Connecting a private database
Securely back up databases on private networks using Tailscale, without exposing them to the internet.
If your database is on a private network with no public access, you can use Tailscale to create a secure connection between your infrastructure and SimpleBackups. Tailscale is a VPN service that lets you share specific machines without opening ports or configuring complex firewall rules. This guide covers both standard server setups and Docker containers.
Prerequisites
- A Tailscale account with the client installed on the machine hosting your database
- Access to the private database you want to back up
- Administrative access to the machine where Tailscale is running
Connect a private server with Tailscale
Install and verify Tailscale
Install Tailscale on the server that hosts your database and confirm it is running.

Share access with SimpleBackups
In the Tailscale admin console, navigate to Machines, click on the server you want to share, and click Share.

Click Generate & copy invite link, then open a support ticket with SimpleBackups and share the link with us.

Create the backup
Once your share access is accepted, create a backup using the private IP address assigned by Tailscale. Select Serverless as the backup type and choose Yes - Database publicly accessible (the Tailscale IP is treated as reachable).

Connect a Docker container with Tailscale
If your database runs inside a Docker container, you can run a Tailscale sidecar container that shares the network namespace with your database container. This eliminates the need for a bastion host.
Start the Tailscale container
Run a Tailscale container attached to your database container's network:
```bash
docker run -d \
  --name=database-sb-connector \
  --network container:NAME-OF-DATABASE-CONTAINER \
  --cap-add=NET_ADMIN \
  --cap-add=NET_RAW \
  --env TS_AUTHKEY=API_KEY_FROM_TAILSCALE_ACCOUNT \
  tailscale/tailscale
```
Replace NAME-OF-DATABASE-CONTAINER with your database container's name and API_KEY_FROM_TAILSCALE_ACCOUNT with your Tailscale API key.
Verify the connection
Check that the Tailscale container is connected and has a private IP assigned:
```bash
docker exec -it database-sb-connector tailscale status
```
Create the backup
Use the private IP assigned by Tailscale as the database host when creating your backup in SimpleBackups. The connection is secured through the Tailscale network without exposing your database to the public internet.
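A pre-flight check for the Docker setup above, as an added example that is not part of the SimpleBackups documentation: it confirms the sidecar has a Tailscale IPv4 address and that the database container publishes no port on a non-loopback host address. The function names are illustrative, and the check assumes the container names used in the commands above.

```bash
#!/usr/bin/env bash
# Added example, not from the SimpleBackups docs. Function names are illustrative.
# Usage: bash preflight.sh NAME-OF-DATABASE-CONTAINER database-sb-connector

# Filter `docker port <container>` output (stdin): print each mapping whose
# host side is not a loopback address, i.e. reachable from other machines.
non_loopback_bindings() {
  awk '$2 == "->" && $3 !~ /^(127\.|\[::1\])/ { print }'
}

# True if $1 starts with 100.64-127, the 100.64.0.0/10 range Tailscale
# assigns node IPv4 addresses from (only the first two octets are checked).
is_tailscale_ipv4() {
  case "$1" in
    100.*.*.*) ;;
    *) return 1 ;;
  esac
  second=${1#100.}
  second=${second%%.*}
  case "$second" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$second" -ge 64 ] && [ "$second" -le 127 ]
}

# Check that the sidecar has a Tailscale address and that the database
# container publishes nothing on a non-loopback host address.
preflight() {
  db=$1
  sidecar=$2
  ip=$(docker exec "$sidecar" tailscale ip -4) || {
    echo "cannot query Tailscale in $sidecar" >&2; return 1; }
  is_tailscale_ipv4 "$ip" || {
    echo "unexpected Tailscale address: $ip" >&2; return 1; }
  ports=$(docker port "$db") || {
    echo "cannot list ports of $db" >&2; return 1; }
  exposed=$(printf '%s\n' "$ports" | non_loopback_bindings)
  if [ -n "$exposed" ]; then
    printf 'ports of %s published on the host:\n%s\n' "$db" "$exposed" >&2
    return 1
  fi
  echo "OK: use $ip as the database host in SimpleBackups"
}

# Run only when both container names are given on the command line.
if [ "$#" -ge 2 ]; then
  preflight "$1" "$2"
fi
```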
Security considerations
SimpleBackups does not use Tailscale SSH. Tailscale SSH should be disabled so that SimpleBackups authenticates using the SSH key you provide when connecting the server. Your nodes must always require SSH password or public/private key authentication.
