From NGINX to Pomerium: A Practical Migration Guide for Internal Kubernetes Applications

February 11, 2026

Migrating from NGINX Ingress to Pomerium does not require a disruptive rewrite. Most teams adopt Pomerium incrementally, starting with internal services where the security and operational gains are immediate. An initial objective can be to decouple routing from access control for internal services.

Step 1: Identify Internal Services

Begin by inventorying services that:

  • Are not intended for public access

  • Currently rely on VPNs or basic auth

  • Contain sensitive data or administrative controls

Common examples include Grafana, Argo CD, GitLab, Prometheus, and internal APIs.

Step 2: Restrict Network Access

Ensure that these services are only reachable from Pomerium:

  • Update Kubernetes NetworkPolicies

  • Adjust security groups or firewall rules

  • Remove public ingress exposure

This guarantees that all access flows through the identity-aware layer.
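A NetworkPolicy that enforces the "only reachable from Pomerium" rule for the Grafana example used later in this guide. This is an added example, not configuration from the original post or from the Pomerium project; it assumes Grafana runs in a namespace named monitoring with pods labelled app=grafana listening on port 3000, and that Pomerium's proxy pods run in a namespace named pomerium with the label app.kubernetes.io/name=pomerium.

```yaml
# Added example (assumed names and labels, not from the original post).
# Selecting the Grafana pods and listing exactly one ingress source means
# every other source, including the old NGINX ingress controller, is denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: grafana-only-from-pomerium
  namespace: monitoring
spec:
  podSelector:
    matchLabels:
      app: grafana
  policyTypes:
    - Ingress
  ingress:
    - from:
        # namespaceSelector and podSelector in the same entry are ANDed:
        # the client pod must be in the pomerium namespace AND carry the label.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: pomerium
          podSelector:
            matchLabels:
              app.kubernetes.io/name: pomerium
      ports:
        - protocol: TCP
          port: 3000
```

NetworkPolicy objects are only enforced when the cluster's CNI plugin implements them, so confirm the rule with a connection attempt from a pod outside the pomerium namespace before relying on it.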

Step 3: Configure Identity and Policies

Define access policies using identity claims rather than IPs.

Example:

```yaml
routes:
  - from: https://grafana.localhost.pomerium.io
    to: http://grafana:3000
    policy:
      allow:
        or:
          - groups:
              in: ['sre', 'platform']
```

Authentication is handled by your IdP; authorization is enforced by policy.

Step 4: Validate Access and Audit Logs

Test access with different user roles and verify that:

  • Unauthorized users are denied

  • Authorized users can access services seamlessly

  • Audit logs capture identity, resource, and decision context

Step 5: Decommission VPN Access

As confidence grows, teams often reduce or eliminate VPN usage for internal tools, shrinking their attack surface and simplifying operations.

The End State

In the end state:

  • Access control is centralized

  • Policies are explicit and auditable

  • Internal services are simpler

  • The blast radius of compromised credentials is dramatically reduced

Migration Patterns That Work Well

Successful migrations tend to:

  • Start small

  • Focus on internal tools

  • Run ingress and identity-aware access side by side

  • Expand coverage gradually

The result is a cleaner architecture where access control is centralized, explicit, and auditable.
