Tailscale
Overview
Tailscale is a modern mesh VPN solution built on WireGuard that Skyscrapers uses to provide secure access to customer Kubernetes clusters and AWS VPCs. While Tailscale is often positioned as a mesh VPN with peer-to-peer connections, Skyscrapers uses it as a gateway-based VPN - similar to traditional VPN solutions - where Tailscale connectors running in your EKS clusters act as entry points to your private networks.
What is Tailscale?
At its core, Tailscale:
- Is built on WireGuard, a modern, high-performance VPN protocol
- Uses a coordination server to manage authentication and routing
- Creates a private network (called a “tailnet”) for your organization
- Handles NAT traversal automatically without complex network configuration
For more technical details about Tailscale’s architecture and capabilities, see the official Tailscale documentation.
How Skyscrapers Uses Tailscale
Architecture
The integration creates the following resources:
- Kubernetes Deployment: One pod per replica, each running the Tailscale connector
- ServiceAccount: `tailscale-connector` with minimal RBAC permissions
- Secrets: Encrypted auth keys and state storage
- Pod Disruption Budget: Ensures at most 1 replica is unavailable at a time
- Vertical Pod Autoscaler: Optimizes resource allocation per replica
Network Flow
Your Device → Tailnet → Tailscale Connector Pod → EKS Cluster → Resources

Each connector pod:
- Authenticates using pre-authorized, ephemeral auth keys
- Advertises configured routes to the Tailnet
- Stores state in Kubernetes secrets for persistence across restarts
High Availability
- Multiple Replicas: Default 2 replicas for redundancy
- Pod Anti-Affinity: Ensures replicas run on different nodes/zones
- Pod Disruption Budget: Limits simultaneous disruptions
- Node Selection: Excludes Fargate nodes from scheduling
- Priority Class: Set to `infra-cluster-critical`
Gateway-Based Access
In the Skyscrapers implementation, Tailscale functions as a VPN gateway rather than a mesh network:
Your Device → Tailscale Client → Tailnet → Gateway (K8s Pod) → EKS Cluster/VPC

- Tailscale connector pods run in your Kubernetes clusters as subnet routers
- These pods advertise your VPC CIDR blocks and any additional routes
- Your laptop/workstation connects to the Tailnet and routes traffic through these gateways
- This provides access to your EKS API servers, internal services, and VPC resources
One key advantage: you can connect to multiple customer environments simultaneously:
- Connect to production, staging, and development clusters at the same time
- No need to disconnect from one VPN to connect to another
- Access resources across different AWS accounts and regions
CIDR overlap between environments will still cause routing conflicts, just like traditional VPNs.
Benefits vs Self-Managed VPN
Compared to Skyscrapers’ previous self-managed VPN solution:
| Aspect | Self-Managed VPN | Tailscale |
|---|---|---|
| Authentication | Separate VPN credentials to manage | SSO integration with existing IdP (Google, Microsoft, Okta) |
| User Management | Manual provisioning and deprovisioning | Automatic user lifecycle management through IdP |
| Dashboard | Separate console per environment | Single unified Tailscale admin console for all environments |
| Access Control | Individual VPN user configs | Centralized ACL policies managed in Git |
| Infrastructure | VPN servers to maintain, patch, and scale | Zero infrastructure - fully managed by Tailscale |
| Network Setup | Complex NAT traversal configuration | Automatic NAT traversal |
| Credential Management | Manual certificate rotation | OAuth-based authentication for service accounts |
| Configuration | Manual updates to VPN configs | Infrastructure as Code (OpenTofu/Terraform) + GitOps |
| Performance | OpenVPN (moderate throughput) | WireGuard (high throughput, low latency, lower CPU overhead) |
| Per-Cluster Access | All-or-nothing VPN access | Granular per-cluster access control through tags |
| Permissions | VPN-level access control | Group-based permissions with automatic route approval |
| Onboarding/Offboarding | Manual VPN credential management | Automatic through SSO and ACL updates |
| Audit & Compliance | Separate logs per environment | Centralized audit logs across all environments |
| Operational Overhead | High (patching, monitoring, scaling) | Low (managed service) |
How It Works in Practice
For End Users
- Install Tailscale client on your device
- Authenticate with your organization’s SSO
- Connect to the Tailnet
- Access resources in authorized clusters/VPCs
Key Concepts
Tailnet
Your organization’s private Tailscale network. All authorized users and connector pods join this network.
Subnet Routers
Kubernetes pods that advertise network routes (VPC CIDRs) to the Tailnet. These act as the VPN gateways in the Skyscrapers setup.
Tags
Labels used to identify and control access to connectors:
- `tag:terraform` - Infrastructure-managed devices
- `tag:k8s` - Kubernetes cluster connectors
- `tag:production-eks-customer-com` - Specific cluster identification
ACL Policies
JSON-based rules that define access control for your Tailnet - who can access which resources, route approvals, and group-based permissions.
For detailed information on configuring ACL policies, see the ACL configuration guide.
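The Tags and ACL Policies concepts above, shown together as an added example policy file. This is not the Skyscrapers policy or a Tailscale-provided sample; the tag names `tag:terraform`, `tag:k8s` and `tag:production-eks-customer-com` come from this page, while `tag:staging-eks-customer-com`, the group names, the e-mail addresses and the two VPC CIDRs (`10.10.0.0/16`, `10.20.0.0/16`) are constructed placeholders. It uses the standard Tailscale policy sections (`groups`, `tagOwners`, `autoApprovers`, `acls`), which accept HuJSON, so the file may also carry `//` comments in the admin console or in Git.

```json
{
  "groups": {
    "group:skyscrapers": ["ops@example.com"],
    "group:customer-devs": ["alice@customer.com", "bob@customer.com"]
  },

  "tagOwners": {
    "tag:terraform": ["group:skyscrapers"],
    "tag:k8s": ["tag:terraform"],
    "tag:production-eks-customer-com": ["tag:terraform"],
    "tag:staging-eks-customer-com": ["tag:terraform"]
  },

  "autoApprovers": {
    "routes": {
      "10.10.0.0/16": ["tag:production-eks-customer-com"],
      "10.20.0.0/16": ["tag:staging-eks-customer-com"]
    }
  },

  "acls": [
    {
      "action": "accept",
      "src": ["group:skyscrapers"],
      "dst": ["tag:k8s:*", "10.10.0.0/16:*", "10.20.0.0/16:*"]
    },
    {
      "action": "accept",
      "src": ["group:customer-devs"],
      "dst": ["10.20.0.0/16:443"]
    }
  ]
}
```

How the pieces map onto this page's model: `tagOwners` says which identity may create a device carrying a tag, so only infrastructure code (`tag:terraform`) can bring up a connector tagged `tag:k8s` or with a cluster tag. `autoApprovers.routes` is the automatic route approval from the comparison table: a connector tagged `tag:production-eks-customer-com` that advertises a route inside `10.10.0.0/16` is approved without a manual click, while the same tag advertising any other prefix still needs explicit approval. Access through a subnet router is decided on the destination address, not on the router's tag, so per-cluster granularity comes from giving each environment its own CIDR and listing that CIDR in `dst`; here the customer group reaches only the staging VPC on 443 (the EKS API endpoint), and the operations group reaches both. Tailscale denies by default, so anything not matched by an `accept` rule is unreachable. Because routing is by destination prefix, the CIDRs in `autoApprovers` must not overlap between environments, which is the routing-conflict caveat noted under Gateway-Based Access.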
Getting Started
To set up Tailscale for your clusters, see our Tailscale setup guide and get in touch with us.