Zero Trust
Overview
Cloudflare Zero Trust is used to control access to internal apps, environments, and resources without relying on a traditional VPN. Access is enforced at Cloudflare's edge, based on the user's identity and device posture rather than on network location.
In practice, Zero Trust is applied to:
- Protect internal web apps (via Access policies)
- Gate Pages/Workers deployments and preview environments
- Restrict dashboards, admin panels, and docs
- Enforce SSO (GitHub/Google/Entra, etc.) with MFA
- Apply device rules (managed device, OS version, certificates)
- Broker outbound traffic using WARP + Gateway
Policies are defined declaratively (who can access what, under which conditions) and evaluated on every request. Applications are never directly exposed to the public internet unless explicitly configured.
Operationally, this replaces VPN-based access with identity-aware routing:
- DNS → Access policy → authenticated request → app/Worker/Page
- No inbound firewall rules required
- No private network coupling between users and services
The result is that internal tools remain private by default, every access decision is auditable, and onboarding and offboarding are reduced to identity provider changes rather than network configuration.
Available Access Policies
Currently, the following Access policies are in place to protect internal resources:
| Name | Description | Rules | Session duration |
|---|---|---|---|
| r-sky-internal | Grants access to internal applications and documentation for r-sky team members. | Allow only team members' email addresses to access resources | 1 month |