This looks great, and I'd love to replace AWS SSM (at least for the purposes of instance access) with this! One question I have is around device limits.
With SSM, I can easily run an agent on every instance. Tailscale has pretty tight device limits on the Team and Business plans. I have no idea what the custom pricing looks like, but I'm guessing it would exceed my budget. What's the intended way to use this with a large number of servers? A small team can easily have more devices than 5x or 10x the number of users. Should we just set up some "gateway"/"bastion" instances to access via Tailscale SSH and then use regular ssh from there? Some sort of more limited device mode that doesn't count against the device limit (for ssh only, perhaps?) would be great.
You could do a Tailscale SSH bastion thing, yeah. But before you build a funky setup to avoid pricing concerns, at least reach out to the sales folk to see what it is. We're usually pretty flexible on exact quotas and realize that different orgs have different user/device shapes.