Today we’re excited to announce Tailscale Services, a new way to define available resources on your network and expand the granularity of your access controls.
Tailscale’s mesh-networking approach, combined with a flexible and powerful policy engine, has empowered our customers to provide precision access controls wherever Tailscale is installed.
But what if you’re unable to install Tailscale on a resource directly? What if that resource is on a dynamic IP address, or in ephemeral container orchestration environments? What if a single machine hosts multiple resources, or if a single logical resource exists in multiple places? What if you’ve got thousands of services you need to quickly stand up in a tailnet?
That’s where Tailscale Services come in. Tailscale Services lets you assign a virtual Tailscale IPv4 and IPv6 address pair (a TailVIP) to any logical resource in your network, as long as that resource is reachable from at least one Tailscale client, which advertises the service on its behalf. Each service gets a unique, human-readable MagicDNS name for ease of reference. A service is a unit of policy on which you can grant access. And maintaining a service can be entirely automated via the API.
A Tailscale Service functions a lot like a traditional Tailscale node, but it is not tied to any particular hardware. A service can map to one or many Tailscale nodes. Because of that, Tailscale Services can replace traditional or cloud load-balancing setups with simple, intelligent routing and availability mechanisms.
We’ve been piloting Tailscale Services with select customers, and they’ve used it for all sorts of connectivity scenarios, from workload connectivity to critical developer tooling to internal application access. Our early design partners have built capability- and identity-aware database proxies, highly available internal secret stores, simple and scalable MCP servers, globally distributed telemetry and logging gateways, and more, all without any complex networking and security infrastructure to set up.
One design partner used Tailscale Services alongside their CI pipelines to connect in-development workloads to testing suites, quality assurance teams, and their internal secret storage, migrating away from a legacy firewall, load balancer, and mutual TLS setup. The repeatable, API-driven interface let them scale their CI model across the organization with minimal infrastructure setup and few internal approvals, and it let their development teams focus on shipping code instead of debugging networking issues or fighting security constraints.
Another design partner leveraged Tailscale Services to expose a fleet of containerized applications in their homelab with MagicDNS names instead of having to remember their various port numbers. Their previous setup required complex local networking and didn’t allow for high availability during software updates or migrations.
Tailscale Services can help anywhere you need a simple and predictable connectivity path or precision access control policies, or where you can’t install Tailscale on the target workload.
Every service consists of a stable TailVIP, unique MagicDNS name, a definition of the service’s endpoints, and a set of hosts that advertise the service. Optionally, services can be assigned to a tag for identification and grouping.