LAB 03

Zero Trust

Protect your workforce, applications, and data with a modern security framework

45 minutes | Level 1 | 3 Captains
Access, Cloudflare Tunnel, Gateway, WARP

Summary

This hands-on lab provides participants with the practical skills needed to deploy Cloudflare's Zero Trust platform. By the end of the session, you will know how to secure remote user access, applications, and corporate data using core Zero Trust components.

Objectives

  • Enable and deploy the foundational elements of Cloudflare Zero Trust.
  • Securely connect self-hosted applications to the Cloudflare network using Cloudflare Tunnel.
  • Protect self-hosted applications using identity-aware security policies provided by Cloudflare Access.
  • Deploy web traffic filtering and security policies for user internet access using Cloudflare Gateway.

Lab Authors

Fiffy Amiera, Digital Solutions Engineer
Jun Hao Lee, Digital Solutions Engineer
Shahrul Azhar, Digital Solutions Engineer

Lab Modules

Step-by-step hands-on modules

1. Getting Started -- Foundation Setup (15 min)

This foundational module guides participants through the essential setup required for Cloudflare Zero Trust deployment. Participants will access and configure their dedicated lab environment on Cloudflare Labs (Windows 11 client workstation and Ubuntu origin server), integrate a SAML-based Identity Provider, configure TLS decryption, and deploy the WARP client with proper device enrollment policies.

Objective: Successfully access and verify the Cloudflare-managed lab environment, integrate a SAML-based Identity Provider, configure proxy and TLS decryption settings, and deploy and authenticate the WARP client with device enrollment policies.

Key Steps:

  • Access and configure the dedicated Cloudflare Labs environment
  • Integrate Trusted SAML Server as a SAML-based Identity Provider
  • Configure account-level proxy and TLS decryption settings
  • Deploy WARP client on the Windows 11 workstation
  • Set up device enrollment policies and authenticate

2. Access & Tunnel -- Secure Application Publishing (15 min)

This module introduces Cloudflare Tunnel and Access as a secure way to allow users to reach internal applications without exposing them to the internet. Participants will see how a private application can be published securely and protected with a login step, ensuring only authorized users can access it.

Objective: Securely publish a private application and restrict access so that only approved users can log in and use it.

Key Steps:

  • Create a Cloudflare Tunnel to connect internal infrastructure
  • Configure a public hostname for the private application
  • Set up Cloudflare Access policies for identity-aware protection
  • Test access with authorized and unauthorized users
  • Verify the application is not directly exposed to the internet

3. Gateway -- DNS Filtering & Data Protection (15 min)

This module focuses on bolstering threat defense by starting with DNS filtering and progressively layering on more comprehensive inspections and controls across all Internet activity with Cloudflare Gateway. Participants will explore how to block security-risk domains, control access and user behavior for internal applications, and enforce Data Loss Prevention (DLP) policies to detect and block sensitive data exfiltration.

Objective: Configure DNS policies to block security-risk domains, isolate traffic for internal applications, and apply DLP-enabled HTTP policies to prevent sensitive data exfiltration.

Key Steps:

  • Configure a DNS policy to block security-risk domains
  • Validate enforcement using dig or nslookup for malicious domains
  • Isolate traffic for an internal application with browser notification on restricted actions
  • Apply a DLP-enabled HTTP policy to block sensitive data sent to ChatGPT
  • Verify Block action logs with DLP profile in the Cloudflare dashboard
