Introduction
Zero Trust Network Access represents the most significant architectural shift in corporate security since the firewall. The premise is simple: stop trusting the network. Instead of VPNs that grant broad access to everyone inside the tunnel, verify every user, every device, and every request — regardless of network location.
Google formalized this concept in its 2014 BeyondCorp paper, describing how Google eliminated its corporate VPN by treating every network (including the corporate LAN) as untrusted. A decade later, every major cloud provider offers a commercial Zero Trust solution, but their implementations reflect very different architectural philosophies.
Cloudflare Access is part of Cloudflare One, a comprehensive SASE (Secure Access Service Edge) platform that provides ZTNA, DNS filtering, SWG (Secure Web Gateway), and CASB from Cloudflare's edge network.
AWS Verified Access provides ZTNA specifically for applications hosted on AWS, integrating with AWS networking primitives and identity services.
Azure Entra Private Access (formerly Azure AD Application Proxy + Global Secure Access) is Microsoft's ZTNA, deeply integrated with Entra ID (Azure AD) and the Microsoft 365 ecosystem.
Google BeyondCorp Enterprise commercializes Google's internal Zero Trust architecture, built on Chrome Enterprise, Identity-Aware Proxy, and Google's global network.
Architecture and Approach
Cloudflare Access: ZTNA at the Edge
Cloudflare Access operates through Cloudflare's global network, creating a security layer between users and applications without requiring those applications to be on any specific cloud.
How it works:
- User navigates to a protected application URL
- Cloudflare intercepts the request at the edge (the same network handling CDN and WAF)
- User is redirected to authenticate with their configured identity provider
- Cloudflare evaluates access policies: identity (who), device posture (what), location (where), and context (when/how)
- If authorized, the request is forwarded to the origin application through a Cloudflare Tunnel (encrypted outbound connection from origin to Cloudflare — no inbound ports required)
- Subsequent requests are validated against the session policy
Key architectural elements:
Cloudflare Tunnel (cloudflared): A lightweight daemon that runs on your origin infrastructure and creates an encrypted outbound connection to Cloudflare's network. Because the tunnel is outbound-only, your origin server needs no public IP address, no open inbound ports, and no firewall rules. This dramatically reduces attack surface.
WARP client: For non-HTTP applications (SSH, RDP, private networks), users install the WARP client which creates a WireGuard-based tunnel to Cloudflare. The WARP client also provides device posture signals (OS version, disk encryption, MDM enrollment, running processes).
Policy engine: Access policies combine multiple signals:
| Signal | Examples |
|---|---|
| Identity | Email, group membership, IdP attributes |
| Device posture | OS version, disk encryption, firewall status, specific software running |
| Location | Country, IP range |
| Authentication method | MFA requirement, specific IdP |
| Network context | Managed network (office), gateway policy compliance |
| Time | Session duration limits, time-of-day restrictions |
What makes Cloudflare Access distinctive:
- Free for up to 50 users — the most accessible entry point for ZTNA
- Cloud-agnostic — protects applications on AWS, Azure, GCP, on-premises, or SaaS equally
- Browser-based SSH/VNC — users can SSH into servers through a browser session without installing an SSH client
- Application-level isolation — each application has independent access policies; compromising access to one app does not grant access to others
- Part of a broader SASE platform — DNS filtering (Gateway), SWG, CASB, DLP, and email security are complementary Cloudflare One products
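As an added illustration (not Cloudflare's code or API), here is a small policy engine that ANDs the signal classes from the table above and keeps one independent policy per application, as the application-level isolation bullet describes. The request fields, the two sample applications and their policies are constructed for the example; versions are compared numerically, because string comparison would rank "9.1" above "14.0".

```python
from dataclasses import dataclass, field


def parse_version(v: str) -> tuple:
    """Compare OS versions numerically: as strings "9.1" >= "14.0" is True."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Request:
    """Signals gathered for one request (identity, device, location, auth, time)."""
    app: str
    email: str
    groups: set
    mfa: bool
    country: str
    os_version: str
    disk_encrypted: bool
    session_age_minutes: int


@dataclass
class Policy:
    """One application's policy; every non-empty requirement must hold."""
    allowed_groups: set
    require_mfa: bool = True
    allowed_countries: set = field(default_factory=set)  # empty = any country
    min_os: str = "0"
    require_disk_encryption: bool = True
    max_session_minutes: int = 8 * 60


# Constructed sample applications. Each has an independent policy, so clearing
# "wiki" says nothing about "prod-ssh" (application-level isolation).
POLICIES = {
    "wiki": Policy(allowed_groups={"staff"}, require_disk_encryption=False),
    "prod-ssh": Policy(allowed_groups={"sre"}, allowed_countries={"US", "DE"},
                       min_os="14.0", max_session_minutes=60),
}


def evaluate(req: Request) -> tuple:
    """Return (allowed, reasons). All signals are ANDed; an unknown app is denied."""
    policy = POLICIES.get(req.app)
    if policy is None:
        return False, ["no policy for application (default deny)"]
    reasons = []
    if not req.groups & policy.allowed_groups:
        reasons.append("identity: not in an allowed group")
    if policy.require_mfa and not req.mfa:
        reasons.append("auth: MFA required")
    if policy.allowed_countries and req.country not in policy.allowed_countries:
        reasons.append("location: country %s not permitted" % req.country)
    if parse_version(req.os_version) < parse_version(policy.min_os):
        reasons.append("device: OS below minimum version")
    if policy.require_disk_encryption and not req.disk_encrypted:
        reasons.append("device: disk not encrypted")
    if req.session_age_minutes > policy.max_session_minutes:
        reasons.append("time: session too old, re-authenticate")
    return not reasons, reasons


if __name__ == "__main__":
    r = Request("prod-ssh", "sre@example.com", {"sre"}, True, "US", "9.1", True, 10)
    print(evaluate(r))  # (False, ['device: OS below minimum version'])
```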
AWS Verified Access: ZTNA for AWS Workloads
AWS Verified Access provides Zero Trust access to applications running on AWS. It became generally available in June 2023, making it the newest solution in this comparison.
How it works:
- Create Verified Access instances, trust providers (IdP + device trust), and groups
- Define access policies using Cedar, AWS's purpose-built policy language
- Create Verified Access endpoints for each application (associated with an ALB, NLB, or network interface)
- Users access the application URL, authenticate, and have their device posture checked
- Verified Access evaluates Cedar policies against identity and device trust signals
- If authorized, traffic is forwarded to the application endpoint
Key architectural elements:
Cedar policy language: AWS built a dedicated policy language for Verified Access (and other AWS authorization services). Cedar policies are more expressive than simple allow/deny rules:
```cedar
// Allow members of the engineering group to reach the internal dashboard,
// but only from a device that meets the posture conditions in an MFA session.
// Attribute names here are illustrative. Note that Cedar's >= is defined for
// integers, not strings, so a real policy compares a numeric version attribute.
permit(
  principal in Group::"engineering",
  action == Action::"access",
  resource == Application::"internal-dashboard"
) when {
  context.device.os_version >= "14.0" &&
  context.device.disk_encryption == true &&
  context.identity.mfa == true
};
```
Trust providers: Verified Access integrates with IAM Identity Center (AWS SSO), OIDC-compatible IdPs (Okta, Ping), and device trust providers (CrowdStrike, Jamf, JumpCloud).
What makes Verified Access distinctive:
- Deep AWS networking integration — endpoints map directly to ALBs, NLBs, and ENIs
- Cedar policy language — more powerful than most ZTNA policy engines for complex authorization logic
- No client required for web applications — browser-based access without agent installation
- AWS IAM integration — policies can reference IAM Identity Center groups and attributes
Limitations to acknowledge:
- Only protects applications hosted on AWS (cannot protect on-premises or multi-cloud apps natively)
- Relatively new with a smaller feature set than Cloudflare Access or Azure Entra
- No free tier
- Limited non-HTTP protocol support compared to Cloudflare's tunneling capabilities
Azure Entra Private Access: Enterprise Identity-First ZTNA
Microsoft's ZTNA is evolving rapidly. Azure Entra Private Access (part of Microsoft's Global Secure Access) replaces the legacy Azure AD Application Proxy and provides ZTNA tightly integrated with Entra ID (formerly Azure AD).
How it works:
- Deploy a Private Network Connector on your network (similar to Cloudflare Tunnel)
- Define application segments (IP ranges, FQDNs, ports) that represent internal applications
- Create conditional access policies in Entra ID combining user identity, group membership, device compliance, location, and risk level
- Users install the Global Secure Access client (or use browser-based access for web apps)
- Traffic to configured application segments routes through Microsoft's network to the Private Network Connector, which forwards it to the internal application
Key architectural elements:
Entra ID Conditional Access: Microsoft's policy engine is the most mature enterprise identity platform. Conditional Access policies combine:
| Signal | Details |
|---|---|
| User/group | Specific users, group membership, guest vs member |
| Device | Compliance state (Intune), hybrid joined, registered |
| Location | Named locations, IP ranges, countries |
| Risk level | Sign-in risk, user risk (from Identity Protection) |
| Application | Per-application policies |
| Session controls | App enforced restrictions, MCAS session control, sign-in frequency |
Microsoft Intune integration: For device posture, Entra Private Access leverages Intune's device compliance policies. If a device is not compliant (missing updates, no encryption, jailbroken), access is denied. This is the deepest device management integration of any ZTNA platform — but it requires Intune enrollment, which means Microsoft device management.
What makes Azure Entra Private Access distinctive:
- Deepest enterprise identity integration — if your organization uses Entra ID (Azure AD), the conditional access policies, MFA, Identity Protection risk scores, and Privileged Identity Management are all native
- Intune device compliance — the most comprehensive device posture system, but requires Intune MDM
- Microsoft 365 ecosystem — seamless access to SharePoint, Teams, and other M365 services with consistent policies
- Quick access — simplified configuration for common scenarios (RDP, SMB file shares, internal web apps)
Limitations to acknowledge:
- Requires Entra ID (Azure AD) as the identity provider — does not work as easily with non-Microsoft IdPs
- Global Secure Access client is required for non-web applications
- Licensing complexity — different capabilities at P1, P2, and Entra Suite tiers
- Strongest when paired with Microsoft endpoint management (Intune), weaker without it
Google BeyondCorp Enterprise: Chrome-Centric Zero Trust
Google BeyondCorp Enterprise commercializes the principles from Google's internal Zero Trust implementation. It takes a distinctive approach by centering the security model on the Chrome browser.
How it works:
- Chrome Enterprise provides the endpoint: device signals, certificate-based device trust, DLP, and threat protection
- Identity-Aware Proxy (IAP) protects web applications by verifying identity and context before forwarding requests
- Endpoint Verification (Chrome extension or agent) collects device posture data
- VPC Service Controls provide network-level protection for GCP services
- Context-aware access policies combine identity, device, and request context
Key architectural elements:
Chrome as the security perimeter: Google's philosophy is that the browser is the primary application runtime for modern work. By instrumenting Chrome, Google can:
- Enforce DLP policies at the browser level (prevent copy/paste, downloads, screenshots)
- Detect threats in browsing sessions (phishing, malware downloads)
- Verify device posture through the browser extension (no MDM required for basic signals)
- Provide URL filtering and content inspection
Identity-Aware Proxy (IAP): Protects applications by requiring authentication and authorization before any traffic reaches the application. IAP sits in front of:
- GCP App Engine, Compute Engine, GKE applications
- On-premises applications (via Cloud IAP connector)
- Any HTTPS application
What makes BeyondCorp Enterprise distinctive:
- Chrome-centric security model — device signals and DLP enforcement through the browser, reducing dependence on endpoint agents
- Google's internal Zero Trust heritage — the architecture descends from the system that eliminated Google's own VPN
- Threat and data protection — browser-level DLP, phishing protection, and content inspection
- Certificate-based device identity — strong device authentication without requiring MDM
Limitations to acknowledge:
- Chrome-centric approach is a limitation if your organization uses other browsers significantly
- IAP primarily protects GCP-hosted applications (on-premises support exists but is less streamlined)
- Custom pricing makes cost comparison difficult
- Smaller market share and community than Cloudflare Access or Azure Entra
Feature Comparison
| Feature | Cloudflare Access | AWS Verified Access | Azure Entra Private Access | Google BeyondCorp Enterprise |
|---|---|---|---|---|
| Free tier | Yes (50 users) | No | No | No |
| Agent required (web apps) | No | No | No (browser) / Yes (non-web) | No (Chrome) |
| Agent for non-web | WARP client | Limited | Global Secure Access client | Endpoint Verification agent |
| Identity providers | SAML, OIDC, social (GitHub, Google), one-time PIN | IAM Identity Center, OIDC | Entra ID (primary), federated IdPs | Google Workspace, SAML, OIDC |
| MFA integration | Via IdP, built-in TOTP | Via IdP | Entra MFA (native) | Google MFA, third-party |
| Device posture | WARP client (OS, encryption, firewall, processes, MDM) | CrowdStrike, Jamf, JumpCloud | Intune compliance (deep) | Endpoint Verification, Chrome signals |
| Policy language | Visual rules + API | Cedar (powerful, programmatic) | Conditional Access UI + Graph API | Context-aware access policies |
| SSH/RDP access | Browser-rendered SSH/VNC | Limited | Quick Access (RDP, SMB) | IAP TCP forwarding |
| Private network access | WARP + Tunnel (full private network) | VPC endpoints | Private Network Connector | IAP connector |
| No public IP required | Yes (Cloudflare Tunnel) | Yes (VPC endpoints) | Yes (Private Network Connector) | Partial (IAP connector) |
| SWG (Secure Web Gateway) | Yes (Gateway) | No | Yes (Internet Access) | Yes (Chrome Enterprise) |
| DNS filtering | Yes (Gateway) | No | Yes (Internet Access) | No (separate product) |
| CASB | Yes (API-driven) | No | Yes (Defender for Cloud Apps) | No (separate product) |
| DLP | Yes (in-line and API) | No | Yes (Purview) | Yes (Chrome DLP) |
| Email security | Yes (Area 1) | No | Yes (Defender for Office 365) | Yes (Gmail security) |
| Multi-cloud support | Yes (any application, any cloud) | AWS only | Primarily Azure + on-premises | Primarily GCP + on-premises |
| Browser isolation | Yes (Remote Browser Isolation) | No | No | Yes (Chrome Enterprise) |
The SASE Dimension
ZTNA is often just one component of a broader Secure Access Service Edge (SASE) architecture. Here's how each provider's ZTNA fits into their broader security platform:
Cloudflare One (most comprehensive standalone SASE):
- Access (ZTNA) + Gateway (SWG/DNS filtering) + Browser Isolation + CASB + DLP + Area 1 (email security)
- All services run on the same edge network with a single management plane
AWS: No unified SASE platform. Verified Access handles ZTNA; other security functions require third-party products or separate AWS services.
Microsoft Global Secure Access (strongest for Microsoft-centric enterprises):
- Entra Private Access (ZTNA) + Entra Internet Access (SWG) + Defender for Cloud Apps (CASB) + Purview (DLP)
- Deep integration with Microsoft 365 and Windows
Google BeyondCorp Enterprise (Chrome-centric):
- BeyondCorp (ZTNA + threat protection) + Chrome Enterprise (DLP, browser security)
- Unique browser-centric approach
Pricing Comparison
Prices as of February 2026. All prices in USD.
| Tier | Cloudflare Zero Trust | AWS Verified Access | Azure Entra | Google BeyondCorp |
|---|---|---|---|---|
| Free | 50 users | — | — | — |
| Entry | $7/user/month (Pay-as-you-go) | ~$0.27/hr per instance + data processing | Included in Entra P1 ($6/user/mo) | Custom pricing |
| Standard | $7/user/month | Same | Included in Entra P2 ($9/user/mo) | Custom ($6-10/user/mo estimate) |
| Enterprise | Custom | Custom + hourly | Entra Suite ($12/user/mo) | Custom |
Cost at Different Scales
50 users (small business):
| Provider | Monthly Cost | Notes |
|---|---|---|
| Cloudflare | $0 | Free tier covers 50 users |
| AWS | ~$200-500 | Minimum instance hours + data |
| Azure | $300-450 | Requires Entra P1 minimum ($6/user) |
| Google | Custom (~$300-500) | BeyondCorp Enterprise licensing |
500 users (mid-market):
| Provider | Monthly Cost | Notes |
|---|---|---|
| Cloudflare | $3,500 | $7/user/month |
| AWS | ~$1,000-3,000 | Varies by instance count and data |
| Azure | $4,500-6,000 | Entra P2 ($9) or Suite ($12) per user |
| Google | ~$3,000-5,000 | Custom pricing |
5,000 users (enterprise):
| Provider | Monthly Cost | Notes |
|---|---|---|
| Cloudflare | Custom (volume discounts) | Typically $4-6/user at scale |
| AWS | Custom | Instance-based pricing becomes complex |
| Azure | $45,000-60,000 | P2 or Suite licensing |
| Google | Custom | Volume discounts available |
The Azure Licensing Nuance
Azure's pricing is misleading in isolation. Most enterprises already pay for Entra P1 or P2 licensing as part of their Microsoft 365 E3/E5 agreements. If you are already paying for M365 E5, Entra Private Access is included at no additional cost — making it effectively free for Microsoft-first organizations. This changes the cost calculation dramatically.
Cloudflare's free tier for 50 users is the most accessible entry point, but for enterprises already on Microsoft 365 E5, Azure's ZTNA is a $0 incremental cost.
Implementation Complexity
Cloudflare Access: Simplest Setup
- Sign up for Cloudflare Zero Trust (free)
- Add your identity provider (Google Workspace, Okta, Azure AD, etc.)
- Create an application and define access policies
- Deploy cloudflared on your origin server (one binary, one command)
- Users navigate to the application URL and authenticate
Time to first protected application: 30 minutes to 2 hours
AWS Verified Access: AWS Networking Knowledge Required
- Create a Verified Access instance
- Configure trust providers (IAM Identity Center, OIDC IdP, device trust)
- Create a Verified Access group with Cedar policies
- Create a Verified Access endpoint (requires ALB/NLB/ENI)
- Configure DNS to point to the Verified Access endpoint
- Users authenticate and access the application
Time to first protected application: 2-4 hours (longer if unfamiliar with AWS networking)
Azure Entra Private Access: Microsoft-Familiar, Complex Licensing
- Enable Global Secure Access in Entra admin center
- Install Private Network Connector on-premises or in Azure
- Configure application segments (IP/FQDN/port)
- Create conditional access policies in Entra ID
- Deploy Global Secure Access client to users
- Users authenticate via Entra ID and access applications
Time to first protected application: 2-4 hours (assumes existing Entra ID deployment)
Google BeyondCorp Enterprise: Chrome-First
- Enable BeyondCorp Enterprise in Google Cloud console
- Deploy Endpoint Verification (Chrome extension)
- Configure Identity-Aware Proxy for applications
- Create context-aware access levels
- Apply access levels to IAP-protected resources
- Users authenticate through Google identity and access applications in Chrome
Time to first protected application: 3-6 hours (Chrome Enterprise setup adds complexity)
Decision Framework
Choose Cloudflare Access When:
- Multi-cloud or hybrid — you need ZTNA that works identically across AWS, Azure, GCP, and on-premises
- Budget-conscious or getting started — free tier for 50 users, $7/user for larger deployments
- Simplest deployment — Cloudflare Tunnel eliminates inbound firewall rules, public IPs, and VPN infrastructure
- Broader SASE needs — Access is part of Cloudflare One (SWG, DNS filtering, CASB, DLP, email security)
- Developer-friendly — browser-based SSH/VNC, social IdP support (GitHub, Google), and API-first design
- You are not locked into a single cloud or identity provider
Choose AWS Verified Access When:
- AWS-native workloads only — your applications are on AWS and you want ZTNA without a third-party vendor
- Cedar policy language appeals — the most expressive ZTNA policy language for complex authorization logic
- AWS networking integration — you want ZTNA that plugs into VPC, ALB, and IAM natively
- You accept the limitations — newer product, no multi-cloud, limited non-HTTP support
Choose Azure Entra Private Access When:
- Microsoft-first organization — Entra ID for identity, Intune for device management, Microsoft 365 for productivity
- Already paying for M365 E5 — ZTNA is included at no additional cost
- Deepest device compliance — Intune integration provides the most comprehensive device posture checking
- Enterprise identity maturity — Conditional Access, Privileged Identity Management, and Identity Protection are already deployed
- Windows-heavy environment — native Windows device integration is unmatched
Choose Google BeyondCorp Enterprise When:
- GCP-native workloads — Identity-Aware Proxy is the most streamlined ZTNA for GCP applications
- Chrome-centric workforce — Chrome Enterprise provides browser-level security, DLP, and threat protection
- Google Workspace identity — seamless integration with Google Workspace for authentication
- You value the BeyondCorp philosophy — Google literally wrote the book on Zero Trust networking
The Strategic Picture
Zero Trust is the security category where each provider's strengths are most sharply differentiated by their existing market position:
Cloudflare wins on accessibility and flexibility. Free for 50 users, works with any cloud, any identity provider, any application. Cloudflare's ZTNA is the natural choice for organizations that are not committed to a single cloud or identity ecosystem — and the only choice that makes ZTNA economically viable for small businesses.
Azure wins on enterprise identity depth. If your organization has already invested in Entra ID, Intune, and Microsoft 365, Azure's ZTNA adds zero incremental cost and provides the deepest identity-context-device integration. The conditional access policy engine is the most mature enterprise identity platform.
Google wins on architectural purity. BeyondCorp is the closest commercial implementation to the Zero Trust ideal that Google pioneered internally. The Chrome-centric model is innovative but only compelling if Chrome is your primary application runtime.
AWS wins on AWS-native simplicity — if your applications are exclusively on AWS and you want ZTNA from your cloud provider, Verified Access avoids a third-party dependency. But it is the most limited of the four solutions.
The honest recommendation for most organizations: start with Cloudflare Access (free for 50 users, simplest deployment, cloud-agnostic) unless you are deeply embedded in the Microsoft ecosystem (choose Azure Entra) or exclusively on GCP (consider BeyondCorp). ZTNA is one of those categories where starting quickly and iterating is more valuable than spending months evaluating — the sooner you replace VPN access with per-application Zero Trust policies, the sooner your security posture improves.