r/CloudFlare: Help me understand ZTNA vs VPN

💡
This article archives a conversation, which took place in a subreddit post (original source linked below) and to which I contributed a solution or answer (with the u/MasterofSynapse handle), in a Q&A format.

Original Reddit post: https://www.reddit.com/r/CloudFlare/comments/y0d6su/help_me_understand_ztna_vs_vpn/

Question

Hi all, I've setup Cloudflare Zero Access in the company I work in, but I still don't understand how that replaces a VPN when it's not for cloud based resources.

I have employees asking for a VPN to secure their traffic bc they might work from some countries where access is dubious. Does the browser based ZTNA cover those cases even if they don't access any company resources?

How would that help every other application they run? Slack, Zoom, etc.

I've been leaning to use WARP for those employees, but I'm struggling to understand how this works when it's not for company web applications hosted on cloud/on premise

Would anyone kind enough shed some light onto this so I can understand a bit more?

Thanks!

Answer

Since the initial commenter deleted their comments, I will assume we start from a clean slate.

VPN, in its most classical sense, connects an endpoint or a network with another endpoint or network, for example to be able to reach an application, since it is not reachable directly externally, through the WWW itself.

Another variant of a VPN is to circumvent country-level blocking or oppressive governments, so you connect to a VPN, you are in (just an example, I don't mean that this government is oppressive) Egypt, and your VPN lets your traffic leave in USA. In that case, the server or app you are connecting to sees the USA endpoint and lets traffic pass, even if it is blocked for Egypt.

Cloudflare and its ZTNA infrastructure wasn't built with the second variant in mind. It is there to secure on-prem and cloud self-administered installations, so you don't need port forwardings and also have DDoS and bot protections, along with strong authentication.

The clientless solutions, for web apps and SSH/VNC are there to not have to install the WARP client onto your local machine, as you eluded to in the other comment string. However, as you can read from the previous sentence, it has limitations regarding which apps it can protect. If an app doesn't run in the browser (or may have a browser app but is normally expected to be installed locally), then you need WARP since it can't be done any other technical way.

So to further help you with an explanation, I have to know what your employees are looking for.

Comment 1 on Answer

this is the explanation I direly needed :)

We have both scenarios in our company, engineers would most likely need to access applications on our cloud based infra, so they can access that through ZTNA, but non-engineers also request VPN access to protect their non web based apps in case they work remotely from anywhere, so that's where WARP comes in.

Thanks you so much for taking the time to write the above.

If you don't mind me asking now, if we have a server hosted in a public cloud, and we want to make the application only accesible through ZTNA, where would the auth be on the side of the public cloud? I understand if it were through DNS using Cloudflare, but we're not.

Perhaps I'm missing documentation or knowledge on this, so apologies for that, but that's the other piece of the puzzle missing.

My response to comment 1

Before I can answer your question, you have to understand the concept of IdP (Identity Provider) and SdP (Service Provider) first.

The IdP, in Cloudflare's case Azure AD, Okta, Google Workspace or many other, hold the users informations and their credentials. The SdP, Cloudflare ZTNA, has the launcher through which you open your apps. And the SdP needs an auth token from the IdP to know if a user may pass.

And the app you want to protect either is able to get the auth from ZTNA passed through, or it has another auth, but maybe no 2FA, so you want ZTNA to cover that part.

And yes, for ZTNA to work fully, you need to have the DNS zone with Cloudflare, since ZTNA is also a Cloudflare service.

Does something prevent you from migrating the zone to Cloudflare if you are already using ZTNA?

Comment 1.1 on Answer

We're using G Workspace as IdP and that works lovely, but we're mostly on AWS with R53, so using Cloudflare as DNS provider is not really an option right now. I can't find any documentation on how to passthrough credentials with ZTNA, or how that implementation would work though.