Brief product summary

Cloudflare is a well-known cloud computing and website security solution that provides DNS services to organizations. Their battle-tested DDoS protection guards a global content delivery network (CDN) which acts as a strong intermediary between site servers and visitors, keeping a cached version of websites on their network to provide when requested.

Cloudflare offers Cloudflare One as their SASE solution, a network-as-a-service platform that connects users to internal resources with identity-based access controls, provided by Cloudflare’s closest CDN proxies.

Cloudflare AccessPomerium
Context-aware gateway
VPN
Identity Provider SupportAny identity providerAny identity provider
Supports any cloud or infrastructureYes but all data is backhauled to where your apps and services actually live.Deployed at edge wherever your apps and servers are.
Continuous verification
Device identity
Integrates with multiple Identity ProvidersPartially, to varying degrees as part of partnerships with endpoint protection vendors.Yes, with WebAuthn.
Authorization PolicyOnly simple access rules are supported.Declarative policy and policy as code is supported.
TCP Protocol Support
LatencyGood but $$$. As a CDN, Cloudflare has a massive globally distributed network of edge servers. However, the additional hops still add latency, and Cloudflare will charge you for it.Best. No additional latency or bandwidth costs are incurred. Pomerium is deployed directly where your apps and services actually live.
Data tenancy & privacyExpansion of information boundary.You have full control over your data and information.
Layer77
Open Source

Our Recommendation

If your organization does not want the added hassle of configuring routes to your services and can accept Cloudflare being the front door to all internal applications, Cloudflare is a good solution. This does mean compromising on performance issues and necessarily expanding your information boundary to trust Cloudflare with potentially sensitive material.

If performance issues or retaining full control over your reverse proxy at edge to meet compliance and auditing requirements is a priority, Pomerium is the better solution.

Use Cases

  • VPN-alternativeCloudflare Access provides a VPN alternative which allows your organization to manage access to your applications based on your existing identity provider.

Strengths

  • Limits lateral movement — Cloudflare Access (CFA) and Gateway reduces attack surfaces by limiting user access to application and not exposing the network.
  • Access Control — CFA provides access control for cloud applications.
  • IdP ready — CFA integrates with existing IdP for SSO uses.
  • A trail of breadcrumbs — CFA has auditing and logging.
  • No wizard needed — No client is needed for HTTP-apps, but a client is needed for other uses.

Weaknesses

  • Expansion of information boundary — Cloudflare’s role as logger, auditor, and policy enforcer for your services gives Cloudflare insight into the inner workings and decisions of your organization, which may result in compliance issues. Pomerium avoids this by being deployed at edge, so Pomerium does not have any information that would put your organization at risk.
  • Pay for that too — Not only does Cloudflare nest a lot of their best features behind paid plans, their CDN system means introducing extra hops that incur increased latency and bandwidth costs.

Sign up to be notified of new features and product updates

Try Enterprise