The most important thing to understand about Cloudflare One is that the name is marketing fluff. It does a bunch of things with a number of confusingly similar products. (Some of its features are provided by third-party "partners.")
The products are designed to be compatible, which is what the name "Cloudflare One" is designed to reflect, but there isn't just one product/feature being offered here. It's more of a vision statement than anything else.
What they're announcing is the compatibility of three previously released features:
1. Cloudflare WARP, their public VPN product for end users https://blog.cloudflare.com/1111-warp-better-vpn/
Note that despite being a "VPN," when WARP launched, it wasn't designed to connect to any company's internal corporate network. WARP is/was a "public VPN," the sort of thing an ordinary user would use to hide their IP address from web sites for privacy reasons. (Cloudflare claimed that WARP would also improve your network performance.)
2. Cloudflare Magic Transit, which is basically a reverse VPN product for on-premise datacenters, providing DDoS protection and packet filtering.
Magic Transit is kinda like Cloudflare's HTTP CDN product, but for all of a datacenter's traffic, geared toward IT professionals.
3. Cloudflare Network Interconnect (CNI), which lets you connect corporate offices to each other over Cloudflare's backbone infrastructure. Like Magic Transit, it was designed to allow IT staff to do traffic management and packet filtering.
Perhaps you'd have thought that these products would work together in some way, but they didn't, and now they kinda do.
Another bit of fluff that may have confused you is that they refer to this as a "Zero Trust" architecture, which sounds a little bit like BeyondCorp. IMO, this is basically a lie. BeyondCorp lets users connect to corporate resources behind a proxy, without a VPN.
If you squint and think of a VPN as a giant proxy, even traditional VPN solutions can seem like "Zero Trust," but that is not at all what anybody meant by that term.
What they are hoping to mitigate is the problem where anybody inside your VPN can access anything else they want inside your VPN, which is how most corporate VPNs work today. That sucks, but they're fixing this with a centralized configurable cloud-based VPN solution, in which you have to trust.
>BeyondCorp lets users connect to corporate resources behind a proxy, without a VPN.
BeyondCorp is about trusting nothing and allowing what is allowed. It's an inversion of being Inside or Outside the network, in that everyone is outside. When they say "without a VPN" what they mean is that you aren't connecting to inside the trust and then gaining access to everything.
This product from Cloudflare, by integrating with an identity manager, is offering that same kind of deny by default, and allow the allowlist type paradigm. Whether or not it is VPN tech is a bit irrelevant, and misses the point of BeyondCorp. Google's implementation was a proxy by choice, but it's not the only way to accomplish the same idea. I get that you get that, but drawing the BeyondCorp/not-BeyondCorp line at VPN/proxy is missing the forest for the trees.
> Another bit of fluff that may have confused you is that they refer to this as a "Zero Trust" architecture, which sounds a little bit like BeyondCorp. IMO, this is basically a lie. BeyondCorp lets users connect to corporate resources behind a proxy, without a VPN.
I thought this was referring to the combination of Access (identity constraints on connections) and the tunnel system and your app servers only connect outbound to the CDN nodes, forcing all connections to be made through Access. That seems like zero-trust to me, doesn’t it?
> What they are hoping to mitigate is the problem where anybody inside your VPN can access anything else they want inside your VPN, which is how most corporate VPNs work today. That sucks, but they're fixing this with a centralized configurable cloud-based VPN solution, in which you have to trust.
This can also be accomplished with rules and micro-segmentation of various types.