Part 2: ZTNA — replace VPN step by step · Lesson 2/2

Policies: who can access which app

Example: Eng group → staging admin; All → company wiki. Log every session for audit.

Illustration (policies: who can access which app) from the Cloudflare Reference Architecture (developers.cloudflare.com)

Step-by-step

  1. Access → Applications → Add application (Self-hosted or SaaS).
  2. Policy: Allow Eng group → staging; Allow All → wiki.
  3. Require device posture (if available) for sensitive apps.
  4. Review Access logs after a one-week pilot.

Detailed explanation

ZTNA = per-app access, not access to the whole network — each policy should have an owner and a review date.

Notes (best practices)

Before production, read Application paths to understand wildcards and path matching. For duplicate policy rules, use rule groups. To simplify many domains: one primary domain per app, with IaC (Terraform) for the rest.

Source: Access application — Best practices
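The four steps above and the IaC recommendation, as Terraform for Cloudflare Access (an added example, not code from the lesson or from Cloudflare's docs). It assumes the Cloudflare Terraform provider v4 resource schema (cloudflare_access_group / cloudflare_access_application / cloudflare_access_policy; provider v5 renames these to cloudflare_zero_trust_access_*), a placeholder account id and device posture rule id, and constructed example.com domains.

```hcl
# Assumed: Cloudflare Terraform provider v4 schema; placeholder ids and domains.
variable "account_id"      { type = string }
variable "posture_rule_id" { type = string } # id of an existing device posture rule
# Group "Eng", defined here by a constructed email domain (an IdP group claim also works).
resource "cloudflare_access_group" "eng" {
  account_id = var.account_id
  name       = "Eng"
  include {
    email_domain = ["eng.example.com"]
  }
}

# Sensitive app: staging admin console. Access is granted per app, never to the whole network.
resource "cloudflare_access_application" "staging_admin" {
  account_id = var.account_id
  name       = "Staging admin"
  domain     = "staging-admin.example.com"
  type       = "self_hosted"
}
# Allow only Eng, and only from a device that passes the posture check (require = AND).
resource "cloudflare_access_policy" "staging_admin_eng" {
  account_id     = var.account_id
  application_id = cloudflare_access_application.staging_admin.id
  name           = "Allow Eng on compliant device"
  precedence     = 1
  decision       = "allow"
  include {
    group = [cloudflare_access_group.eng.id]
  }
  require {
    device_posture = [var.posture_rule_id]
  }
}

# Low-sensitivity app: company wiki, open to every authenticated identity.
resource "cloudflare_access_application" "wiki" {
  account_id = var.account_id
  name       = "Company wiki"
  domain     = "wiki.example.com"
  type       = "self_hosted"
}
resource "cloudflare_access_policy" "wiki_all" {
  account_id     = var.account_id
  application_id = cloudflare_access_application.wiki.id
  name           = "Allow all authenticated users"
  precedence     = 1
  decision       = "allow"
  include {
    everyone = true
  }
}
```

Verify the attribute names against the provider version you pin before `terraform apply`, and review the Access logs for both apps after the pilot week as step 4 describes.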

Deployment examples (Cloudflare Resources)

Tutorials, solution guides and reference docs from developers.cloudflare.com/resources ↗ — matched to this lesson's topic.


Cloudflare Developer docs

Architecture diagrams (Cloudflare Docs)

Figure 1: Only traffic that has passed the Cloudflare network and relevant policies is authorized to access the SaaS application.

Secure access to SaaS applications with SASE

Zero Trust for SaaS: policies based on identity, device posture and network context through Cloudflare One. Cloudflare's SASE platform offers the ability to bring a more Zero Trust oriented approach to securing SaaS applications. Centralized policies, based on device posture, identity attributes and granular network location, can be applied across one or many SaaS applications.

Concepts: SASE · Gateway · Access · Device posture · SaaS

Official diagram ↗ · SASE / Cloudflare One · Secure Access Service Edge (SASE)

Figure 1: Showing a request to a private resource and where Access can be customized for AuthZ and AuthN

Extend ZTNA with external authorization and serverless computing

Cloudflare's ZTNA enhances access policies using external API calls and Workers for robust security. It verifies user authentication and authorization, ensuring only legitimate access to protected resources.

Concepts: Access · External Evaluation · Workers · ZTNA

Official diagram ↗ · SASE / Cloudflare One · Secure Access Service Edge (SASE)
