Zero Trust with Egress IP Control for a Financial Services Group
A leading EMEA financial services group ($100B+ AUM) · Insurance & asset management · EMEA
Implemented Cloudflare Zero Trust with static Egress IPs for Microsoft CSP authentication, GitHub, and Microsoft apps at a $100B+ AUM financial group — replacing legacy VPN with WARP, Access, and Tunnels under continuous compliance monitoring.
The challenge
- Manage secure, static Egress IPs for outbound traffic to Microsoft CSP authentication, GitHub, and Microsoft applications.
- Replace traditional VPN with WARP while keeping consistent Egress IP control for critical services.
- Integrate ZTNA with SSO for internal systems, SaaS, and GitHub, and replace VPN tunnels with Cloudflare Tunnels between AWS and on-prem under continuous compliance monitoring.
Our approach
1. Defined static Egress IP policies for outbound traffic and deployed the WARP client across all devices so traffic routed through the designated Egress IPs.
2. Configured WARP in full mode plus firewall and secure web gateway rules to enforce the use of the designated Egress IPs.
3. Integrated Cloudflare Access with SSO for secure access to internal systems, SaaS platforms, and GitHub.
4. Set up Cloudflare Tunnels with split-tunneling between AWS and on-prem, and established regular Egress IP usage audits with log integration for compliance.
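The Egress IP usage audit in step 4 can be run as a check over exported sign-in or access logs. The sketch below is an added example, not code from this engagement or from Cloudflare; the log field names, service labels, and address ranges (documentation-reserved) are assumptions, and the sample records are constructed.

```python
import ipaddress
import json
from collections import Counter

# Assumption: the designated egress ranges (constructed, documentation-reserved).
DESIGNATED_EGRESS = [ipaddress.ip_network(n)
                     for n in ("203.0.113.8/30", "2001:db8:100::/64")]

# Constructed sample: one JSON record per line, hypothetical field names.
SAMPLE_LOG = """\
{"ts":"2024-05-01T08:00:01Z","user":"a@example.com","service":"github","source_ip":"203.0.113.9"}
{"ts":"2024-05-01T08:00:07Z","user":"b@example.com","service":"entra-signin","source_ip":"203.0.113.10"}
{"ts":"2024-05-01T08:01:12Z","user":"c@example.com","service":"github","source_ip":"198.51.100.77"}
{"ts":"2024-05-01T08:02:30Z","user":"a@example.com","service":"m365","source_ip":"::ffff:203.0.113.11"}
{"ts":"2024-05-01T08:03:02Z","user":"d@example.com","service":"m365","source_ip":"2001:db8:100::25"}
{"ts":"2024-05-01T08:04:44Z","user":"b@example.com","service":"entra-signin","source_ip":"not-an-ip"}
{"ts":"2024-05-01T08:05:19Z","user":"c@example.com","service":"github","source_ip":"203.0.113.12"}
"""

def audit(lines, allowed=DESIGNATED_EGRESS):
    """Return (findings, compliant-record count per service)."""
    findings, ok = [], Counter()
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            ip = ipaddress.ip_address(rec["source_ip"])
        except (ValueError, KeyError, TypeError) as exc:
            # A record that cannot be checked is itself an audit finding.
            findings.append({"line": n, "reason": "unparseable", "detail": str(exc)})
            continue
        # Some log sources record IPv4 clients as IPv4-mapped IPv6; normalise first.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if any(ip.version == net.version and ip in net for net in allowed):
            ok[rec.get("service", "unknown")] += 1
        else:
            findings.append({"line": n, "reason": "non-designated egress",
                             "user": rec.get("user"),
                             "service": rec.get("service"), "ip": str(ip)})
    return findings, ok

if __name__ == "__main__":
    findings, ok = audit(SAMPLE_LOG.splitlines())
    for f in findings:
        print(json.dumps(f))
    print("compliant per service:", dict(ok))
```

A non-designated source address in the protected services' logs points to a device whose traffic bypassed WARP or an Egress policy that did not match, so each finding should be traced back to the device and policy involved.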
Cloudflare & cloud services used
Client identity is withheld at the customer’s request. The figures and outcomes above are client-reported and reflect the engagement as delivered.
Facing something similar?
Nanosek can scope the work, the risks, and the rollback plan with you — as an authorized Cloudflare MSP/ASDP partner that also runs the rest of your cloud estate.