Service Definition: Tailscale Add-on

DevOps-as-a-Service supports two VPN options for reaching your Kubernetes clusters and AWS VPC, and you choose the one that fits your team:

WireGuard is included in DOaaS as a cost-conscious option with basic functionality.

The Tailscale Add-on described here is the paid alternative for teams that want SSO-driven access, simultaneous multi-cluster connectivity, fine-grained ACL policies and a fully managed control plane. See the VPN overview for a side-by-side comparison.

This service definition describes what the Tailscale Add-on covers, how a Tailscale rollout is run, and where the boundary sits between work that is included in the DevOps-as-a-Service engagement and work that is billed separately.

All commercial terms (bespoke setup costs, recurring fees, license plan and seat counts, contract term and notice) are agreed in a per-customer proposal that accompanies this service definition.

How we engage

The first step is to let your Customer Lead know you wish to explore Tailscale VPN. The Customer Lead will then initiate the onboarding steps. The Tailscale Add-on is delivered in two phases.

Bootstrap phase

The bootstrap phase covers the initial configuration of Tailscale on your environments and a two-week trial period aligned with Tailscale’s 14-day free trial, during which you have hands-on access to evaluate the solution.

Tailscale and WireGuard can coexist on the same Skyscrapers-managed platform, so a Tailscale trial does not require disabling WireGuard if you currently use it.

Default setup (included for free with DOaaS)

A ready-to-go default setup allows you to start right away.

  • 14-day Trial of Tailscale VPN
  • Deployment of the Tailscale Connector pods to all of your cluster(s)
  • Configuration of the Tailscale account on your behalf, including OAuth client setup, ACL repository wiring, setup of integration credentials and deployment of the base ACL. The base ACL grants every Tailscale user in the tailnet access to all of your Kubernetes clusters and Skyscrapers-managed components; narrowing that reach per group, audience or device posture is bespoke work (see Bespoke setup below). See the Tailscale setup guide for the technical details.
  • Discovery and sparring sessions with a Skyscrapers Solutions Architect to:
    • Explore the customisations you may need and which Tailscale features may be useful for you (custom ACL design, MDM integration, external-service connectivity, multi-tailnet setup, migrations, etc.). This feeds the Bespoke setup work below.
    • Answer any configuration and integration questions you may have during the trial.

Bespoke setup (charged on Time & Material)

We implement any bespoke configuration work that you identified together with the Solutions Architect during the trial.

Examples:

  • Custom ACL design beyond the base setup (per-audience grants, group-based policies, posture rules)
  • Device-posture integration with your MDM solution
  • Connectivity wiring to external services not managed by Skyscrapers
  • Migration of users and devices from another VPN solution
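
To make the difference between the base ACL and a bespoke one concrete, the following Tailscale policy file (HuJSON) is an example written for this page. It is not the Skyscrapers base policy and not taken from Tailscale's documentation; the groups, the tag `tag:k8s-connector`, the user addresses, the posture rule and the `10.0.0.0/8` and `10.0.0.0/16` ranges are placeholders that stand in for whatever your own connectors advertise.

```jsonc
// Example Tailscale policy file (HuJSON), written for this page.
// Not the Skyscrapers base policy; every group, tag, user and CIDR
// below is a placeholder to be replaced with your own values.
{
  "groups": {
    "group:platform":   ["alice@example.com"],
    "group:developers": ["bob@example.com"],
  },

  // Only the platform group may apply the connector tag, so an
  // ordinary member cannot tag a laptop and pose as a connector.
  "tagOwners": {
    "tag:k8s-connector": ["group:platform"],
  },

  // Device-posture rule: a supported OS running a recent client.
  "postures": {
    "posture:managed-laptop": [
      "node:os in ['macos', 'windows']",
      "node:tsVersion >= '1.60'",
    ],
  },

  "grants": [
    // The base setup behaves like a single broad grant such as:
    //   { "src": ["autogroup:member"], "dst": ["10.0.0.0/8"], "ip": ["*"] }
    // i.e. every member reaches every advertised cluster range on every
    // port. A tag in "dst" only matches the connector node itself, not
    // the subnets it advertises, so routed ranges are listed as CIDRs.

    // Platform group keeps full reach to all cluster ranges.
    {
      "src": ["group:platform"],
      "dst": ["10.0.0.0/8"],
      "ip":  ["*"],
    },
    // Developers: one cluster's range, only the ports they need,
    // and only from devices that satisfy the posture rule.
    {
      "src": ["group:developers"],
      "dst": ["10.0.0.0/16"],
      "ip":  ["tcp:443", "tcp:6443"],
      "srcPosture": ["posture:managed-laptop"],
    },
  ],

  // Policy tests run on every save and a failing test blocks the
  // change, so encode the access model you expect to hold.
  "tests": [
    { "src": "alice@example.com", "accept": ["10.0.10.5:22", "10.0.10.5:6443"] },
    { "src": "bob@example.com",   "deny":   ["10.0.10.5:22", "10.1.0.5:443"] },
  ],
}
```

The "tests" section is the check worth keeping in the ACL repository: whoever edits the policy later gets an immediate failure if a change accidentally widens a developer's reach to a port or range the access model never granted.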

What we need from you in this phase

Once the project is started, we will be asking you for the following at the right time:

  • Create the Tailscale account that will host the tailnet
  • Configure your identity provider (Google, Microsoft, Okta, etc.) and the SSO integration with Tailscale
  • Grant Skyscrapers admin access to the Tailscale account so we can carry out the configuration on your behalf
  • Identify in-scope clusters, the initial set of users, and what you want to validate during the trial (base setup is included; anything beyond is scoped as bespoke T&M work)
  • Participate in the discovery and sparring sessions with the Solutions Architect
  • Validate the solution against your needs during the trial period
  • Sign off on any bespoke configuration scope before Skyscrapers starts the T&M work

At the end of the trial Skyscrapers provides a proposal covering the license plan and commercial terms. If you choose not to proceed, Skyscrapers removes the Tailscale deployment from your clusters and the Tailscale subscription is closed at the end of the trial period.

Operational phase

Once you commit to the operational phase, Skyscrapers takes ongoing responsibility for the Tailscale platform components and usage support. Day-to-day operational changes (new connectors, ACL edits, exit-node toggles, etc.) follow the standard DOaaS Support Process.

Included for free with DOaaS:

  • Maintenance, version upgrades and security patches of the Tailscale platform components and supporting Kubernetes resources
  • Monitoring of the Tailscale platform components and integration with the standard alerting and on-call escalation paths of your platform
  • Incident response to events coming from monitoring
  • User and connector management: adding or removing connectors, advertised routes, exit nodes, and adding additional clusters or VPCs to your tailnet
  • Advice on and configuration of additional Tailscale functionality such as multi-tailnet setup, custom DNS rules and automation of policy management beyond the standard pipeline
  • Coordination with Tailscale support when needed

Bespoke configuration (charged on Time & Material)

  • ACL changes that follow your evolving access model (new groups, new audience-specific grants, new posture rules, …)

What we expect from you

  • Keep Skyscrapers authorised as administrator in your Tailscale account
  • Maintain your identity provider and SSO integration as your team evolves (joiners, movers, leavers)
  • Own the business intent of the configuration: when changes are needed, communicate the access model you want (which users, groups and devices reach which resources)
  • Enrol, manage and offboard your end-user devices, including any MDM integration
  • Sign off on bespoke configuration scopes and T&M estimates before work starts

Support

We offer the following two levels for usage and problem support (“Support Levels”):

  • Level 1: End-user Support. Direct end-user support to people using Tailscale (“End-user”), covering installation, basic usage and troubleshooting on their workstations.
  • Level 2: Advanced Support. Advanced, 2nd-level technical support covering configuration advice, ACLs and deeper troubleshooting. This level can be used by a person on the Customer Team to help them support End-users themselves.

Depending on the role designation under the DevOps-as-a-Service agreement, the following support options are included at no cost:

  • Technical Platform User: Level 1 (End-user Support)
  • Platform Lead Role: Level 2 (Advanced Support)
  • General Platform users: payable add-on
  • Users outside of the DOaaS agreement: payable add-on

For users without an included role designation, support is sold as a payable add-on (typically in user-pack form). Pack size and pricing are agreed per customer in the proposal.

Day-to-day Tailscale requests follow the standard DOaaS support channels — see the Support Process.

Future extensions

Tailscale offers many more possibilities that we are happy to explore with you:

  • Extend Tailscale usage to the rest of your company
  • Configuration of your identity provider tenant
  • MDM integration and rollout
  • Integrations with external services beyond the standard Kubernetes connectors, such as App Connectors, custom DNS configurations and PrivateLink-based service exposure
  • End-user enrolment and onboarding — provisioning devices, distributing the Tailscale client, and in-house policies for the end-user lifecycle. End-users themselves are typically provisioned automatically through your SSO/SCIM integration.

Contact us to explore these and get a proposal.

Licensing

Skyscrapers is a Tailscale partner and resells Tailscale licenses to customers as part of this add-on. The license plan, seat count and commercial terms are agreed per customer in the proposal that accompanies this service definition. As an authorised Tailscale Managed Service Provider, Skyscrapers handles the Tailscale subscription and billing on your behalf. The Tailscale platform components Skyscrapers deploys connect as subnet routers rather than as users, so they do not consume user seats.
