Cloudflare Access
Replace legacy VPNs with zero trust network access (ZTNA)
Provide identity-first, quantum-safe access to private applications and infrastructure. Govern connections between your workforce, AI agents, and internal data.
Make on-premises applications as easy to use as SaaS apps. ZTNA reduces remote access support tickets by 80% compared to a VPN.
Simplify the setup and operation of ZTNA with one-time integrations, composable software connectors, and unified Zero Trust policies.
Shrink your attack surface by enforcing context-based, least-privilege access policies for every resource.
Shield critical applications and high-risk user groups first — then expand cloud-native ZTNA to protect your infrastructure and MCP servers.
Cloudflare Access verifies and secures employee and third-party access across all of your self-hosted, SaaS, and non-web applications, including AI tools, helping mitigate risk and ensure a smooth user experience.
It checks granular context like identity and device posture for every request to provide fast, reliable access across your business.
“Cloudflare Access was a game-changer for Bitso. It made zero trust much easier. We now manage access to internal resources more efficiently, ensuring the right people have the right level of access to the right resources, regardless of their location, device, or network.”
Cybersecurity Lead, Bitso
TOP ACCESS USE CASES
Offload critical applications for better security and an improved user experience.
Authenticate third-party users (like contractors) with clientless options, social identity providers, and more.
Ensure privileged technical users can access critical infrastructure — without performance trade-offs.
Free Plan
forever
Best for teams under 50 users or enterprise proof-of-concept tests.
Pay-as-you-go
per user/month (paid annually)
Best for teams over 50 users solving narrow SSE use cases and that do not require enterprise support services.
Contract Plan
Best for organizations building toward a full-featured SSE or SASE deployment that also desire maximum support.
Access controls (included in zero trust platform)
No user limit
Support options vary by plan type. Various professional advisory and hands-on implementation services available as add-ons to Contract plans.
Chat and ticket support
Phone, chat, and ticket support; professional services available (add-on)
Custom application and private network policies, plus policy tester. Supports temporary authentication, purpose justification, and any IdP-provided auth method.
Protect self-hosted, SaaS, and non-web (SSH, VNC, RDP) apps, internal IPs and hostnames, or any arbitrary L4–7 TCP or UDP traffic.
Authenticate via enterprise and social IdPs, including multiple IdPs concurrently. Can also use generic SAML and OIDC connectors.
Configure contextual access based on IdP groups, geolocation, device posture, session duration, external APIs, etc.
Verify device posture using third-party endpoint protection provider integrations.
Clientless access for web apps and browser-based SSH or VNC.
Privileged SSH and VNC access through in-browser terminal.
Split tunneling for local or VPN connectivity.
Customizable app launcher for all apps, including bookmarks to apps outside of Access.
Service token support for automated services.
Configure local domain fallback. Define an internal DNS resolver to resolve private network requests.
Automate deployment of Cloudflare resources and connections.
Certificate-based auth for IoT and other mTLS use cases.
Core capabilities
50 user limit
Dependable service level agreements (SLA) for paid plans with 100% uptime and reliable service you can trust.
100% uptime guarantee (SLA)
Community forums and Discord server
Zero Trust logs are stored for a varying period of time based on the plan type and service used. Contract users can export logs via Logpush.
up to 24 hours
up to 30 days
Up to 6 months; Logpush to SIEM/cloud storage
Securely connects resources to Cloudflare without a publicly routable IP address. Does not require VM infrastructure and has no throughput limitations.
Securely and privately sends traffic from end user devices to Cloudflare’s global network. Enables capabilities like building device posture rules or enforcing filtering policies anywhere. Self-enroll or deploy via MDM.
ZTNA provides granular identity- and context-based access to all your internal self-hosted, SaaS, and non-web (e.g., SSH) resources.
SWG protects against ransomware, phishing, and other threats using L4–7 network, DNS, and HTTP filtering policies for faster, safer Internet browsing.
Provides user-centric visibility into device, network, and application performance across your zero trust organization.
Provides network traffic visibility and real-time alerts for unified insights into network activity. Available for free to everyone.
CASB continuously monitors SaaS apps at rest to detect potential data exposure due to misconfigurations or weak posture findings.
Up to 2 read-only API integrations
Unlimited out-of-band integrations (add-on)
DLP detects sensitive data in transit and at rest across web, SaaS and private apps with controls or remediation guides to stop leakage or exposure.
Limited predefined profiles
Full-featured (add-on)
Free and pay-as-you-go plan: Free for the first 10 GB, $1 per GB per month after
Enterprise: Custom pricing
Add on
RBI layers additional threat defense and data protection controls across browsing activities by running all browser code on Cloudflare's global network.
Add-on
Email security helps block and isolate multi-channel phishing threats, including malware and business email compromise.
Cloudflare One is our single-vendor SASE platform that converges zero trust security services from the plans above with network services, including Magic WAN and Firewall.
Add-on (See next pricing tab)
Threat protection
Block ransomware, phishing, DGA domains, DNS tunneling, C2 & botnet, and more.
