Cleric, an autonomous AI SRE startup, needed secure low-latency access to customers' private infrastructure without burdening their platform teams. Traditional approaches like reverse proxies, VPC peering, and VPN bastion hosts were rejected due to complexity, operational overhead, and security risks. By embedding Tailscale's tsnet library into a Go binary called the 'Cleric Connector', they built a programmable overlay network where each customer resource is modeled as a distinct device on a tailnet. This eliminates lateral movement risks, requires zero changes to customer network configs, and reduces onboarding time from weeks to near-instant. The approach enforces least-privilege access by identity rather than IP ranges.
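As an added illustration (not from the original article or Cleric's own configuration), here is a Tailscale policy file in which each customer resource is its own tagged connector device and Cleric's identity is granted only the ports it needs; every tag name and port below is an assumption.

```jsonc
// Constructed example of a Tailscale policy (HuJSON, so comments are allowed).
// Each customer resource joins the tailnet as a separately tagged device, and
// access is granted to an identity (a tag), not to an IP range.
{
  "tagOwners": {
    // Who is allowed to apply each tag when a device joins the tailnet.
    "tag:cleric-agent":       ["autogroup:admin"],
    "tag:connector-postgres": ["autogroup:admin"],
    "tag:connector-k8s-api":  ["autogroup:admin"]
  },
  "acls": [
    // Least privilege: the agent reaches the Postgres connector only on 5432
    // and the Kubernetes API connector only on 6443. Nothing grants the
    // connectors access to each other, so one compromised connector device
    // has no lateral path to another resource (default is deny).
    {"action": "accept", "src": ["tag:cleric-agent"], "dst": ["tag:connector-postgres:5432"]},
    {"action": "accept", "src": ["tag:cleric-agent"], "dst": ["tag:connector-k8s-api:6443"]}
  ],
  // Policy tests: a later edit that widens access beyond these expectations
  // is rejected when the policy is saved.
  "tests": [
    {
      "src": "tag:cleric-agent",
      "accept": ["tag:connector-postgres:5432", "tag:connector-k8s-api:6443"],
      "deny":   ["tag:connector-postgres:22"]
    },
    {
      "src": "tag:connector-postgres",
      "deny": ["tag:connector-k8s-api:6443", "tag:cleric-agent:22"]
    }
  ]
}
```

The "deny" entries in "tests" are the check a defender wants: they document the isolation between connector devices and fail the policy if someone later adds a broad rule.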
Table of contents

The Connectivity Problem
Why traditional methods fall short
Building a private overlay with Tailscale
The result