-scale prototype of their future system.

“Tailscale’s documentation was awesome,” he notes. “Alex’s YouTube videos were a big help–I love those videos, and that’s how I learned.”

Awesome was moving from a traditional VPN solution to Tailscale’s mesh network with direct connections. They started with a default set of ALCs based on what they knew people needed access to. As people requested access to additional resources, they expanded permissions as needed.

“When we looked at the architecture, there were pretty good examples of rolling out Tailscale in AWS. We installed Tailscale on some of our EC2 instances and containers, and then we have subnet routers for everything else.”

Lee explains that it was easy to sketch out the basics before they started looking at additional accounts and specialized access. Tailscale also proved invaluable for quick access to information on unconventional networks.

“It would take me five minutes to hop on, install Tailscale, authorize it for our tailnet, and immediately, people have access. We're not messing with network rules. We're not messing with firewall rules. These one-off things were super easy to onboard.”

Tailscale allowed Awesome’s employees to access shared resources securely and easily, with features their previous OpenVPN solution lacked.

“ACLs are super important,” explains Lee. “It’s something that we didn’t previously have. We basically had you connect to a VPN server, and everyone had access to everything. ACLs allow us to build fine-grained access controls, so our team members don’t have access to unnecessary things that might introduce risk.”

“We’ve had a 90% reduction in time spent on user access and management tasks.”
Lee LazonStaff Site Reliability Engineer

Self-serve onboarding and delighted users

Lee recalls the team’s reaction as the best confirmation of success. “People would schedule meetings to go over setup, and I’d say, ‘This is literally going to take you five minutes. It is so much easier than you can even imagine.’ And the response was always: ‘Wait, that’s it? It works?’ Over and over, that was the feedback from my users. So that alone was my favorite thing.”

The feedback from Lee’s team was overwhelmingly positive. “They’re loving how easy it is to manage Tailscale.” They’ve also converted several members of their team into personal Tailscale users.

Lee estimates, “We’ve had a 90% reduction in time spent on user access and management tasks.”

Where do we go from here?

Looking ahead, Lee’s team plans to use Tailscale for infrastructure-to-infrastructure access, using Tailscale Funnel to give external access for testing, engineering, and development.

“I’m hoping to roll out Tailscale SSH as a bigger concept, not just giving SSH access, but developing a just-in-time model for reducing production access. I’m hoping Tailscale is my key to making that work.”

He also anticipates using Tailscale’s newest features, like Prometheus exporters, to gain better visibility into his network.

“Having a centralized way to get this data is huge for us. We haven’t implemented it, but we will. That’s big and something we really needed,” he explains.

A bigger and better picture

Awesome’s journey from OpenVPN to Tailscale captures the value of smarter networking solutions in scaling organizations. As companies grow, so does their network management burden and need for a mature solution. Tailscale helped Awesome simplify operations, strengthen security, and save time–delighting users along the way.