Cloudflare Zero Trust – An alternative to traditional VPNs

VPNs have long been the go-to for businesses both large and small that need to access company resources remotely. When implemented correctly, VPNs allow teams to securely access company resources such as file shares, internal computers, and tools. While the transition to the cloud and cloud services has meant less reliance on on-premises services, there are still scenarios where on-premises access is the best solution.

Zero trust is a cybersecurity concept which emphasises the idea of not trusting any user or device implicitly. The model implements security measures that ensure users and devices are verified and monitored before being given access to company resources. Some of the key principles of zero trust include rigorously verifying a user’s identity, giving users the least privilege needed to perform their tasks, segmenting networks into smaller sections, implementing strict access control policies, and ensuring strong data encryption.

Cloudflare Zero Trust is one service offering zero trust and a software-based VPN alternative. Other companies offer similar software VPN alternatives, such as ZeroTier; however, Cloudflare offers additional services and functionality on top of the software-based VPN alternative. Cloudflare Zero Trust is an extensive platform. In this article I will be detailing just a few of the main benefits it could offer to small and medium-sized Australian businesses.

Traditional VPN replacement

Traditional VPNs require you to open ports in your firewall to allow inbound remote connections. If your firewall is not up to date, or a vulnerability is found in the VPN service, attackers could gain access through this exposed port. Cloudflare’s zero trust network access (ZTNA) is different: rather than opening ports in your firewall, you deploy a small agent that connects outbound to the Cloudflare edge network and brokers the connection between your site and Cloudflare. Because the agent only ever dials out, no inbound ports are exposed in the process.

These agents create Tunnels to Cloudflare’s network. The benefit is that you can deploy these agents on-premises, in the cloud, and even connect them to SaaS products. This allows your users to connect centrally to one solution and have access to resources no matter how geographically dispersed those resources are.

An added benefit is that if your office internet connection is a mobile (4G/5G) connection, or your ISP uses CG-NAT or a dynamic IP, you can still host services externally. Because the tunnel is established outbound from your site, no static public IP or inbound connection is required, so you can reach internal services even where a traditional VPN would not work.

You are also able to have a company dashboard that lists all the secure apps that staff have access to. Through this central portal they can authenticate and access the resources they need.

In-house & self-hosted applications

If your company self-hosts applications and web apps, Cloudflare Zero Trust can allow you to make them publicly accessible without exposing ports on your firewall. The connection to Cloudflare is made through the tunnel. Cloudflare then publishes the application on a public domain name and proxies each request through the tunnel to the internal service.

One additional benefit is that you have the option to add a further layer of security: you can enable Cloudflare Zero Trust on top of the service. Before users are granted access to the service, they must first authenticate with Cloudflare Zero Trust.
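To make the tunnel model described above concrete, here is an added example (not from the article, and not Cloudflare’s own documentation) of the configuration file read by cloudflared, the tunnel agent that makes the outbound connection to Cloudflare. It assumes two hypothetical internal services: a web app on port 8080 and an HTTPS file portal with an internally issued certificate. The tunnel ID, hostnames, file paths and ports are placeholders. Nothing in this file opens an inbound port; it only tells the agent which internal service each public hostname should be proxied to.

```yaml
# cloudflared tunnel configuration (commonly /etc/cloudflared/config.yml).
# Added example; the tunnel ID, hostnames, paths and ports are placeholders.
tunnel: 00000000-0000-0000-0000-000000000000
credentials-file: /etc/cloudflared/00000000-0000-0000-0000-000000000000.json

# Ingress rules are evaluated top to bottom; the first matching hostname wins.
ingress:
  # Self-hosted web app that is only reachable on the LAN, published on a
  # public hostname. Cloudflare proxies requests through the tunnel to it.
  - hostname: app.example.com.au
    service: http://localhost:8080

  # Internal file portal that already speaks HTTPS with a certificate issued
  # by an internal CA. caPool lets the agent verify that certificate instead
  # of disabling TLS verification to the origin.
  - hostname: files.example.com.au
    service: https://fileserver.internal:443
    originRequest:
      caPool: /etc/cloudflared/internal-ca.pem

  # Catch-all: any hostname not matched above is answered with a 404 rather
  # than being proxied anywhere. cloudflared requires this final rule.
  - service: http_status:404
```

The agent is started with `cloudflared tunnel run`, and each public hostname needs a DNS record pointing at the tunnel (for example via `cloudflared tunnel route dns`). Note that this file only decides where traffic goes; the authentication layer mentioned above is a Cloudflare Access application and policy attached to these hostnames in the Zero Trust dashboard, so without that policy the published hostnames are reachable by anyone on the internet, just without an open firewall port.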

Security Benefits

When using Cloudflare ZTNA you can connect a wide range of third-party identity providers, such as Microsoft Azure AD (Microsoft 365) and Google Workspace. This means that users don’t need separate usernames, passwords and MFA for the Cloudflare ZTNA. Instead, they can log in using their existing trusted identity, most likely their work email account, to authenticate with the service. It is important that you use strong MFA, such as authenticator apps and hardware tokens, with your current identity provider.

This method also hides your public IP address, which can be helpful, especially with ISPs that may be less equipped to handle Distributed Denial of Service attacks. Combined with not opening ports to the internet, this removes one attack vector for bad actors.

Traffic that is routed through the Cloudflare ZTNA is also subject to Cloudflare’s threat intelligence and machine learning, which adds a further security layer to your connections.


An important consideration is trust. With this method you are adding Cloudflare to your trust circle. When the agent is deployed, it has access to your network and any resources reachable from the host it runs on, so it should be placed on a host, or in a network segment, with only the reach it actually needs, in keeping with the least-privilege principle above. It is important to understand this when considering any software VPN alternative.


In this article I have touched on just a small subset of the features of Cloudflare Zero Trust. These are the features that I can see having the most initial benefit for small and medium-sized businesses. If your business would like to improve security and move to a zero trust model, please get in touch. At FordhamIT we would love to be part of your journey.