How app connectors work

App connectors are available for all plans.

App connectors let you route your self-hosted applications and software as a service (SaaS) applications through dedicated devices in your Tailscale network (known as a tailnet). An app connector works like a subnet router with the added benefit of routing your users and devices to applications by domain names instead of IP addresses, providing more reliable connectivity.

Additionally, you can use app connectors to accommodate additional needs related to application connectivity, monitoring, optimization, security, and reliability.

Application types

  • Internally hosted resources.
  • Cloud infrastructure or virtual private cloud (VPC).
  • SaaS applications including Amplitude, Confluence, GitHub, Looker, Office 365, Salesforce, and Stripe.
  • Managed platforms such as Mongo Atlas, Amazon RDS, and Planetscale.

Management options and benefits

  • Centrally manage application access for your app connector devices instead of managing access to your applications for each individual device in the tailnet.
  • Monitor activity for new or removed app connectors in your tailnet in the configuration audit logs.
  • Monitor app connector and application traffic using third-party tools.
  • Optionally restrict all application access through the app connector device by configuring IP allowlisting in your application settings. This ensures that only the permitted devices in your tailnet can access the application if they are granted access to the app connector.

Reliability options and benefits

  • Use app connector high availability by adding multiple app connector devices for failover routing to the same application.
  • Use app connector regional routing to optimize traffic geographically.
  • Use app connector subnet routing to automatically manage the failover between multiple routers.

For more information about reliability options for app connectors, refer to Set up high availability.

How it works

Here are some terms and definitions for understanding how app connectors work.

  • App connector: The general overall term for the feature, as well as the admin console settings that let you add and remove app connectors in your tailnet.
  • App connector device: The Linux device in your tailnet designated for routing traffic to your application.
  • Application: The self-hosted, cloud-based, or SaaS application to which the app connector device routes tailnet traffic.

Here's how you set up an app connector. For more information, refer to Set up an app connector in your tailnet.

  1. Configure your tailnet policy file to define device permissions for the app connector in your tailnet, including tags.
  2. Assign devices in your tailnet with the tag you configured to permit access to the app connector.
  3. Configure a Linux device on your tailnet to act as the designated app connector that will route the traffic to the application. This device must have a public IP address, and IP forwarding must be enabled.
  4. Configure the app connector in the admin console to specify the tag and the domain names for the applications.
  5. Configure the application to manage additional access and security needs, including optional IP allowlisting to only permit requests from the app connector device IP addresses.

Here's how app connectors work at a high level, assuming access control policy only lets a specific group of users and devices in your tailnet access the application by way of the app connector.

  1. A device with the designated tagging accesses an application.
  2. The request is passed to the device designated as the app connector.
  3. The app connector routes the traffic to the application by egressing to the IP addresses advertised by the application domains.
  4. (Optional) The application verifies that the request is coming from the app connector's public IP address.
  5. Traffic from the application is routed back through the app connector and then passed along to the user device in the tailnet.
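
The optional check in step 4, seen from the application side, as an added example that is not part of the Tailscale documentation: it scans an access log for requests whose source is not an app connector egress address, which is what appears when users reach the application without going through the tailnet. The log format, addresses and user names are constructed for illustration.

```python
import ipaddress

# Assumed public egress addresses of the app connector devices
# (documentation ranges, not real hosts).
CONNECTOR_EGRESS = ["203.0.113.10", "203.0.113.11", "2001:db8::10"]

# Constructed access-log lines: "<timestamp> <source-ip> <user> <path>"
SAMPLE_LOG = """\
2025-06-05T10:00:01Z 203.0.113.10 alice /dashboard
2025-06-05T10:00:07Z ::ffff:203.0.113.11 bob /reports
2025-06-05T10:01:12Z 198.51.100.77 carol /dashboard
2025-06-05T10:02:30Z 2001:db8::10 alice /export
2025-06-05T10:03:02Z 2001:db8::beef carol /export
2025-06-05T10:03:40Z not-an-ip dave /login
"""

def normalize(addr):
    """Parse an address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d),
    which dual-stack servers often write for IPv4 clients."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def audit_sources(log_text, connector_ips):
    """Return (bypass, malformed): requests from non-connector sources
    as (user, source) pairs, and lines that could not be parsed."""
    allowed = {normalize(a) for a in connector_ips}
    bypass, malformed = [], []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            malformed.append(line)
            continue
        try:
            src = normalize(fields[1])
        except ValueError:
            malformed.append(line)   # keep for review, do not silently drop
            continue
        if src not in allowed:
            bypass.append((fields[2], str(src)))
    return bypass, malformed

if __name__ == "__main__":
    hits, bad = audit_sources(SAMPLE_LOG, CONNECTOR_EGRESS)
    for user, src in hits:
        print(f"not via app connector: user={user} source={src}")
    print(f"{len(bad)} unparseable line(s)")
```

Any entry in the first list means IP allowlisting is either not configured in the application or does not include every connector device.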

Considerations

  • If a user is not connected to the tailnet, they will still have access to the application unless IP allowlisting is configured in the application settings. If you set up IP allowlisting, you can also enforce system policy settings such as AlwaysOn.Enabled to ensure that devices are always connected to the tailnet.
  • If a user disables the accept routes option on their Tailscale client, their device will not route through the app connectors. You can use the UseTailscaleSubnets system policy to prevent users from disabling this setting.
  • Linux devices on a tailnet do not accept routes by default. Make sure to use the Tailscale CLI command tailscale set --accept-routes=true on all the Linux devices that require access to the app connectors, if not previously set.
  • When manually configuring an application, the provider often uses multiple domains. You must add all of these domains to your app connector configuration. Refer to the GitHub V2Fly project for a curated list of known applications and the corresponding domains for each one.
  • Multiple app connector devices for a single app connector are recommended for optimal performance and reliability.
  • If an app connector becomes unavailable while in use, and no other app connectors are available, resolution to the domain will begin to fail until the app connector is back online.
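
An added example (not from the Tailscale documentation) of checking observed hostnames against the domains configured on an app connector, to find provider domains that were left out of the configuration. The hostnames are constructed, and the wildcard rule used here (*.example.com covers subdomains but not example.com itself) is an assumption of the example.

```python
from collections import Counter

# Assumed app connector domain list for one application.
CONFIGURED = ["example.com", "*.example.com"]

# Constructed hostnames, e.g. taken from DNS or proxy logs while using the app.
OBSERVED = [
    "example.com",
    "API.Example.com.",          # mixed case and trailing root dot
    "login.eu.example.com",
    "notexample.com",            # shares a suffix but is a different domain
    "assets.example-cdn.net",
    "assets.example-cdn.net",
]

def canon(host):
    """Lower-case and drop the trailing root dot so comparisons are stable."""
    return host.strip().lower().rstrip(".")

def is_covered(host, configured):
    """True if host matches an exact entry or a '*.' wildcard entry."""
    host = canon(host)
    for entry in map(canon, configured):
        if entry.startswith("*."):
            suffix = entry[1:]               # ".example.com"
            # Assumption: a wildcard covers subdomains only, not the apex.
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == entry:
            return True
    return False

def uncovered(observed, configured):
    """Count observed hostnames that no configured domain covers."""
    return dict(Counter(canon(h) for h in observed
                        if not is_covered(h, configured)))

if __name__ == "__main__":
    for host, count in sorted(uncovered(OBSERVED, CONFIGURED).items()):
        print(f"not routed via app connector: {host} ({count} lookups)")
```

Hostnames reported here are not routed through the app connector, so requests to them do not originate from the app connector's IP addresses.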

Last updated Jun 5, 2025