Setting up Cloudflare Zero Trust Applications and Policies for access control
Cloudflare Zero Trust applications and policies give you granular control over who can access your web applications.
Applications are resources you want to protect, e.g. an internal website.
Policies are the rules that determine who can access the applications and under what conditions.
Creating a policy
To create a policy that grants access only to users with specific email domains:
- Log in to the Cloudflare dashboard
- Navigate to Zero Trust -> Access -> Policies
- Click “Add a policy”
- Enter a name (e.g. “Internal Access”) and set Action to “Allow”
- Add rules for:
  - “Authentication method” as “otp - one-time password”
  - “Emails ending in” as “@your-domain.example”
- Save
Now the policy is ready to be added to an application.
Tip
It’s possible to configure other authentication methods for SSO such as GitHub authentication in Zero Trust -> Settings -> Authentication -> Login Methods. See the Cloudflare docs for more info.
Creating an application
To create an application that protects a specific resource:
- Log in to the Cloudflare dashboard
- Navigate to Zero Trust -> Access -> Applications
- Click “Add an application”
- Select “Self-hosted”
- Configure application details for name, domain and session duration
- Click “Select existing policies” and select the policy you created earlier
- Ensure the same login methods are enabled for the application
- Save
Your application now has access controls defined.
Note
The resources being protected must be managed by Cloudflare DNS so that Cloudflare can intercept the requests and perform the ACL checks.
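To confirm that the new application is actually enforced, send a request without a session cookie and check that it is redirected to the Access login page instead of being served. The following is an added example, not Cloudflare's own tooling: the function names and the team name `example-team` are hypothetical, and it assumes an unauthenticated request to a protected hostname is redirected to a `*.cloudflareaccess.com` URL under `/cdn-cgi/access/login`.

```python
import http.client
import sys
from urllib.parse import urlsplit

ACCESS_SUFFIX = ".cloudflareaccess.com"  # team domains sit under this suffix
LOGIN_PATH = "/cdn-cgi/access/login"     # path prefix of the Access login page


def classify(status, headers):
    """Classify the response to a request sent with no Access session cookie."""
    headers = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 303, 307, 308):
        target = urlsplit(headers.get("location", ""))
        host = (target.hostname or "").lower()
        if (target.scheme == "https" and host.endswith(ACCESS_SUFFIX)
                and target.path.startswith(LOGIN_PATH)):
            return "protected"    # bounced to the Access login page
        return "unknown"          # redirected elsewhere: inspect by hand
    if 200 <= status < 300:
        return "unprotected"      # content served with no login in front
    return "unknown"              # errors and blocks say nothing either way


def probe(hostname, path="/", timeout=10):
    """Send one cookie-less HTTPS GET and classify it without following redirects."""
    conn = http.client.HTTPSConnection(hostname, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "access-check"})
        resp = conn.getresponse()
        return classify(resp.status, dict(resp.getheaders()))
    finally:
        conn.close()


# Constructed sample responses (not captured traffic); "example-team" is a placeholder.
SAMPLES = [
    (302, {"Location": "https://example-team.cloudflareaccess.com"
                       "/cdn-cgi/access/login/app.your-domain.example?kid=abc"}),
    (200, {"Content-Type": "text/html"}),  # e.g. hostname not routed via Cloudflare
    (302, {"Location": "https://example-teamcloudflareaccess.com/cdn-cgi/access/login/x"}),
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], "->", probe(sys.argv[1]))
    else:
        for status, hdrs in SAMPLES:
            print(status, "->", classify(status, hdrs))
```

Run it with the application's hostname as the only argument; an `unprotected` result means the content was served without passing through Access, as happens when the hostname is not managed by Cloudflare DNS.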