deploying-cloudflare-access-for-zero-trust

Deploying Cloudflare Access for Zero Trust

When to Use

  • When replacing VPN infrastructure with identity-aware application access using Cloudflare One
  • When exposing self-hosted internal applications through Cloudflare Tunnel without opening inbound ports
  • When implementing ZTNA for a distributed workforce accessing web applications, SSH, and RDP services
  • When you need a cost-effective zero trust solution with integrated DLP, CASB, and SWG capabilities
  • When securing contractor and third-party access to specific applications without full network access

Do not use for applications requiring persistent UDP connections not supported by Cloudflare Tunnel, for environments requiring air-gapped or fully on-premises access control, or when regulatory requirements prohibit routing traffic through third-party cloud infrastructure.

Prerequisites

  • Cloudflare account with Zero Trust subscription (Free for up to 50 users, paid plans for larger teams)
  • Domain name managed by Cloudflare DNS (or ability to add CNAME records)
  • Linux, Windows, or macOS server to run the cloudflared tunnel daemon
  • Identity provider: Okta, Microsoft Entra ID, Google Workspace, GitHub, or any SAML/OIDC provider
  • Cloudflare WARP client for device-level enrollment (optional but recommended)
First Seen
Mar 16, 2026