If you’re migrating from a traditional office networks or a centralized VPN concentrator, you might find you have external servers that don’t run Tailscale but still need to have their connections secured.
Third-party services, or internal services running on “serverless” cloud providers such as Heroku, might have configured an IP block list (sometimes known as an IP whitelist) that are expecting all your user traffic to originate from a single IP address or a small number of IP addresses. Since Tailscale doesn’t need to send all traffic through a central concentrator, your user traffic will suddenly start arriving from all over the Internet, running into the IP block list protections operated by your service provider.
Read more.