Implementing Cloudflare Zero Trust Private Network Access for Secure Internal Resource Access

Traditional remote access solutions usually require users to connect through a VPN to reach internal company resources. While VPNs provide connectivity, they often provide broad network-level access after authentication.

Cloudflare Zero Trust Private Network Access provides a different security approach based on the Zero Trust model: never trust, always verify.

In this implementation, remote users install the Cloudflare One Client (WARP) on their devices and securely connect to the organization’s Cloudflare Zero Trust environment. A Cloudflare Tunnel is deployed on the on-premises network to create an outbound-only secure connection to Cloudflare.

1. Create Cloudflare Zero Trust Organization

First, create and configure the Cloudflare Zero Trust organization.

Cloudflare Dashboard → Zero Trust → Settings → Team

Required settings:

  • Organization name
  • Team domain
  • Login methods (Identity Providers)
  • Session duration settings

Example:

Organization Name:
MSR Zero Trust

Team Domain:
msr.cloudflareaccess.com

This organization becomes the management platform for security policies, user authentication, and private network access.


2. Configure Identity Provider (Authentication)

Cloudflare Access requires user identity verification before allowing access to internal applications.

Navigate:

Zero Trust Dashboard
→ Settings
→ Authentication

Configure Identity Providers such as:

  • Microsoft Entra ID
  • Google Workspace
  • Okta
  • One-time PIN (Email OTP)

Example:

For Microsoft 365 environments:

Identity Provider:
Microsoft Entra ID

Authentication:
Azure AD OAuth

Benefits:

  • Centralized user authentication
  • MFA support
  • Conditional Access integration
  • User-based access control

3. Install and Configure Cloudflare Tunnel Connector

Cloudflare Tunnel creates an encrypted connection between the internal network and Cloudflare Edge.

Navigate:

Zero Trust Dashboard
→ Networks
→ Tunnels
→ Create Tunnel

Steps:

  1. Create a new tunnel
  2. Select connector type:
Cloudflared
  1. Install cloudflared agent on internal server:

Example:

Windows Server
Linux Server
Docker Container
  1. Authenticate connector

Example:

cloudflared tunnel login
  1. Run tunnel service

Example:

cloudflared service install

After installation:

Dashboard should show:

Tunnel Status:
HEALTHY

4. Configure Private Network Routes

This is the main configuration for accessing internal resources.

Navigate:

Zero Trust Dashboard
→ Networks
→ Routes

Add internal network ranges.

Example:

MSR internal network:

192.168.0.0/23

Add:

Network:
192.168.0.0/23

Tunnel:
MSR-Private-Network-Tunnel

This tells Cloudflare:

“Traffic destined for this private network should go through this tunnel.”

Example resources:

192.168.0.8
Windows Domain Controller

192.168.0.20
Internal Web Server

192.168.0.50
File Server

5. Configure WARP Client Settings

Users need Cloudflare WARP Client to connect to private resources.

Navigate:

Zero Trust Dashboard
→ Settings
→ WARP Client

Configure:

  • Device enrollment
  • Allowed users/groups
  • Client policies

Example:

Allow:
IT Department Group

Block:
Guest Users

6. Create Access Application

Cloudflare Access controls who can reach internal applications.

Navigate:

Zero Trust Dashboard
→ Access
→ Applications
→ Add Application

Select:

Self-hosted Application

Example:

Internal application:

Application Name:
Internal Dashboard

Hostname:
dashboard.internal.msr.com

Configure:

  • Authentication method
  • User/group restrictions
  • Session duration

Example policy:

Allow

Include:
Group = IT Administrators

Require:
MFA

7. Configure Gateway DNS Filtering (Optional Security Layer)

Cloudflare Gateway provides DNS and traffic filtering.

Navigate:

Zero Trust Dashboard
→ Gateway
→ Firewall Policies

Create DNS policies.

Example:

Block:

Malware Domains
Phishing Websites
Cryptomining
Adult Content

Example:

Action:
Block

Selector:
DNS Query

Categories:
Security Risks

This protects users even when they are outside the office network.


8. Deploy Cloudflare WARP Client to Users

Install WARP Client on:

  • Windows
  • macOS
  • Linux
  • iOS
  • Android

Enrollment:

Settings
→ WARP Client
→ Device Enrollment

User login:

[email protected]
       |
       |
Cloudflare Access Authentication
       |
       |
Private Network Access

9. Test Private Resource Access

After configuration:

Test from remote user device.

Example:

Without Cloudflare:

Internet User
     X
192.168.0.8

Cannot access internal server.

With Cloudflare Zero Trust:

User Device
      |
Cloudflare WARP
      |
Cloudflare Edge
      |
Cloudflare Tunnel
      |
Internal Network
      |
192.168.0.8 Server

Access is allowed based on:

  • User identity
  • Device status
  • Security policy
  • MFA requirement

Final Architecture Diagram

Remote User
     |
     |
Cloudflare WARP Client
     |
     |
Cloudflare Zero Trust Platform
     |
     |
Cloudflare Tunnel
     |
     |
MSR Firewall / LAN
     |
     |
Internal Resources
(AD, File Server, Web Apps)

Leave a Reply