12 Jun, 2024 | 3 min read

Introducing Secure VPN Connections with Choreo and Tailscale

  • Vajira Prabuddhaka
  • Senior Software Engineer - WSO2


Securing access to external resources within private networks—whether in other public clouds or on-premise data centers—is a key use case for applications and APIs deployed on the Choreo cloud data planes.

Today, we are simplifying the process of creating and managing secure VPN connections from the Choreo cloud data planes to any external network with Tailscale, a renowned and trusted WireGuard® VPN provider.

Why Tailscale?

While Choreo cloud data planes (CDPs) provide a seamless experience for our users, they present some unique challenges, particularly given the scale at which we run them. Traditional VPN solutions, for example, depend on non-overlapping network ranges and hub-and-spoke topologies, and are generally incompatible with the scale and the network and security controls that underpin all Choreo cloud data planes.

Tailscale, however, with its unique peer-to-peer mesh (“overlay”) network, is a perfect fit for Choreo’s cloud data planes. Its ease of use, robust security features, and minimal overhead make Tailscale an ideal choice for securely and efficiently connecting Choreo to private networks.

Effortless Integration: Create Secure VPN Connections from Choreo Cloud Data Planes with Tailscale

Choreo provides a sample image with a Tailscale proxy that can be deployed in your Projects as Components with minimal configuration, using a key from your own Tailscale account. That key enrolls the proxy into your tailnet, so supply it as a secret rather than baking it into the image. Once deployed, the proxy acts as a forward proxy through which other Components reach private endpoints. The following scenarios illustrate practical solutions for the above use cases, using these new Tailscale proxy components:

Connect or secure resources in an on-premise data center with Choreo

  • Use a Choreo API Proxy Component deployed on a Choreo CDP to expose and secure a backend application running in an external network, reached over the VPN through a Tailscale proxy.
  • Seamlessly access services running in the on-premise data center from services and applications deployed on Choreo.

Accessing a database running in a public/private cloud or an on-premise data center from a Choreo cloud data plane

The VPN established by a Tailscale proxy component can reach any external resource that speaks TCP (databases, message brokers, and so on), not only HTTP APIs.
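As an added example (not code from Choreo or Tailscale), the program below models the forward-proxy pattern described above in Go: a minimal HTTP CONNECT proxy stands in for the proxy component, a plain TCP echo listener stands in for a private database, and a client performs the CONNECT handshake and then pushes raw bytes through the tunnel. Tailscale's userspace networking mode exposes this kind of proxy (`tailscaled --tun=userspace-networking --outbound-http-proxy-listen=...`, or a SOCKS5 listener via `--socks5-server`); whether Choreo's sample image is built that way is not stated on this page and is an assumption here. The `SELECT 1` message and the addresses are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"net/http"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// startEcho stands in for a private TCP resource (a database, say) behind the tunnel.
func startEcho() net.Listener {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) { defer c.Close(); io.Copy(c, c) }(c)
		}
	}()
	return ln
}

// startConnectProxy runs a minimal HTTP CONNECT forward proxy; allowed is the policy hook.
func startConnectProxy(allowed func(hostport string) bool) net.Listener {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	h := func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodConnect || !allowed(r.Host) { // r.Host is the CONNECT host:port
			http.Error(w, "CONNECT to this destination is not permitted", http.StatusForbidden)
			return
		}
		dst, err := net.Dial("tcp", r.Host) // only approved destinations are ever dialled
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadGateway)
			return
		}
		src, rw, err := w.(http.Hijacker).Hijack() // take over the raw client socket
		if err != nil {
			dst.Close()
			return
		}
		fmt.Fprint(src, "HTTP/1.1 200 Connection Established\r\n\r\n")
		go func() { io.Copy(dst, rw); dst.Close() }() // client -> resource (rw holds buffered bytes)
		io.Copy(src, dst)                               // resource -> client
		src.Close()
	}
	go (&http.Server{Handler: http.HandlerFunc(h)}).Serve(ln)
	return ln
}

// bufConn keeps bytes the response parser read past the proxy's headers (MySQL, for one, speaks first).
type bufConn struct {
	net.Conn
	r *bufio.Reader
}

func (b bufConn) Read(p []byte) (int, error) { return b.r.Read(p) }

// dialThroughProxy performs the CONNECT handshake and returns the raw tunnel.
func dialThroughProxy(proxyAddr, target string) (net.Conn, error) {
	c, err := net.Dial("tcp", proxyAddr)
	if err != nil {
		return nil, err
	}
	fmt.Fprintf(c, "CONNECT %s HTTP/1.1\r\nHost: %s\r\n\r\n", target, target)
	br := bufio.NewReader(c)
	resp, err := http.ReadResponse(br, &http.Request{Method: http.MethodConnect})
	if err == nil && resp.StatusCode != http.StatusOK {
		err = fmt.Errorf("proxy refused CONNECT: %s", resp.Status)
	}
	if err != nil {
		c.Close()
		return nil, err
	}
	return bufConn{c, br}, nil
}

// RunDemo tunnels a message to the echo resource, then has the policy hook refuse another address.
func RunDemo() (reply string, refused bool) {
	res := startEcho()
	defer res.Close()
	proxy := startConnectProxy(func(hp string) bool { return hp == res.Addr().String() })
	defer proxy.Close()
	tun, err := dialThroughProxy(proxy.Addr().String(), res.Addr().String())
	must(err)
	defer tun.Close()
	msg := "SELECT 1\n" // constructed stand-in for a database wire message
	fmt.Fprint(tun, msg)
	reply, err = bufio.NewReader(tun).ReadString('\n')
	must(err)
	_, err = dialThroughProxy(proxy.Addr().String(), "127.0.0.1:1") // not on the allow list
	return reply, err != nil
}

func main() { fmt.Println(RunDemo()) }
```

Two details are worth carrying into a real deployment: the allow-list hook, because a forward proxy that tunnels to any host:port turns the VPN node into an open relay into the private network, and the buffered-bytes wrapper, because a client that discards what the parser read past the 200 response silently loses the first packet of a server-speaks-first protocol.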

Getting Started

For detailed guidance on using the new Tailscale proxies in your Choreo projects, please refer to our documentation.

If you haven't yet, sign up for Choreo today and start your journey for free.

VPNs vs mTLS

WireGuard VPNs (including Tailscale) operate at layer 3 of the OSI stack: every IP packet routed between two nodes is encrypted and authenticated, whatever application protocol it carries, and the peers are identified by their WireGuard keys rather than by anything the application presents. mTLS sits above TCP and below the application protocol (HTTP, gRPC, a database wire protocol); it protects one connection at a time and, unlike ordinary TLS, requires the client as well as the server to present a certificate that the other side verifies, so the application itself learns an authenticated caller identity. Depending on your requirements, you can use either or both in combination to secure access to your resources.

For example, if you need to secure a legacy backend service in an external network with a Choreo API proxy, a VPN might be the more suitable solution, since the backend itself needs no changes. Bear in mind that the VPN only proves the caller is a node of your tailnet, so restrict which nodes may reach the backend with Tailscale ACLs and keep the backend's own authentication in place. If you have implemented comprehensive security controls (moving towards zero trust), mTLS over the internet might be sufficient. Alternatively, you can use both, depending on other security and compliance requirements in your organization.
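To make the mTLS side concrete, here is an added Go example (not code from Choreo or the page's author) that builds a throwaway private PKI, runs an HTTPS server configured with `tls.RequireAndVerifyClientCert`, and connects three clients: one enrolled under the CA, one with no certificate, and one holding a well-formed certificate from an unrelated CA. Only the first gets a response, and the handler reads the caller's identity from the verified certificate rather than from any header. The CA names, the `choreo-proxy` identity and the greeting body are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

var serial int64 // demo-only; a real CA uses large random serial numbers

// issue returns a P-256 cert with key and parsed Leaf: a self-signed CA when parent is nil, else a leaf signed by parent.
func issue(cn string, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // httptest listens on 127.0.0.1
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// startServer completes the handshake only for clients whose cert chains to pool, and echoes the verified identity.
func startServer(pool *x509.CertPool, server tls.Certificate) *httptest.Server {
	s := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// By the time a handler runs, the client leaf has already been verified against ClientCAs.
		fmt.Fprintf(w, "hello, %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	s.TLS = &tls.Config{Certificates: []tls.Certificate{server}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	s.StartTLS()
	return s
}

// call connects with the given roots and optional client cert; a rejected handshake surfaces as an error.
func call(url string, roots *x509.CertPool, client *tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: roots}
	if client != nil {
		cfg.Certificates = []tls.Certificate{*client}
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// RunMTLSDemo returns what an enrolled client receives, and whether an anonymous client and one from a rogue CA were rejected.
func RunMTLSDemo() (body string, anonRejected, rogueRejected bool) {
	ca, rogueCA := issue("demo-ca", nil), issue("rogue-ca", nil)
	backend, proxy, impostor := issue("backend", &ca), issue("choreo-proxy", &ca), issue("impostor", &rogueCA)
	pool := x509.NewCertPool() // one private PKI trusted in both directions
	pool.AddCert(ca.Leaf)
	s := startServer(pool, backend)
	defer s.Close()
	body, err := call(s.URL, pool, &proxy)
	must(err)
	_, anonErr := call(s.URL, pool, nil)       // no client certificate at all
	_, rogueErr := call(s.URL, pool, &impostor) // well-formed cert, but from an untrusted CA
	return body, anonErr != nil, rogueErr != nil
}

func main() { fmt.Println(RunMTLSDemo()) }
```

The two rejected clients fail during the handshake, before any request byte reaches the handler; that is the property that lets mTLS stand in for a VPN when the client side can manage certificates. In the VPN case, by contrast, WireGuard authenticates the node and the application still has to decide for itself who the caller is.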

Check out our documentation to learn more about using mTLS with Choreo API proxies.

VPNs in Choreo Private Data Planes

Private data planes on Choreo generally offer more flexibility for network extensions, as they run on dedicated, private infrastructure. More traditional VPNs are already supported on private data planes, and the Tailscale proxy components are available there as well.