Based in Louisville, Kentucky, Bamboo Health is a leading technology provider for healthcare organizations, ensuring healthcare professionals have real-time, actionable insights on patients’ physical, behavioral, and social health to deliver better outcomes. Bamboo Health’s network is the largest interoperable care collaboration system in the country, including 25,000 hospitals, thousands of post-acute care and pharmacies, and over two dozen healthcare plans.
Bamboo Health uses a multi-account structure across AWS that separates its product lines along with production and non-production environments. They rely on AWS Workspaces for remote access to their production environments, but to access their non-production environments, they spun up a WireGuard® solution back in 2018.
The Bamboo Health cloud team was the first to use WireGuard, but other teams — including teams comprised of non-technical users — followed suit, and it became Bamboo Health’s de facto tool to remotely access non-production environments.
This WireGuard solution served Bamboo Health well for a time, but once the company grew to about 500 employees — nearly all of them remote — it couldn’t deliver enough efficiency at scale. According to Travis Ackert, Senior Director of Information Security at Bamboo Health, “We fell in love with the WireGuard technology, and we built up a decent-sized WireGuard footprint. But as we were adding more and more people, we needed a better way of managing our network.”
The manual process of onboarding and offboarding employees, especially for non-technical users, became particularly arduous. While challenges with deploying a solution across multiple AWS accounts and VPCs only compounded the problem by straining existing resources. According to Travis: “User administration was our biggest pain point. Having an engineer spend time with end users to help them set up keys on their workstation became more difficult to manually manage, especially as we started to get into non-technical users. For each new person we brought on board — particularly those non-technical users — it took an hour to get them set up.” It’s easy to see why this approach became untenable as Bamboo Health’s teams grew.
Bamboo Health needed a better way to manage its WireGuard implementation for remote access.
In search of a better solution
Bamboo Health began their search for a new VPN solution capable of managing their complicated WireGuard network in a secure, automated, and scalable way. As they researched, evaluated, and tested different options, friends and colleagues of Bamboo Health engineers recommended Tailscale: “The developer community had really good things to say about Tailscale,” says Travis.
Two contenders emerged, but what set Tailscale apart was its simplicity and reliability. “The other product was more complex to get up and working, and they didn’t have the best support,” says Travis. “We’d seen issues with them in the past, but in our demos Tailscale was very reliable and consistent.”
Travis was also impressed with Tailscale’s support and responsiveness: “Tailscale was willing to work with us. We made a feature request for configuration management being handled through Git, and that became available soon after. Plus, the price was right and reasonable for what we were getting. When it came time to pull the trigger, it was really a no-brainer when we took Tailscale to our CTO.
Bamboo Health staggered the rollout to its teams, and used a simple CloudFormation script for deploying their tailnet across every AWS account, even those still running the old setup. The whole process took just a week, and Travis says the incremental transition was quick and easy: “There weren’t any complaints when we rolled it out — just silence. That’s a good sign. Nobody had any issues; they were able to connect to all the resources they needed and just keep doing their jobs.”
Non-technical teams use Tailscale with ease
Teams across Bamboo Health now rely on Tailscale to securely access the company’s non-production environments. Technical teams, such as their cloud and development teams, use Tailscale to access the company’s VMs and VPCs on AWS. With Tailscale, devs doing local development on their workstations can connect directly to databases and other services in their non-production AWS environment.
But even Bamboo Health’s less technical teams, including RevOps, QA, and implementation teams, find it easy to use Tailscale to securely connect to a variety of internal web portals that they use to perform operational tasks, test non-production versions of applications, or do reporting. Travis offers an example: “Our Support team uses Tailscale to access a web portal that we don’t want exposed on the internet. That’s a fairly non-technical group, and we were able to easily get them set up with Tailscale and give them that private access.”
Tailscale locks down security concerns
Misallocation of valuable engineering resources for onboarding users and troubleshooting remote access wasn’t Bamboo Health’s only problem. According to Travis, their old VPN was “a constant nightmare of maintenance issues and security vulnerabilities. It was frequently having to be patched or address security concerns. It was — and still is — a major target for hackers to find a weakness. And it was hard to determine if we were affected by some of the vulnerabilities.”
Travis says that is now a thing of the past: “Tailscale has been very solid. The few times that vulnerabilities in the client were identified, you made it crystal clear on your page which of my client machines were affected and needed to be updated. So it took just a quick broadcast email or a change in our management software to get those folks running on the latest version. That has definitely reduced risk from the security side, when it comes to remote access.”
Bamboo Health also makes heavy use of other Tailscale features. Exit nodes are a simple solution for when they need traffic to appear that it’s coming out of one IP or a single network. This came in handy when they were converting from their old VPN to Tailscale. According to Travis: “We had some things IP allowlisted to that IP, and we were able to move that over to an exit node to recreate the same behavior for the traffic leaving the network.”
They also have plans to further utilize exit nodes when they switch to a remote monitoring and management (RMM) vendor for managing their workstations. “Tailscale will allow us to use the exit nodes to ensure that the people accessing the RMM service are all coming from the same source IP.”
Travis and others at Bamboo Health also appreciate how easy it is to use Tailscale’s access control lists (ACLs) to tag 30-plus subnet routers and manage user groups to enforce least-privileged access to resources: “We can easily add people to a group and control which networks they can get access to. Having a mesh network with so many tailnet routers deployed across our environment and all managed through a single config — that’s the biggest win.” Even better, admins can manage all this from Bamboo Health’s GitHub account, whether it’s the cloud team making security changes, or the security team making changes to their architecture.
Tailscale is powerful, reliable, and simple to use
Tailscale has made life easier for Travis and others at Bamboo Health. “From an end-user perspective, Tailscale’s performance is one of its most powerful features,” says Travis. “We deal with some large data transfers, especially if we’re pulling down Docker images and things like that. Tailscale’s high-bandwidth and low latency mean we’re not constrained like we were with our old VPN.” Likewise, Tailscale’s stability and reliability translate into very little effort by the cloud and security teams to keep the network running with little to no downtime.
More dramatically, the amount of time it takes to onboard new users with Tailscale has been drastically reduced; what used to take an hour, now takes minutes. Travis says, “Literally, we tell them to go to Tailscale’s website, log in, download the client, install it, and login with their Azure AD credentials — and they’re off and running.” Travis estimates that using Tailscale for onboarding saves the company’s engineering resources a few hundred hours a year.
The last word
All this translates into a more efficient and secure work experience for Travis and others at Bamboo Health. “It gives me comfort, especially being on the security team,” Travis says. “Tailscale is thriving by providing better features and better support than anyone else in the market. Tailscale is the next generation of VPNs.”