Professional Documents
Culture Documents
DNS Filtering 11
Legacy Design - First Glance 12
Legacy Design - Operational Flaws 13
Legacy Design - Required Network Modifications 14
Cloudflare One Design 15
Diagram Comparison 16
Table Comparison 17
This design guide describes how organizations can simplify and strengthen
their network and security architecture with Cloudflare One, our SASE
platform. Cloudflare One combines network connectivity services with
Zero Trust security services— all delivered on our global network. Unifying
these networking and security services under one consistent, cloud-based
architecture addresses many of the challenges of traditional, perimeter-
based, on-premise deployments.
Each section of this design guide walks through a common technical use
case — first, how that problem is typically solved with a legacy approach,
and then, how Cloudflare One solves the same problem with greater
efficiency and heightened security.
These initial use cases were prioritized based on their popularity among
customers, but they by no means represent the full scope of Cloudflare
One’s capabilities. We will continue to expand this guide with additional use
cases, including secure access to private networks, advanced threat/data
protection, and more.
VPN Conc.
VPN Conc.
Load
balancer
Internal DNS
1
3 4 Subnet
Public Wifi VPN
Edge Firewall Internal Firewall 5a
Split tunnel 2
5b
Remote
Endpoint Web App
Network/Security Action
2 The remote device reaches corporate edge via VPN client, but split tunnels other traffic
4 Firewall policy grants remote user access to subnet with private web application
5 User accesses web app via private IP/URL [5a] or Public URL [5b] after authenticating to IDP
VPN Conc.
VPN Conc.
Load
balancer
Internal DNS
1
3 4 Subnet
Public Wifi VPN
Edge Firewall Internal Firewall 5a
Split tunnel 2
5b
Remote
Endpoint Web App
The remote endpoint reaches corporate edge VPN-specific security will not protect split-
2 Corporate VPN Client
via VPN client, but split tunnels other traffic tunneled traffic
Firewall policy grants remote user access to The user has access to resources outside
4 Internal Firewall
subnet with private web application their job function
User accesses web app via private IP/URL Active Directory If the endpoint is compromised, company
5 [5a] or Public URL [5b] after authenticating
Internal DNS (Private) app/network is at risk
to IDP
VPN Conc.
1 Load Internal Subnet
balancer VPN Conc. DNS
5a
Remote Public Wifi VPN
Endpoint 3 4
Web App
2 Edge Web Internal
Coffee Shop 5b Firewall Proxy Firewall
Split Tunnel
Malicious site
Cloud Data Center / HQ
User accesses web app via private Active Directory If the endpoint is compromised, Mobile Device Mgmt
5 IP/URL [5a] or Public URL [5b] after
Internal DNS (Private) company app/network is at risk (MDM) Server
authenticating to IDP
Compromised site
VPN Conc.
1 Load Internal Subnet
balancer VPN Conc. DNS
5a
Remote Public Wifi VPN
Endpoint 3 4
Web App
2 Edge Web Internal
Coffee Shop 5b Firewall Proxy Firewall
Split Tunnel
Malicious site
Cloud Data Center / HQ
Compromised site
User accesses web app via private Active Directory If the endpoint is compromised, Mobile Device Mgmt
5 IP/URL [5a] or Public URL [5b] after
Internal DNS (Private) company app/network is at risk (MDM) Server
authenticating to IDP
DNS Filtering
Office
Unacceptable site
Employee
Subnet
Internet
1
Edge
3
Firewall
Recursive
DNS
VPN 2
Malicious site
Remote user
DNS-Related Event
An onsite user has their DNS requests content filtered for security by the built-in feature on the Edge
1
Firewall
2 A remote user has their DNS requests filtered after connecting to the organization’s full tunnel VPN
Office
Unacceptable site
Employee
Subnet
Internet
1
Edge
3
Firewall
Recursive
DNS
VPN 2
Malicious site
Remote user
An onsite user has their DNS requests Relying on the Edge FW for too many essential
1 content filtered for security by the built- Edge Firewall operations can degrade performance across
in feature on the Edge Firewall the organization
Office
Unacceptable site
Employee
Subnet
Internet
1
Edge
3
Firewall
Recursive
DNS
VPN 2
Malicious site
Remote user
A remote user has their A full-tunnel VPN creates a ‘double tax’ Increase ISP bandwidth
DNS requests filtered after VPN Concentrator of internet packets, which can create a
2 Hardware upgrade
connecting to the organization’s Edge Firewall performance bottleneck for the entire
full tunnel VPN organization tunneled traffic Enable Split Tunnel*
The organization’s DNS Cloudflare’s 1.1.1.1 DNS resolver supports DNS over TLS/
2 requests are encrypted 1.1.1.1 DNS resolver HTTPs, encrypting DNS requests and hindering hostile
before being sent out. reconnaissance
Legacy Design
Office
Unacceptable site
Employee
Subnet
Internet
1
Edge
3
Firewall
Recursive
DNS
VPN 2
Malicious site
Remote user
Legacy Design
DNS-Related Event Relevant Elements Design Flaw Non-Cloudfare Solution
A remote user has their A full-tunnel VPN creates a ‘double tax’ Increase ISP bandwidth
DNS requests filtered after VPN Concentrator of internet packets, which can create a
2 Hardware upgrade
connecting to the organization’s Edge Firewall performance bottleneck for the entire
full tunnel VPN organization tunneled traffic Enable Split Tunnel*
The organization’s DNS Cloudflare’s 1.1.1.1 DNS resolver supports DNS over TLS/
2 requests are encrypted 1.1.1.1 DNS resolver HTTPs, encrypting DNS requests and hindering hostile
before being sent out. reconnaissance