Networking with agents: Put them in the right conversations with Tailscale
Source: Hacker News
We briefly considered prompting our agents with the classic networking playbook: polish the profile, craft a compelling personal narrative, ask for warm intros, comment “Insightful perspective” on questionable posts about politics in the workplace. Sadly, this did not help them reach your private Postgres database.
In theory, Firetiger Database Agents can administer your Postgres, MySQL, and ClickHouse on autopilot. In reality, your database likely lives on a private network, never to be touched by the outside world. Surely you are doomed to a life of database blind spots, pain and suffering, right?
Wrong! Thanks to tools like Tailscale, connecting two things on the Internet is finally a solved problem. You can now connect Firetiger to your Tailnet, allowing Firetiger DBAs and other agents to securely observe and operate your privately networked infrastructure.
Why is this needed?
Most interesting databases live on private networks. This creates a real problem for any system running on the Internet, Firetiger included, that needs to talk to those databases.
There are a few options to bridge the gap from an agent on one network to a database on another:
- VPC peering – you’ll quickly hit overlapping CIDR blocks.
- AWS PrivateLink – works great if everyone is on AWS, but requires configuring Network Load Balancers.
- Site‑to‑site VPNs – often result in “six hours debugging IPsec tunnels”.
- Bastion hosts – useful until someone forgets to rotate the SSH keys.
Enter Firetiger Network Transports
We built Firetiger Network Transports as a way to connect agents to private network resources. A network transport is the underlay that lets Firetiger reach your infrastructure. By default we use the public internet, but you can now plug in other methods—starting with Tailscale.
Tailscale makes connecting two endpoints simple: install it on both sides and they can securely talk to each other with end‑to‑end encryption, regardless of cloud provider, NAT, or VPC configuration.
With our Tailscale transport, Firetiger joins your Tailnet as an ephemeral device, scoped to the permissions you define in Tailscale’s identity‑based access controls. Your database stays off the public internet without sacrificing secure access.
Here’s how it works:
Grant Firetiger access to your database within your Tailnet
Update Tailscale ACLs accordingly. For example:
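    {
      // create a new tag for firetiger devices
      "tagOwners": {
        "tag:firetiger": ["autogroup:admin"]
      },
      // Allow firetiger devices to connect on port 5432 (Postgres).
      // "dst": ["*"] matches every device in the tailnet; list a tag for
      // your database hosts instead to limit the grant to them.
      "grants": [
        {
          "src": ["tag:firetiger"],
          "dst": ["*"],
          "ip": ["5432"]
        }
      ]
    }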
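Because the sample grant uses a wildcard destination, it is worth checking what a policy actually lets the agent tag reach before you save it. The script below is an added example, not Firetiger's or Tailscale's code: it flags grants that give `tag:firetiger` a wildcard destination or a port other than 5432. The function names and the `tag:postgres` tag are assumptions made for illustration.

```python
import json
import re

# Constructed sample: the grant shown on this page (HuJSON, so it carries // comments).
PAGE_POLICY = '''
{
  // create a new tag for firetiger devices
  "tagOwners": {"tag:firetiger": ["autogroup:admin"]},
  "grants": [
    {"src": ["tag:firetiger"], "dst": ["*"], "ip": ["5432"]}
  ]
}
'''

# Constructed variant: "tag:postgres" is a hypothetical tag applied to database
# hosts (a real policy would also declare it under "tagOwners").
SCOPED_POLICY = PAGE_POLICY.replace('"dst": ["*"]', '"dst": ["tag:postgres"]')

# Matches either a JSON string (kept) or a // comment (dropped), so "//" inside
# a string is never mistaken for a comment.
_STRING_OR_COMMENT = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*')


def load_policy(text):
    """Parse a policy file after removing // comments (no /* */ or trailing commas)."""
    keep_strings = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    return json.loads(_STRING_OR_COMMENT.sub(keep_strings, text))


def audit_grants(text, agent_tag="tag:firetiger", allowed_ports=("5432",)):
    """Return (grant_index, field, reason) for grants that give the agent tag
    more reach than the listed database ports on explicitly named destinations."""
    findings = []
    for i, grant in enumerate(load_policy(text).get("grants", [])):
        src = grant.get("src", [])
        if agent_tag not in src and "*" not in src:
            continue  # grant does not apply to the agent's devices
        if "*" in grant.get("dst", []):
            findings.append((i, "dst", "wildcard: every tailnet device is a destination"))
        for spec in grant.get("ip", []):
            port = spec.rsplit(":", 1)[-1]  # accepts "5432" and "tcp:5432"
            if port not in allowed_ports:
                findings.append((i, "ip", f"{spec!r} is outside the allowed ports"))
    return findings


if __name__ == "__main__":
    for name, policy in (("page", PAGE_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_grants(policy) or "ok")
```
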
Create Tailscale credentials for Firetiger
You’ll need permission to write Auth Keys for the tag you created earlier. This allows Firetiger to connect to your Tailnet using ephemeral devices.

Create a Firetiger Tailscale Network Transport
Firetiger Network Transports let you proxy connections to your infrastructure by various means, including Tailscale. Here we create a Tailscale Network Transport and plug in our Tailscale OAuth credentials.

Create a connection using your Tailscale Network Transport
Now you can connect your database (or any other resource) to Firetiger and configure it to use the Tailscale transport.

Configure your agent
Set up our pre‑configured DBA (database agent) to monitor health, or build custom agents with outcomes specific to your company. Thanks to Firetiger Network Transports, agents can operate even when the database resides on a private network.

That’s it!
For a complete end‑to‑end example, see the guide on how to connect your private database to Firetiger using Tailscale.
You can also sign up for Firetiger today and give Network Transports a spin.