The CloudLink service is convenient and everything, but the fact it uses OpenVPN makes it basically a nonstarter in a lot of corporate environments. It would be great if it were deprecated and replaced with something easier to deploy, even if it didn’t support all the features.
Ideally you could either use a public HTTP- or MQTT-based service with mTLS (I think this would mostly be approved); it would also be nice if you had a public Tailscale service that you could add to your tailnet to completely encapsulate the traffic.
With a few exceptions (most notably SSH, and the ability to easily do OS updates), Balena devices can happily run without CloudLink, and there’s an option to turn it off. Container and configuration updates already happen over an HTTP connection, and from what I’ve seen of the code, the new supervisor that’s in development will also take care of doing OS updates without needing CloudLink as well, which is the last big showstopper for us when we have to deploy on sites where the client refuses to allow a VPN connection.