Thay thế VPN bằng Zero Trust access Replace VPN with Zero Trust access

VPN truyền thống thường cấp quyền truy cập mạng quá rộng, gây friction và không phù hợp cho SaaS/remote work/app-specific access. Traditional VPN often grants overly broad network access, creates operational friction, and is not ideal for SaaS/remote work/app-specific access.

Kiến trúc gợi ý Suggested architecture

User + device + identity → Cloudflare Zero Trust policy → Private application User + device + identity → Cloudflare Zero Trust policy → Private application

Sơ đồ tham chiếu (Cloudflare Docs) Reference diagrams (Cloudflare Docs)

Figure 1: Only traffic that has passed the Cloudflare network and relevant policies is authorized to access the SaaS application. — Secure access to SaaS applications with SASE Secure access to SaaS applications with SASE

Zero Trust cho SaaS: policy theo identity, device posture và network context qua Cloudflare One. Cloudflare's SASE platform offers the ability to bring a more Zero Trust orientated approach to securing SaaS applications. Centralized policies, based on device posture, identity attributes and granular network location can be applied across one or many Saas applications.

Thuật ngữ: Concepts: SASE · Gateway · Access · Device posture · SaaS

Sơ đồ chính thức ↗ Official diagram ↗ · SASE / Cloudflare One Secure Access Service Edge (SASE)

Figure 1: Remote browser connected to private web service using internal hostname — Access to private apps without having to deploy client agents Access to private apps without having to deploy client agents

Learn how to provide access to private apps without having to deploy client agents. Learn how to provide access to private apps without having to deploy client agents.

Sơ đồ chính thức ↗ Official diagram ↗ · SASE / Cloudflare One Secure Access Service Edge (SASE)

Các bước thực hiện Recommended steps

Liệt kê internal apps List internal apps
Xác định user groups Identify user groups
Kết nối identity provider Connect identity provider
Define access policies Define access policies
Test với một low-risk app Test with one low-risk app
Monitor access logs Monitor access logs
Mở rộng dần Expand gradually

Lỗi thường gặp Common mistakes

Coi Zero Trust là “VPN mới” với full network access Treating Zero Trust as a “new VPN” with full network access

ZTNA cấp quyền theo app, không phải subnet. User không nên thấy toàn bộ mạng nội bộ sau khi login. ZTNA grants per-app access, not subnets. Users should not see the entire internal network after login.

Không log và audit Access sessions No Access session logging or audit

Thiếu log khiến không điều tra được sự cố. Bật logging và review định kỳ ai vào app nào. Missing logs make incidents hard to investigate. Enable logging and review who accessed which apps.

Policy không có owner và ngày review Policies without owners or review dates

Policy cũ tích tụ quyền thừa. Mỗi app policy cần owner và lịch review hàng quý. Stale policies accumulate excess access. Each app policy needs an owner and quarterly review.

Next step Next step

Tiếp tục hành trình học của bạn. Continue your learning journey.

Xem track Cloudflare One View Cloudflare One track