Thousands of Employees, Zero VPN: How Modern Companies Actually Do It
Large organizations are running entirely without VPNs. Here's exactly how they connect employees to internal resources without a tunnel in sight.
It's Not a Theory — It's Tuesday
When people hear "no VPN," they picture chaos. Unprotected connections. Sensitive data flying across the open internet. Developers SSHing into production from coffee shop Wi-Fi with no security layer.
The reality is the opposite. Organizations running without VPNs are typically more secure, more productive, and more auditable than their VPN-dependent peers. Here's how it actually works in practice.
The Architecture: How 5,000 People Access Internal Apps Without VPN
Let's walk through a real-world architecture for a 5,000-person company with:
- 200+ internal web applications
- Engineering teams needing SSH access to production and staging
- A customer support team using thick client CRM software
- Contractors and partners who need limited access
- Employees across 15 countries
- A mix of managed laptops and BYOD
Layer 1: Web Applications (80% of access)
The vast majority of internal applications are web-based: dashboards, admin panels, internal tools, wikis, HR portals, project management, CI/CD interfaces.
Each application is published through Cloudflare Tunnel. There's a small connector (cloudflared) running in each environment where applications live — the main data center, AWS production, and a GCP staging environment. These connectors maintain outbound-only connections to Cloudflare's edge.
When an employee navigates to, say, hr.company.com:
1. The request hits the nearest Cloudflare PoP (there's one within 50ms of almost anywhere on Earth)
2. Cloudflare's Access policy engine checks: Is this user authenticated? Is their session still valid? Does their identity group have permission for this app?
3. If the user needs to authenticate, they're redirected to the company's Okta login page
4. After authentication, the request is forwarded through the Tunnel to the application
5. The response comes back through the same path
From the user's perspective, it's indistinguishable from accessing any public website. There is no client to install for web applications. The browser is the client.
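One check an origin behind this flow must do itself: verify the token Access attaches to every forwarded request (the `Cf-Access-Jwt-Assertion` header), so that the application only honours requests that really passed the policy engine and not anything that reaches the origin by another path. The Go program below is an added example, not code from the article or from Cloudflare. It generates a local RSA key pair as a stand-in for Cloudflare's signing key (in production the public keys are fetched from the team's `/cdn-cgi/access/certs` endpoint), mints an RS256 token with the claim layout Access uses, and performs the origin-side checks: pinned algorithm, signature, issuer, the application's own AUD tag, and expiry. The team domain, AUD tag and email address are constructed values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// AccessClaims is the subset of an Access application token that an origin should
// check: aud carries the application's AUD tag(s), iss is the team domain.
type AccessClaims struct {
	Aud   []string `json:"aud"`
	Email string   `json:"email"`
	Exp   int64    `json:"exp"`
	Iss   string   `json:"iss"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignRS256 mints a compact JWS (header.payload.signature). It stands in for
// Cloudflare's signing so the example runs offline with a locally generated key.
func SignRS256(claims AccessClaims, key *rsa.PrivateKey) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64url(hdr) + "." + b64url(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64url(sig), nil
}

// VerifyAccessToken is the origin-side check: pin the algorithm, verify the
// signature, then require the expected issuer, this app's own AUD tag and an
// unexpired token. Any failure means the request did not come through Access.
func VerifyAccessToken(token string, pub *rsa.PublicKey, wantIss, wantAud string, now time.Time) (*AccessClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("header must declare RS256") // never trust a client-chosen alg
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature: %w", err)
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c AccessClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Iss != wantIss {
		return nil, fmt.Errorf("issuer %q is not %q", c.Iss, wantIss)
	}
	audOK := false
	for _, a := range c.Aud {
		audOK = audOK || a == wantAud
	}
	if !audOK {
		return nil, errors.New("token was issued for a different application")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // stand-in for Cloudflare's key pair
	if err != nil {
		panic(err)
	}
	iss, aud := "https://example-team.cloudflareaccess.com", "hr-app-aud-tag-placeholder" // constructed
	now := time.Now()
	tok, _ := SignRS256(AccessClaims{Aud: []string{aud}, Email: "alice@company.com",
		Exp: now.Add(time.Hour).Unix(), Iss: iss}, key)
	c, err := VerifyAccessToken(tok, &key.PublicKey, iss, aud, now)
	fmt.Println(c, err)
}
```

The AUD check is the one most often skipped: a token minted for one application is a valid Access token, but it must not be accepted by a different application behind the same team domain.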
Layer 2: SSH and RDP (15% of access)
Engineers need terminal access to servers. Support staff need RDP to specific Windows machines. In the VPN world, this meant full network-level access to server subnets.
With Cloudflare, SSH and RDP work through browser-based rendering:
1. An engineer navigates to ssh.company.com
2. They authenticate through Okta (with hardware key MFA required for infrastructure access)
3. Cloudflare renders a terminal in the browser, connected to the target server through the Tunnel
4. The engineer works in their browser — no SSH key distribution needed, no local SSH client configuration
For power users who prefer native SSH, the WARP agent can proxy SSH traffic through Cloudflare with short-lived certificates. No long-lived SSH keys sitting on laptops. No bastion hosts to maintain.
Layer 3: Thick Client and Custom Protocol (5% of access)
The CRM software, the legacy ERP system, the custom inventory tool that only speaks a proprietary TCP protocol — these can't run in a browser.
For these applications, the WARP agent runs on managed devices and routes specific traffic through Cloudflare's network to the internal destination. But unlike a VPN, the agent only routes traffic for these specific applications. Everything else goes direct.
And unlike a VPN, every connection through WARP is logged at the application level: who connected, to what, when, for how long.
What About Contractors and Partners?
This is where VPN-free architecture really shines. With a VPN, onboarding a contractor means:
1. Procuring a managed device (or fighting with their device)
2. Installing VPN software
3. Creating VPN credentials
4. Configuring the right VPN profile
5. Setting up network segmentation so they can't reach everything
6. Revoking all of the above when the engagement ends
With Cloudflare Access, onboarding a contractor means:
1. Add them to the relevant Access policy (by email or IdP group)
2. Done
The contractor opens their browser, navigates to the app URL, authenticates with their email, and they're in. Only to the specific applications they're authorized for. Nothing else. No client, no credentials to provision, no device requirements.
When the engagement ends: remove them from the policy. Access is instantly revoked across every application.
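To make the policy mechanics behind that two-step flow concrete, here is an added example, not the article's or Cloudflare's code. It models an Access policy as its Include, Require and Exclude rule lists (a policy applies when any Include rule matches, every Require rule matches and no Exclude rule matches), evaluates an application's ordered policies with first-match-wins and implicit deny (both assumptions of this example, not a description of Cloudflare's exact ordering rules), and shows that onboarding and offboarding a contractor is an edit to one Include list. The application, policies, groups and identities are all constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Identity is what the IdP (Okta in the article's setup) asserts about a user.
type Identity struct {
	Email  string
	Groups []string
}

// Rule is one selector in a policy block: kind "email", "email_domain" or "group".
type Rule struct {
	Kind  string
	Value string
}

func (r Rule) Matches(id Identity) bool {
	switch r.Kind {
	case "email":
		return strings.EqualFold(r.Value, id.Email)
	case "email_domain":
		return strings.HasSuffix(strings.ToLower(id.Email), "@"+strings.ToLower(r.Value))
	case "group":
		for _, g := range id.Groups {
			if g == r.Value {
				return true
			}
		}
	}
	return false
}

// Policy mirrors the Include / Require / Exclude blocks of an Access allow policy.
type Policy struct {
	Name    string
	Include []Rule
	Require []Rule
	Exclude []Rule
}

// Applies is true when any Include matches, every Require matches and no Exclude matches.
func (p *Policy) Applies(id Identity) bool {
	ok := false
	for _, r := range p.Include {
		ok = ok || r.Matches(id)
	}
	for _, r := range p.Require {
		ok = ok && r.Matches(id)
	}
	for _, r := range p.Exclude {
		ok = ok && !r.Matches(id)
	}
	return ok
}

// AddEmail and RemoveEmail are the article's contractor lifecycle: edit the Include
// list, and nothing is provisioned on a device or network.
func (p *Policy) AddEmail(email string) {
	p.Include = append(p.Include, Rule{Kind: "email", Value: email})
}

func (p *Policy) RemoveEmail(email string) {
	kept := p.Include[:0]
	for _, r := range p.Include {
		if r.Kind != "email" || !strings.EqualFold(r.Value, email) {
			kept = append(kept, r)
		}
	}
	p.Include = kept
}

// Decide walks an app's ordered policies. First match wins and no match means deny;
// both are assumptions of this example, not a description of Cloudflare's ordering.
func Decide(policies []*Policy, id Identity) (allowed bool, policy string) {
	for _, p := range policies {
		if p.Applies(id) {
			return true, p.Name
		}
	}
	return false, "implicit deny"
}

// NewVendorPortal builds a constructed app: employees need the MFA-enrolled group and
// lose access once moved to "offboarded"; contractors are listed one email at a time.
func NewVendorPortal() []*Policy {
	employees := &Policy{Name: "employees",
		Include: []Rule{{Kind: "email_domain", Value: "company.com"}},
		Require: []Rule{{Kind: "group", Value: "mfa-enrolled"}},
		Exclude: []Rule{{Kind: "group", Value: "offboarded"}}}
	return []*Policy{employees, {Name: "contractors"}} // index 1 is the contractor policy
}

func main() {
	app, bob := NewVendorPortal(), Identity{Email: "bob@vendor.example"}
	app[1].AddEmail(bob.Email)
	fmt.Println(Decide(app, bob)) // true contractors
	app[1].RemoveEmail(bob.Email)
	fmt.Println(Decide(app, bob)) // false implicit deny
}
```

Because the decision is evaluated per request against the current policy, the RemoveEmail edit takes effect on the contractor's next request to every application that shares the policy; there is no session or device state to chase.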
The Security Model: Why This Is More Secure Than VPN
Counterintuitively, removing the VPN makes things more secure:
No lateral movement: There's no "network" to move through. Each application is an independent access decision. Compromising one app gives you access to one app — not the entire corporate network.
Continuous verification: VPNs authenticate once at connection time. Cloudflare Access can re-verify identity, device posture, and session validity on every request. Anomalous behavior triggers step-up authentication.
No credential sprawl: VPN credentials are high-value targets because they grant broad access. Application-level access tokens are lower value and shorter lived.
Full visibility: Every access attempt — successful or not — is logged with user identity, device info, location, and timestamp. VPN logs only tell you "someone connected."
Phishing resistance: Cloudflare Access supports hardware security keys and platform authenticators. VPN credentials are typically username/password with (maybe) TOTP — all phishable.
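The "full visibility" point only pays off if something reads the log. The Go program below is an added example that is not from the article or from Cloudflare: it parses a constructed JSON-lines export whose field names follow the `access_requests` Logpush dataset and flags two patterns an application-level log exposes and a VPN concentrator log ("someone connected") cannot: one identity denied repeatedly at one application, and one identity with successful logins from more than one country inside the export window. Every event in `sampleLog` is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// AccessRequest carries the fields of one Access login event used here. The field
// names follow Cloudflare's access_requests Logpush dataset; the values are constructed.
type AccessRequest struct {
	Action    string    `json:"Action"`
	Allowed   bool      `json:"Allowed"`
	AppDomain string    `json:"AppDomain"`
	Country   string    `json:"Country"`
	CreatedAt time.Time `json:"CreatedAt"`
	Email     string    `json:"Email"`
	IPAddress string    `json:"IPAddress"`
}

// sampleLog is a constructed JSON-lines export: eight login events over 25 minutes.
const sampleLog = `{"Action":"login","Allowed":true,"AppDomain":"hr.company.com","Country":"US","CreatedAt":"2024-05-07T09:00:10Z","Email":"alice@company.com","IPAddress":"203.0.113.10"}
{"Action":"login","Allowed":true,"AppDomain":"wiki.company.com","Country":"US","CreatedAt":"2024-05-07T09:04:31Z","Email":"alice@company.com","IPAddress":"203.0.113.10"}
{"Action":"login","Allowed":false,"AppDomain":"hr.company.com","Country":"DE","CreatedAt":"2024-05-07T09:05:02Z","Email":"bob@vendor.example","IPAddress":"198.51.100.7"}
{"Action":"login","Allowed":false,"AppDomain":"hr.company.com","Country":"DE","CreatedAt":"2024-05-07T09:05:40Z","Email":"bob@vendor.example","IPAddress":"198.51.100.7"}
{"Action":"login","Allowed":false,"AppDomain":"hr.company.com","Country":"DE","CreatedAt":"2024-05-07T09:06:15Z","Email":"bob@vendor.example","IPAddress":"198.51.100.7"}
{"Action":"login","Allowed":true,"AppDomain":"hr.company.com","Country":"US","CreatedAt":"2024-05-07T09:10:00Z","Email":"carol@company.com","IPAddress":"203.0.113.44"}
{"Action":"login","Allowed":true,"AppDomain":"ci.company.com","Country":"BR","CreatedAt":"2024-05-07T09:22:45Z","Email":"carol@company.com","IPAddress":"192.0.2.99"}
{"Action":"login","Allowed":false,"AppDomain":"ci.company.com","Country":"GB","CreatedAt":"2024-05-07T09:25:00Z","Email":"dave@company.com","IPAddress":"192.0.2.120"}`

// Finding is one triage result for a single identity.
type Finding struct {
	Email  string
	Reason string
}

// ParseLog decodes one JSON object per line, skipping blank lines.
func ParseLog(lines string) ([]AccessRequest, error) {
	var out []AccessRequest
	for n, line := range strings.Split(lines, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		var r AccessRequest
		if err := json.Unmarshal([]byte(line), &r); err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		out = append(out, r)
	}
	return out, nil
}

// Triage flags one identity denied at the same app at least denyThreshold times,
// and one identity with allowed logins from more than one country in the export.
func Triage(reqs []AccessRequest, denyThreshold int) []Finding {
	denied := map[[2]string]int{}             // (email, app) -> denied count
	countries := map[string]map[string]bool{} // email -> countries with allowed logins
	for _, r := range reqs {
		if r.Action != "login" {
			continue
		}
		if !r.Allowed {
			denied[[2]string{r.Email, r.AppDomain}]++
			continue
		}
		if countries[r.Email] == nil {
			countries[r.Email] = map[string]bool{}
		}
		countries[r.Email][r.Country] = true
	}
	var findings []Finding
	for k, n := range denied {
		if n >= denyThreshold {
			findings = append(findings, Finding{Email: k[0], Reason: fmt.Sprintf("%d denied attempts at %s", n, k[1])})
		}
	}
	for email, set := range countries {
		if len(set) > 1 {
			findings = append(findings, Finding{Email: email, Reason: fmt.Sprintf("allowed logins from %d countries", len(set))})
		}
	}
	// Map iteration order is random; sort so the report is stable.
	sort.Slice(findings, func(i, j int) bool {
		if findings[i].Email != findings[j].Email {
			return findings[i].Email < findings[j].Email
		}
		return findings[i].Reason < findings[j].Reason
	})
	return findings
}

func main() {
	reqs, err := ParseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range Triage(reqs, 3) {
		fmt.Printf("%-22s %s\n", f.Email, f.Reason)
	}
}
```

The same structure (identity, application, outcome, location, timestamp on every event) is what lets a detection rule say "which app, which user, which outcome" instead of "a tunnel came up", which is the practical content of the visibility claim above.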
The Performance Reality
Users notice the difference immediately. Instead of:
- Waiting 15-30 seconds for VPN connection
- Dealing with 100-300ms added latency
- Suffering through VPN client crashes and reconnections
- Losing bandwidth to tunnel overhead
They get:
- Instant access (it's a web page)
- Sub-50ms to Cloudflare's edge
- No client to crash
- Full bandwidth for actual work
The most common feedback after a VPN-to-Zero-Trust migration: "Why didn't we do this years ago?"
The Numbers
For a 5,000-person organization running this architecture:
- Zero VPN concentrators to maintain
- Zero VPN client support tickets
- 200+ applications secured with per-request authorization
- Full audit trail for every access attempt
- Minutes to onboard or offboard a user or contractor
- Global performance — same experience in Tokyo, London, and São Paulo
This isn't the future of enterprise access. It's the present. The only question is when your organization catches up.