WireGuard is a registered trademark of Jason A. Donenfeld.
© 2024 Tailscale Inc. All rights reserved. Tailscale is a registered trademark of Tailscale Inc.

Secure Remote Access to Development and Production Environments using Tailscale

Modern development teams need secure remote access to development and production environments and resources such as databases, servers, devices, VMs, containers, internal applications, and more to do their job effectively.

Written By
Chris Voisey

Whether you’re a small startup or a Fortune 100 company, managing development, production, and infrastructure environments can be overwhelming. Modern development teams need secure remote access to databases, servers, devices, VMs, containers, internal applications, and more to do their job effectively. And operational functions such as IT and Security need ways to manage who has access to these environments and infrastructures quickly and securely. What makes things even more complex is that the needs of your development environment are entirely different from the needs of your production environment. Let’s examine each separately and then explore how Tailscale fits in.

Local, Cloud, IDE, and Ephemeral Development Environments

When developers start a project that involves local, Cloud (e.g. AWS/DigitalOcean), IDE (e.g. Codespaces), and ephemeral development environments, they often need to access various servers, databases, containers, applications, code bases, etc., and those things can be located anywhere in your infrastructure — including public cloud providers like AWS or GCP, on-premises, or even on another developer’s laptop.

With developers working from anywhere in the world on a variety of devices running different operating systems, the challenges of modern development go far beyond simply managing secure remote access to these resources. Organizations also have to consider the very real possibility of data leakage; i.e., publicly exposed data.

Developers often follow the path of least resistance, so companies need to find secure ways to let developers connect to resources and environments without creating unnecessary friction or administrative overhead. In the past, remote access has been accomplished by creating a VPN, opening ports & exposing IP addresses, and setting up a firewall and access control mechanisms to prevent unauthorized access. Tailscale handles all of these things in a secure and scalable way, so it’s a huge quality-of-life improvement for these teams because companies no longer need to open ports, expose IP addresses, set up firewalls/WAFs, or control access in some archaic way. Whether a developer is on a personal Android phone or a work-issued MacBook, it all just has to work and it has to be secure by default. That’s why Tailscale integrates with your trusted identity provider, encrypts connections end to end, denies access unless explicitly granted, and leverages user & group provisioning to manage user onboarding and offboarding automatically.

Developers need more flexible infrastructure to test and experiment with new features and functionality in development environments. Companies use various solutions such as containerization, microservices architecture, and cloud-based infrastructure to address these complexities (all of which can be integrated with Tailscale):

  • Containerization enables developers to build and deploy applications quickly and efficiently. Developers can access containers via Tailscale SSH from a mobile device and across operating systems, without having to figure out how to get a private SSH key onto that device.
  • Microservices architecture allows developers to create small, independent services that can be easily maintained. Microservices can be deployed anywhere from local machines, on-demand resources, or even cloud-based infrastructure — and Tailscale can connect them all.

Let’s use the example of three microservices, one for an API that manages customer data, another that manages your product database, and a third that takes care of payment processing. Each of these could be deployed on completely different infrastructures or cloud providers. They could even be hosted through a trusted connection of a third-party vendor. While this is a simple example, it is a realistic scenario that plays out all the time. The complexity most companies have is being able to secure all of them and have the confidence that you do not have data leakage.

  • Cloud-based infrastructure provides a flexible and scalable platform that can adapt quickly to changing developer needs. But what happens when organizations have multiple servers or virtual private clouds (VPCs) across several providers? This is particularly important when customer data or sensitive information is stored in those environments, and if that’s the case, you can deploy Tailscale for encrypted site-to-site networking — enabling any of these solutions to securely talk to each other without added complexity.

The challenge is clear: how do you give developers the flexibility they need, while tying it all together in a secure, centralized, platform-agnostic, and scalable way?

Teams across Bamboo Health now rely on Tailscale for secure remote access to development environments. Their cloud and development teams use Tailscale to access VMs and VPCs on AWS securely, and developers doing local development on their workstations can connect directly to databases and other services.

In another example, Duolingo is using Tailscale and Codespaces for remote development. Their team of 100+ engineers codes on a website (Codespaces) rather than locally on a computer, which Tailscale helps facilitate.

Production Environments

Production environments, which organizations rely on to deliver their services and products to customers, require more stable infrastructures to handle large traffic volumes and ensure uninterrupted operations. Additionally, access controls are essential to enhance security and minimize disruptions or downtime caused by unauthorized access or malicious activities.

In modern production environments, organizations often utilize a combination of different components. These components can include fixed on-premises hardware, scalable cloud services, and external service providers. The integration of these diverse elements presents a challenge in terms of managing and securing the infrastructure effectively.

One challenge is staying up to date with the best practices for storing data securely. With the increasing amount of data generated and processed in production environments, organizations must ensure that data is stored and managed in a manner that adheres to the highest security standards. This involves implementing robust data encryption, access controls, and regular backups to safeguard against data breaches or loss.

Another challenge is delivering services to developers from anywhere, even when working in less secure or unreliable network environments, such as sketchy hotel Wi-Fi. It becomes crucial to establish secure remote access mechanisms and adopt technologies that enable developers to securely connect to the production environment and carry out their tasks without compromising the overall system’s security.

Overall, the challenge lies in striking a balance between maintaining a stable infrastructure capable of handling high traffic volume and implementing robust security measures to protect against potential threats and disruptions. Organizations must continuously evaluate and adopt the best and most secure approaches to manage data, deliver services, and provide secure access to developers, irrespective of their location or the network conditions they are operating in.

Access control is essential when giving developers access to production servers or databases in different environments such as AWS and GCP. The challenge also increases when users need to access these resources from remote locations or personal devices.

Tailscale access control lists (ACLs) let you define rules for granting or denying access to specific resources based on factors such as user, group, device tag, and network location. ACLs let you restrict access to resources to only those who need them, and provide an additional layer of security so IT teams can ensure that users can securely access production resources.

Requesting and approving on-demand access can lead to extra work when on-call employees and engineers need instant access to production nodes, databases, and SSH access to servers on Tailscale. Services like ConductorOne (among others) integrate with Tailscale and can dynamically update ACLs to add/revoke access to resources like Prod when people are on-call or need emergency access.
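The default-deny, group-based rules and the on-call grant/revoke flow described above, modelled in a short added example (not Tailscale's code and not part of the original article). The policy follows the `groups`/`acls` layout of a Tailscale policy file; the users, tags and ports are constructed, and the matcher is a simplification that handles only users, groups, tags, `*` and port lists or ranges.

```python
# Added example: simplified default-deny evaluation of a Tailscale-style policy.
# Users, groups, tags and ports are constructed; this is not Tailscale's evaluator.
POLICY = {
    "groups": {
        "group:dev": ["alice@example.com", "bob@example.com"],
        "group:oncall": ["bob@example.com"],
    },
    "acls": [
        # Developers reach dev machines on any port.
        {"action": "accept", "src": ["group:dev"], "dst": ["tag:dev:*"]},
        # Only the on-call group reaches production SSH and Postgres.
        {"action": "accept", "src": ["group:oncall"], "dst": ["tag:prod:22,5432"]},
    ],
}

def _src_matches(policy, src, user):
    return src == "*" or src == user or user in policy["groups"].get(src, [])

def _port_matches(spec, port):
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if part == "*" or int(lo) <= port <= int(hi or lo):
            return True
    return False

def allowed(policy, user, tag, port):
    """Default deny: True only if some accept rule matches user, tag and port."""
    for rule in policy["acls"]:
        if rule["action"] != "accept":
            continue
        if not any(_src_matches(policy, s, user) for s in rule["src"]):
            continue
        for dst in rule["dst"]:
            target, _, ports = dst.rpartition(":")
            if target in ("*", tag) and _port_matches(ports, port):
                return True
    return False

def broad_rules(policy):
    """Flag rules that undo least privilege: any source, or any host on any port."""
    return [r for r in policy["acls"] if "*" in r["src"] or "*:*" in r["dst"]]

def revoke(policy, group, user):
    """Return a copy of the policy with user removed from group (on-call shift ends)."""
    groups = {g: [u for u in m if not (g == group and u == user)]
              for g, m in policy["groups"].items()}
    return {**policy, "groups": groups}
```

Running `broad_rules` over a policy before it is applied catches an allow-all rule such as `"src": ["*"], "dst": ["*:*"]`, which would let every user reach production.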

Mercari, a Japanese e-commerce company, now uses Tailscale to connect its globally distributed workforce to the company’s resources securely and efficiently — regardless of location or device type. Tailscale’s ease of use and compatibility with existing tools made it a natural fit for Mercari’s production environment.

Going Beyond Secure Remote Access For Development and Production Environments

Tailscale, which is built on Zero Trust principles, helps organizations meet their regulatory and compliance requirements by focusing on simplicity, security, integrations, and remote access. This means that companies of all sizes can add sophisticated security capabilities and access controls — to ensure that every connection is authenticated, traffic is end-to-end encrypted, and nodes can only be reached by approved users.

Simplicity

Tailscale runs everywhere, which means employees just need to log in with a company email address to join your network. Tailscale handles complex networking and traffic/DNS routing so you don’t have to. For an in-depth look at the technical how-to behind this, see our blog post on NAT Traversal.

Security

Tailscale provides a highly secure network, built on WireGuard, that only gives users access to the things they should have access to, and enhances security by reducing or eliminating man-in-the-middle and common attack vectors. Tailscale relies on your existing identity provider to authenticate users and automatically uses authentication settings like MFA. Access to your Tailscale network is default-deny and has to be explicitly granted, so lateral attacks are unlikely. Additionally, traffic is end-to-end encrypted.

Integrations

When it comes to integrating with Tailscale, you have the flexibility to connect and collaborate with various components and tools that are integral to your team’s workflow. Tailscale offers a reliable and secure platform that allows you to seamlessly integrate the stack your team trusts with both production and development environments. Here are a few examples of how you can expand on the integrations with Tailscale:

  1. Cloud services like AWS/GCP: Tailscale enables you to establish secure connections between your cloud infrastructure and your team’s devices or networks. Integrating with Tailscale allows you to securely access and manage resources hosted on platforms such as Amazon Web Services (AWS) or Google Cloud Platform (GCP). This integration allows your team to work efficiently on cloud-based projects, ensuring data confidentiality and reducing the risk of unauthorized access.
  2. Remote development environments like Coder & CodeSandbox: Tailscale facilitates secure connectivity to remote development environments like Coder and CodeSandbox. By leveraging Tailscale’s network, your team members can collaborate effectively on coding projects without being physically co-located. Tailscale’s encryption and access control mechanisms ensure that the connection to these remote development environments is secure, regardless of the network they are accessing.
  3. Infrastructure tools/services like Terraform and Pulumi: Tailscale can integrate seamlessly with popular infrastructure tools and services like Terraform and Pulumi. These tools allow you to define and manage infrastructure as code, and by integrating them with Tailscale, you can securely communicate and deploy changes to your infrastructure. Tailscale provides a secure overlay network that ensures the confidentiality and integrity of the communication between your infrastructure management tools and the target infrastructure, reducing the risk of unauthorized access or data interception.
  4. Kubernetes: You can utilize Tailscale to establish secure connections within Kubernetes clusters and between different clusters. By integrating Tailscale into your Kubernetes infrastructure, you can securely communicate between pods, nodes, and services within the cluster and establish secure connections between multiple clusters. Tailscale’s encryption and authentication mechanisms help safeguard the communication channels, ensuring only authorized entities can access and interact with your Kubernetes infrastructure.

These examples demonstrate the versatility and power of integrating with Tailscale. By leveraging Tailscale’s secure network connectivity, you can enhance collaboration, streamline development workflows, and ensure the confidentiality and integrity of your data and infrastructure across various components and tools.

To learn more, go to the Tailscale integrations page.

Get Started For Free

Tailscale is a secure and easy-to-use solution that enables teams to access the systems and environments they rely on, including development and production environments, servers, databases, and other infrastructure. With Tailscale, organizations can create a private network spanning multiple environments that allows their users to access infrastructure securely and seamlessly.

Built to work with various systems and environments, Tailscale supports Linux, macOS, Microsoft Windows, Android, Synology, and Apple iOS. This makes it a flexible tool for teams across different platforms and operating systems.

Getting started with Tailscale is free and takes just a few minutes. Try it now.
