Zero trust access network
An interactive guide to Cloudflare's Zero trust access network.
The Shift
Why Zero Trust exists
The perimeter collapsed. Network-level trust became the liability.
The old model: 'Connect to the network, get the keys to the castle.' If an attacker gets in, they get everything. This is why ransomware spreads.
The new model (Zero Trust): 'Earn access to one door at a time.' You don't connect to a network. You just access an app. It's safer because a compromised device can't attack other systems. It's faster because you don't backhaul traffic through a slow VPN.
The old security model assumed a clear perimeter. Remote work + cloud erased it. VPNs grant network-level access after a single login, increasing lateral movement risk and expanding attack surface.
Zero Trust makes access app-scoped and decisioned per request using explicit context + policy. This reduces blast radius while improving control and user experience.
Perimeter-based security assumed stable network boundaries. Modern enterprises have remote endpoints, SaaS sprawl, multi-cloud infrastructure, and third-party contractor access.
VPNs solve reachability by extending layer-3 connectivity. This creates implicit trust domains with broad routing access and lateral movement paths (RFC1918 space, split tunneling, or full tunneling with routing policies).
Zero Trust reframes access as a request-time authorization problem: bind identity assertions (OIDC/SAML claims), device signals (posture, certificates, MDM state), and request metadata (IP, time, method) to explicit policy evaluation per destination.
Design goals: eliminate implicit trust, minimize reachable attack surface, make authorization decisions auditable and reversible, and decouple authentication from network connectivity.
The Mechanism
So, what is Zero Trust (at Cloudflare)?
Per-request decisions + app-scoped access (not network membership).
Instead of connecting to a network, you request access to specific applications. Each request is evaluated independently. When you access an app, Cloudflare validates your identity (who you are), checks your device posture (is it compliant), and evaluates policy rules (are you allowed). Only if all checks pass do you get access to that specific resource. The next request goes through the same process. The key difference: you never get blanket network access. Every request earns authorization individually.
Cloudflare Zero Trust is a contract: every request is evaluated and only the requested resource is authorized. Users don't gain broad network access; applications don't need to be directly exposed to the Internet.
A typical decision shape: User → Identity → Device context → Policy → Transport → Application. Keep this mental model fixed; everything else is implementation detail.
Cloudflare ZT is an authorization and connectivity fabric: evaluate requests with identity + device context, then proxy authorized traffic to specific resources without granting network membership. Core invariants: explicit policy evaluation per request, default-deny posture, app-scoped authorization (not subnet-scoped reachability).
Request flow: client initiates connection → identity assertion validated (JWT, session cookie) → device posture evaluated (WARP client signals, certificate auth) → policy rules matched → authorized requests routed through Cloudflare edge → backend receives proxied connection. For private apps: origins connect outbound via cloudflared tunnels, eliminating inbound firewall rules and public IP exposure. For SaaS/web: inline proxy with same identity + policy enforcement.
The Four Primitives
The building blocks
Identity, Device, Policy, Transport — each with clear scope and failure modes.
Zero Trust decisions are built from four components: Identity, Device, Policy, and Transport. Identity: who you are (verified through your IdP like Okta or Azure AD). Device: what you're using and its security state. Policy: the rules that determine access. Transport: the secure path to the application.
Each component can independently block access. A valid user on a non-compliant device gets blocked. A compliant device with invalid credentials gets blocked. Understanding these four primitives helps you debug access issues and design policies effectively.
Cloudflare Zero Trust is the composition of four primitives: Identity, Device, Policy, and Transport. Identity provides WHO (from your IdP). Device provides WHAT (posture signals). Policy provides the allow/deny logic. Transport provides the controlled path to the destination.
They're separable: you can adopt them incrementally, and you can debug them independently. Most failures map cleanly to one primitive: identity assertion, device signal, policy match, or transport reachability.
Model the system as four independent concerns with distinct sources of truth and failure modes.
Identity: externalized to IdPs via OIDC/SAML. Cloudflare validates tokens and extracts claims (groups, email, custom attributes). MFA context available via IdP assertion. Cloudflare never stores passwords — it consumes identity, doesn't originate it.
Device: posture signals from WARP client (OS version, disk encryption, firewall state) + MDM/EDR integrations (Intune, Jamf, CrowdStrike, SentinelOne). Also certificate-based device identity. Signals evaluated continuously, not just at initial auth.
Policy: ordered rule engine with first-match semantics. Rules combine identity claims (email, groups), device signals (posture checks), request context (IP, method, path), and destination. Default-deny means missing rules block access.
