What is a tailnet?
A Tailscale network (known as a tailnet) is a secure, interconnected collection of users, devices, and resources. Your tailnet is your private space, inaccessible from the public internet. It's akin to a secure conference room where only invited participants can enter. It forms the foundation of Tailscale's approach to networking, providing a flexible yet controlled space for device connectivity, resource sharing, and collaboration across the internet.
Tailscale creates a tailnet when you first log into Tailscale on any device, be it a phone, personal computer, or virtual machine (VM). Each time you (or another user in your organization) authenticate a device with Tailscale, it adds that device to the tailnet. You can authenticate devices using a Tailscale account (for users) or a tag (for service-based devices).
Each tailnet is identified by a tailnet name and an organization name. The tailnet name, provided by Tailscale, is used for features like MagicDNS, HTTPS, and sharing without revealing your organization's identity. You can choose between a default tailnet name (for example, tailfe8c.ts.net) or a personalized tailnet name (such as yak-bebop.ts.net). You can view and manage your tailnet name on the DNS page of the admin console. The organization name, on the other hand, is based on your corporate domain, email address, or GitHub username and is used for the Tailscale API. You can view your organization name from the General settings page of the admin console. However, you can't change your organization name.
Each device in your tailnet receives a private Tailscale IP address within the CGNAT (Carrier-Grade Network Address Translation) range. Tailscale IP addresses facilitate direct communication between all your devices, regardless of physical location. It's like having your own personal, secure internet that spans wherever your devices are located.
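Because Tailscale IP addresses fall in the CGNAT range, a service's connection log can be audited for peers that arrived from outside it. The following is an added example, not Tailscale's code: the log format, sample addresses, and function names are constructed for illustration, and the IPv6 prefix is Tailscale's own range, which this page does not mention.

```python
import ipaddress
import re

# 100.64.0.0/10 is the CGNAT shared address space (RFC 6598) named on the page.
# fd7a:115c:a1e0::/48 is Tailscale's IPv6 prefix; it is not mentioned on the page.
TAILNET_RANGES = [ipaddress.ip_network(n) for n in ("100.64.0.0/10", "fd7a:115c:a1e0::/48")]
LAN_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(addr):
    """Return 'tailnet', 'loopback', 'lan', 'external' or 'invalid' for an address string."""
    try:
        ip = ipaddress.ip_address(addr.strip("[]"))
    except ValueError:
        return "invalid"
    # Dual-stack listeners log IPv4 peers as ::ffff:a.b.c.d; unwrap before matching.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in TAILNET_RANGES):
        return "tailnet"
    if any(ip in net for net in LAN_RANGES):
        return "lan"
    return "external"


def non_tailnet_sources(lines):
    """Return (line_number, address, class) for peers that did not arrive over the tailnet."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = re.search(r"\bsrc=(\S+)", line)
        if not match:
            continue
        kind = classify(match.group(1))
        if kind not in ("tailnet", "loopback"):
            findings.append((number, match.group(1), kind))
    return findings


# Constructed sample log; the line format is hypothetical.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z accept src=100.101.102.103 port=8443",
    "2024-05-01T10:00:02Z accept src=192.168.1.20 port=8443",
    "2024-05-01T10:00:03Z accept src=203.0.113.7 port=8443",
    "2024-05-01T10:00:04Z accept src=fd7a:115c:a1e0::1234 port=8443",
    "2024-05-01T10:00:05Z accept src=100.128.0.1 port=8443",  # just past the /10 boundary
    "2024-05-01T10:00:06Z accept src=::ffff:100.64.0.9 port=8443",
]
```

An address inside 100.64.0.0/10 only shows that the peer used the shared address space, which carriers also use, so treat this as a coarse audit signal alongside access control policies rather than as proof of tailnet membership.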
Some pricing plans extend the functionality of tailnets, allowing businesses and organizations to accommodate numerous devices and users, integrating seamlessly with various identity providers such as Microsoft Entra ID, Google Workspace, GitHub organizations, or Okta tenancies. These integrations streamline user access and resource management based on existing organizational structures.
Management
You (or another user with the correct permission) can view and manage tailnet settings through the admin console. The admin console lists all devices and users within the tailnet and provides access to tailnet-wide settings and configurations. Some settings include access control policies, DNS settings, and authentication settings.
You can also manage your tailnet in other ways. For example, you can:
- Add entire subnets to your tailnet with subnet routers.
- Route traffic with exit nodes.
- Route and manage application-specific traffic with app connectors.
- Set up high availability features.
- Configure network and application based access policies using grants.
- Control how traffic routes through your tailnet using via.
- Increase security with features like tailnet lock.
- Manage logging, streaming, and events.
Tailnets also support sharing features. You can invite users to your tailnet or share specific devices with them. Sharing and invites let you securely share internal services with other Tailscale users, including those outside your organization (such as contractors). Individuals can also share resources like a personal Minecraft server with friends while maintaining network security. You can create access control policies to manage what an invited user can do in your tailnet.
In addition to sharing and invites, you can leverage features like Tailscale Serve and Tailscale Funnel to temporarily share access to specific services running on a device in your tailnet.