Filter by security or content category. Deploy via our device client or via routers for locations.
Control traffic based on source, destination country, domains, hosts, HTTP methods, URLs, and more. Unlimited TLS 1.3 inspection.
Allow or block traffic based on ports, IPs, and TCP/UDP protocols.
Scan uploaded / downloaded files across types (PDFs, ZIP, RAR, etc.)
Detection via our own machine learning algorithms and third-party threat feeds.
All functionality available for IPv4 and IPv6 connectivity.
Create network policies to manage and monitor SSH access to your applications
Secure connectivity for DNS filtering directly from offices.
Up to 3 locations
Up to 50 locations
Up to 250 locations
Render all browser code at the edge, instead of locally, to mitigate threats. Deploy with or without a device client. Selectively control what activity to isolate and when.
Stop phishing and business email compromise.
Apply HTTP policies at the browser level by configuring a PAC file. Apply filters without deploying client software on user devices.
Dedicated range of IPs (IPv4 or IPv6) geolocated to one or more Cloudflare network locations.
Data protection
Set least-privilege policies per application to ensure users only access data they need.
Allow or block uploads / downloads of files based on MIME type.
Allow or block traffic to specific apps or app types.
Add Cloudflare CASB to detect if misconfigurations in SaaS applications leak sensitive data.
Unlimited out-of-band integrations
Inspect HTTP(S) traffic and files for the presence of sensitive data. Free tier includes predefined profiles like financial info, while full-featured Contract plans also include custom profiles, custom datasets, OCR, DLP logs, and more.
Restrict download, upload, copy/paste, keyboard input, and printing actions within isolated web pages and applications. Prevent data leakage onto local devices, and control user inputs on suspicious websites. Deploy with or without a device client.
SaaS app protection
All access controls, data controls, and threat protection capabilities (as outlined in prior sections) apply consistently across SaaS apps.
Allow traffic only to corporate tenants of SaaS apps. Prevent leakage of sensitive data to personal or consumer tenants.
Review apps your end users visit. Set approval status for those apps.
Integrate with your most used SaaS apps (e.g. Google Workspace, Microsoft 365) to scan, detect, and monitor for security issues.
API integrations continuously monitor SaaS apps for suspicious activities, data exfiltration, unauthorized access, and more.
Identify inappropriate file sharing behaviors within your most used SaaS apps.
Discover misconfigurations and incorrect user permissions within SaaS apps. Immediately action surfaced security findings with step-by-step remediation guides.
Stop phishing and business email compromise with Cloudflare’s email security.
Visibility
On Contract plans, DNS logs are stored 6 months, and HTTP and network logs for 30 days.
24 hours
30 days
6 months
Comprehensive details for all requests, users, and devices, including block reasons. Block policy decisions are stored for a week, and authentication logs for 6 months.
Audit logs for the connection status of tunnels and for when a new DNS record is registered for an app.
Track usage and review approval status across applications end users visit.
Full replay of all commands run during an SSH session. Provides SSH visibility at a network layer.
Passively monitor private network traffic to catalog discovered apps and users who access them.
By default, logs will not store any employee PII (source IP, user email, user ID, etc.), and it will be unavailable to all roles in your organization.
Provides predictive, historical, and real-time intelligence around application outages, network issues, and performance slow-downs to keep users productive.
Top-level findings only
Detailed findings
Network performance and connectivity on-ramps
Anycast network spanning 330 cities in 125 countries with 405 Tbps of network edge capacity
13,000 interconnects, including major ISPs, cloud services, & enterprises
Network architected so that every service operating at the edge is built to run in every data center and available to every customer.
All traffic is processed in a single pass at the data center closest to its source. No backhauling.
Optimized routes to avoid congestion issues.
Available across all major OSes (Win, Mac, iOS, Android, Linux, ChromeOS).
Default mode sends traffic through WireGuard tunnels to enable the full range of security functionality. Use DoH mode to only enforce DNS filtering policies, or use proxy mode to filter traffic only to specific apps.
Deploy to your entire device fleet via MDM tools. Or, users can download the device client themselves to self-enroll.
Connect resources to Cloudflare without a publicly routable IP address. Deploy via UI, API, or CLI.
Cloudflare Access is a zero trust network access (ZTNA) solution designed to secure access for employees and contractors across self-hosted, SaaS, and non-web applications, eliminating the need for a traditional VPN.
Cloudflare Access makes on-premises applications as user-friendly as SaaS applications. It has been shown to reduce remote access support tickets by 80% compared to using a VPN, freeing up internal IT teams to focus on more productive tasks.
Cloudflare Access strengthens security by verifying user identity and device health for every request. It helps to minimize the attack surface by enforcing least-privilege access policies for all resources.
Yes, Cloudflare Access simplifies managing third-party access by offering clientless options and integration with social identity providers for authenticating third-party users such as contractors.
Cloudflare Access empowers developers by ensuring that privileged technical users can securely access critical infrastructure without experiencing performance bottlenecks.