
Deployment checklist

There are a number of topics to consider for a successful and scalable Tailscale deployment beyond configuration of individual devices and access controls. This topic details some of the less obvious, but still important, concerns for using and deploying Tailscale at scale. You can use this topic as your Tailscale deployment checklist.

Support

  • Internal support—provide documentation to your users on how to get internal support within your organization. Refer to end-user client configuration for ways to customize the Tailscale client to help with this.
  • Tailscale support—document in your internal documentation how and when to contact Tailscale support. Include the relevant departments (for example, the IT help desk or production operations teams) and instruct them to ask end-users to generate a bug report when reporting issues internally and to share the bug report identifier when contacting Tailscale support.

Stay up-to-date on Tailscale news

  • Subscribe to the Tailscale newsletter and blog to stay up-to-date on general Tailscale news. Use email addresses that go to a group of users rather than a single individual.
  • Subscribe to the Tailscale changelog RSS feed to stay up-to-date on client and service changes.
  • Subscribe to the Tailscale security bulletins RSS feed to stay up-to-date on security notifications.

Organization notifications

  • Set contact preferences to receive email notifications regarding account, configuration, and security updates. Use email addresses that go to a group of users rather than a single individual.

Production best practices

Tailnet management

The following sections detail how to manage your Tailscale network (known as a tailnet) at scale.

General settings

  • Configure tailnet, user management, and device management settings per your organization's needs and security policies.
  • Manage your tailnet settings (such as device approval and key duration, DNS settings, log streaming and posture integrations, and more) with infrastructure-as-code and GitOps to have an audit trail of changes to Tailscale access controls and configuration in your version control system with peer review of changes.

Tailnet policy file management

  • Manage your tailnet policy file (which includes ACLs, tags, and other settings) with infrastructure-as-code and GitOps. This provides an audit trail of changes to Tailscale access controls and configuration in your version control system with peer review of changes.
  • Review common patterns for tag names and implement consistent tags that represent access patterns and network segments for your devices.

User management

The following sections detail how to manage users in your tailnet at scale, including user provisioning, role assignments, and authentication requirements.

User and group provisioning

Tailscale-specific roles

  • Transfer organization ownership to an appropriate team member. Often, the person who created the tailnet is not the right long-term owner.
  • Assign appropriate Tailscale-specific roles to team members based on their job function and responsibilities. Network admin, IT admin, and billing admin are common roles to assign.

Device management

EDR and MDM integrations

End-user client configuration

  • Deploy Tailscale client applications to end-users using a mobile device management (MDM) solution.
  • Enable automatic client updates for end-user devices to ensure employee devices stay up-to-date.
  • Configure end-user client applications using system policies through your MDM solution. Review the full list of system policies to determine which options are important to your organization. Some common system policies include:
    • Force client behavior end-users will depend on:
    • Hide unused capabilities in the client menu such as:
    • Provide information for how to get support from Tailscale administrators or your IT team:
      • ManagedByCaption to specify a caption to be displayed in the Managed By view.
      • ManagedByOrganizationName to specify the name of the organization managing Tailscale, for instance "XYZ Corp IT."
      • ManagedByURL to specify a URL pointing to a help desk webpage or Slack channel.

Server configuration

  • Automate server deployments using infrastructure-as-code to provision devices in a repeatable manner less susceptible to human error.

Monitoring

Client metrics

  • Collect client metrics for use with your monitoring system from your subnet routers, exit nodes, app connectors, and other important devices.

Monitor tailnet changes

  • Configure webhooks to send important notifications to your central monitoring and alerting system—for example, your monitoring service or Slack. In particular, we recommend notifications for the following event types:
    • Device misconfiguration: exitNodeIPForwardingNotEnabled
    • Device misconfiguration: subnetIPForwardingNotEnabled
    • Tailnet management: nodeNeedsApproval
    • Tailnet management: userNeedsApproval
    • Tailnet management: userRoleUpdated
    • Webhook management: webhookUpdated
    • Webhook management: webhookDeleted
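As an added example (not from Tailscale's documentation or code): a receiver-side check for those webhook deliveries that verifies the signature before acting on anything and keeps only the seven event types listed above. The header format (`t=<unix ts>,v1=<hex HMAC-SHA256 over "<ts>.<body>">`), the header name, and the body being a JSON array of events with a `type` field are assumptions taken from Tailscale's webhook documentation, not from this page.

```python
import hashlib
import hmac
import json

# Event types this page recommends forwarding to the alerting system.
ALERT_EVENT_TYPES = {
    "exitNodeIPForwardingNotEnabled", "subnetIPForwardingNotEnabled",
    "nodeNeedsApproval", "userNeedsApproval", "userRoleUpdated",
    "webhookUpdated", "webhookDeleted",
}

def _mac(secret: str, body: bytes, ts: int) -> str:
    # Assumed (from Tailscale's webhook docs, not this page): HMAC-SHA256 over "<ts>.<body>".
    return hmac.new(secret.encode(), f"{ts}.".encode() + body, hashlib.sha256).hexdigest()

def sign(secret: str, body: bytes, ts: int) -> str:
    """Build a Tailscale-Webhook-Signature value, "t=<unix ts>,v1=<hex mac>" (assumed format)."""
    return f"t={ts},v1={_mac(secret, body, ts)}"

def verify(secret: str, header: str, body: bytes, now: int, tolerance: int = 300) -> bool:
    """Accept a delivery only if the MAC matches and the timestamp is inside the replay window."""
    fields = dict(p.split("=", 1) for p in header.split(",") if "=" in p)
    ts = fields.get("t", "")
    if not ts.isdigit() or abs(now - int(ts)) > tolerance:
        return False
    return hmac.compare_digest(_mac(secret, body, int(ts)), fields.get("v1", ""))

def alerts_from(body: bytes) -> list:
    """Keep only the events whose type is on the recommended list."""
    return [e for e in json.loads(body) if e.get("type") in ALERT_EVENT_TYPES]

# Constructed sample delivery; the last event's type is deliberately not on the list.
SAMPLE_BODY = json.dumps([
    {"type": "subnetIPForwardingNotEnabled", "message": "constructed sample"},
    {"type": "nodeNeedsApproval", "message": "constructed sample"},
    {"type": "nodeCreated", "message": "constructed sample"},
]).encode()
SAMPLE_SECRET = "constructed-secret"  # placeholder for the webhook's real secret
SAMPLE_TS = 1_700_000_000
SAMPLE_HEADER = sign(SAMPLE_SECRET, SAMPLE_BODY, SAMPLE_TS)

if __name__ == "__main__":
    print("signature valid:", verify(SAMPLE_SECRET, SAMPLE_HEADER, SAMPLE_BODY, now=SAMPLE_TS + 5))
    for ev in alerts_from(SAMPLE_BODY):
        print("ALERT", ev["type"], ev["message"])
```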

Log streaming

  • Configure log streaming to stream configuration and network flow logs to your Security Information and Event Management (SIEM) system.

  • Configure data retention of logs in your SIEM per your company's security policies.

  • Configure alerts in your SIEM to notify you of noteworthy events. In particular, we recommend alerts for events related to settings changed through the Tailscale admin console:

    // Other fields omitted for brevity
    {
      "action": "CREATE",
      "origin": "ADMIN_CONSOLE",
      // ...
    },
    {
      "action": "UPDATE",
      "origin": "ADMIN_CONSOLE",
      // ...
    },
    {
      "action": "DELETE",
      "origin": "ADMIN_CONSOLE",
      // ...
    },
    
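Sample detection logic for that SIEM alert, added here and not part of Tailscale's docs: it applies the rule above to a stream of newline-delimited JSON configuration audit records and counts matches per actor. Only the `action` and `origin` fields and their values come from the page; the `actor`, `target` and `eventTime` field names, the non-console origin value and all sample records are constructed for illustration.

```python
import json
from collections import Counter

# From the page: alert on admin-console changes with these actions.
ALERT_ACTIONS = {"CREATE", "UPDATE", "DELETE"}
ALERT_ORIGIN = "ADMIN_CONSOLE"

def console_changes(lines):
    """Return audit records matching the rule, skipping blank or malformed lines."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # one bad line must not stop the rest of the stream
        if rec.get("origin") == ALERT_ORIGIN and rec.get("action") in ALERT_ACTIONS:
            hits.append(rec)
    return hits

def changes_per_actor(hits):
    """Count matched changes per actor so a burst from one login stands out."""
    return Counter(h.get("actor", {}).get("loginName", "<unknown>") for h in hits)

# Constructed sample stream. "actor", "target", "eventTime", the origin
# GITOPS_EXAMPLE and the READ action are assumed values, not from the page.
SAMPLE_LOG = """
{"action": "UPDATE", "origin": "ADMIN_CONSOLE", "eventTime": "2025-03-19T10:00:00Z", "actor": {"loginName": "alice@example.com"}, "target": {"type": "ACL"}}
{"action": "UPDATE", "origin": "GITOPS_EXAMPLE", "eventTime": "2025-03-19T10:01:00Z", "actor": {"loginName": "ci@example.com"}, "target": {"type": "ACL"}}
{"action": "CREATE", "origin": "ADMIN_CONSOLE", "eventTime": "2025-03-19T10:02:00Z", "actor": {"loginName": "alice@example.com"}, "target": {"type": "AUTH_KEY"}}
not json at all
{"action": "DELETE", "origin": "ADMIN_CONSOLE", "eventTime": "2025-03-19T10:03:00Z", "actor": {"loginName": "bob@example.com"}, "target": {"type": "WEBHOOK"}}
{"action": "READ", "origin": "ADMIN_CONSOLE", "eventTime": "2025-03-19T10:04:00Z", "actor": {"loginName": "bob@example.com"}}
""".strip().splitlines()

if __name__ == "__main__":
    hits = console_changes(SAMPLE_LOG)
    for h in hits:
        print("ALERT", h["eventTime"], h["action"], h["actor"]["loginName"], h.get("target"))
    print("per actor:", dict(changes_per_actor(hits)))
```

The GitOps-driven change in the sample is intentionally left out of the alert: the point of the rule is to surface edits made outside the reviewed infrastructure-as-code path.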

Last updated Mar 19, 2025