Traditional remote access solutions usually require users to connect through a VPN to reach internal company resources. While VPNs provide connectivity, they often provide broad network-level access after authentication.
Cloudflare Zero Trust Private Network Access provides a different security approach based on the Zero Trust model: never trust, always verify.
In this implementation, remote users install the Cloudflare One Client (WARP) on their devices and securely connect to the organization’s Cloudflare Zero Trust environment. A Cloudflare Tunnel is deployed on the on-premises network to create an outbound-only secure connection to Cloudflare.
1. Create Cloudflare Zero Trust Organization
First, create and configure the Cloudflare Zero Trust organization.
Cloudflare Dashboard → Zero Trust → Settings → Team
Required settings:
- Organization name
- Team domain
- Login methods (Identity Providers)
- Session duration settings
Example:
Organization Name:
MSR Zero Trust
Team Domain:
msr.cloudflareaccess.com
This organization becomes the management platform for security policies, user authentication, and private network access.
2. Configure Identity Provider (Authentication)
Cloudflare Access requires user identity verification before allowing access to internal applications.
Navigate:
Zero Trust Dashboard
→ Settings
→ Authentication
Configure Identity Providers such as:
- Microsoft Entra ID
- Google Workspace
- Okta
- One-time PIN (Email OTP)
Example:
For Microsoft 365 environments:
Identity Provider:
Microsoft Entra ID
Authentication:
Azure AD OAuth
Benefits:
- Centralized user authentication
- MFA support
- Conditional Access integration
- User-based access control
3. Install and Configure Cloudflare Tunnel Connector
Cloudflare Tunnel creates an encrypted connection between the internal network and Cloudflare Edge.
Navigate:
Zero Trust Dashboard
→ Networks
→ Tunnels
→ Create Tunnel
Steps:
- Create a new tunnel
- Select connector type:
Cloudflared
- Install cloudflared agent on internal server:
Example:
Windows Server
Linux Server
Docker Container
- Authenticate connector
Example:
cloudflared tunnel login
- Run tunnel service
Example:
cloudflared service install
After installation:
Dashboard should show:
Tunnel Status:
HEALTHY
4. Configure Private Network Routes
This is the main configuration for accessing internal resources.
Navigate:
Zero Trust Dashboard
→ Networks
→ Routes
Add internal network ranges.
Example:
MSR internal network:
192.168.0.0/23
Add:
Network:
192.168.0.0/23
Tunnel:
MSR-Private-Network-Tunnel
This tells Cloudflare:
“Traffic destined for this private network should go through this tunnel.”
Example resources:
192.168.0.8
Windows Domain Controller
192.168.0.20
Internal Web Server
192.168.0.50
File Server
5. Configure WARP Client Settings
Users need Cloudflare WARP Client to connect to private resources.
Navigate:
Zero Trust Dashboard
→ Settings
→ WARP Client
Configure:
- Device enrollment
- Allowed users/groups
- Client policies
Example:
Allow:
IT Department Group
Block:
Guest Users
6. Create Access Application
Cloudflare Access controls who can reach internal applications.
Navigate:
Zero Trust Dashboard
→ Access
→ Applications
→ Add Application
Select:
Self-hosted Application
Example:
Internal application:
Application Name:
Internal Dashboard
Hostname:
dashboard.internal.msr.com
Configure:
- Authentication method
- User/group restrictions
- Session duration
Example policy:
Allow
Include:
Group = IT Administrators
Require:
MFA
7. Configure Gateway DNS Filtering (Optional Security Layer)
Cloudflare Gateway provides DNS and traffic filtering.
Navigate:
Zero Trust Dashboard
→ Gateway
→ Firewall Policies
Create DNS policies.
Example:
Block:
Malware Domains
Phishing Websites
Cryptomining
Adult Content
Example:
Action:
Block
Selector:
DNS Query
Categories:
Security Risks
This protects users even when they are outside the office network.
8. Deploy Cloudflare WARP Client to Users
Install WARP Client on:
- Windows
- macOS
- Linux
- iOS
- Android
Enrollment:
Settings
→ WARP Client
→ Device Enrollment
User login:
[email protected]
|
|
Cloudflare Access Authentication
|
|
Private Network Access
9. Test Private Resource Access
After configuration:
Test from remote user device.
Example:
Without Cloudflare:
Internet User
X
192.168.0.8
Cannot access internal server.
With Cloudflare Zero Trust:
User Device
|
Cloudflare WARP
|
Cloudflare Edge
|
Cloudflare Tunnel
|
Internal Network
|
192.168.0.8 Server
Access is allowed based on:
- User identity
- Device status
- Security policy
- MFA requirement
Final Architecture Diagram
Remote User
|
|
Cloudflare WARP Client
|
|
Cloudflare Zero Trust Platform
|
|
Cloudflare Tunnel
|
|
MSR Firewall / LAN
|
|
Internal Resources
(AD, File Server, Web Apps)