Stop self-hosting. Get the convenience of managed runners without the security compromises.
Grant each runner the exact access they need without self-hosting.
Powered by WireGuard®. Suited to the sensitive data that CI runners touch.
Uniquely identify your ephemeral nodes, simplifying authentication.
Networking, especially with CI runners, is a headache. Not with Tailscale.
Gain the convenience of managed runners without the limitations.
Runners need stable connections to perform. Tailscale ensures that.
Focus on development, let Tailscale handle networking.
Secure access to managed runners means no more self-hosting.
Tailscale Kubernetes Operator grants access to services without making them public.
Grant least-privilege, just-in-time access to production when needed.
Allow precise segmentation of workloads and temporary runners with Grants.
Minimize attack surface area with no broad network exposure or always-open entry points.
Control access per runner and repo with Grants and Tailscale’s adaptive policy engine.
Tailscale uses ephemeral, identity-aware networking with zero public exposure.
Centralized VPN models expect human logins, so they do not accommodate automation with ephemeral runners. This makes it hard for CI/CD jobs that handle sensitive data to gain access, especially across multi-cloud or on-premises environments. Tailscale removes this error-prone manual management while recording exactly which runner accessed which service.
Tailscale’s single identity-based mesh network removes the drawbacks of traditional hub-and-spoke model VPNs. By assigning runners identities with tags, Tailscale enables granular access control per repo and job.
“One of my favorite things about Tailscale was how fast I could start building out our networks. Provisioning resources manually can be very time-consuming, and the ability to fit into existing IaC workflows made deploying our network infrastructure easy.”
Guillaume Legendre
DevOps Engineer
“Our product teams can give themselves direct SSH access into bastion hosts without a public IP attached to it. That way, they can manage these large fleets of Kubernetes or otherwise container-based hosts that run the cloud products we offer.”
Louis Gardner
Principal Security Infrastructure Engineer
“Because of its simplicity, both in architecture and end user experience, we can solve our acute problems quickly and easily. With Tailscale we don’t have to think about VPNs any more.”
Mike Deeks
Senior Staff Software Engineer
Tailscale uses Zero Trust networking with end-to-end encryption powered by WireGuard. Every runner gets a unique identity, and connections are authenticated individually rather than relying on network perimeter security. Your CI/CD traffic is encrypted point-to-point, and Tailscale cannot (and does not) inspect it. This cloud network security model means your runners stay secure whether they're running in GitHub Actions, GitLab, or your own infrastructure.
Zero Trust means never trusting a connection by default, even inside your network. For CI/CD pipelines, this is critical because runners are often ephemeral and spin up in different environments. Instead of assuming "inside the network equals safe," Tailscale verifies every runner's identity before granting access. You get cloud access control that works across multi-cloud and hybrid cloud environments without managing firewall rules or VPNs.
Yes. Tailscale works with any managed runner service. Install Tailscale in your CI workflow (usually one or two lines), and your ephemeral runners can securely access private resources like databases, staging environments, or production infrastructure. No need to expose services publicly or configure complex VPN setups. It just works with GitHub Actions, GitLab CI, CircleCI, Jenkins, or any CI/CD platform.
Nope. Tailscale uses NAT traversal to establish direct connections between your runners and resources without requiring firewall configuration or port forwarding. Your runners can connect to private services across different clouds, on-premises data centers, or hybrid cloud networking setups without touching network infrastructure. This is especially useful for ephemeral CI runners that need quick, secure access without manual network setup.
Tailscale uses identity-based access control with tags and ACLs (Access Control Lists). Tag your runners by repository, team, or job type, then define granular policies in your tailnet. For example, you can give production deployment runners access to production databases while limiting test runners to staging only. This least-privilege cloud access control works automatically as runners spin up and down, with no manual credential management or network reconfiguration.
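As an added example (not code from this page or from Tailscale's own documentation), here is what the production-versus-staging split described above might look like as a tailnet policy file in HuJSON. The tag names (`tag:ci-prod`, `tag:ci-test`, `tag:prod-db`, `tag:staging-db`), the database port and the admin group are assumed placeholders; the `tagOwners`, `grants` and `tests` sections use Tailscale's documented policy-file syntax. Runners would join the tailnet carrying one of the `tag:ci-*` tags (for example via an OAuth client scoped to that tag), and the `tests` block is evaluated whenever the policy is saved, so an edit that let a test runner reach the production database would be rejected before it took effect.

```jsonc
{
  // Who may assign each tag. Only admins can mint runner identities,
  // so a compromised test runner cannot promote itself to tag:ci-prod.
  // (All tag names below are assumed placeholders.)
  "tagOwners": {
    "tag:ci-prod":   ["autogroup:admin"],
    "tag:ci-test":   ["autogroup:admin"],
    "tag:prod-db":   ["autogroup:admin"],
    "tag:staging-db": ["autogroup:admin"],
  },

  // Least-privilege grants: each runner class reaches exactly one
  // database tier on exactly one port. Nothing else is reachable.
  "grants": [
    {
      "src": ["tag:ci-prod"],
      "dst": ["tag:prod-db"],
      "ip":  ["tcp:5432"],
    },
    {
      "src": ["tag:ci-test"],
      "dst": ["tag:staging-db"],
      "ip":  ["tcp:5432"],
    },
  ],

  // Policy tests: saving the file fails if these expectations break,
  // which guards against a future edit widening test-runner access.
  "tests": [
    {
      "src":    "tag:ci-test",
      "accept": ["tag:staging-db:5432"],
      "deny":   ["tag:prod-db:5432"],
    },
    {
      "src":    "tag:ci-prod",
      "accept": ["tag:prod-db:5432"],
      "deny":   ["tag:staging-db:5432"],
    },
  ],
}
```

Because the policy keys on tags rather than IP addresses, it needs no change when runners are created or destroyed: a new ephemeral node that joins with `tag:ci-test` inherits the staging-only grant immediately, and the deny assertions in `tests` document, in the policy itself, what it must never be able to reach.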
For individuals who want to securely connect personal devices, for free.
For teams or organizations looking for an easy-to-use, secure, legacy VPN replacement.
For companies who need service and resource level authentication and access control.
For companies who need advanced integrations, compliance and support for access control at scale.