Ephemeral nodes make it easier to connect and then clean up short-lived devices such as containers, cloud functions, or CI/CD systems that spin up and spin down on a regular basis.
By default, when you add a new device to your Tailscale network, it appears in your admin console and in Tailscale client apps. However, short-lived devices can quickly generate hundreds of duplicates and make your network messy and difficult to navigate.
Ephemeral nodes differ from regular nodes in a few ways:
- They are auto-removed from your network after a short period of inactivity. The next time an ephemeral node is created, it will have a new IP address.
- They are only assigned a private IPv6 Tailscale address, rather than a usual 100.x.y.z address.
- They can only be created using ephemeral auth keys, not through the regular authentication flow.
You can identify ephemeral nodes in your admin console by looking for an “ephemeral” tag underneath the device name.
Authenticating an ephemeral node
Step 1: Generate an ephemeral auth key
To create an ephemeral node, you’ll first need to generate an ephemeral auth key from the auth keys page of the admin console.
Step 2: Configure your infrastructure to use the key
The simplest way to do this is to update your usual scripts to use the new auth key:
sudo tailscale up --authkey=<your ephemeral key>
Instructions vary by platform. See our guides on settings up common platforms:
- Tailscale on Heroku
- Tailscale on Google Cloud Run
- Tailscale on GitHub Actions
- Tailscale on AWS Lambda
Step 3: Trigger a build
The next time your infrastructure spins up a new device, you should see it appear in your admin console as an ephemeral node! It will be able to connect to your network, and will be auto-removed shortly after going offline.
How long before ephemeral devices are auto-removed?
Ephemeral devices are auto-removed anywhere from 30 minutes to 48 hours after the last activity. This timeframe is subject to change as we learn more about what works best for Tailscale users.