# Cloudflare Access and Zero Trust
[[Cloudflare]] Access is an identity-aware reverse proxy that gates HTTP applications, SSH hosts, and other internal services behind authentication and policy rules. It sits in front of an origin (usually reached through an outbound-only [[Cloudflare Tunnel]], so the origin exposes no inbound ports) and enforces "who can reach what under which conditions" before a single request reaches the protected app. A request that passes policy is forwarded carrying a signed JWT (the `CF_Authorization` cookie and the `Cf-Access-Jwt-Assertion` request header); the origin should verify that token against the team's published public keys rather than trust its mere presence.
Cloudflare Zero Trust is the umbrella product family (the ZTNA side of "Cloudflare One", Cloudflare's SASE platform): Access plus Gateway (outbound DNS/HTTP/network filtering via the WARP client), CASB, remote browser isolation, DLP, and device posture checks. Access is the most-used component; the rest are SSE/SASE offerings competing with Zscaler and Netskope.
## Why It Matters
"Zero Trust" replaces the perimeter model (VPN in, then a trusted flat network) with per-request authorization. Every request to a protected app is evaluated: which user, on which device, from where, with what posture, over which protocol; only then is it proxied to the origin. The result: the VPN goes away, internal apps become reachable from the Internet but only by authorized identities, and lateral-movement risk drops because reaching one app grants nothing on the others. Two things a deployment has to get right for that to hold: the origin must not be reachable except through Cloudflare (outbound-only tunnel, or a firewall that admits only Cloudflare's edge IP ranges), otherwise an attacker simply connects to it directly; and the origin should validate the Access JWT in `Cf-Access-Jwt-Assertion` itself, since a convenience header like `Cf-Access-Authenticated-User-Email` is trivially forged by anyone who can reach the origin without going through Access.
## Core Capabilities
- **Identity-aware proxy** for HTTP apps
- **SSO integration**: generic SAML and OIDC, plus built-in connectors for Microsoft Entra ID (formerly Azure AD), Google Workspace, Okta, GitHub, and a one-time PIN sent by email
- **Policies**: Allow / Block / Bypass / Service Auth rules keyed on user, email domain, group, country, source IP range, device posture, login method or MFA, with External Evaluation hooks for custom conditions such as time of day
- **Browser-rendered SSH/RDP/VNC** — no client needed
- **Service tokens** for machine-to-machine access: a client ID and secret presented as the `CF-Access-Client-Id` / `CF-Access-Client-Secret` headers, which Access exchanges for the same kind of JWT a user login yields (with a `common_name` claim in place of `email`)
- **Logs and audit trails** of every access decision, allow and deny alike, exportable via Logpush
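What the origin side of this looks like, for both the interactive logins described under "Why It Matters" and the service-token case above, as an added example that is not code from the page or from Cloudflare. It verifies an Access JWT the way an origin should (pinned `RS256`, key looked up by `kid`, signature, issuer, audience, expiry) and then runs a set of constructed tokens through it. The team domain, the application AUD tag, the `kid`, the e-mail addresses and the service-token name are all hypothetical; because it has to run offline, `mintToken` and a freshly generated RSA key pair stand in for Access and for the JWKS a real origin would fetch and cache from `https://<team>.cloudflareaccess.com/cdn-cgi/access/certs`.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Hypothetical deployment values (not from the page): the team domain that
// issues tokens and the AUD tag Access assigned to this one application.
const teamDomain = "https://example.cloudflareaccess.com"
const appAUD = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

var b64 = base64.RawURLEncoding

// Claims holds the token fields this verifier checks; a token obtained with a
// service token carries common_name instead of email.
type Claims struct {
	Aud        []string `json:"aud"`
	Email      string   `json:"email,omitempty"`
	CommonName string   `json:"common_name,omitempty"`
	Exp        int64    `json:"exp"`
	Iss        string   `json:"iss"`
}

// VerifyAccessJWT checks a Cf-Access-Jwt-Assertion value the way an origin should.
// keys stands in for the team's JWKS, which a real origin fetches and caches from
// <teamDomain>/cdn-cgi/access/certs, indexed by kid.
func VerifyAccessJWT(token string, keys map[string]*rsa.PublicKey, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	hb, err1 := b64.DecodeString(parts[0])
	pb, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, fmt.Errorf("bad base64url")
	}
	h, c := map[string]string{}, Claims{}
	if json.Unmarshal(hb, &h) != nil || json.Unmarshal(pb, &c) != nil {
		return nil, fmt.Errorf("malformed JSON")
	}
	// Pin the algorithm and require a key we know; the token never chooses either
	// (this is what defeats alg=none and RS256/HS256 key-confusion tokens).
	pub, ok := keys[h["kid"]]
	if h["alg"] != "RS256" || !ok {
		return nil, fmt.Errorf("rejected header alg=%q kid=%q", h["alg"], h["kid"])
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature")
	}
	// Signed by our team: now bind it to this application and to the present.
	audOK := false
	for _, a := range c.Aud {
		audOK = audOK || a == appAUD
	}
	if c.Iss != teamDomain || !audOK || now.Unix() >= c.Exp {
		return nil, fmt.Errorf("not a live token from %s for this application", teamDomain)
	}
	return &c, nil
}

// mintToken plays the role of Access so the example runs offline; an origin never
// signs tokens itself.
func mintToken(key *rsa.PrivateKey, alg string, c Claims) string {
	hb, _ := json.Marshal(map[string]string{"alg": alg, "kid": "kid-1", "typ": "JWT"})
	pb, _ := json.Marshal(c)
	in := b64.EncodeToString(hb) + "." + b64.EncodeToString(pb)
	digest := sha256.Sum256([]byte(in))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return in + "." + b64.EncodeToString(sig)
}

// Scenarios mints constructed tokens under a fresh key pair and returns the
// verifier's verdict for each (nil means the request would be served).
func Scenarios() map[string]error {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	keys := map[string]*rsa.PublicKey{"kid-1": &key.PublicKey}
	now := time.Now()
	user := Claims{Aud: []string{appAUD}, Email: "alice@example.com", Iss: teamDomain, Exp: now.Add(time.Hour).Unix()}
	svc, other, stale := user, user, user
	svc.Email, svc.CommonName = "", "ci-runner.service-token" // machine-to-machine identity
	other.Aud = []string{"aud-tag-of-a-different-app"}        // valid token replayed at the wrong app
	stale.Exp = now.Add(-time.Minute).Unix()                  // session already over
	tokens := map[string]string{
		"user":          mintToken(key, "RS256", user),
		"service-token": mintToken(key, "RS256", svc),
		"wrong-aud":     mintToken(key, "RS256", other),
		"expired":       mintToken(key, "RS256", stale),
		"alg-none":      mintToken(key, "none", user),
	}
	p := strings.Split(tokens["user"], ".") // tampered: genuine signature, swapped payload
	user.Email = "mallory@example.com"
	pb, _ := json.Marshal(user)
	tokens["tampered"] = p[0] + "." + b64.EncodeToString(pb) + "." + p[2]
	out := map[string]error{}
	for name, tok := range tokens {
		_, out[name] = VerifyAccessJWT(tok, keys, now)
	}
	return out
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-14s %v\n", name, err)
	}
}
```

Only `user` and `service-token` come back with a nil error; the wrong-audience token is the one most often missed in practice, since it is a perfectly genuine token from the same team that simply belongs to another application. In a real origin the `keys` map is refreshed from the certs endpoint on a timer or on an unknown `kid`, and the `Claims` returned here is what the app should use as its identity, not any `Cf-Access-Authenticated-*` header.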
## Common Use Cases
- **Replacing corporate VPN** for internal app access
- **Gating self-hosted homelab services** by Google/GitHub identity
- **Just-in-time SSH access** with audit trail and session recording
- **B2B partner portals** with federated identity
- **Contractor access** scoped to specific apps, time-bounded
## References
- Access home: https://www.cloudflare.com/zero-trust/products/access/
- Zero Trust documentation: https://developers.cloudflare.com/cloudflare-one/
## Related
- [[Cloudflare]]
- [[Cloudflare Tunnel]]
- [[Cloudflare WAF]]