Transport: WARP client routes traffic via Cloudflare edge. Private apps connect via cloudflared tunnels (outbound-only connections using HTTP/2 or QUIC). DNS resolution controlled by Gateway. No direct client-to-origin connectivity for private resources.
Decision Semantics
How a request is decided
Deterministic evaluation - explicit rules, ordered matches, default deny.
Every access request is evaluated against an ordered list of policy rules. The first matching rule determines the outcome. If a rule matches and allows access, the request proceeds. If it matches and blocks, access is denied. If no rules match at all, access is denied by default.
This default-deny behavior is intentional. It prevents accidental access from misconfigured or missing rules. When debugging access issues: verify identity claims are correct, check device posture passes requirements, confirm a policy rule matches the request, and ensure transport connectivity works.
Authorization is deterministic: policies evaluate in order, first match wins. If no rule matches, deny is the default (fail-closed). This makes outcomes predictable and debuggable — rule order and scope matter.
Debug flow: confirm identity assertion → confirm device posture → confirm policy match → confirm transport reachability.
The policy engine behaves like a routing table for authorization: ordered rules with scoped predicates and deterministic first-match resolution.
Evaluation: extract identity claims from JWT/session, fetch device posture signals, evaluate request context (source IP, destination, method, path) against rule predicates in order. First satisfied rule returns Allow or Block. No match = implicit Deny.
Fail-closed prevents accidental exposure from misconfigurations, missing predicates, or IdP/posture provider failures. If upstream signals are unavailable, requests fail.
Best practices: avoid overlapping predicates to keep rule order predictable. Use explicit Deny rules when you want to document blocked patterns. Version and test policy changes with canary users/devices before rollout.
Troubleshooting path: (1) verify identity claims in JWT (groups, email match expected values), (2) check device posture evaluation logs (which checks failed), (3) validate rule predicate match and order (use policy preview/dry-run), (4) confirm transport health (tunnel status, DNS resolution, edge routing).
VPN vs ZTNA
Why this isn't a feature upgrade
Different trust model, different blast radius, different architecture.
VPNs grant network-level access. Once authenticated, you can reach any system on that network (unless additional segmentation is configured). If your VPN-connected device gets compromised, an attacker can access everything reachable on that network. The VPN doesn't re-check authorization for each internal connection.
Zero Trust grants app-scoped access. Every connection requires authorization. A compromised device only gets access to resources that device and user are explicitly authorized for. This reduces blast radius significantly. An attacker would need to compromise credentials AND device posture AND pass policy checks for each target application.
VPNs grant network-level access after a single authentication, increasing lateral movement risk. ZTNA grants app-scoped access, enforcing policy per request and per destination.
With outbound-only connectivity (tunnels), private apps can avoid inbound exposure and direct Internet reachability. This is an architectural shift: membership vs authorization.
VPNs extend layer-3 connectivity to remote endpoints. Clients get routing access to RFC1918 space (full tunnel) or split-tunnel to specific subnets. Segmentation relies on firewall rules, VLANs, or ACLs downstream.
Attack surface expansion: compromised endpoint can scan reachable IP ranges, exploit lateral movement paths, and pivot to other systems without re-authentication. VPN concentrator sees one authenticated session, not per-app authorization.
ZTNA inverts this: authorize at request-time per destination. Client never gets layer-3 routing to private networks. Access is proxied through Cloudflare edge after policy evaluation. Each connection is a distinct authorization event.
For private apps using cloudflared: origin connects outbound to Cloudflare edge via long-lived HTTP/2 or QUIC tunnel. No inbound ports listening on public IPs. Firewall rules can block all inbound. Attackers can't directly reach origin even with valid credentials unless authorized request flows through edge.
Key difference: VPNs solve connectivity first, authorization second. ZTNA solves authorization first, provides connectivity only for authorized flows. This decouples network reachability from security posture.
VPN (Network Trust)
Flat Network
Zero Trust (App Trust)
Scoped Access
Unified Access
One policy engine across all app types
Private apps, SaaS, and web destinations — consistent rules, consistent context.
Cloudflare Zero Trust doesn't just control access to private applications. The same policy engine governs SaaS apps and public web destinations. You can enforce the same identity and device requirements whether users access your internal CRM, Salesforce, or any public website.
This eliminates the fragmentation of separate tools: no more VPN for private apps, SSO for SaaS, and a different proxy for web filtering. One policy framework, one set of logs, one place to manage access controls across all destinations.
