Yugabyte uses Tailscale to quickly and securely connect its support and field teams everywhere

Yugabyte builds a distributed SQL database, YugabyteDB, to power global-scale, cloud-native applications. YugabyteDB helps developers and DevOps teams when they need a Postgres-compatible, horizontally scalable database that is failure-tolerant, able to be deployed in multiple geographically distinct datacenters, and can run in on-prem and cloud environments, even different clouds like Azure and AWS. Many of their customers self-host the database, but Yugabyte also provides a distributed database-as-a-service: Yugabyte Cloud. At Yugabyte, about 30 people in the support and field engineering teams share a “bubble” of simulated customer or other test environments, all of which need to be accessed over Tailscale.

Tailscale cures the DevOps infrastructure blues

Jim Doty, a post sales engineer at Yugabyte, helps with a multitude of customer problems during the course of his daily routine. These include advising on deployment architectures, tuning SQL statements, and working with Yugabyte’s support team on bugs. Yugabyte’s customers are typically companies looking for a cloud-native, distributed SQL database for mission-critical applications. Their customers often push their systems hard, and when something doesn’t work, Jim needs to set up a simulated environment with others to reproduce and debug the issue. Granting secure access between developers and sales engineers to these YugabyteDB environments could be cumbersome — it takes time and coordination to allowlist IPs and firewall rules in a cloud provider’s configurations (which not everyone has access to) and to grant temporary SSH credentials. This leads to a security question: How can Jim’s teammates access each other’s environments securely without futzing with the cloud provider’s configuration every time, for each of these different transient environments?

The frictionless tailscale bubble

Jim calls his solution the Tailscale bubble: a red carpet experience for developers and sales engineers to access a shared environment. Anyone who wants to share an environment only has to install Tailscale on the relevant YugabyteDB nodes, then everyone on the Yugabyte team can access those resources on that Tailnet (Tailscale network).

Tailscale provides a secure VPN with a fast setup thanks to its native package and installation flow for every platform Yugabyte uses.

We love the install flow. Bravo on investing in native packaging everywhere. That’s amazing, and it also shows a high quality of workmanship. Tailscale feels magic.
Jim Doty Advanced Technology Services Engineer

Saving time in field implementations

Setting up a self-hosted VPN solution like OpenVPN takes time and significant administrative overhead, as it requires configuration to distribute credentials. This makes it impractical to set up and tear down for ephemeral environments. Conversely, Tailscale takes care of authentication and authorization; there’s no need for IT support to develop a custom solution. In one typical instance, Yugabyte’s field engineering team used Tailscale to evaluate a test environment that contained a mix of virtualization and hardware in a datacenter that was not easily or quickly incorporated into their corporate network. Without Tailscale, doing this would have required a lot of overhead and busywork for their IT team. With Tailscale, the field engineers were able to provision secure access to this bubble of infrastructure smoothly and painlessly.

But that’s not all Yugabyte does with Tailscale. Performing customer demos has become easy and quick. One engineer can build the environment and another can access it with the stable Tailscale IP, all without exposing it to the wider internet. By moving to Tailscale, Yugabyte’s secure connection issues when testing their customer implementations in the field have disappeared, and have been replaced with a nearly frictionless experience.

Internally, Yugabyte’s most-used feature is the ACLs and ACL tags, with groups for engineering, pre sales, post sales, support, admin, and other teams. By writing ACLs granting specific groups access to certain tags, each group is able to use a subset of the Tailscale network and specific tags for admins.