Join us live on August 26 in San Francisco for TailscaleUpTICKETS ON SALE NOW ->

Use ProxyGroup for high availability proxies

Last validated:

A ProxyGroup manages a StatefulSet of Tailscale proxy replicas. It offers several advantages over the standalone proxy model:

  • High availability: Multiple replicas ensure your services remain accessible even if a proxy pod fails or is rescheduled.
  • Resource consolidation: A single ProxyGroup can handle traffic for multiple Kubernetes Service or Ingress resources, rather than a dedicated proxy per resource.
  • High availability: Multiple replicas ensure your services remain accessible even if a proxy pod fails or is rescheduled.
  • Resource consolidation: A single ProxyGroup can handle traffic for multiple Kubernetes Service or Ingress resources, rather than a dedicated proxy per resource.
  • Scalability: Scale the number of proxy replicas up or down to meet traffic demands.

Types

There are three types of ProxyGroup, each designed for a specific use case:

TypeDescription
ingressExpose Kubernetes workloads to your tailnet.
egressEnable pods in your cluster to connect to devices on your tailnet.
kube-apiserverSecurely access the Kubernetes API server over Tailscale.

Created resources

When you deploy a ProxyGroup, the Tailscale Kubernetes Operator creates:

  • A config and state Secret per replica.
  • A ServiceAccount, Role, and RoleBinding for the ProxyGroup.
  • A StatefulSet running the specified number of proxy pod replicas (defaults to 2).
  • A ConfigMap containing ingress or egress configuration (for ingress and egress types).
  • If static endpoints are configured through a ProxyClass, a NodePort Service per replica for direct connectivity.

How to use

Deploy a ProxyGroup by creating the custom resource with the desired spec.type:

apiVersion: tailscale.com/v1alpha1
kind: ProxyGroup
metadata:
  name: my-proxies
spec:
  type: ingress
  replicas: 2

Then reference it from your Kubernetes Ingress or Service using the tailscale.com/proxy-group annotation:

metadata:
  annotations:
    tailscale.com/proxy-group: my-proxies

For production configuration such as topology spreading, resource limits, and metrics, refer to high availability.

Further exploration

  • Use high availability to configure topology spreading, resource limits, and metrics for production ProxyGroup deployments.
  • Use ProxyClass to customize the configuration that a ProxyGroup applies to its proxy Pods.