Cloudflare Whitepaper Reference Architecture For Internet-Native Transformation

WHITEPAPER

Reference Architecture for Internet-Native Transformation
Modernize how you secure user-to-application access

What security stack sits between users and apps?


Before Cloudflare
Most organizations rely on a 20+ year-old hub-and-spoke architecture. Internal users and apps are connected and secured differently than external users and apps. Access depends on the location, device, role, or identity provider (aka. IdP).

With Cloudflare
Your architecture is future-proofed with an Internet-native transformation embracing Zero Trust principles to consistently connect and secure all users and apps with a complete stack of cloud-native services that are easy to set up and operate.

Legend: ✓ Supported use case and security; ✖ Unsupported use case and security

App columns: Internal apps = self-hosted private DC, colo or cloud (non-Web); self-hosted public cloud (AWS, GCP, Azure). External apps = SaaS and email (M365, GSuite); Internet (FB, Reddit).

Before Cloudflare
● Internal users (office and remote)
  Internal apps: ✓ “Trusted” location, device, or employee role; ✖ “Untrusted” location, BYO device, contractor role
  SaaS and email: ✓ Corporate IdP; ✖ Social IdP
  Internet: n/a
● External users
  Internal apps: ✖ “Untrusted” IoT device or B2B customer role
  SaaS and email: ✖ Social IdP
  Internet: n/a
● On-network connectivity
  Self-hosted private DC: “Trusted” direct LAN
  Self-hosted public cloud: “Trusted” private link
  SaaS, email and Internet: One “Untrusted” egress point
● Off-network connectivity
  Internal apps: “Trusted” VPN
  External apps: “Untrusted” VPN split tunnel
● Access security stack
  Self-hosted private DC: ✓ FW, IDS (w/ LB, DNS); ✖ WAF, DDoS, ZTNA, SWG, SEG, RBI, DLP
  Self-hosted public cloud: ✓ FW (with LB)
  External apps: ✓ SWG, SEG, DLP (sometimes); ✖ CES, CASB, RBI

With Cloudflare
● Internal users (office and remote), all apps: ✓ Any verified identity (role-based optional), any device (posture-based optional), any location (context-based optional)
● External users
  Internal apps, SaaS and email: ✓ Any verified identity via any IdP (context-based optional, e.g. mTLS, OTP)
  Internet: n/a
● On-network connectivity: Direct breakout egress points to Cloudflare
● Off-network connectivity: Direct to Cloudflare
● Access security stack
  Internal apps: ✓ FW, IDS, WAF, DDoS, ZTNA, SWG, SEG, RBI, DLP (with LB, DNS)
  External apps: ✓ SWG, SEG/CES, CASB, RBI, DLP (with ZT rules)
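The table above contrasts two access models: a perimeter that trusts by network location (direct LAN or VPN means “trusted”) and a Zero Trust model where any verified identity, on any device, from any location, is checked against explicit per-application rules. The following Python is an added illustration of that difference and is not code from the whitepaper or from Cloudflare; the users, apps, rules and request fields are all constructed for the demo. It shows what a principal can reach under each model, which is the lateral-movement surface the paper says Zero Trust eliminates.

```python
"""Added example (not part of the Cloudflare whitepaper): toy comparison of a
perimeter (location-trust) access model with a Zero Trust (explicit-rule)
access model. All users, apps and rules below are constructed."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Request:
    user: str             # identity asserted by an IdP; "" if anonymous
    idp: str              # "corp", "social", or "" when no IdP was involved
    mfa: bool             # strong second factor present (OTP / mTLS in the paper)
    device_managed: bool  # enrolled device passing posture checks
    on_network: bool      # connected from the LAN or VPN (the perimeter's trust signal)
    app: str              # target application


# "Before": a perimeter model. Anything that reaches the internal network is
# trusted and can reach every internal app; SaaS is gated only by the corporate IdP.
INTERNAL_APPS = frozenset({"hr-portal", "finance-db", "smb-share"})


def perimeter_decision(req: Request) -> bool:
    if req.app in INTERNAL_APPS:
        return req.on_network      # network location is the only check
    return req.idp == "corp"       # SaaS/email: corporate IdP only


# "With": a Zero Trust model. Every app has an explicit allow rule; identity must
# come from some IdP; device posture and MFA are per-app requirements; network
# location plays no role. Anything without a rule is denied by default.
@dataclass(frozen=True)
class Rule:
    allowed_users: frozenset
    require_managed_device: bool = False
    require_mfa: bool = False


ZT_RULES = {
    "hr-portal":  Rule(frozenset({"alice", "bob"})),
    "finance-db": Rule(frozenset({"alice"}), require_managed_device=True, require_mfa=True),
    "smb-share":  Rule(frozenset({"bob"}), require_managed_device=True),
    "m365":       Rule(frozenset({"alice", "bob", "carol-contractor"}), require_mfa=True),
}


def zero_trust_decision(req: Request) -> bool:
    rule = ZT_RULES.get(req.app)
    if rule is None:
        return False                               # default deny
    if not req.user or not req.idp:
        return False                               # identity must be verified
    if req.user not in rule.allowed_users:
        return False
    if rule.require_managed_device and not req.device_managed:
        return False
    if rule.require_mfa and not req.mfa:
        return False
    return True


ALL_APPS = sorted(ZT_RULES)


def reachable_apps(decision, req: Request) -> list:
    """Apps the same principal could reach by re-targeting its request. Under the
    perimeter model this is the lateral-movement surface once inside."""
    return [app for app in ALL_APPS if decision(replace(req, app=app))]


# Constructed sample principals.
COMPROMISED_LAPTOP = Request(user="", idp="", mfa=False, device_managed=False, on_network=True, app="hr-portal")
CONTRACTOR_BYOD = Request(user="carol-contractor", idp="social", mfa=True, device_managed=False, on_network=False, app="m365")
ALICE_REMOTE = Request(user="alice", idp="corp", mfa=True, device_managed=True, on_network=False, app="finance-db")
BOB_ON_LAN = Request(user="bob", idp="corp", mfa=True, device_managed=True, on_network=True, app="finance-db")

if __name__ == "__main__":
    samples = [("compromised laptop on LAN", COMPROMISED_LAPTOP),
               ("contractor BYOD via social IdP", CONTRACTOR_BYOD),
               ("alice remote, managed device", ALICE_REMOTE),
               ("bob on LAN, not entitled to finance", BOB_ON_LAN)]
    for name, req in samples:
        print(f"{name:36} perimeter={reachable_apps(perimeter_decision, req)}"
              f"  zero-trust={reachable_apps(zero_trust_decision, req)}")
```

The unauthenticated device on the LAN reaches every internal app under the perimeter model and nothing under the Zero Trust rules, while the contractor on an unmanaged device with a social IdP, unreachable under the perimeter model, gets exactly the one SaaS app the rule allows; that is the “any verified identity via any IdP” row of the table in executable form.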

1 888 99 FLARE | [email protected] | www.cloudflare.com REV:PMM-AUG2022


Cloudflare | Reference Architecture for Internet-Native Transformation

Before Cloudflare: Hub-and-spoke architecture

[Diagram, recovered as text: a Security Perimeter of FW, IDS, VPN, SWG, SEG and DLP appliances (or cloud point solutions) sits at a single egress point in the Denver DC (primary), with a Boulder DC (failover) over fiber. The Denver HQ (LAN) and the Seattle, Pittsburg, Scottsdale and Atlanta branches reach it over MPLS; remote users over VPN; public cloud (self-hosted apps) over private links; Internet, SaaS apps & email over the egress point or an optional split tunnel; contractors, BYOD & B2B users sit outside. Callouts ① to ⑤ are explained on pages 3-5.]

Additional cost and complexity
Backhauling traffic to one centralized egress point to enforce security is increasingly inefficient and ineffective.

Difficult to adopt new technologies
Public cloud and SaaS app adoption forces security or performance and user experience tradeoffs.

Difficult to grow the business
Hard decisions for where to deploy new hardware and how much capacity to ensure all users can access all apps.

Unfriendly model for remote work
The pandemic, climate, or geopolitical issues cause businesses friction as they rethink their resourcing models.

With Cloudflare: Internet-native transformation

[Diagram, recovered as text: a Zero Trust Network-as-a-Service platform (WAN, FW, IDS, WAF, DDoS, ZTNA, SWG, SEG/CES, CASB, RBI & DLP) on Cloudflare's interconnected, most-peered global network replaces MPLS & VPNs. Any user, device, office or data center connects through device clients or IP tunnels; public cloud (self-hosted apps) through an app connector; Internet, SaaS apps & email through a direct connection plus API-driven CASB & CES; contractors, BYOD & B2B users through clientless access. The same sites appear as on the hub-and-spoke diagram: Denver DC (primary), Boulder DC (failover), Denver HQ, the Seattle, Pittsburg, Scottsdale and Atlanta branches, and remote users.]

Improved experiences, reduced costs
Distribute enforcement points close to all users, reducing reliance on MPLS circuits at offices and hardware in DCs.

Reduced damage caused by breach
All users are conceptually ‘off-net’ and only access apps explicitly permitted, eliminating lateral movement.

Hybrid workforce & multi-cloud ready
Simple reverse proxy and API setups enable secure access for contractors, BYOD, public cloud, SaaS apps & email.

Faster innovation & revenue growth
Accelerate digital transformation now that the Internet is faster, more reliable & more secure with unlimited capacity.

Note: ① to ⑤ are references on page 2’s diagram

① Corporate network benefits

Before Cloudflare
Users, devices, apps, and data have traditionally been grouped in a single location — your headquarters. It remained the central hub as businesses expanded geographically. Apps and data are hosted and maintained there, so it made sense for users to connect to that location to do their job. To reduce hardware costs, it also makes sense to center your security perimeter there. To protect the network, all traffic enters and leaves that one location. Yet, as users are increasingly more distant from these apps, it creates a bottleneck for productivity with many costly, complex band-aids to resolve this issue.

With Cloudflare
Instead of centralizing your network around your physical security and application infrastructure, Cloudflare becomes your ‘first hop’ for all security and networking functions for both users — on any device, in any location — and network locations. Users and networks have a shared-state connection to any Cloudflare data center wherein Anycast auto-selects the lowest-latency route. All traffic enters and leaves one customized Linux server where L3 firewall and L4-7 Zero Trust policies are applied in a single pass. This not only simplifies your existing hardware investments at your data centers, but distributes security infrastructure across the world, close to users, networks, and apps.

② Remote user benefits


Before Cloudflare
Users outside of the ‘secure’ perimeter must connect back typically through a VPN connection terminating on a firewall. Traditionally, this represents challenges in (1) consistency and performance of user connectivity, (2) excessive access permissions for users on the network, and (3) inbound open ports in the firewall exposed to DDoS attacks. As user Internet traffic increases, businesses have to either accept the performance loss and increased backhauling costs or accept the loss of visibility and control by split tunneling remote user traffic around the perimeter.

With Cloudflare
Users benefit from a low-latency (<50ms) shared-state connection. They then transit our Internet-native backbone whether they are bound for internal or external apps, reducing performance hiccups, improving consistency, and eliminating the architecture capacity constraints and design concerns that come from backhauling user traffic. If you were split tunneling, this allows you to recapture all user traffic from anywhere in the world without backhauling, improving visibility and control without negatively impacting end user experience.

According to Gartner®: “By 2025, at least 70% of new remote access deployments will be served predominantly by ZTNA as opposed to VPN services, up from less than 10% at the end of 2021.” [1]


③ Branch office benefits


Before Cloudflare
As your office footprint becomes more distributed, there are difficult decisions for preparing each office for both internal WAN and Internet access:
● How do you ensure consistency and reliability supporting both? Or, do you overlay MPLS circuits (and maybe SD-WAN) to send office Internet traffic through your centralized security infrastructure?
● With global supply chain challenges, how long will it take to procure and deploy appliance hardware to increase throughput capacity?
● Do offices have interoperability requirements such as shared or local systems that each needs to access to justify the expense and complexity of MPLS circuits and software-defined routers?

With Cloudflare
Instead of a heavy-handed, MPLS ripout approach, Cloudflare recommends an incremental roadmap to improve visibility and control plus reliability and performance. By using a combination of our device client and app connector software or configuring Anycast GRE and IPsec tunnels on existing routers, you can enable both internal WAN and Internet access to applications with more secure Zero Trust policies and cross-network connectivity on an as-needed basis without building overly permissive network policies. It enables you to remove office users (and IoT devices) from the traditional hub-and-spoke network, instead enabling them with a better cafe-like experience. All offices immediately gain a simple, fast software-defined path to the Internet without expensive firewall (or SD-WAN) hardware. Apply the same comprehensive IP firewall, DNS filter, and Secure Web Gateway policies used to gain visibility and control for end users from the same simple management interface to reduce TCO.

④ Security perimeter benefits


Before Cloudflare
The moat that protects the castle is generally hardware derived. To ensure your sensitive data stays internal, and to protect your users and devices when engaging with the Internet, it made sense to centralize your security infrastructure — often firewall, intrusion detection, VPN, secure web and email gateway, and DLP appliances — at the egress point where a majority of your traffic needed to leave to the Internet. As the network expanded, and as both users and apps increasingly moved outside of the perimeter, this architecture becomes a chokepoint for adopting new technologies (e.g. Microsoft 365) and network paradigms. Downstream from this egress point, the MPLS circuits and hardware- or software-defined IP tunnels transporting corporate WAN traffic through your data center will also have hardware-based bandwidth limitations that must be taken into account.

With Cloudflare
As networks expand, application consumption matures and distributes, and users become increasingly geographically heterogeneous, Cloudflare transforms this hub and spoke architecture to distribute policy enforcement across our Internet edge, closer to all your users and applications they consume. Cloudflare can now provide the services provided by your FW, IDS, VPN, SWG, SEG, and DLP appliances plus DDoS, WAF, and newer technologies including ZTNA, CES, CASB and RBI. Since it also serves as the “first hop” termination point for both internal and external users, you get the benefit of this modern Zero Trust security applied in-line to ensure the transformation is effective and efficient.


⑤ SaaS app and email security benefits


Before Cloudflare
Most businesses are part way through their SaaS adoption journey, especially Microsoft 365 and Google Workspace that includes every office suite tool including email. SaaS represents both increased productivity and new challenges because it lives outside the perimeter. Often there is no security of data-in-transit between users and SaaS apps due to VPN split tunneling, unaffordable or non-scalable TLS inspection, or because it’s an external user. And often there is no or fragmented visibility and control across all SaaS apps’ configurations and data-at-rest profiles. Email is still the number one way that attackers get in without any network intrusion or malware download due to our implicit trust of inboxes — making everyone an insider. For things that are permanently outside the perimeter, how can you regain some of this visibility?

With Cloudflare
Security modernization frameworks — whether you call them Zero Trust Architecture (ZTA), Security Service Edge (SSE), or Secure Access Service Edge (SASE) — are all about unifying security posture in the face of continually distributed application and data usage. Cloudflare helps realize this vision by providing multiple modes of security; in addition to our in-line CASB delivered via the combination of our client or clientless SWG, ZTNA and RBI deployments we can also provide out of band API-driven CASB and cloud email security (CES). This delivers deep scans within SaaS apps, including Microsoft and Google’s suites, with just a few clicks for profile discovery with findings that will prevent data exfiltration and identify new risks continuously — notably, phishing and BEC attacks that evade traditional secure email gateway methods.

According to Gartner®: “By 2025, 30% of organizations will rely solely on SaaS applications for their mission-critical workflows.” [2]


With Others: Many stitched together architectures


Many offer piecemeal network and security infrastructure that cannot rapidly scale and evolve
to connect all users to apps end to end. Visibility and policies are inconsistent to secure access
against modern threats. Operations are complex and non-agile. User experiences are degraded.

Remote and external users
New Internet connectivity expands beyond our offices. New Zero Trust security is bolted on with reverse proxy and isolation modes to secure access for untrusted users, devices, and locations.

Public cloud, SaaS apps & email
New Internet connectivity breaks out of our offices. New Zero Trust security expands to combine API-driven with inline proxy modes to secure access to apps and email beyond our private network.

Modern threats
Excessive trust within offices and data centers is exploited. New Zero Trust security is bolted on with forward proxy and isolation modes to secure access against lateral movement.

[Diagram, recovered as text: office users over MPLS, Legacy WAN, SD-WAN and DMVPN; remote users over Direct Internet Access, broadband and 4G/5G; external users; destinations are the self-hosted private DC, colo and cloud, self-hosted public cloud (Azure vWAN, AWS Transit Gateway), and SaaS apps and email; in between sit separately stitched-together point products: FWaaS, DDoS, DNSF, DLP, ZTNA, SWG, SEG, RBI and CASB.]

“By 2025, 80% of enterprises will have adopted a strategy to unify web, cloud services and private application access using a SASE/SSE architecture, up from 20% in 2021.” [3]


With Cloudflare: One unified and composable architecture


Your corporate network is as ubiquitous as the Internet
All connectivity and security services live in the cloud alongside applications within
Cloudflare’s network platform, ready and waiting to plug in and work together seamlessly.
Now, any user across your hybrid workforce can consistently access any application across
your hybrid multi-cloud environment — without security and performance tradeoffs.

Helping Build a Better Internet

Hybrid workforce → Securely connect any user, device, and location → Proxy north-south requests with Zero Trust → Transport east-west traffic with acceleration → Distribute, build, & secure connections to any app → Hybrid multi-cloud (Internet-native connectivity end to end)

One network, one control plane — everywhere


With Cloudflare, your corporate network can run with greater speed, reliability and security
than the Internet. Every service operating at the edge is built to run in every data center, so
your users have a consistent, lightning-fast experience everywhere — whether they are in
Chicago or Cape Town. This means all customer traffic is processed in a single pass at the
data center closest to its source, with no backhauling or service chaining that adds latency.

Global network
● 275+ cities
● 155+ Tbps of network edge capacity
● 11,000+ interconnects to service and cloud providers, plus major enterprises
● ~50ms from 95% of Internet users

Every data center, every server, every service
● available to everyone
● 100% uptime SLA with Anycast
● FedRAMP in-process since July 2021
● IPv6 and TLS 1.3 processing and inspection without security tradeoffs


How our Zero Trust Network as a Service works


Composable on-ramps for any-to-any, end-to-end connectivity
Cloudflare network on-ramps use a shared-state connection via one unified control plane.
So, data centers with network interconnects, offices with Anycast IPsec or GRE tunnels,
users with wireguard clients, and app servers with Cloudflare Tunnels can transport and/or
proxy traffic between each other and the Internet through every Cloudflare service.

[Diagram, recovered as text: on-ramps on the left, Cloudflare services in the middle, resources on the right.]

On-ramps (left)
● Data centers: L2 Direct Connection via Magic WAN w/ CNI
● Locations w/ unencrypted WAN traffic: L3 Anycast IPsec via Magic WAN
● Locations w/ encrypted WAN traffic: L3 Anycast GRE via Magic WAN
● Locations without WAN traffic: L7 DNS (1.1.1.1) via Gateway DNS
● Users on a managed device w/ our client*: L4 Wireguard via WARP
● Users on an unmanaged device: L7 HTTPS via DNS (reverse proxy), w/ optional MX, SAML, or URL-rewrite on-ramps

Cloudflare (middle)
● Network services: Magic WAN transports east-west L3-7 traffic with Smart Routing for acceleration
● Multi-direction traffic flows between any on-ramp and any resource
● Zero Trust services: proxy north-south L4-7 requests with identity & endpoint integrations

Resources (right)
● Network resources that cannot be proxied
● Internal proxy host w/ our daemon (L4 QUIC Tunnel) in front of many L4 subnets w/ non-web apps (RDP, SMB, DNS)
● Internal proxy host w/ our daemon (L4 QUIC Tunnel) in front of many L7 app servers (HTTP, SSH, VNC)
● L7 app server with closed inbound port: L4 QUIC Tunnel w/ our daemon
● L7 app server with open inbound port to Internet: L7 HTTPS via DNS (reverse proxy)
● Internet, SaaS apps & email: L3 IP, plus out-of-band API and inline on-ramps

*Transports traffic over both Network and Zero Trust services
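Two on-ramps in the diagram above, “L7 app server with closed inbound port” fronted by a tunnel daemon, and the ② remote-user discussion of “inbound open ports in the firewall exposed to DDoS attacks”, rest on one pattern: the origin dials out to an edge and serves requests over that connection, so nothing on the origin listens for inbound traffic and the edge enforces access before a request is forwarded. The Python below is an added, self-contained model of that pattern on localhost; it is not Cloudflare’s daemon or protocol. The hostname, users, allow list and the one-line request format are constructed for the demo.

```python
"""Added example (not part of the Cloudflare whitepaper): a minimal model of the
"app server with closed inbound port" on-ramp. The origin connects OUT to an
edge and serves requests over that socket; the edge authorizes each client
request before forwarding it. Hostname, users and line protocol are constructed."""
import socket
import threading

HOST = "127.0.0.1"


def recv_line(sock: socket.socket) -> str:
    """Read one newline-terminated line from a blocking socket ("" on EOF)."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode().rstrip("\n")


def run_origin_connector(edge_addr, registered: threading.Event) -> None:
    """Origin side (stand-in for a connector daemon): connect out, announce the
    hostname it serves, then answer requests over that same socket. It never
    calls bind() or listen(), so no inbound firewall port has to exist."""
    with socket.create_connection(edge_addr) as tunnel:
        tunnel.sendall(b"REGISTER app.internal.example\n")
        registered.set()
        while True:
            req = recv_line(tunnel)
            if not req:                      # edge closed the tunnel
                return
            user = req.split(" ", 1)[1]
            tunnel.sendall(f"hello {user} from origin\n".encode())


def run_edge(tunnel_srv, client_srv, allowed_users, n_clients: int, out: dict) -> None:
    """Edge side: accept one connector tunnel, then serve n_clients requests,
    enforcing the per-app allow list before anything reaches the origin."""
    tunnel, _ = tunnel_srv.accept()
    out["app"] = recv_line(tunnel).split(" ", 1)[1]
    for _ in range(n_clients):
        client, _ = client_srv.accept()
        with client:
            line = recv_line(client)                 # "GET <host> user=<name>"
            user = line.rsplit("user=", 1)[1]
            if user not in allowed_users:
                client.sendall(b"403 denied at edge\n")   # origin never sees this
                continue
            tunnel.sendall(f"GET {user}\n".encode())
            client.sendall((recv_line(tunnel) + "\n").encode())
    tunnel.close()


def client_request(edge_client_addr, user: str) -> str:
    """A client talks only to the edge; it has no route to the origin."""
    with socket.create_connection(edge_client_addr) as s:
        s.sendall(f"GET app.internal.example user={user}\n".encode())
        return recv_line(s)


def demo() -> tuple:
    """Wire edge, origin connector and two clients together on localhost and
    return (registered hostname, allowed user's reply, denied user's reply)."""
    tunnel_srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tunnel_srv.bind((HOST, 0))
    tunnel_srv.listen(1)
    client_srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client_srv.bind((HOST, 0))
    client_srv.listen(4)
    out = {}
    edge = threading.Thread(target=run_edge,
                            args=(tunnel_srv, client_srv, {"alice"}, 2, out), daemon=True)
    edge.start()
    registered = threading.Event()
    origin = threading.Thread(target=run_origin_connector,
                              args=(tunnel_srv.getsockname(), registered), daemon=True)
    origin.start()
    registered.wait(5)
    ok = client_request(client_srv.getsockname(), "alice")
    denied = client_request(client_srv.getsockname(), "mallory")
    edge.join(5)
    origin.join(5)
    tunnel_srv.close()
    client_srv.close()
    return out["app"], ok, denied


if __name__ == "__main__":
    print(demo())
```

Only the edge has listening sockets; the origin holds a single outbound connection, which is why the paper can describe the app server’s inbound port as closed. The denied request is answered at the edge and never traverses the tunnel, which is the “only access apps explicitly permitted” property from page 2.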

Zero Trust services
● Access control: Access and Gateway w/CASB
● Traffic filtering: Gateway & Area 1 Email Security
● Content inspection: Gateway and Area 1
● Threat and data protection: Area 1 and Gateway w/Browser Isolation, CASB and DLP

Network services
● Access control: Magic Firewall
● Traffic routing optimization: Magic WAN
● Intrusion detection: Magic Firewall
● DDoS protection: Magic Transit

Built-in application security and performance
Customers also benefit from our application services that run inline with our Zero Trust services. Many are already enabled by default within your license.
● Protect apps with open ports: L7 DDoS Protection
● Prevent contractors from exploiting apps: WAF
● Simplify on-ramping traffic to apps: DNS
● Increase app reliability with zero downtime: LB
● Reduce bandwidth costs and improve UX: CDN


No security vs. user experience tradeoffs


Our entire edge service stack — plus out of band services — is natively built to work together. Zero
Trust, network, and application services sit between the appropriate on-ramps based on the domain,
IP, and protocol. Requests and traffic are filtered, inspected, isolated, and verified in a lightning-fast
single pass closest to their source; then routed and accelerated across the Internet to their destination.

[Diagram, recovered as text: the single-pass service stack, listed top to bottom. Every server can run every edge service in a single pass. Stages marked * are N/A for PAC or URL-rewrite on-ramps.]

Ingress
● User on-ramps: WARP, PAC, URL-rewrite (user and location on-ramps can be combined)
● Location on-ramps: IPsec, GRE, CNI
● Internet aka. “Eyeball” (combine with URL-rewrite to use forward proxy services)
● Out of band: API integration with your SaaS apps and email

Edge services, in pass order
● DNS: Recursive DNS (w/ filter & bypass rules) for public domains; Authoritative DNS for all domains (some orange-clouded); MX to Cloud Email Security (w/ link isolation coming) for your email
● CASB (out of band, for your SaaS apps and email)
● Private IP NAT* (coming soon) for public or private IPs; DDoS Protection for Cloudflare or customer IPs
● Packet Filtering Firewall*
● Intrusion Detection System*
● TCP/UDP Forward Proxy (forward path) and TCP/UDP Reverse Proxy (reverse path); non-TCP/UDP traffic skips the proxy stages
● TLS Termination (w/ bypass rules); non-HTTP/S traffic skips the HTTP/S stages that follow
● SWG (w/ CASB & device posture)
● Remote Browser Isolation
● Data Loss Prevention
● Serverless Web Apps (e.g. SSH/VNC in-browser terminal)
● Bot Mgmt
● Web Application Firewall
● Content Distribution
● Load Balancer
● ZTNA (w/ CASB and force SWG rules); supports identity using either an identity proxy or embedded identifiers; applies to customer-owned apps with orange-clouded domains
● Network Optimization
● Public IP NAT toward public IPs; Private IP NAT (coming soon) toward private, Cloudflare, or customer IPs

Egress
● Internet
● Tunnel, IPsec, GRE, CNI, WARP to your apps


Three reasons to transform your architecture with Cloudflare

Deployment simplicity
Cloudflare customers value a uniform and composable platform for easy setup and operations. They do not want piecemeal services that lead to a more time-consuming, error-prone experience.

Network resiliency
The Cloudflare global network is built with end-to-end traffic automation for reliability and performance that customers trust. No one wants manual connectivity to many cloud networks that forces security tradeoffs.

Innovation velocity
Cloudflare is architected to integrate innovations into the same network that customers use to evolve fast. No one wants new services bolted on or stagnating adoption of new standards that delays their future.

Start your journey to a faster, more reliable, more secure network

Request an architecture workshop

Not ready for your architecture workshop? Keep learning more about Cloudflare One

Acronyms:
● BEC = Business Email Compromise
● CASB = Cloud Access Security Broker
● CDN = Content Delivery Network
● CES = Cloud Email Security
● DDoS = Distributed Denial of Service
● DLP = Data Loss Prevention
● DNS = Domain Name System
● DNSF = DNS Filter
● FW = Firewall
● IDS = Intrusion Detection System
● LB = Load Balancer
● MPLS = Multiprotocol Label Switching
● RBI = Remote Browser Isolation
● RDP = Remote Desktop Protocol
● SD-WAN = Software-Defined WAN
● SEG = Secure Email Gateway
● SMB = Server Message Block
● SWG = Secure Web Gateway
● WAF = Web Application Firewall
● WAN = Wide Area Network
● VPN = Virtual Private Network
● ZTNA = Zero Trust Network Access

Sources:
1. Gartner, Emerging Technologies: Adoption Growth Insights for Zero Trust Network Access, 8 April 2022 (link)
2. Gartner, How to Establish Effective SaaS Governance, 27 December 2021 (link)
3. Gartner, 2022 Strategic Roadmap for SASE Convergence, 24 June 2022 (link)

GARTNER is a registered trademark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
