Pomerium Best Practices

By Colin Mo
April 12, 2023

You’ve got web apps and we’ve got a context-aware proxy for zero trust access control. (For the non-technical, it’s a form-fitting and flexible hazmat suit for your applications on the internet.)

So what do users get with open-source Pomerium Core (always free)?

  • Identity-based access
  • Device identity
  • SSO support
  • Declarative authorization policy
  • Community support
  • Apache 2 License

What does any of that mean? Here’s a 2-minute explainer demo:

Getting started with open-source Pomerium Core

The following resources help users start using the core features that make Pomerium great, including how to configure authentication providers and access policies. No more confusing users with login clients and dropped connections!

  1. Starting with Pomerium Core: Use our Quickstart Docker Guide if you want to run an open-source Pomerium Core instance as a container.
  2. Build Pomerium From Source: Some teams prefer to compile from source to build static binaries for a wide array of architectures and operating systems.
  3. Using Kubernetes? We have several options for Kubernetes teams:
    1. Kubernetes Quickstart: Use this guide and install Pomerium to your cluster in just one line! Follow the rest of the guide to manage certificates, test the service, and troubleshoot if you have any issues.
      1. Once Pomerium is installed to your cluster, you’ll want to set up global configurations to ensure the benefits are standardized throughout your environments.
      2. Secure Kubernetes Dashboard: We know how many teams use the Kubernetes Dashboard to manage their clusters, so Pomerium can act as an independent identity-aware proxy to improve and add SSO for the default access controls. It’s better than using static tokens, we promise.
    2. Deploy as Ingress Controller: Yes, you can use Pomerium as a first-class secure-by-default Ingress Controller to simplify management. The Pomerium Ingress Controller enables workflows more native to Kubernetes environments, such as GitOps-style actions based on pull requests. By defining routes as Ingress resources you can independently create and remove them from Pomerium’s configuration.
  4. Install with Pre-built Binaries
    1. Prefer using pre-built binaries? Here’s our standalone binary guide for getting the latest release from GitHub, configuring the variables, then running Pomerium.
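The declarative authorization policy and IdP configuration mentioned above look like this in practice. The following is an added example of a minimal Pomerium Core config.yaml written for this page; it is not copied from Pomerium’s documentation, and every hostname, upstream address, group name and secret value in it is a placeholder you would replace with your own.

```yaml
# Added example: minimal Pomerium Core config.yaml (placeholders throughout).

# Where browsers are sent to log in; must be a hostname Pomerium serves.
authenticate_service_url: https://authenticate.example.com

# Identity provider used for SSO (placeholder values).
idp_provider: google
idp_client_id: REPLACE_WITH_CLIENT_ID
idp_client_secret: REPLACE_WITH_CLIENT_SECRET

# 32 random bytes, base64-encoded, e.g. `head -c32 /dev/urandom | base64`.
# Keep these out of version control.
shared_secret: REPLACE_WITH_BASE64_SECRET
cookie_secret: REPLACE_WITH_BASE64_SECRET

routes:
  # An unauthenticated health check, scoped to a single path prefix so the
  # public exception cannot leak onto the rest of the application.
  - from: https://dashboard.example.com
    prefix: /healthz
    to: http://dashboard.internal:8080
    allow_public_unauthenticated_access: true

  # Everything else on the dashboard: only users whose IdP e-mail domain is
  # example.com AND who belong to the platform-team group. Both conditions
  # must hold for the request to be allowed.
  - from: https://dashboard.example.com
    to: http://dashboard.internal:8080
    policy:
      - allow:
          and:
            - domain:
                is: example.com
            - groups:
                has: platform-team
```

The policy block is Pomerium Policy Language (PPL): `allow` with an `and` list means every criterion must match, and swapping it for `or` makes any one sufficient. Note that `allow_public_unauthenticated_access` disables identity checks entirely for its route, so keep such routes narrow (a specific `prefix` or `path`) and review them the same way you would review a firewall exception.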

Level Up with Pomerium Enterprise

Pomerium Core users love us for securing their web-based applications, but sometimes organizations need more. Luckily, our Enterprise offering provides the following features to help you out:

  • Programmatic API — Pomerium integration can be seamlessly achieved through API access, allowing programmatic configuration management in any preferred language or infrastructure management tool.
  • Session Management — Quickly view who is logged in to your infrastructure, with easy access to revoke sessions. Even better, Session Replay and User Impersonation allow administrators to walk the user’s journey, allowing for easier debugging.
  • Deployment History & Audit Logs — View and export access logs straight from the web UI, but these aren’t just any logs: these are fine-grained logs detailing every single request and action taken by users!
  • Device Identity and Management — Building upon Pomerium Core’s device identity, Enterprise enables device management with enrollment links only an admin can generate.
  • Securing TCP-Based Services — Pomerium provides a client-side application to proxy TCP connections for non-HTTP based applications, giving you the same protection as traditional VPNs.
  • Management GUI — View traffic and logs, define routes and policies, and organize your service access from an intuitive web interface.
  • Integrations — Make context-aware policy decisions by integrating with other corporate tools (such as MDMs) to leverage them as external data sources.
  • Metrics — Get data on usage with Prometheus. You can point your own existing Prometheus instance at Pomerium or rely on Pomerium’s embedded Prometheus to scrape metrics (recommended).
  • Service Accounts — Offer a protected and standardized method of issuing identity tokens for authenticating machine-to-machine communication between services protected by Pomerium.
  • Self-service & Governance — Provides self-service capabilities through our Namespaces feature, which allows teams to manage access to the infrastructure they build or depend on, with user roles granted hierarchically and defined by the IdP to ensure stable policies.

Upgrading from Pomerium Core to Pomerium Enterprise provides additional features, support, and management capabilities for organizations that require more advanced authentication and authorization capabilities.

Getting These Features

If you are a new or current user of Pomerium Core and are considering upgrading to Pomerium Enterprise, here is a step-by-step guide to help you with the process.

  1. Have Pomerium Core installed! Because Pomerium Enterprise contains additional features on top of Core, it is important to have Core installed first.
  2. Did you build Pomerium from source/download as a binary? If yes, download Enterprise as an OS package to upgrade your Core.
  3. Did you deploy Core with Docker? If you’ve started with Docker, this guide provides detailed instructions on how to upgrade your Pomerium Core!
  4. Need/Want a GUI? The Pomerium Enterprise Console is a web-based GUI that provides additional features and functionalities for managing Pomerium Enterprise. It’s available as DEB and RPM OS packages for easy set up and configuration for your admins!
  5. Kustomize with Kubernetes: Kubernetes teams can refer to the Kustomize installation guide for Pomerium Enterprise. This guide provides detailed instructions on how to use Kustomize to customize and deploy Pomerium Enterprise in your Kubernetes cluster.

Confused? Reach out to us on our Discuss or take a look at how you can set it up in 5 minutes:

Remember to review the documentation thoroughly, back up your configurations and data, and test the upgrade in a safe environment to ensure a smooth transition. Happy upgrading!
