Connecting Cloud Apps to Industrial Equipment with Tailscale
How to bridge the gap between cloud-based Django apps and on-premise equipment with Tailscale
In industrial automation, leveraging all the benefits of cloud-based web apps presents a big challenge. Connecting these cloud applications to equipment running on private local networks makes you start thinking about firewalls, security holes, and handling failover between two different ISPs, which means the site's public IP addresses can change.
It can be so daunting that you'd be tempted to throw in the towel and host everything on-premise.
However, with modern tools like Tailscale, this challenge becomes more manageable. In my setup, I’ve leveraged Tailscale to securely connect a cloud-based Django web app, running in a Docker container on Heroku, to a containerized Flask API hosted on a local server.
This Flask API, sitting on the same private network as the industrial equipment, serves as a bridge, allowing the Django app to make API calls that interact directly with various vendor equipment.
The process is straightforward: Tailscale, running on both the local server and the Docker container, creates a secure, encrypted mesh network between them. This setup eliminates the need for complex VPNs, firewall rules, or exposing sensitive equipment to the public Internet. Instead, we gain secure access to equipment APIs from anywhere while keeping everything else isolated and protected.
The docs on getting a client running on Heroku are pretty straightforward.
I had to modify things a bit, though, for the startup script:
In my image, I don’t run as root and don’t have a home directory, so I need to specify where to put the cache/state files. I also want to pass in the hostname based on the environment so that my QA and Production environments can operate independently and I can keep the machines straight.
I also don’t set the ALL_PROXY environment variable because I mostly don’t want to use proxies when making outbound calls. We are integrating with several cloud-based services, and this would get in the way.
Furthermore, you want any proxied calls to use Tailscale's DNS (MagicDNS), and to do that you need to use socks5h://localhost:1055 instead of socks5://localhost:1055 (notice the "h" after socks5). Without the "h", the client resolves the hostname itself, inside the container, where MagicDNS names do not exist.
Then, making API calls from the Heroku-hosted container environment back into our corporate network is simple:
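The following is an added example, not the post's own startup script or API call: it pulls together the modifications described above (non-root container with no home directory, a per-environment hostname, no ALL_PROXY, and a socks5h proxy URL) and shows one way to call the on-premise Flask API through the tailnet with curl. The environment variable names APP_NAME, APP_ENV, TAILSCALE_AUTHKEY and EQUIPMENT_API_HOST are assumptions for the example; the tailscaled and tailscale flags are real ones.

```shell
#!/bin/sh
# Added example (not the post's own startup script): start Tailscale inside a
# non-root Heroku container that has no home directory, give each environment
# its own tailnet hostname, skip ALL_PROXY, and call an on-premise API through
# the SOCKS5 proxy with proxy-side DNS (socks5h) so MagicDNS names resolve.
# Assumed environment variables (hypothetical names): APP_NAME, APP_ENV (qa or
# prod), TAILSCALE_AUTHKEY, EQUIPMENT_API_HOST (MagicDNS name of the Flask host).
set -eu

# Writable paths for a user without $HOME; these override tailscaled's defaults
# under /var/lib and /var/run, which a non-root process cannot create.
TS_STATE_DIR="${TS_STATE_DIR:-/tmp/tailscale}"
TS_SOCKET="${TS_SOCKET:-$TS_STATE_DIR/tailscaled.sock}"
TS_PROXY_ADDR="${TS_PROXY_ADDR:-localhost:1055}"

# "<app>-<env>" lowercased with anything outside [a-z0-9-] replaced by '-',
# so QA and Production show up as distinct machines in the tailnet.
tailscale_hostname() {
  printf '%s-%s\n' "$1" "$2" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9-]/-/g'
}

# The proxy URL that lets tailscaled resolve names: the 'h' in socks5h tells
# the client to send the hostname to the proxy instead of resolving it locally.
tailscale_proxy_url() {
  printf 'socks5h://%s\n' "$TS_PROXY_ADDR"
}

# Guard against the easy mistake: a plain socks5:// URL resolves MagicDNS names
# in the dyno (where they do not exist) and the call fails.
proxy_resolves_remotely() {
  case "$1" in
    socks5h://*) return 0 ;;
    *) return 1 ;;
  esac
}

start_tailscale() {
  mkdir -p "$TS_STATE_DIR"
  # Userspace networking: Heroku dynos have no /dev/net/tun, so tailnet traffic
  # enters through the local SOCKS5/HTTP proxy rather than a kernel interface.
  tailscaled \
    --tun=userspace-networking \
    --state="$TS_STATE_DIR/tailscaled.state" \
    --statedir="$TS_STATE_DIR" \
    --socket="$TS_SOCKET" \
    --socks5-server="$TS_PROXY_ADDR" \
    --outbound-http-proxy-listen="$TS_PROXY_ADDR" &
  # Wait for the control socket before talking to the daemon.
  until [ -S "$TS_SOCKET" ]; do sleep 1; done
  tailscale --socket="$TS_SOCKET" up \
    --authkey="$TAILSCALE_AUTHKEY" \
    --hostname="$(tailscale_hostname "$APP_NAME" "$APP_ENV")"
  # ALL_PROXY is deliberately not exported: only calls that opt in via
  # equipment_api_get use the tailnet; traffic to other cloud services is direct.
}

# GET a path on the on-premise Flask API over the tailnet.
equipment_api_get() {
  proxy_url="$(tailscale_proxy_url)"
  proxy_resolves_remotely "$proxy_url" || { echo "proxy URL must be socks5h://" >&2; return 1; }
  curl --silent --show-error --fail \
    --proxy "$proxy_url" \
    "http://${EQUIPMENT_API_HOST}${1}"
}

case "${1:-}" in
  start) start_tailscale ;;
  get)   equipment_api_get "${2:?usage: $0 get /path}" ;;
esac
```

Run it as `start` from the container's entrypoint and as `get /some/path` to exercise a call; because ALL_PROXY is never exported, nothing else in the dyno is routed through tailscaled. Since the auth key is what lets the dyno join the tailnet, keep it in a Heroku config var rather than the image, and scope it (and the tailnet ACLs) so the cloud node can reach only the Flask host rather than the whole equipment network.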
There seem to be many extra features of Tailscale that look like they’ll be really useful, but for now, this unlocks a lot for us. It only took a couple of hours to go from no account to having something deployed and working.