As a travel site, trivago connects users to great deals on hotel stays by comparing prices for accommodations around the world. They excel at serving customers who demand the best value, but the trivago team was relying on a VPN setup that no longer met their performance and reliability needs.
Arne Claus, Site Reliability Engineer (SRE), and Thomas Khalil, Head of Hybrid Platform & Developer Experience, share how trivago upgraded to Tailscale for secure and reliable connectivity, with hands-off maintenance.
The best value, anywhere
As a hotel metasearch, trivago gives customers an edge by comparing deals from multiple travel sites at once. As Arne explains, “We compare prices from advertisers like Booking.com or Expedia, and we show you a list of options of great hotel deals.”
Founded in 2005 in Germany, trivago is now an international company with over 650 employees working globally. “We're headquartered in Germany, but we have a global span,” he explains. “We’re present in over 60 countries, and we have three different cloud regions.”
Today, trivago supports its international and multi-cultural staff with the flexibility to work from anywhere in the world. That makes effective networking even more crucial for their business. Arne shares, “People can switch back to their home countries and work from there, which means our hybrid workforce could span the globe, eventually.”
Flaky VPNs and painful disconnects
Before Tailscale, trivago used OpenVPN to access internal workloads. Their system was taxed by their need to connect internationally. Arne explains, “We had colleagues who were working in different locations around the world, and they always had to connect from that location to Europe. There were a couple of places where this was not ideal.” When accessing internal workloads hosted outside of Europe, a connection would have to go through Europe, even if the workload was hosted right around the corner. This resulted in slow and unstable connections, especially for team members who worked from the American continent for a long period of time.
He also describes OpenVPN as “sometimes unstable”, especially for international connections and on unreliable Wi-Fi. “If your Wi-Fi connection drops, sometimes you have to restart,” he shares. “It was always a bit painful if you were responding to a page in the middle of the night and the VPN stopped working.”
Besides these issues, trivago's team was burdened by the hassles of certificate management. “Certificates had to be pushed to clients. If the client missed the push, they had to be manually updated, and people were missing the pushes,” he shares.
As these burdens mounted, the COVID-19 pandemic became a catalyst for trivago’s staff to shop for other solutions. Teams began working remotely, and as Arne explains, “Everybody was affected because we have internal tools running on the local network.”
He described the ideal solution they sought as something that “just works.”
Vetting a new path forward
Arne first heard about Tailscale from a fellow staff member, and he explored its capabilities by testing it for personal networking first.
He explains, “I looked into it, and I also had it in my home system. I was like, ‘Hey, that's actually cool. We're not quite happy with our VPN solution, so this might be a better fit.’”
Once he realized Tailscale’s potential, he decided to try it out with a small group of his fellow SREs using a free trial of Tailscale. Their team put the various features through their paces, and when they concluded that it could meet their needs, they used a gradual rollout to transition away from OpenVPN.
“We decided that we wanted to go with Tailscale and then slowly start to decommission the old VPN,” he shares. “We’re migrating to a Zero Trust model, which Tailscale has a specific role in.”
Before this process, his team considered several other solutions, but they each had downsides that Tailscale didn’t. Arne recalls, “Tailscale was the one that ticked all the boxes, and the others always had some problem in some area. We wanted to have WireGuard because other protocols were slower. From both the technical and feature perspectives, Tailscale was the one that worked best.”
Rolling out Tailscale
Now, trivago uses Tailscale for their VPN needs. Arne shares, “We have three different cloud regions, and each region has at least one router node. We use Tailscale to directly access the nodes as if we were in the office. This was very important for us.”
Thomas and Arne both describe the initial rollout as simple, and its continued use has resulted in far less maintenance than their previous solution. “The cognitive load with the Tailscale app is very, very low. It connects quickly. It disconnects quickly. It's as frictionless as I can imagine,” shares Thomas.
Security, visibility, and control
To improve trivago’s security, connections from GitHub Actions to internal CI systems are now all done via Tailscale. “We have GitHub Actions, which connect to specific services through Tailscale. We use ACLs to say, ‘Hey, our CI system is allowed to access our internal charts registry or our Terraform modules, but nothing else,’” shares Arne.
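A tailnet policy file expressing that kind of rule might look like the sketch below. It is an added example, not trivago's configuration: every tag, group, address and port is a hypothetical placeholder. The `tests` block makes the "nothing else" part enforceable, because a policy change that widens the CI runner's reach fails the test and is rejected when saved.

```json
// Constructed tailnet policy file (HuJSON, so comments are allowed).
// All tags, groups, e-mail addresses and ports are hypothetical placeholders.
{
  "groups": {
    "group:platform": ["sre@example.com"]
  },

  // A tag needs an owner before a node or auth key can be assigned it.
  "tagOwners": {
    "tag:ci":                ["group:platform"],
    "tag:charts-registry":   ["group:platform"],
    "tag:terraform-modules": ["group:platform"],
    "tag:internal-db":       ["group:platform"]
  },

  // ACLs are default-deny: traffic not matched by an accept rule is dropped.
  // The CI runners get exactly two destinations, on HTTPS only.
  "acls": [
    {
      "action": "accept",
      "src":    ["tag:ci"],
      "dst":    ["tag:charts-registry:443", "tag:terraform-modules:443"]
    }
  ],

  // Policy tests run whenever the file is saved; a failing test blocks the save.
  // The deny list pins down what CI must never reach, including other
  // ports on the hosts it is allowed to talk to.
  "tests": [
    {
      "src":    "tag:ci",
      "accept": ["tag:charts-registry:443", "tag:terraform-modules:443"],
      "deny":   ["tag:internal-db:5432", "tag:charts-registry:22"]
    }
  ]
}
```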
Tailscale SSH also helps trivago’s team securely access nodes without the hassle of additional management. This feature automatically generates, rotates, and distributes auth keys without manual intervention.
Arne explains, “We use Tailscale SSH for the data center nodes. If you want to SSH into a node, you don't need to tell someone, ‘Hey, provision my key.’ You just go with your auth, if you're allowed to do that.”
Currently, trivago uses a “two-tiered” security model. Tailscale helps them isolate specific systems, and CrowdStrike’s Falcon Zero Trust Risk Score determines who is trusted enough to access them. “If your score is below a certain level, you're not allowed in,” states Arne.
Finally, Tailscale’s audit logs have also provided unprecedented visibility into trivago’s systems, increasing their control over who is on their network.
Thomas explains, “Another thing we're going to do soon is put the Tailscale audit logs into our SIEM solution. That was something that we didn't have previously—the ability to have some visibility over who's connecting to what and when.”
Networking that just works
Since adopting Tailscale, trivago’s staff have enjoyed a networking solution that “just works,” with less latency and more simplicity. “The hands-off experience is pretty good because I remember that I didn't work on the Tailscale stuff for about a year, and it just continued to work,” Arne shares. This convenience eliminates the maintenance burden that trivago’s staff suffered with their previous solution.
Thomas also appreciates the improvement in speed, lack of dropped connections, and consistency in Tailscale’s performance. These benefits impacted trivago’s staff as a whole, providing a better user experience and increasing productivity.
“We heard a lot of people say, ‘Wow! You can notice the difference in the latency,’ or ‘It feels so much smoother. It doesn't drop out as much.’ They say, ‘It connects quickly’ or ‘I don't have to restart my machine six times a day,’” shares Thomas.
Switching to Tailscale put an end to trivago’s chronic VPN maintenance and introduced them to networking that supports their business goals—instead of slowing teams down.
“You don't have to do much,” shares Arne. “I mean, I click a button and I can use it. And this is amazing. I don't know if there's any other VPN solution that is so easy to use.”
Thomas adds, “I think the key thing that stands out for me is the simplicity. It's simple to configure. It's simple to use, and the feedback that we get is that there's no cognitive load. There's no guesswork. It just does what it says on the tin.”
Refusal to settle
Exploring alternatives led trivago to networking that is convenient, secure, and more reliable than they imagined.
