Cloudflare One Explained: A Clear Guide to Cloudflare’s SASE Products
- Sam Abizdris & Ido Sender
- 2 days ago
Cloudflare One was previously known as Cloudflare Zero Trust. Today, Cloudflare One represents Cloudflare’s unified Secure Access Service Edge (SASE) platform, combining identity-driven security services with global network connectivity and segmentation inside one distributed system.
This evolution can create confusion. Some professionals still associate Cloudflare One only with Zero Trust Network Access (ZTNA). Others are unsure how Cloudflare WAN relates to Secure Web Gateway (SWG) or Cloudflare Network Firewall. This guide provides technical clarity, acting as a system glossary to remove ambiguity regarding Cloudflare’s current architecture.

1. Introduction: How Cloudflare One Defines SASE
The transition from traditional site-centric security to SASE represents a move away from hardware-defined perimeters toward identity-defined edges. Legacy architectures backhaul traffic to central data centres for security processing, creating massive latency.
Cloudflare One eliminates this by running every security and networking function in every data centre across its global network. This ensures that whether a user is in Tokyo or London, their security policies are enforced mere milliseconds away. By unifying Security Service Edge (SSE) and Network as a Service (NaaS), Cloudflare One allows organisations to manage networking and access control through a single, cloud-native control plane. Previously known as Cloudflare Zero Trust, Cloudflare One has evolved to represent the company’s comprehensive SASE portfolio.
2. The Core Domains of Cloudflare One
Cloudflare One is architecturally divided into two symbiotic domains:
Workforce Security: This domain secures the "User-to-Application" flow. It focuses on the human element, ensuring that employees and contractors can safely access internet resources, SaaS apps and private infrastructure. This is primarily achieved through Zero Trust Network Access (ZTNA) and Cloudflare Secure Web Gateway (SWG), which together verify every identity and inspect every request for malicious content or data leakage.
Network and Connectivity: This domain secures the "Site-to-Site" and "Workload-to-Workload" flows. It focuses on the fabric that connects offices, data centres and multi-cloud environments. By utilising Cloudflare Tunnel and high-performance on-ramps, it replaces legacy technologies like MPLS and traditional VPNs with a global cloud backbone, eliminating the need for open inbound ports and vulnerable hardware gateways.
3. Domain 1: Workforce Security (The SSE Pillar)
Security Service Edge (SSE) represents the security-focused component of the SASE framework. This pillar ensures that users are protected and authenticated regardless of their physical location.

3.1 Cloudflare Access and Zero Trust Network Access (ZTNA)
Cloudflare Access is the foundation of ZTNA, applying the principle of least privilege to every request. It integrates with multiple Identity Providers (IdPs) simultaneously, allowing for complex policies that consider identity, device posture and geolocation.
Clientless Support: Cloudflare Access also supports a clientless mode for third-party contractors and unmanaged devices, so users can reach internal web apps, SSH and RDP sessions directly through their browser.
3.2 Cloudflare One Client (formerly WARP Client)
The Cloudflare One Client (WARP) is the primary on-ramp for managed corporate devices. It utilises the WireGuard protocol for an encrypted tunnel that offers high throughput and stability. The client continuously transmits Device Posture signals - such as disk encryption status, OS version and the presence of endpoint protection (EDR) - to the policy engine to ensure the device meets security standards before access is granted.
3.3 Cloudflare Tunnel
Cloudflare Tunnel establishes an outbound-only connection between your origin infrastructure and Cloudflare’s edge. By eliminating the need for open inbound firewall ports, it hides your servers from the public internet, making them "dark" and invisible to DDoS attacks or reconnaissance scans.
3.4 Secure Web Gateway (SWG)
The SWG inspects DNS, HTTP and network traffic to enforce Acceptable Use Policies (AUP).
Advanced Inspection: It performs full TLS decryption at the edge to scan for malware in encrypted payloads.
AI Governance: SWG policies can block specific AI tools or restrict them to "Read-Only" mode to prevent unauthorized uploads to public LLMs.
3.5 Remote Browser Isolation (RBI)
RBI executes all browser code in a remote container on the Cloudflare edge.
Air-Gapped Browsing: Instead of running potentially malicious scripts on the local device, Cloudflare renders only safe draw commands to the user. This creates an absolute air gap, protecting the device from zero-day browser exploits.
3.6 Cloud Access Security Broker (CASB)
Cloudflare CASB operates via API integrations to provide visibility and control over SaaS applications such as Google Drive, GitHub and Microsoft 365. It focuses on securing data at rest by scanning for security gaps that exist within the cloud environment itself.
Technical Capabilities: It identifies misconfigurations, over-shared files and "Shadow IT", detecting unauthorised SaaS apps or AI bots that users have integrated into the corporate environment without IT approval.
3.7 Data Loss Prevention (DLP)
Cloudflare DLP protects sensitive information by inspecting data both in motion and at rest. It ensures that proprietary or regulated data does not leave the secure environment, regardless of the communication channel.
Data in Motion: Operates inline via the SWG to perform real-time scanning of HTTP payloads. It can redact or block sensitive data such as PII or source code within the text of requests, including prompts sent to AI chat interfaces.
Data at Rest: When integrated with CASB, Cloudflare DLP scans stored files within SaaS platforms to identify and categorise sensitive information that has already been uploaded, ensuring consistent security policies across all data states.
3.8 Cloudflare Email Security (formerly Area 1)
Cloudflare provides a cloud-native defence against phishing, business email compromise (BEC) and account takeover. Unlike traditional gateways, it operates at the edge to preemptively stop threats before they reach the inbox.
HOPS Analysis: The system utilises HOPS (Hyper-converged Organization Profiling and Security) analysis, which employs AI-driven models to analyse identity, trust and relationship patterns. By understanding the historical communication "hops" and typical sender behaviour, it can identify sophisticated impersonation attempts that bypass standard filters.
Search and Destroy: Beyond pre-delivery blocking, the system integrates with the Microsoft Graph API and Google Workspace to provide post-delivery remediation. It can crawl existing inboxes to identify and retroactively delete malicious emails that have already been delivered, mitigating the risk of "sleeper" threats.
3.9 Digital Experience Monitoring (DEX)
Cloudflare DEX provides end-to-end telemetry and visibility across the entire Zero Trust ecosystem. Its primary purpose is to eliminate the guesswork for IT teams by pinpointing exactly where performance bottlenecks occur, whether on the user's device, a local network, ISP or the application itself.
Consider a remote employee reporting that a SaaS application is "slow". Without DEX, IT cannot easily determine the cause. Cloudflare DEX provides immediate data showing that the user's local Wi-Fi signal is weak or that their laptop's CPU is spiking, rather than a failure in the corporate network or the application server. This telemetry allows for rapid troubleshooting and reduces the mean time to resolution (MTTR) for help desk tickets.
3.10 AI for Workforce
This is a dedicated governance layer designed to enable safe AI adoption across the organisation. Rather than a blanket block on AI tools, it provides granular control over how these services are used, ensuring productivity does not compromise corporate security.
Access Governance: Administrators can define exactly which AI services are permitted for use. For example, the marketing team might be allowed access to specific image generation tools, while the engineering team is restricted to approved coding assistants.
Prompt Control and Redaction: By integrating with Cloudflare SWG and DLP, the system performs real-time inspection of AI prompts. It can automatically redact proprietary source code or customer PII before it is submitted to a public LLM. Furthermore, it allows for "Read-Only" policies, where users can query an AI but are blocked from uploading or pasting sensitive data into the interface.
The following matrix breaks down how Cloudflare’s AI Security Suite enhances the Workforce (SSE) pillar by protecting against AI-specific risks:
| Product | General Capabilities (Protecting Against...) | AI-Driven Capabilities (AI Security Suite) |
| --- | --- | --- |
| Cloudflare Access (ZTNA) | Lateral Movement & Unauthorized Access: Enforces Least Privilege access to internal applications. Integrates with IdPs to verify identity and device posture before granting access. | Model Access Governance: Controls which users or groups can access specific AI models or interfaces, preventing unauthorised personnel from interacting with sensitive internal LLMs. |
| Cloudflare SWG (Gateway) | Malware & Phishing: Blocks malicious domains and enforces Acceptable Use Policies (AUP). Inspects encrypted traffic for hidden threats and C2 communication. | Shadow AI Discovery: Identifies and blocks "Shadow AI" (unapproved AI tools). Allows for "Read-Only" policies where users can query public LLMs but are restricted from uploading data. |
| Cloudflare DLP | Data Exfiltration: Scans outbound traffic for sensitive strings like PII, credit card numbers and source code to prevent data leaks. | AI Prompt Inspection & Redaction: Real-time scanning of prompts sent to LLMs. It automatically redacts or blocks proprietary code or customer data within the text of the prompt itself. |
| Cloudflare Email Security | BEC & Account Takeover: Stops sophisticated phishing and Business Email Compromise (BEC) by analysing sender trust and relationship patterns. | Generative AI Phishing Defense: Uses AI-driven models to detect and block highly convincing phishing lures and "synthetic" content generated by malicious actors using LLMs. |
| Cloudflare RBI (Isolation) | Zero-Day Browser Exploits: Executes all browser code on Cloudflare’s edge. Protects local devices from malicious scripts and browser-based vulnerabilities. | Secure AI Sandboxing: Provides an air-gap for AI interactions, ensuring that sensitive session tokens or browser-stored data cannot be scraped by malicious AI extensions or plugins. |
| Cloudflare CASB | SaaS Misconfigurations: Identifies security gaps in platforms like M365 and Google Workspace, such as over-shared files or insecure settings. | AI Third-Party Risk Management: Detects and audits third-party AI bots or plugins that have been granted permissions to scan corporate SaaS repositories without IT approval. |
4. Domain 2: Network and Connectivity (The NaaS Pillar)
4.1 Cloudflare WAN (formerly Magic WAN)
Cloudflare WAN replaces legacy MPLS with a global, software-defined backbone. It provides any-to-any connectivity, ensuring that offices and data centers are connected over a high-performance, secure network fabric.
4.2 Cloudflare WAN (formerly Magic WAN) Implementation via IPsec or GRE
These are standardised L3 protocols that act as on-ramps. They allow existing network hardware (routers, firewalls) to connect directly to the Cloudflare WAN via encrypted (IPsec) or encapsulated (GRE) tunnels.
4.3 Cloudflare One Appliance (formerly Magic WAN Connector)
The Cloudflare One Appliance is available as either a physical hardware device or a virtual machine image designed to automate branch office connectivity. It serves as the primary on-ramp for local area networks (LANs) to connect directly to the Cloudflare global network. It provides application-aware routing and path optimisation, ensuring that branch traffic is secured and prioritised at the source. By replacing traditional branch routers, the appliance simplifies the transition to a SASE architecture, offering "plug-and-play" connectivity that automatically establishes secure tunnels to the nearest Cloudflare data centre without manual IPsec configuration.
4.4 Cloudflare Network Firewall (formerly Magic Firewall)
Cloudflare Network Firewall is a cloud-native, Layer 3/4 firewall that replaces legacy hardware appliances with a distributed software-defined model. It allows organisations to enforce security policies across their entire network fabric, including on-premises data centres and cloud VPCs, from a single dashboard.
Granular Micro-segmentation: It enables strict isolation of sensitive workloads, such as separating AI GPU clusters or financial training data segments from the rest of the corporate WAN.
Integrated L3 DDoS Protection: Because the firewall operates on Cloudflare’s global network, it includes always-on, line-rate DDoS mitigation. It automatically detects and blocks volumetric Layer 3 attacks at the edge, ensuring that malicious traffic is dropped before it can congest the organisation's private network or consume origin resources.
4.5 Cloudflare Virtual Network and Multi-Cloud Networking
Virtual Network: Defines isolated, logical routing domains (VRFs) within the Cloudflare fabric.
Multi-Cloud Networking: Orchestrates routing across AWS, Azure and GCP, maintaining a consistent security posture across disparate cloud environments.
4.6 Cloudflare Mesh (formerly WARP Connector)
Cloudflare Mesh enables identity-aware, service-to-service communication. It secures workloads in private subnets, allowing them to communicate via secure tunnels based on workload identity rather than fragile IP rules.
4.7 Network Flow (formerly Magic Network Monitoring)
This telemetry layer analyses NetFlow/sFlow data to provide deep visibility into traffic patterns and network health. It identifies volumetric anomalies and "top talkers" across the global infrastructure.
4.8 AI for Network
This layer focuses on the infrastructure requirements of AI operations, ensuring that the network fabric can handle the unique demands of large-scale model training and inference. It optimises high-bandwidth data flows required for AI training clusters, ensuring secure and low-latency transport between distributed storage and compute resources.
AI Gateway: This serves as a control plane for AI applications, providing visibility and management for requests sent to model providers. It allows organisations to cache responses to reduce costs, rate-limit requests to prevent abuse and log all interactions for compliance.
AI Firewalls: Operating at the edge, these specialised firewalls inspect incoming traffic to AI models for specific threats, such as prompt injection attacks or attempts to exploit model vulnerabilities. By applying these protections at the network level, Cloudflare ensures that AI workloads are shielded from malicious exploitation without adding significant processing overhead.

5. Conclusions: The Single-Pass Advantage
The technical foundation of Cloudflare One is the transition from fragmented service chaining to a Single-Pass Enforcement model. In legacy SASE environments, traffic is routed through a series of discrete virtual appliances, each adding cumulative latency. Cloudflare One eliminates this by processing identity verification, network policies and content inspection (DLP/SWG) simultaneously within a single inspection cycle at the edge.
By unifying Workforce Security and Network Connectivity into a single global fabric, the platform ensures that security enforcement is decoupled from physical hardware and tied directly to identity and context. This architecture allows organisations to maintain sub-millisecond performance while scaling complex security requirements—from AI prompt governance to Layer 3 DDoS mitigation—across a single, cloud-native control plane.
6. Frequently Asked Questions (FAQ)
Q: Is Cloudflare One a VPN replacement?
A: Yes. Cloudflare One replaces legacy VPNs with Cloudflare Access (ZTNA). Unlike a traditional VPN that grants broad network-level access, Cloudflare Access provides granular, identity-based access to specific applications, effectively eliminating the risk of lateral movement within the network.
Q: Does Cloudflare One require an agent on every device?
A: Not necessarily. For managed corporate devices, deploying the Cloudflare One Client (formerly WARP) is the recommended approach as it provides the most comprehensive security posture and device telemetry. However, for contractors or unmanaged devices, Cloudflare supports a Clientless approach, enabling secure, browser-based access to internal resources without requiring any software installation.
Q: How does Cloudflare protect against data leakage to AI?
A: Protection is enforced through Cloudflare DLP profiles. These profiles scan outgoing HTTP payloads for sensitive information such as source code or PII, redacting or blocking the data in real-time before it reaches the AI service interface.
Q: Can Cloudflare Email Security protect my existing inbox?
A: Yes. Through API integration with Microsoft 365 or Google Workspace, Cloudflare Email Security can perform a "Retro Scan". This allows the system to crawl existing mailboxes, identifying and retroactively deleting malicious emails or "sleeper" threats that were delivered before the service was active.
Q: How does Cloudflare One integrate with my existing security stack?
A: Cloudflare One is designed as an open platform. It integrates with major Identity Providers (IdP) like Okta and Azure AD and Endpoint Detection and Response (EDR) platforms such as CrowdStrike and SentinelOne to verify device posture before granting access. Additionally, for SIEM/SOAR requirements, Cloudflare Logpush can stream high-fidelity logs to third-party providers or cloud storage in near real-time.
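As an added example (not Cloudflare's code or part of the original guide), a small Python triage of Gateway HTTP logs in the NDJSON shape Logpush delivers to a SIEM: it counts DLP blocks per user and flags AI destinations that were allowed but are not on the approved list, which ties the SWG, DLP and Shadow AI points above to something an analyst can run. The field names follow the gateway_http Logpush dataset as I know it and must be checked against your own Logpush job; the log lines, host names, allow-list and hostname heuristic are all constructed for the demo.

```python
"""Triage Cloudflare Gateway HTTP logs (Logpush-style NDJSON) for DLP blocks and
unapproved ("Shadow AI") LLM destinations. Added example, not Cloudflare's code.
Field names follow the gateway_http Logpush dataset (Datetime, Email, HTTPHost,
URL, Action, PolicyName, DLPProfiles); verify them against your own Logpush job.
"""
import json
from collections import Counter, defaultdict

# Constructed sample records, one JSON object per line as Logpush emits them.
SAMPLE_LOGS = """\
{"Datetime":"2024-05-01T09:00:01Z","Email":"ana@example.com","HTTPHost":"chat.approved-llm.example","URL":"https://chat.approved-llm.example/api/prompt","Action":"allow","PolicyName":"Allow approved AI","DLPProfiles":[]}
{"Datetime":"2024-05-01T09:00:07Z","Email":"ana@example.com","HTTPHost":"chat.approved-llm.example","URL":"https://chat.approved-llm.example/api/prompt","Action":"block","PolicyName":"DLP: no source code to AI","DLPProfiles":["Source Code"]}
{"Datetime":"2024-05-01T09:02:40Z","Email":"bo@example.com","HTTPHost":"unknown-ai.example","URL":"https://unknown-ai.example/v1/chat","Action":"allow","PolicyName":"Default allow","DLPProfiles":[]}
{"Datetime":"2024-05-01T09:03:15Z","Email":"bo@example.com","HTTPHost":"unknown-ai.example","URL":"https://unknown-ai.example/v1/chat","Action":"block","PolicyName":"DLP: no PII to AI","DLPProfiles":["PII"]}
{"Datetime":"2024-05-01T09:05:00Z","Email":"cy@example.com","HTTPHost":"intranet.example","URL":"https://intranet.example/","Action":"allow","PolicyName":"Default allow","DLPProfiles":[]}
"""

# Assumed allow-list: AI hosts the SWG "approved AI" policy is meant to permit.
APPROVED_AI_HOSTS = {"chat.approved-llm.example"}
# Constructed heuristic for spotting AI/LLM destinations by hostname fragment.
AI_HOST_MARKERS = ("ai.", "-ai.", "llm.")

def parse_ndjson(text):
    """Yield one dict per non-empty line; skip lines that are not valid JSON."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def triage(text):
    """Return (DLP blocks per user and profile, unapproved AI hosts that were allowed)."""
    dlp_blocks = defaultdict(Counter)  # email -> Counter of DLP profile names
    shadow_ai = Counter()              # unapproved AI host -> allowed request count
    for rec in parse_ndjson(text):
        host = rec.get("HTTPHost", "")
        action = rec.get("Action")
        if action == "block" and rec.get("DLPProfiles"):
            for profile in rec["DLPProfiles"]:
                dlp_blocks[rec.get("Email", "?")][profile] += 1
        is_ai = any(m in host for m in AI_HOST_MARKERS)
        if action == "allow" and is_ai and host not in APPROVED_AI_HOSTS:
            shadow_ai[host] += 1
    return dlp_blocks, shadow_ai

if __name__ == "__main__":
    blocks, shadow = triage(SAMPLE_LOGS)
    for email, counts in blocks.items():
        print(f"{email}: DLP blocks {dict(counts)}")
    for host, n in shadow.most_common():
        print(f"unapproved AI host {host}: {n} allowed request(s); review SWG policy")
```

In production, Gateway's own application categories in the log are a better Shadow AI signal than the hostname heuristic used here.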