IronSights


Cloudflare Zero Trust. Verify before you connect.

Put internal tools, admin panels, and private applications behind identity-aware access control, without a VPN.

Cloudflare Access verifies user identity and device health before granting access to any internal application. Every access event is logged. Internal tools are no longer directly exposed to the internet.

No VPN required
Identity-aware access control
Works on any device, any location

How it works

Identity first. Access second.

Every access request is verified against your identity provider and access policies before any connection is established. Being on the network is not enough.

Works with Microsoft Entra ID, Google Workspace, Okta, and others. No new identity infrastructure required.

Access requested

A user attempts to access an internal application, admin panel, or private tool from any device or location.

Identity verified

Cloudflare Access checks the user's identity through your existing identity provider: Microsoft Entra ID, Google Workspace, Okta, or others.

Policy evaluated

Access policies are checked: is this user allowed to access this application? From this device? At this time? Each condition must be satisfied.

Access granted

If all conditions are met, the user is connected to the application. Every access event is logged with user, device, time, and outcome.
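The four steps above, written out as a runnable model so the evaluation order and the audit record are concrete. This is an added example, not Cloudflare's code: the request fields, the policy shape, the group names, the sample users and the JSON audit line are all constructed for the demo. Real Access policies are configured in the Cloudflare Zero Trust dashboard and evaluated at Cloudflare's edge; the model only shows the logic the page describes, identity first, then every policy condition, then one log line per decision, with policies scoped per application.

```python
"""Model of the Access flow: request -> identity -> policy -> decision + audit line.
Added example with constructed data; not Cloudflare's implementation."""
from dataclasses import dataclass, replace
from datetime import datetime, timezone
import json


@dataclass(frozen=True)
class Request:
    user: str             # email asserted by the identity provider (IdP)
    idp_verified: bool    # IdP completed authentication for this session
    mfa: bool             # IdP reported a second factor
    groups: frozenset     # IdP group memberships
    device_managed: bool  # device posture: enrolled/managed device
    os_patched: bool      # device posture: OS at required patch level
    app: str              # application being requested
    source_ip: str
    at: datetime          # request time, UTC


@dataclass(frozen=True)
class Policy:
    app: str                    # each application gets its own policy
    allowed_groups: frozenset
    require_mfa: bool = True
    require_managed_device: bool = True
    require_patched_os: bool = True
    hours_utc: tuple = (0, 24)  # permitted window [start, end) in UTC hours


def evaluate(req: Request, policy: Policy):
    """Identity first, then every policy condition; all must hold.
    Returns (decision, failed_conditions) so a deny explains itself."""
    if policy.app != req.app:
        return "deny", ["policy does not cover this application"]
    if not req.idp_verified:
        return "deny", ["identity not verified by identity provider"]
    conditions = [
        ("MFA not completed", req.mfa or not policy.require_mfa),
        ("user not in an allowed group", bool(req.groups & policy.allowed_groups)),
        ("device not managed", req.device_managed or not policy.require_managed_device),
        ("OS not at required patch level", req.os_patched or not policy.require_patched_os),
        ("outside permitted hours", policy.hours_utc[0] <= req.at.hour < policy.hours_utc[1]),
    ]
    failed = [reason for reason, ok in conditions if not ok]
    return ("allow" if not failed else "deny"), failed


def audit_record(req: Request, decision: str, failed) -> str:
    """One JSON line per access event: who, what, from where, when, outcome."""
    return json.dumps({
        "time": req.at.isoformat(),
        "user": req.user,
        "app": req.app,
        "source_ip": req.source_ip,
        "device_managed": req.device_managed,
        "decision": decision,
        "reasons": failed,
    }, sort_keys=True)


def decide_and_log(req: Request, policies: dict):
    """Look up the policy for the requested app, evaluate it, emit the audit line."""
    policy = policies.get(req.app)
    if policy is None:
        decision, failed = "deny", ["no policy for application"]  # default deny
    else:
        decision, failed = evaluate(req, policy)
    return decision, failed, audit_record(req, decision, failed)


# Constructed policies: one per application, so a grant never spans applications.
POLICIES = {
    "admin-panel": Policy("admin-panel", frozenset({"it-admins"}), hours_utc=(6, 20)),
    "finance-tool": Policy("finance-tool", frozenset({"finance"})),
}

# Constructed sample requests (hypothetical users and addresses).
T = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
ADMIN = Request("alice@example.com", True, True, frozenset({"it-admins"}),
                True, True, "admin-panel", "203.0.113.10", T)
CONTRACTOR = Request("bob@contractor.example", True, True, frozenset({"it-admins"}),
                     False, True, "admin-panel", "198.51.100.7", T)
ADMIN_ON_FINANCE = replace(ADMIN, app="finance-tool")   # right user, wrong app
ADMIN_LATE = replace(ADMIN, at=T.replace(hour=23))      # right user, outside hours

if __name__ == "__main__":
    for req in (ADMIN, CONTRACTOR, ADMIN_ON_FINANCE, ADMIN_LATE):
        print(decide_and_log(req, POLICIES)[2])
```

Each printed line is the audit record for that decision; a deny carries the list of conditions that failed, which is what you want in the SIEM when reconstructing an incident.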

What's included

Identity-aware access for every application.

Eight controls that together replace the implicit trust of a VPN with verified, logged, and policy-enforced access.

Identity provider integration

Works with Microsoft Entra ID, Google Workspace, Okta, OneLogin, and others. Connects to your existing identity infrastructure without replacing it.

Multi-factor authentication

MFA is enforced as part of the access flow for every protected application. Users without MFA enrolled cannot complete authentication.

Device posture checks

Access can be conditionally granted based on device health: whether the device is managed, whether the OS is patched, whether endpoint protection is running.

Application-level access

Each internal application is protected individually. Access to one application does not grant access to others, even on the same network.
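The check that makes per-application isolation hold at the origin, as an added example that is not Cloudflare's code. After Access allows a request, it forwards a signed JWT to the origin in the Cf-Access-Jwt-Assertion header, and the token's aud claim carries the audience tag of the one application it was issued for; an origin that verifies the signature, the aud and the expiry will refuse a token minted for a different application, and will refuse anyone who reaches it without going through Access at all. Real Access tokens are RS256-signed with keys published at the team's /cdn-cgi/access/certs endpoint and should be verified with a JWT library; to run offline this example mints and verifies HMAC-signed stand-in tokens with a constructed key, and the audience tags, emails and issuer are hypothetical.

```python
"""Origin-side verification of an Access-style JWT: signature, aud, exp.
Added example with an HS256 stand-in signer; production uses RS256 + JWKS."""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 token. Demo stand-in for the edge signer, not the real one."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_access_token(token: str, key: bytes, expected_aud: str, now: int):
    """Return (ok, reason, claims). Order: shape, alg, signature, aud, exp."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed token", None
    if header.get("alg") != "HS256":      # never trust alg=none or a swapped algorithm
        return False, "unexpected signing algorithm", None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature", None
    claims = json.loads(b64url_decode(payload_b64))
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:          # token belongs to another application
        return False, "token issued for a different application", None
    if now >= int(claims.get("exp", 0)):
        return False, "token expired", None
    return True, "ok", claims


def handle_request(headers: dict, key: bytes, expected_aud: str, now: int):
    """Origin gate: no valid Access token for this application, no response body."""
    token = headers.get("Cf-Access-Jwt-Assertion")
    if not token:
        return 403, "missing Cf-Access-Jwt-Assertion header"
    ok, reason, claims = verify_access_token(token, key, expected_aud, now)
    if not ok:
        return 403, reason
    return 200, f"hello {claims['email']}"


# Constructed demo material: key, audience tags, issuer and users are all hypothetical.
KEY = b"demo-signing-key-not-for-production"
ADMIN_AUD = "aud-admin-panel"
FINANCE_AUD = "aud-finance-tool"
NOW = 1_700_000_000
ISSUER = "https://example.cloudflareaccess.com"
ADMIN_TOKEN = sign_token({"aud": [ADMIN_AUD], "email": "alice@example.com",
                          "iss": ISSUER, "iat": NOW, "exp": NOW + 3600}, KEY)
FINANCE_TOKEN = sign_token({"aud": [FINANCE_AUD], "email": "alice@example.com",
                            "iss": ISSUER, "iat": NOW, "exp": NOW + 3600}, KEY)
# Same signature, edited payload: what an attacker who can reach the origin might try.
_h, _p, _s = ADMIN_TOKEN.split(".")
TAMPERED_TOKEN = ".".join([_h, b64url(json.dumps({"aud": [ADMIN_AUD], "email": "mallory@example.com",
                                                  "iss": ISSUER, "iat": NOW, "exp": NOW + 3600}).encode()), _s])

if __name__ == "__main__":
    for label, hdrs, at in [("valid", {"Cf-Access-Jwt-Assertion": ADMIN_TOKEN}, NOW),
                            ("other app", {"Cf-Access-Jwt-Assertion": FINANCE_TOKEN}, NOW),
                            ("direct to origin", {}, NOW),
                            ("tampered", {"Cf-Access-Jwt-Assertion": TAMPERED_TOKEN}, NOW),
                            ("expired", {"Cf-Access-Jwt-Assertion": ADMIN_TOKEN}, NOW + 7200)]:
        print(label, handle_request(hdrs, KEY, ADMIN_AUD, at))
```

The aud check is the one most often skipped: a token that verifies cryptographically is still the wrong token if it was issued for another application. Pair this with reaching the origin only through Cloudflare Tunnel or an equivalent ingress restriction, so the header cannot simply be omitted.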

Audit logging

Every access request is logged with user, device, location, time, and outcome. Audit logs are available for review and can be exported for SIEM integration.

Browser isolation

Sensitive internal applications can run in an isolated browser session. Copy, paste, print, and download are controlled, so data can't walk out through the browser.

Private network access

Private network segments and internal services can be accessed through Cloudflare's WARP client without a traditional VPN tunnel.

SaaS app control

Cloudflare Access can also protect SaaS applications. Apply the same identity policies to Salesforce, GitHub, and others via SAML or OIDC.

Why Zero Trust beats VPN

A VPN grants network access. Once a user is connected, they can typically reach anything on that network segment. Zero Trust grants application access, one application at a time, after verifying identity on every request.

  • Compromised credentials don't grant broad network access
  • Application-level isolation stops lateral movement
  • No VPN client, certificates, or split-tunnel configuration to manage
  • Every access event is logged. VPNs typically log connections, not what users do.
  • Browser-based access with SSO is faster for users than a VPN tunnel

Essential Eight alignment

Cloudflare Zero Trust covers several Essential Eight controls directly. For businesses working toward Maturity Level 2 (ML2) or ML3, it handles some controls that are otherwise difficult to tick off.

  • Enforced MFA on all access — supports MFA control at ML2
  • Privileged access management — admin panels locked to verified users only
  • Audit logging — every access event recorded for the logging controls
  • Device posture — can enforce patching status before granting access
  • Application isolation — reduces blast radius of a compromised credential

What you gain

Access controlled. Everywhere it needs to be.

Four outcomes that change how your team reaches internal tools, and stop attackers from reaching them at all.

VPN eliminated

Users access internal tools through a browser or the WARP client, without VPN clients, certificates, or split-tunnel configurations to manage.

Attack surface reduced

Internal applications are no longer directly exposed to the internet. An attacker without valid identity credentials cannot reach them at all.

Full audit trail

Every access event is logged. When a security incident occurs, you have a complete record of who accessed what, from where, and when.

Better user experience

Accessing internal tools is as simple as logging in with your work account. No VPN to connect, no certificates to manage, no timeouts to work around.

Common questions

Zero Trust questions answered.

  1. What is Zero Trust access?

    Zero Trust is a security model based on the principle that no user or device should be trusted by default, even if they are on the internal network. Instead, every access request is verified against identity, device health, and policy before being granted. Cloudflare Access implements this model for web-based and internal applications without requiring a VPN.

  2. Does it replace our VPN?

    For most use cases involving access to internal web applications and admin tools, yes. Cloudflare Access handles identity-aware access to those applications directly. Where network-level access is still required (legacy systems, file shares, or internal services that aren't web-accessible), Cloudflare's WARP client provides private network access that can supplement or replace a traditional VPN.

  3. Which identity providers does it support?

    Cloudflare Access supports Microsoft Entra ID (formerly Azure AD), Google Workspace, Okta, OneLogin, Ping Identity, GitHub, and a range of others via SAML 2.0 and OIDC. If you already have Microsoft Entra ID or Google Workspace, you can use your existing accounts without setting up anything new on the identity side.

  4. Can it protect applications that aren't ours?

    Cloudflare Access can also enforce your identity policies on third-party SaaS applications that support SAML or OIDC. This lets you apply the same requirements, device posture checks, and access policies to tools like Salesforce, Jira, or GitHub as you apply to your own internal applications.

  5. How does this relate to the Essential Eight?

    Cloudflare directly supports several controls. Enforced MFA on all access contributes to Maturity Level 2 of the Multi-factor Authentication control. Application-level access control contributes to the Restrict Administrative Privileges control. Audit logging supports the Log Events and Log User Activity requirements under monitoring.

Replace VPN with verified access

Internal tools protected. Without the VPN overhead.

Replacing VPN access with Zero Trust is one of those changes that's hard to argue with once you see how it works. We scope, deploy, and validate it against your identity provider and applications.