Skip to content

Deploy Zero Trust Web Access

Secure access to internal web applications without a device client.

Start path
  1. Concepts

    Review the concepts behind Zero Trust Web Access.

    Start module

    Contains 3 units

    1. What is a reverse proxy?
    2. What is Zero Trust?
    3. What is Zero Trust Web Access?
  2. Initial setup

    Start module

    Contains 4 units

    1. Create a Cloudflare account
    2. Add a site
    3. Create a Zero Trust organization
    4. Configure an identity provider (recommended)
  3. Connect your private applications

    Cloudflare Tunnel allows you to securely connect your applications to Cloudflare without a publicly routable IP address. With Tunnel, you do not send traffic to an external IP — instead, a lightweight daemon in your infrastructure (cloudflared) creates outbound-only connections to Cloudflare's global network.

    Start module

    Contains 2 units

    1. Create a Cloudflare Tunnel
    2. Best practices
  4. Secure your applications

    Now that you have connected your private applications to Cloudflare, secure those applications behind Cloudflare Access.

    Start module

    Contains 2 units

    1. Create an Access application
    2. Best practices
  5. Customize the end user experience

    Cloudflare Access offers several ways to customize the look and feel of the user login experience.

    Start module

    Contains 5 units

    1. App Launcher
    2. Tags
    3. Bookmarks
    4. Login page
    5. Block page
  6. Migrate applications

    Start module

    Contains 3 units

    1. Applications with integrated SSO
    2. Authenticate without integrated SSO
    3. Best practices
  7. Advanced ZTWA workflows

    Configure advanced Access policies to meet the specific requirements of your application or organization.

    Start module

    Contains 2 units

    1. External Evaluation rules
    2. Isolate Access applications
  8. Alternative ZTWA on-ramps

    As discussed in the previous modules, almost everything you do with the Cloudflare reverse proxy requires adding a site to Cloudflare. That public DNS record (or its subdomains) becomes the domain on which your users access your private applications. This method is exceptionally secure and transparent; each domain and subdomain has access to the Cloudflare web security portfolio, are inherently DDoS protected, and receive an obfuscated origin IP. For these reasons, public hostname routing is the recommended method to onboard applications for clientless user access. However, there may be times in which a public DNS record cannot be created, or other situations that prevent administrators from using this method.

    Start module

    Contains 1 units

    1. Clientless Web Isolation
  9. Terraform automation

    Start module

    Contains 1 units

    1. Publish applications with Terraform