Cloudflare Zero Trust can replace your VPN by enforcing granular access policies based on identity and context, rather than just network location.
Let’s see how this works with a practical example. Imagine you have an internal application, say an admin panel at admin.example.com, that you want to expose securely to your remote employees. With a VPN, anyone who can connect can potentially reach anything on the network. With Zero Trust you can instead say: "Only members of the 'Admins' group, signed in through the company identity provider from an enrolled company laptop, can reach admin.example.com." The application's port (8080 in this example) is a detail of how the tunnel reaches the origin; users never connect to it directly. Note that the "company laptop" part is only enforceable if devices run the WARP client and the policy carries a device posture requirement; identity alone says nothing about the device.
Here’s a simplified setup using Cloudflare Access. First, you need to have your domain managed by Cloudflare DNS.
1. Set up Identity Providers (IdP)
Cloudflare Access integrates with various identity providers. For this example, let’s use Google Workspace.
- Go to your Cloudflare dashboard -> Zero Trust -> Access -> Authentication -> Login Methods.
- Click "Add new" under Google.
- You’ll be prompted to create an OAuth application in your Google Cloud Console. Follow Cloudflare’s instructions carefully. You’ll need to provide redirect URIs, which Cloudflare gives you.
- Once configured, Google will provide a Client ID and Client Secret. Paste these into Cloudflare.
2. Configure an Access Application
Now, define what you want to protect and who should have access.
- Go to Zero Trust -> Access -> Applications.
- Click "Add an application", choose "Self-hosted", and name it "Admin Panel".
- Under "Application domain", enter admin.example.com.
- Under "Identity providers", make sure Google is selected, and deselect any login method (such as One-time PIN) that you do not want accepted for this application.
- Under "Session duration", pick something proportionate to the risk. "24 hours" is a common default, but an admin panel is a good candidate for a shorter value such as "1 hour".
3. Define Access Policies
This is where the "who" and "what" of your access rules are defined.
- Click "Next" after configuring the application.
- Click "Add a policy".
- Policy name: "Allow Admins".
- Action: "Allow".
- Include -> Emails ending in -> @yourcompany.com. Include rules are ORed: a user who satisfies any one of them passes this block, so only put genuine alternatives here (a second Include for one specific contractor address, for instance).
- Require -> Group -> Admins, using whichever group selector your IdP exposes (this assumes the IdP syncs group membership). Require rules are ANDed on top of Include, and this is what actually restricts the app to admins. Putting the group under Include instead, which is easy to do by accident, would admit every @yourcompany.com address OR every member of Admins.
- Optionally, Require -> Device posture -> your WARP-enrolled-device check, if the "company laptop" condition from the example matters to you.
- An Exclude rule, if you add one, overrides both Include and Require for anyone it matches.
- Click "Next".
- Click "Add another policy".
- Policy name: "Block Everyone Else".
- Action: "Block".
- Include -> Everyone. There is no separate "everyone else" selector: "Everyone" matches every authenticated user, and the policy does what you want only because it sits below "Allow Admins" and Access evaluates policies in the order they are listed. Users who match no Allow policy are denied by default, so this policy is a belt-and-braces guard rather than the thing doing the blocking; placed above the Allow policy it would block the admins too.
- Click "Next".
- Click "Add application".
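Added example in Go (mine, not Cloudflare's code and not from the original page): a small model of how an Access policy combines Include, Require and Exclude rules, run against the policy as it is easy to misbuild (group under Include) and as corrected above (group under Require). The selector names, the three sample users and the first-match-in-listed-order evaluation are my assumptions for the model; the part that matters is that Include is OR, Require is AND, Exclude is NOT, and a user who matches no Allow policy is denied.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is one selector/value pair from the policy builder, e.g. {"group", "Admins"}.
type Rule struct{ Selector, Value string }

// Policy mirrors the three rule lists of an Access policy: Include (any may
// match), Require (all must match) and Exclude (none may match).
type Policy struct {
	Name, Action              string // Action is "allow" or "block"
	Include, Require, Exclude []Rule
}

// Identity is what the IdP asserted about the user after login (constructed here).
type Identity struct {
	Email  string
	Groups []string
}

func ruleMatches(r Rule, id Identity) bool {
	switch r.Selector {
	case "everyone":
		return true
	case "email_domain": // the dashboard's "Emails ending in" selector
		return strings.HasSuffix(strings.ToLower(id.Email), "@"+strings.ToLower(r.Value))
	case "group":
		for _, g := range id.Groups {
			if g == r.Value {
				return true
			}
		}
	}
	return false
}

// policyMatches: at least one Include rule, every Require rule, no Exclude rule.
func policyMatches(p Policy, id Identity) bool {
	included := false
	for _, r := range p.Include {
		included = included || ruleMatches(r, id)
	}
	if !included {
		return false
	}
	for _, r := range p.Require {
		if !ruleMatches(r, id) {
			return false
		}
	}
	for _, r := range p.Exclude {
		if ruleMatches(r, id) {
			return false
		}
	}
	return true
}

// Evaluate walks the policies in dashboard order; the first one that matches
// decides, and a user who matches no policy at all is denied (the default).
func Evaluate(policies []Policy, id Identity) (action, policyName string) {
	for _, p := range policies {
		if policyMatches(p, id) {
			return p.Action, p.Name
		}
	}
	return "block", "default deny (no policy matched)"
}

// LoosePolicies is the easy-to-misbuild version: the group sits under Include,
// so it is ORed with the e-mail domain instead of narrowing it.
var LoosePolicies = []Policy{{
	Name: "Allow Admins", Action: "allow",
	Include: []Rule{{"email_domain", "yourcompany.com"}, {"group", "Admins"}},
}}

// StrictPolicies puts the group under Require, which is what "only admins" needs.
var StrictPolicies = []Policy{{
	Name: "Allow Admins", Action: "allow",
	Include: []Rule{{"email_domain", "yourcompany.com"}},
	Require: []Rule{{"group", "Admins"}},
}, {
	Name: "Block Everyone Else", Action: "block",
	Include: []Rule{{"everyone", ""}},
}}

func main() {
	users := []Identity{ // constructed sample identities, not real accounts
		{"jane@yourcompany.com", []string{"Admins"}},
		{"bob@yourcompany.com", []string{"Engineering"}},
		{"contractor@gmail.com", []string{"Admins"}},
	}
	for _, u := range users {
		la, _ := Evaluate(LoosePolicies, u)
		sa, sp := Evaluate(StrictPolicies, u)
		fmt.Printf("%-22s loose=%-5s strict=%-5s via %q\n", u.Email, la, sa, sp)
	}
}
```

Running it shows the difference that matters: under the loose policy bob (a non-admin employee) and the external contractor who happens to be in an Admins group are both allowed; under the strict policy only jane gets through, and the other two are caught by "Block Everyone Else".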
4. Configure DNS and Tunnel (for internal apps)
If admin.example.com is an internal-only application, you need a path from Cloudflare's edge to it. The most secure way is Cloudflare Tunnel: the cloudflared connector makes an outbound-only connection to Cloudflare, so you open no inbound firewall port and the origin never needs a public IP.
- Go to Zero Trust -> Networks -> Tunnels (older versions of the dashboard list it under Access -> Tunnels).
- Click "Create a tunnel" and give it a name like "AdminPanelTunnel".
- Follow the instructions to install cloudflared on a server inside your network that can reach the admin application.
- Once the tunnel shows as healthy in the list, click "Configure" for your tunnel.
- Under "Public Hostname", click "Add hostname".
- Subdomain: admin
- Domain: example.com
- Service type: HTTP
- URL: localhost:8080 (or whatever host and port the internal app listens on).
- Save the hostname. Cloudflare creates the DNS record for admin.example.com that points at the tunnel.
Access only protects traffic that arrives through Cloudflare's edge, so make sure the application itself listens on loopback or accepts connections only from the host running cloudflared; otherwise anyone on the internal network can still reach it without authenticating.
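The dashboard steps above create a remotely managed tunnel. The same routing can be written as a locally managed cloudflared config.yml, shown here as an added example (not from the original page); the tunnel UUID and credentials path are placeholders you get from cloudflared tunnel create, and the catch-all rule is the part people forget.

```yaml
# /etc/cloudflared/config.yml for a locally managed tunnel.
# <TUNNEL_UUID> is printed by: cloudflared tunnel create AdminPanelTunnel
tunnel: <TUNNEL_UUID>
credentials-file: /etc/cloudflared/<TUNNEL_UUID>.json

ingress:
  # Only this hostname is routed to the admin panel; the Access application
  # for admin.example.com sits in front of it at the edge.
  - hostname: admin.example.com
    service: http://localhost:8080
  # Catch-all: anything that does not match a rule above gets a 404 instead of
  # being proxied somewhere unintended. cloudflared refuses to start without
  # a final catch-all rule.
  - service: http_status:404
```

Validate the file with cloudflared tunnel ingress validate, publish the DNS record with cloudflared tunnel route dns AdminPanelTunnel admin.example.com, and start the connector with cloudflared tunnel --config /etc/cloudflared/config.yml run AdminPanelTunnel.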
Now, when an employee navigates to admin.example.com, the request lands on Cloudflare's edge, which redirects them to your configured IdP (Google) for authentication. After a successful login, Cloudflare evaluates the Access policies. If the user's identity and context (group membership, device posture if you required it) match an "Allow" policy, the request is forwarded through the tunnel to the internal application, carrying a signed JWT in the Cf-Access-Jwt-Assertion header (and the CF_Authorization cookie) that the application can verify to learn who the user is. If no Allow policy matches, the request is blocked at the edge and never reaches the origin.
The biggest shift from VPNs is that you are no longer granting broad network access. You are granting access to one application at a time, based on who the user is (and, with WARP and device posture checks, what device they are using), verified through strong authentication at every request rather than once at connection time.
The one thing most people don’t realize is that Cloudflare Access can also act as an identity-aware proxy for publicly accessible websites. You can require login for specific paths (the /private/ section of a marketing site, say) or for the entire site, effectively turning a public website into an authenticated portal without touching the origin server's code: point the Access application at the public hostname and Cloudflare handles authentication and authorization before forwarding the request to your web server. The caveat is that this only holds if the origin cannot be reached except through Cloudflare. A publicly routable origin IP lets anyone who discovers it skip Access entirely, so either put the origin behind a tunnel, or restrict it to Cloudflare's IP ranges and enable Authenticated Origin Pulls, and in either case have the application verify the Cf-Access-Jwt-Assertion JWT before trusting the identity headers.
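Added example in Go (mine, not Cloudflare's code and not from the original page) of the check an origin should perform on the Cf-Access-Jwt-Assertion value before trusting a request: pin RS256, verify the signature against the team's JWKS, then check the issuer, the application's AUD tag and expiry. So that it runs offline, NewSigningKeyAndJWKS plays the part of Cloudflare by minting a key and the JWKS entry the certs endpoint would publish; in production the keys come from https://<your-team>.cloudflareaccess.com/cdn-cgi/access/certs, and the team name, AUD tag and e-mail address used below are placeholders. The claims struct covers only the fields this check needs, not every claim Access emits.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT segments are base64url without padding

// AccessClaims is the subset of Cf-Access-Jwt-Assertion claims an origin must check.
type AccessClaims struct {
	Aud   []string `json:"aud"` // Access carries the application's AUD tag in an array
	Iss   string   `json:"iss"` // https://<team>.cloudflareaccess.com
	Email string   `json:"email"`
	Exp   int64    `json:"exp"`
}

// JWK is one RSA entry of the "keys" array in the team's certs document.
type JWK struct{ Kid, Kty, N, E string }

// NewSigningKeyAndJWKS stands in for Cloudflare (test side only): a fresh RS256 key
// plus the JWKS entry the certs endpoint would publish for it.
func NewSigningKeyAndJWKS(kid string) (*rsa.PrivateKey, []JWK, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	jwk := JWK{Kid: kid, Kty: "RSA", N: b64.EncodeToString(priv.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}
	return priv, []JWK{jwk}, nil
}

// SignRS256 mints a token the way Access does: RS256, kid carried in the header.
func SignRS256(priv *rsa.PrivateKey, kid string, claims AccessClaims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyAccessJWT validates a Cf-Access-Jwt-Assertion value against the team's JWKS, the
// application's AUD tag and the team issuer. Skip any one check and a request that never
// passed through Cloudflare, or was made for a different application, gets in.
func VerifyAccessJWT(token string, keys []JWK, wantAud, wantIss string, now int64) (*AccessClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	hdrJSON, errH := b64.DecodeString(parts[0])
	payload, errP := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string } // pin the algorithm: the token never chooses it
	if errH != nil || errP != nil || errS != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("malformed token or rejected alg %q", hdr.Alg)
	}
	var pub *rsa.PublicKey // rebuilt from the JWKS entry whose kid the header names
	for _, k := range keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kid == hdr.Kid && k.Kty == "RSA" && errN == nil && errE == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no usable JWKS key matches kid %q", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature does not verify")
	}
	var c AccessClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	audOK := false
	for _, a := range c.Aud {
		audOK = audOK || a == wantAud
	}
	switch {
	case c.Iss != wantIss:
		return nil, fmt.Errorf("issuer %q is not %q", c.Iss, wantIss)
	case !audOK:
		return nil, fmt.Errorf("aud mismatch: token was minted for another application")
	case now >= c.Exp:
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}
```

The AUD check is the one most often left out: every Access application has its own AUD tag, and a token a user legitimately obtained for a low-value application verifies perfectly against the same team's keys, so without it one login would unlock every origin behind the team. Cache the JWKS but refresh it when an unknown kid appears, since Cloudflare rotates keys.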
Next, you’ll likely want to extend the same model to non-web resources such as SSH or RDP sessions, which Cloudflare Tunnel can also carry and the same Access policies can gate.