Cloudflare Access (ZTNA)

What is it?

Cloudflare Access is a Zero Trust Network Access (ZTNA) service that replaces traditional VPNs. Instead of connecting users to an entire corporate network, Access connects them to specific applications — and only after verifying their identity, device, and security posture.

Fun fact: the onboarding portal you're reading right now is protected by Cloudflare Access!

What problem does it solve?

Traditional VPNs are one of the biggest pain points in corporate IT:

  • Slow: VPNs route all traffic through a central data center, creating bottlenecks.
  • Over-permissive: Once connected, users can typically access the entire network — not just what they need.
  • Vulnerable: VPNs are a prime attack target. If compromised, attackers get broad network access.
  • Terrible UX: Employees hate using them.

Cloudflare Access eliminates all of these problems.

How does it work?

  1. An admin defines access policies for each application (e.g., "Only employees in the engineering team with a corporate device can access the internal wiki").
  2. When a user tries to access the application, they're redirected to an identity provider (like Google, Okta, or Azure AD) to authenticate.
  3. Cloudflare checks: Is this person who they say they are? Is their device compliant? Do they meet the access policy?
  4. If yes, they're granted access to that specific application only — not the whole network.
  5. Access is continuously re-evaluated. If the user's device becomes non-compliant or their session expires, access is revoked.
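
The decision flow in steps 1 to 5 can be modelled as a small default-deny policy check. This is an added illustration, not Cloudflare's code or API; the names Policy, Request, and evaluate, the group names, and the timestamps are all assumptions made up for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    """Step 1: the admin's rule for one application (hypothetical model)."""
    allowed_groups: frozenset
    require_compliant_device: bool = True

@dataclass
class Request:
    """What is known about the user at evaluation time (constructed fields)."""
    groups: frozenset
    idp_authenticated: bool   # step 2: the identity provider vouched for the user
    device_compliant: bool    # step 3: device posture
    session_expires_at: int   # epoch seconds

def evaluate(policies, app, req, now):
    """Return (allowed, reason). Default deny: no policy means no access."""
    policy = policies.get(app)
    if policy is None:
        return False, "no policy for application"
    if not req.idp_authenticated:
        return False, "identity not verified"
    if now >= req.session_expires_at:
        return False, "session expired"
    if policy.require_compliant_device and not req.device_compliant:
        return False, "device not compliant"
    if not (req.groups & policy.allowed_groups):
        return False, "not in an allowed group"
    return True, "allowed"

# Constructed sample data: the wiki policy from step 1, plus a second application.
POLICIES = {
    "internal-wiki": Policy(frozenset({"engineering"})),
    "payroll": Policy(frozenset({"finance"})),
}

def demo():
    alice = Request(frozenset({"engineering"}), True, True, session_expires_at=1_000)
    results = [
        evaluate(POLICIES, "internal-wiki", alice, now=500),  # step 4: allowed
        evaluate(POLICIES, "payroll", alice, now=500),        # that one app only
    ]
    alice.device_compliant = False  # posture changes mid-session
    results.append(evaluate(POLICIES, "internal-wiki", alice, now=600))    # step 5
    alice.device_compliant = True
    results.append(evaluate(POLICIES, "internal-wiki", alice, now=1_000))  # expiry
    return results

if __name__ == "__main__": print(demo())
```

Because evaluate runs on every request rather than once at login, the same user is allowed at one moment and denied the next when posture or session state changes, which is the behaviour step 5 describes.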

Key features:

  • Agentless: Many applications can be protected without installing anything on the user's device.
  • Browser-based SSH/RDP: Access internal servers through a browser without a VPN.
  • Service tokens: Allow machine-to-machine authentication for automated systems.
  • Access logs: Every access attempt is logged for audit and compliance.

Why it matters strategically

ZTNA is the "tip of the spear" for Act 2 — it's often the first Zero Trust product customers adopt, typically to replace a VPN. Once customers experience the speed and simplicity of Access, they're much more likely to adopt Gateway, Browser Isolation, and the rest of the SASE platform. Cloudflare competes here primarily with Zscaler Private Access (ZPA) and Palo Alto's Prisma Access.
