Indent for Tailscale

2 years ago
Written by
Fouad Matin
Elsie Phillips

Today we’re delighted to announce the Tailscale + Indent integration. Tailscale is a popular mesh Virtual Private Network (VPN) that uses the WireGuard® protocol to provide end to end encryption for your network connections.

Using Tailscale, you can connect from your laptop to your enterprise server, even behind firewalls, without additional networking configuration. We're excited to partner with Tailscale so that members of your team can easily request, and reviewers can easily approve, time-bounded access to these resources without ever leaving Slack.

In fact, Tailscale was designed for non-technical users to be able to easily create secure VPNs. Tailscale allows you to manage remote access to your servers, computers and cloud instances, in addition to authenticating SSH connections using WireGuard®.

With the Tailscale + Indent integration, you can:

  • Grant users on-demand access to specific Tailscale networks
  • Allow temporary SSH connections between devices in your Tailscale network as authorized by your access controls without managing SSH keys
  • Set up closed-by-default rules for the most sensitive nodes in your tailnet to allow only senior engineering staff the ability to approve access for 30 minutes at a time or auto-approve while someone is on-call.

Try the interactive demo below and request access as me:

Tailscale ‘just works’ with Indent

As an organization matures, engineers often go from the convenience of default admin permissions in cloud providers like AWS or GCP to needing to request permissions to prevent unapproved updates to sensitive systems.

Additionally, while engineers can use Tailscale to easily access an ephemeral EC2 or database instance, that access can unnecessarily persist on production environments. Indent is able to help solve both of these problems by eliminating the friction that comes with access control so teams can continue to move quickly.

Using Tailscale with Indent helps change those incentives. Together they enable you to have a frictionless connection flow and add additional controls and automation to ensure compliance policies are adhered to and to create an additional layer of protection. For instance, you can ratchet up the controls for production vs staging to require that requests are approved by senior engineering staff or leadership.

Using Tailscale SSH and Indent

Let’s take an example situation where our production database seems to be responding slowly to certain queries. In order to debug what’s going on, we need to open a connection to the database and view the query logs. Before we get started, we’ll need to:

  1. Follow Tailscale documentation to install Tailscale on the database server, and enable Tailscale SSH access. If we can't install Tailscale directly on the server, we can use a subnet router (for example, to access AWS RDS)
  2. Install the Indent integration for Tailscale -

Once we've configured Tailscale and Indent, we can request access via the Slack /access command to the group group:prod-database that grants network connectivity for the EC2 instance with database access. Now we can use Tailscale SSH to access the RDS:

$ ssh root@prod-db-server
$ mysqlsh
MySQL ssl JS > \sql
Switching to SQL mode... Commands end with ;
MySQL ssl SQL > show databases;
| Database |
| demo |
| information_schema |
| mysql |
| performance_schema |
| sys |
5 rows in set (0.0297 sec)

Now we can run the troublesome query, view the logs and perform any necessary changes while securely connected to the database. Once the access grant expires, the SSH connection will be automatically terminated and we’ll get a link to quickly request again in Slack.

Auto approvals for on-call engineers using Tailscale

Using an on-call provider like PagerDuty or OpsGenie as a source of truth, you can set up a bot to check a user’s on-call status and auditable access control evidence. Setting up on-call auto approvals facilitates fast access during incidents while maintaining compliance best practices.

Follow this guide:

Set up Indent for Tailscale

  1. Set up Indent with Tailscale
  2. Choose which groups you want to manage in Tailscale ACL.
  3. Start granting temporary access!

Get started

To learn more about how Indent and Tailscale are being used together in the wild, read the case study. When you're ready to get started, check out the integrations page.

Try Indent for free.