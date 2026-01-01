

Benefits of Cloudflare Access

Improve team productivity

Make on-premises applications as easy to use as SaaS apps. ZTNA reduces remote access support tickets by 80% compared to a VPN.

Simplify management

Simplify the setup and operation of ZTNA with one-time integrations, composable software connectors, and unified Zero Trust policies.

Eliminate lateral movement

Shrink your attack surface by enforcing context-based, least-privilege access policies for every resource.

Scale zero trust effortlessly

Shield critical applications and high-risk user groups first — then expand cloud-native ZTNA to protect your infrastructure and MCP servers.

How it works

Manage access across your internal environment

Cloudflare Access verifies and secures employee and third-party access across all of your self-hosted, SaaS, and non-web applications, including AI tools, helping mitigate risk and ensure a smooth user experience.

It checks granular context like identity and device posture for every request to provide fast, reliable access across your business.


ANALYST RECOGNITION

What top analysts say

Cloudflare named a Visionary in 2025 Gartner® Magic Quadrant™ for SASE Platforms
Scored 2nd highest in 'Strategy' category in The Forrester Wave™: Zero Trust Platforms, Q3 2025

What our customers are saying

“Cloudflare Access was a game-changer for Bitso. It made zero trust much easier. We now manage access to internal resources more efficiently, ensuring the right people have the right level of access to the right resources, regardless of their location, device, or network.”

Cybersecurity Lead, Bitso

TOP ACCESS USE CASES

Cloudflare Access provides simple, secure user access to your internal resources — without a VPN

Augment / replace your VPN

Offload critical applications for better security and an improved user experience.

Manage third-party access

Authenticate third-party users (like contractors) with clientless options, social identity providers, and more.

Empower developers

Ensure privileged technical users can access critical infrastructure — without performance trade-offs.


Pricing

Cloudflare Access control features available across the full zero trust platform

Free Plan

$0

forever

Best for teams under 50 users or enterprise proof-of-concept tests.

Pay-as-you-go

$7

per user/month (paid annually)

Best for teams over 50 users solving narrow SSE use cases and that do not require enterprise support services.

Contract Plan

Custom price

per user/month (paid annually)

Best for organizations building toward a full-featured SSE or SASE deployment that also desire maximum support.

Access controls (included in zero trust platform)

Support and services

Support options vary by plan type. Various professional advisory and hands-on implementation services available as add-ons to Contract plans.
Customizable access policies

Custom application and private network policies, plus policy tester. Supports temporary authentication, purpose justification, and any IdP-provided auth method.
Protect access to all your apps and private networks

Protect self-hosted, SaaS, and non-web (SSH, VNC, RDP) apps, internal IPs and hostnames, or any arbitrary L4–7 TCP or UDP traffic.
Authentication via identity providers (IdPs)

Authenticate via enterprise and social IdPs, including multiple IdPs concurrently. Can also use generic SAML and OIDC connectors.
Identity-based context

Configure contextual access based on IdP groups, geolocation, device posture, session duration, external APIs, etc.
Device posture integration

Verify device posture using third-party endpoint protection provider integrations.
Clientless access option

Clientless access for web apps and browser-based SSH or VNC.
Browser-based SSH and VNC

Privileged SSH and VNC access through in-browser terminal.
Split tunneling

Split tunneling for local or VPN connectivity.
Application launcher

Customizable app launcher for all apps, including bookmarks to apps outside of Access.
Token authentication

Service token support for automated services.
Internal DNS support

Configure local domain fallback. Define an internal DNS resolver to resolve private network requests.
Infrastructure-as-code automation (via Terraform)

Automate deployment of Cloudflare resources and connections.
mTLS authentication

Certificate-based auth for IoT and other mTLS use cases.

Core capabilities

Uptime

Dependable service level agreements (SLA) for paid plans with 100% uptime and reliable service you can trust.
Standard log retention

Zero Trust logs are stored for a varying period of time based on the plan type and service used. Contract users can export logs via Logpush.
Application connector software

Securely connects resources to Cloudflare without a publicly routable IP address. Does not require VM infrastructure and has no throughput limitations.
Device client (agent) software

Securely and privately sends traffic from end user devices to Cloudflare’s global network. Enables capabilities like building device posture rules or enforcing filtering policies anywhere. Self-enroll or deploy via MDM.
Zero trust network access (ZTNA)

ZTNA provides granular identity- and context-based access to all your internal self-hosted, SaaS, and non-web (e.g., SSH) resources.
Secure web gateway (SWG)

SWG protects against ransomware, phishing, and other threats using L4–7 network, DNS, and HTTP filtering policies for faster, safer Internet browsing.
Digital experience monitoring (DEX)

Provides user-centric visibility into device, network, and application performance across your zero trust organization.
Network flow monitoring

Provides network traffic visibility and real-time alerts for unified insights into network activity. Available for free to everyone.
Cloud access security broker (CASB)

CASB continuously monitors SaaS apps at rest to detect potential data exposure due to misconfigurations or weak posture findings.
Data loss prevention (DLP)

DLP detects sensitive data in transit and at rest across web, SaaS and private apps with controls or remediation guides to stop leakage or exposure.
Log Explorer

Free and pay-as-you-go plan: Free for the first 10 GB, $1 per GB per month after
Enterprise: Custom pricing
Remote browser isolation (RBI)

RBI layers additional threat defense and data protection controls across browsing activities by running all browser code on Cloudflare's global network.
Email security

Email security helps block and isolate multi-channel phishing threats, including malware and business email compromise.
Network services for SASE

Cloudflare One is our single-vendor SASE platform that converges zero trust security services from the plans above with network services — including Magic WAN and Firewall.

