~40 min read · updated 2026-05-10

Cloudflare Access

Identity-aware proxy for internal apps. The VPN replacement that doesn't require a client and works for browsers, APIs, and SSH alike.

This module is being expanded.

Coming in the next revision:

  • The shape of Access. It sits in front of any URL and requires SSO before forwarding the request to the origin. The origin is usually behind a Tunnel (module 03).
  • Identity providers — Google, Microsoft Entra, Okta, Ping, OneLogin, GitHub, GitLab, generic SAML/OIDC. Multiple IdPs per zone.
  • Access policies — declarative rules on who, from where, with what device posture, with what duration. Examples that show up in real deployments.
  • Service tokens — for machine-to-machine traffic that needs to bypass the SSO flow.
  • Device posture — integration with WARP + EDR vendors to require a managed/healthy device before granting access.
  • SSH/RDP via Access — browser-rendered terminals; no client install for occasional access.
  • Logs and audit — every Access request logged; can be streamed to SIEM.

Next: Module 06 — Cloudflare Gateway.