April 10, 2026
Monitor internal tools behind Tailscale and zero-trust networks
It's Tuesday afternoon. A support agent tries to pull up a customer record in your internal Retool dashboard. The page spins. Then a timeout. They try again. Same result. They post in Slack: "Is Retool down?" Nobody knows. Fifteen minutes later, someone on the platform team discovers the Tailscale node running the Retool instance ran out of memory and crashed sometime overnight. The support queue has been backing up for hours.
Internal tools break silently. They don't have status pages. They don't page anyone. They sit behind VPNs and zero-trust networks, invisible to every external monitoring service, and nobody notices they're down until someone desperately needs them.
The tools nobody monitors — until they break
Every company accumulates a constellation of internal tools. Retool or Appsmith for customer support dashboards. Metabase or Grafana for analytics. Custom admin panels for operations. Backstage developer portals for engineering. Internal wikis, CI dashboards, feature flag UIs, and dozens of small services that teams depend on daily.
These tools all share two traits: they're critical to daily work, and they're behind a private network. Tailscale, WireGuard, Cloudflare Zero Trust tunnels, or a traditional VPN — the access layer keeps them off the public internet. That's good for security. It's terrible for monitoring.
External monitoring services like Pingdom or UptimeRobot can't reach these endpoints. They're designed to probe public URLs. Your internal Metabase instance at analytics.tailnet.ts.net doesn't resolve from the outside world. So it goes unmonitored, and you find out it's broken from a frustrated message in Slack.
Your SSO provider is a single point of failure
Here's a failure mode teams rarely consider: if your SSO provider goes down, your entire remote team gets locked out of everything. Okta, Azure AD, Google Workspace — these are the gatekeepers to every internal tool. When they have an outage, it's not one tool that breaks. It's all of them, simultaneously. Engineers can't access GitHub. Support can't reach their ticketing system. Sales can't log into the CRM.
Monitoring your SSO provider's status endpoint gives you a head start. You'll know it's down before the flood of "I can't log in" messages starts, and you can communicate proactively instead of reacting to confusion.
Cloudflare tunnels and Tailscale nodes fail silently
Cloudflare Zero Trust tunnels are fantastic when they work. But the cloudflared daemon can crash, the host machine can restart without auto-starting the tunnel, or a network change can silently sever the connection. Tailscale nodes have similar failure modes — the daemon stops after an OS update, a node key expires and it drops off the tailnet, or a firewall change blocks the WireGuard port.
These are infrastructure-level failures that application health checks won't catch. The app is healthy. The network path to the app is broken. You need to monitor both layers.
The problem: you can't monitor private endpoints from outside
This is the fundamental challenge. Private endpoints are private for good reason. You can't just expose them to the internet for monitoring. But you still need to know when they're down. There are two practical patterns that solve this without compromising your security posture.
Pattern 1: Public health endpoint via Tailscale Funnel
Tailscale Funnel lets you expose a specific port on a tailnet node to the public internet through Tailscale's infrastructure. Deploy a lightweight health check service that probes your internal tools and exposes a single /health endpoint via Funnel. Uptrack monitors that public URL. If the internal tool is down, the health endpoint returns a 503. If the Tailscale node itself is down, the URL becomes unreachable — and Uptrack alerts you either way.
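A minimal version of the health check service described above, as an added example that is not Uptrack's or Tailscale's own code. The target names, URLs and port are constructed placeholders. Because Funnel makes the endpoint readable by anyone, the response carries only an aggregate status and the failing tool names go to a local log.

```python
import http.client
import json
import sys
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical internal targets (constructed names, not from the article).
TARGETS = {
    "retool": "http://retool.internal.example/healthz",
    "metabase": "http://metabase.internal.example/healthz",
}

def probe(url, timeout=5):
    """True only if the internal URL answers 2xx within the timeout."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except (OSError, ValueError, http.client.HTTPException):
        return False  # refused, timed out, DNS failure, 4xx/5xx, bad URL

def check_all(targets, probe_fn=probe):
    """Probe every target; returns {name: bool}."""
    return {name: probe_fn(url) for name, url in targets.items()}

def public_response(results):
    """Map results to (status_code, body). The body is readable by anyone on
    the internet, so it carries no tool names, hostnames or error text."""
    ok = bool(results) and all(results.values())
    return (200 if ok else 503), json.dumps({"status": "ok" if ok else "fail"})

class Health(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path != "/health":
            self.send_error(404)
            return
        results = check_all(TARGETS)
        down = sorted(n for n, up in results.items() if not up)
        if down:
            print("failing:", ", ".join(down), file=sys.stderr)  # local log only
        code, body = public_response(results)
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Cache-Control", "no-store")
        self.end_headers()
        self.wfile.write(body.encode())

if __name__ == "__main__":
    # Bind to loopback only; Funnel forwards public traffic to this local port.
    HTTPServer(("127.0.0.1", 8080), Health).serve_forever()
```

Every public request triggers a round of internal probes, so cache the result for a few seconds or rate-limit the port if the URL sees unexpected traffic.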
Pattern 2: Heartbeat (push-based) monitoring
Instead of Uptrack pulling from your network, your internal network pushes to Uptrack. Set up a cron job or scheduled task inside your private network that pings an Uptrack heartbeat URL every minute. If Uptrack stops receiving that ping, it means either the internal tool is down, the cron job failed, or the network path out is broken — all scenarios you want to know about. No inbound ports, no public endpoints, no security tradeoffs.
What to monitor in your internal tool stack
Don't try to monitor everything. Focus on the tools and infrastructure layers where silent failures cause the most pain.
Internal dashboards and admin panels
Retool, Appsmith, Metabase, Grafana, custom admin UIs. These are the tools your support, ops, and analytics teams use hourly. A heartbeat from a cron job that checks each tool's health endpoint covers them without exposing anything publicly.
SSO provider endpoints
Monitor your Okta, Azure AD, or Google Workspace status endpoints directly. These are public URLs — Uptrack can check them with standard HTTP monitors. You'll know your SSO is degraded before your team starts reporting login failures.
VPN and tunnel infrastructure
Monitor the Cloudflare tunnel or Tailscale Funnel endpoint itself. If the tunnel goes down, the public URL becomes unreachable. A simple HTTP check on the tunneled URL tells you both that the tunnel is up and that the service behind it is responding.
Developer portals and CI dashboards
Backstage, ArgoCD, Jenkins, internal GitLab instances. When these go down, developers lose visibility into deploys, pipelines, and service catalogs. A heartbeat monitor from inside the network catches failures without punching holes in your firewall.
Internal APIs and microservices
Backend services that aren't public-facing but are critical to internal workflows. Order processing, data pipelines, webhook handlers. If they only communicate on the tailnet, a heartbeat is the cleanest monitoring pattern.
Setting up a heartbeat monitor in five minutes
The heartbeat pattern is the simplest way to monitor anything behind a private network. Create a heartbeat monitor in Uptrack, which gives you a unique URL. Then add a cron job on any machine inside your network that first checks the internal tool is healthy, then curls that URL. If Uptrack stops receiving pings, it fires an alert — whether the tool crashed, the cron host went down, or the network path broke.
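The cron job described above, as an added example that is not Uptrack's own code. It goes one step further and handles several tools, each with its own heartbeat, and pings only after that tool's health check passes. The config path, file layout and crontab line are assumptions, and so is the premise that the unique heartbeat URL is the only thing authenticating a ping.

```python
import http.client
import json
import sys
import urllib.request

def http_ok(url, timeout=10):
    """True only for a 2xx reply; timeouts, refusals and 4xx/5xx are failures."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except (OSError, ValueError, http.client.HTTPException):
        return False

def run(checks, fetch=http_ok):
    """checks maps name -> {"health": internal URL, "heartbeat": monitor URL}.
    Returns {name: reason} for every tool whose heartbeat was not delivered."""
    missed = {}
    for name, c in checks.items():
        if not fetch(c["health"]):
            missed[name] = "unhealthy"    # stay silent so the monitor alerts
        elif not fetch(c["heartbeat"]):
            missed[name] = "ping failed"  # outbound path or monitor problem
    return missed

def main(config_path):
    # Assumption: a heartbeat URL works like a credential (anyone holding it
    # can send a healthy ping), so it lives in a root-only file rather than
    # in the crontab line or the script itself.
    with open(config_path) as fh:
        checks = json.load(fh)
    missed = run(checks)
    for name, reason in missed.items():
        print(f"{name}: {reason}", file=sys.stderr)
    return 1 if missed else 0

if __name__ == "__main__":
    # Hypothetical paths; an assumed crontab entry would be:
    #   * * * * * /usr/bin/python3 /opt/heartbeat.py /etc/heartbeat.json
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "/etc/heartbeat.json"))
```

The non-zero exit code and stderr lines give the cron host its own local record of which tool failed, independent of the alert.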
If you're also using Cloudflare tunnels or Tailscale Funnel, add those public URLs as standard HTTP monitors too. The combination is powerful: if the HTTP check fails but the heartbeat still arrives, your tunnel is broken but the service is fine. If both fail, the service itself is down. That signal clarity turns a 30-minute debugging session into a 30-second diagnosis.
How Uptrack covers both public and private tools
Most monitoring services only do pull-based HTTP checks. That works for public endpoints but leaves private tools completely uncovered. Uptrack supports both HTTP checks and heartbeat monitors, so you can monitor your entire stack from a single dashboard — SSO endpoints and tunnel URLs with HTTP checks, internal tools with heartbeats.
The free tier gives you 50 monitors — more than enough to cover your public services, your SSO providers, your tunnel endpoints, and a heartbeat for every critical internal tool. No credit card, no trial expiration.
Stop discovering internal outages from Slack messages
50 free monitors — 10 at 30-second checks, 40 at 1-minute. No credit card required.