Cloudflare applies a unified policy model across private apps, SaaS, and web destinations. This replaces fragmented controls (VPN for private, SSO for SaaS, inconsistent web controls) with consistent enforcement.
Same decision inputs (identity + device posture + context) inform policy regardless of destination type. The win is consistency, simpler operations, and fewer gaps.
Traditional enterprises run separate control planes: VPN for private network access, IdP SSO for SaaS (often with CASB for session control), and SWG/proxy for web filtering. Each uses different policy languages, telemetry systems, and enforcement points.
Cloudflare unifies this: WARP client + Access (private apps) + Gateway (SaaS + web filtering) use the same identity source (IdP via OIDC/SAML), same device posture signals (WARP client + integrations), and same policy engine.
Policy rules can span destination types: block unapproved SaaS based on domain, enforce device compliance for private apps, restrict web categories based on user groups. All evaluated at Cloudflare edge with consistent logging to SIEM/analytics.
This eliminates policy drift (different rules in different systems), visibility gaps (logs scattered across tools), and reduces operational overhead. Adoption friction is often conceptual — requires shifting from 'Zero Trust = private app VPN replacement' to 'Zero Trust = org-wide access control fabric.'
| Req | identity | device | context | policy | decision |
|---|---|---|---|---|---|
| REQ 01 | john@company.com· Valid | macOS · Compliant· Passed | GET /admin· Protected | Rule #2· Match | ALLOW Access granted |
| REQ 02 | anon@company.com· Valid | Windows · Failed· Posture check failed | GET /v1/keys· Sensitive | Admins + Compliant· Requirement not met | DENY Device posture failed First failure: device |
| REQ 03 | contractor@vendor.com· Valid | macOS · Compliant· Passed | GET /internal· Protected | No rule match· No matching policy | DENY Implicit deny First failure: policy |
Performance
Performance at Scale
Faster than the competition. Verified by data.
Performance matters because it impacts your employees' experience. If security tools are slow, users bypass them, putting the organization at risk. We tested our Zero Trust platform against Zscaler and found significant advantages.
Cloudflare Gateway is 58% faster than Zscaler Internet Access (ZIA). Cloudflare Access is 38% faster than Zscaler Private Access (ZPA). Cloudflare Browser Isolation is 45% faster than Zscaler. Fast security means your team stays safe without slowing down.
We measured 95th percentile Response Time and Time to First Byte (TTFB) to capture the real end-user experience. For Secure Web Gateway, Cloudflare (164ms) was comparable to direct internet access, while Zscaler (366ms) added significant latency.
The key differentiator is 'Proxy Latency'—the time spent processing on the edge. Zscaler's proxy latency often exceeds 100ms (missing their own SLA), whereas Cloudflare's is consistently around 7ms.
Methodology: We compared Cloudflare against Zscaler using identical VMs in the same locations (Miercom validated). The performance gap stems from architecture. Zscaler's 'service chaining' adds latency as traffic hops between services.
Cloudflare's 'single pass' architecture processes identity, device posture, and policy in one go. Additionally, Cloudflare's highly peered network (connected to >12,000 networks) reduces the number of hops to the destination, ensuring the proxy is not a bottleneck.
Secure Web Gateway
Response Time (95th percentile)
Time for a user to make a request, go through the proxy, and get the response.
Data: Cloudflare vs Zscaler Tests (2023)
Day 1
How to start (without breaking everything)
Connect one app. Then one team. No big bang migration.
You don't have to replace everything at once. Start with one internal tool (like a wiki or admin panel). Put it behind Cloudflare Zero Trust. It takes 15 minutes. Then add one team. Then another. It's a gradual upgrade, not a scary switch.
This is a 'parallel adoption'. Your old VPN stays running while you move apps over one by one. Users won't even notice the difference, except that things get faster.
Parallel adoption strategy: Keep your VPN running. Pick one non-critical internal app. Configure cloudflared tunnel to point to localhost:8080 (or your internal IP). Set policy to 'Email ends with @company.com'. Test. No firewall changes needed initially.
Route by route migration: Use Split Tunnels to exclude ZT protected IPs from VPN, or just allow them to route through ZTNA. You control the pace.
Side-by-side deployment: Route specific DNS domains to Cloudflare Tunnel (CNAME to UUID.cfargotunnel.com). Keep existing VPN for legacy routes. Over time, migrate more internal DNS records to Cloudflare.
Users install WARP client. It co-exists with most VPN clients (split tunnel configuration). Eventually, when all apps are migrated, decommission the VPN concentrator. Zero downtime migration path.